Why You Can't Trust An IP Address As An Authenticator

In the Local Area Network...

Anyone can fake an IP address on the same LAN as the host you're trying to impersonate (e.g. on an Ethernet, you can find a machine you wish to impersonate, shut it down, or otherwise cause it to stop responding on the LAN, and then set your own IP address to be the same as the machine you wish to impersonate, and go to it). If you want to do so from far away, however, you have to successfully attack the routing system of the network so that it will send packets to you (the impostor) instead of to the "real" host.

...or Anywhere Else

In the modern Internet, there are no "natural" (classful) IP network numbers any more (e.g. "Class A", "Class B", "Class C" network numbers). Classless Inter-Domain Routing (CIDR) is now The Way, The Truth, and The Light. This means all routes in the Default Free Zone (DFZ) of the Internet are a tuple: they have a number, and a mask. The mask tells how many bits of the number everyone must treat as significant. Everyone must always route by longest match (i.e. pick the route for which the most bits of the destination address match). The new syntax for expressing routing information is number/mask, e.g. 10/8, 128.1/16, 192.1.1/24 (these are examples of the old "classful" IP addresses with their "natural" masks).

This was done to be able to aggregate the IP routing table in the DFZ (i.e. gang together network numbers into blocks that can be routed to with one route instead of several) so as to control the growth of the routing tables.

One of the implications of this is that I could, in principle, inject a host route into the DFZ (i.e. a route with 32 bits of significance), snatch/send packets for a time as that host, remove the route, and vanish into the æther. Whether this really works or not depends entirely on the Internet Service Providers (ISPs):

So, your task, as the attacker, is to find a permissive (or ignorant) ISP that will believe and pass on any route you give them, who, in turn, everyone else believes (or even just the ISP of your intended target believes), and you've got your target by the short hairs.

What To Do About It

Of course, if you use encryption to encode all your bits, you're safe from traffic snatching, and probably false authentication too, regardless of how the routes flow (so the host route idea now turns into a denial of service attack). Either way, pick your ISP carefully

What this all means is that if you want to do authentication on the Internet, you really have to do something cryptographic in nature.

In particular, for you UNIX system administrators out there, this means that you must stop running the rlogind and rshd because their authentication model is based on IP addresses, which has always been understood to be attackable (anyone can fake an IP address on the same LAN as the target, since you don't have to attack the routing system to do it - just shut the "real" one up, and lie, lie, lie), but is now known to be compromised (i.e. the cracker urchins out there have software tools that can successfully exploit this weakness to attack a server host).

Erik Fair <fair@clock.org>
May 6, 1996