Re: [Tails-dev] [RFC] Design (and prototype) for MAC spoofin…

Author: anonym
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] [RFC] Design (and prototype) for MAC spoofing in Tails
04/11/13 14:52, intrigeri wrote:
> Hi,
>
> anonym wrote (25 Oct 2013 23:01:42 GMT) :
>> I'm unsure of how to proceed for wired connections. The problem is that
>> there's no strong concept of being "associated" to a wired network (at
>> least "standard" ones, perhaps there is with 802.1x security...). I
>> haven't really looked into this deeply but I suspect it'll be hard to
>> identify blocking without confusing it with other types of wired
>> connection failures.
>
> Agreed.


I added a section about this to the blueprint nevertheless. But should I
take it that you also mean that probably we can't do anything about
this? Or do we accept a fair amount of false positives? After all, only
a suggestion about what's wrong is shown + it links to the docs, which
could make this clearer. I'm unsure what's the least confusing.

>> If anyone has good clues about how wired MAC
>> address blocking works (e.g. on which level. DHCP? Lower layer?) I'd
>> appreciate hearing about it.
>
> No idea. I doubt many network admins go as far as white-listing
> known MAC addresses on the switches, but blocking access to anyone who
> hasn't a valid DHCP lease (that can only be obtained if your MAC is on
> a whitelist) wouldn't surprise me.
>
>> Funny side-note: MAC spoofing apparently breaks both NAT-based and
>> bridge-based networking in VirtualBox (it works well in libvirt/KVM
>> though). We may want to add a specific notification if we detect that
>> Tails is run in VirtualBox on network failure.
>
> Oh $DEITY :/


I think I have a really good fix for this. See commit ee1aa982 in T-G's
repo, and my other recent response in particular.

Cheers!