On 2012-06-07 10:30, Mark Benson wrote:
On 7 Jun 2012, at 08:28, Johnny Billquist<bqt at softjar.se> wrote:
Dangerous in which way?
Promiscuous mode is considered a security risk because it can be used
to expose other packets not intended for viewing, which is why it's
restricted to root. BUT I, at least, am intending to use such a
service on a dedicated single purpose box, so that's not a big issue
for me.
Well, if you intend to run a bridge, router or whatever, you need to be root anyway, so
from a security point of view, this is a non-issue.
Changing the MAC address also requires you to be root... :-)
But yes, normal users are not allowed to sniff the network, and even less so allowed to
change the interface setup.
It will create a larger load on the system, but that's about it. And todays machines
are fast enough that you really need a lot of traffic before it will become a serious
problem from that point of view.
I run both my Linux boxes with SimH running 24/7 and the interface in
promiscuous mode as a result. They are behind a gigabit switch Netgear
switch. The resulting extra network traffic as a result is... well non
existant. My network isn't exactly busy but there are other machines
on the switch that have constant traffic.
The main reason in the past for changing the MAC address has been that you want to control
the source MAC address. However, most systems now allows you to spoof the source MAC when
outputting packets on the ethernet, so that problem is solved.
This also occured to me. MAC address spoofing is pretty easy in most
UNIX variants unless it is strictly disallowed.
Right. And it's hard to disallow, since you need to be root to even inject an ethernet
packet to begin with. At that point trying to prevent source spoofing is pointless.
The one environment where this is not possible is when you have hardware that enforce the
source address. Such as the DEC ethernet controllers for PDP-11s... You cannot spoof the
source MAC on those, as that is a piece of data that is inserted by the controller at the
time of transmission...
Load is the one remaining reason to even worry, and that is a rather small worry for most
people.
It's a risk anyone using DECnet via libpcap already accepts, anyway.
Yes. But load is the only real worry anyway. Security is not, in this case.
Johnny