MAC address
A MAC (Media Access Control or Medium Access Control) address, also called a physical address or hardware address, is used to define the location of a network device.[1] In the OSI model, the third layer (network layer) is responsible for IP addresses, while the second layer (data link layer) is responsible for MAC addresses. A host therefore has one MAC address, and each network location has an IP address that belongs to it alone. The MAC address is determined by the network card and is fixed.

Chinese name: MAC地址
English name: MAC Address
Full name: Media Access Control address
Other name: hardware address
Meaning: used to define the location of a network device
Representation: hexadecimal digits
Length: six bytes
Property: fixed once the product leaves the factory

Overview

The MAC (Medium/Media Access Control) address is used as the identifier of each station on the Internet. It is written in hexadecimal and is six bytes (48 bits) long.

The first three bytes (the high-order 24 bits) are a code assigned to each manufacturer by the IEEE Registration Authority (RA), also called the Organizationally Unique Identifier (OUI); the last three bytes (the low-order 24 bits) are assigned by each manufacturer to the adapter interfaces it produces and are called the extended identifier (which must be unique). One address block can therefore yield 2^24 distinct addresses. The MAC address is in effect the adapter address, or adapter identifier EUI-48.

Explanation

The MAC (Media Access Control) address, also called the hardware address, is 48 bits (6 bytes) long and is made up of hexadecimal digits. It is divided into a first 24 bits and a last 24 bits: the first 24 bits are the Organizationally Unique Identifier (OUI), a code assigned to each manufacturer by the IEEE Registration Authority that distinguishes one manufacturer from another.

The last 24 bits are assigned by the manufacturer itself and are called the extended identifier. Among the cards produced by one manufacturer, the last 24 bits of the MAC address differ from card to card.

The MAC address corresponds to layer 2 of the OSI reference model, the data link layer. A switch operating at the data link layer maintains a database of host MAC addresses and its own ports, and forwards each data frame according to the "destination MAC address" field in the frame it receives.

The physical address of a network card is usually burned into the card's EPROM (a kind of flash chip that can normally be erased and rewritten by a program) by the card manufacturer. It stores the address that actually identifies the computer sending the data and the host receiving it during transmission.

That is, in the physical transmission at the bottom of the network, hosts are identified by their physical addresses, which must be globally unique. For example, the well-known Ethernet card has a 48-bit physical address, such as 44-45-53-54-00-00, stored in the host interface in machine-readable form.

The body that administers Ethernet addresses (among other things), the IEEE (Institute of Electrical and Electronics Engineers), divides the Ethernet address space, that is, the possible 48-bit combinations, into a number of independent contiguous address groups. A manufacturer of Ethernet cards buys one such group and, during production, assigns one unique address to each Ethernet card.

Put simply, a MAC address is like the number on an identity card: it is globally unique.

Use of the address

MAC address binding uses the security access control list of a layer-3 switch to bind each switch port to its corresponding MAC address.

Basic meaning

Because every network adapter has a unique MAC address, MAC address binding can effectively keep unauthorized users from stealing network resources by preventing their access, providing security protection at the physical level of the network.

Basic application

Because of its security properties, MAC address binding is used by most end users to keep unauthorized users from entering the network by illegitimate means and stealing network resources. The technique is widely used in telecom networks and in some office automation (OA) network systems.

Changing the address

Normally the MAC address is fixed in the network card, though skilled network users do find ways to change their own MAC address. There are two ways to do so: a hardware method and a software method.

The hardware method operates on the card directly, changing the MAC address stored in the card's EPROM; the address in that memory can be changed with a programming utility supplied by the card manufacturer. What is an EPROM? EPROM is an electronics term for a type of memory that is erasable. Think of a sheet of paper: once written on with a pen it cannot be erased, whereas the EPROM "sheet" is written with a pencil and can be erased again, so the data stored in it can be changed repeatedly.

The software method is of course much simpler. In Windows the card's MAC address is kept in the registry, and it is also read from the registry in actual use, so changing the registry changes the MAC. In Windows 9x: open the Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\Net, under which are the subkeys 0000, 0001, 0002 and so on.

In Windows 2000/XP: likewise open the Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E970-E325-11CE-BFC1-08002BE10318}, then check DriverDesc under the subkeys 0000, 0001, 0002 and so on. If the card is found under 0000, add a string value under 0000 named "NetworkAddress" whose value is the MAC address to set, for example 000102030405.

After this, a reboot is all that is needed. In general the source MAC address of the frames a card sends is not written by the card itself but supplied by the application; in the usual implementation the application first reads the MAC address from the card and then uses it as the source MAC on every send. The MAC address in the registry was read from the card when Windows was installed, so as long as the operating system is not reinstalled this should not be a problem.

Security issues

This form of identification rests only on the MAC address. If someone can change a MAC address, they can steal an IP address and use the network for free; the current methods circulating online for stealing MAC addresses to get free access on residential broadband are based on exactly this idea. To steal someone else's IP address, one needs not only the IP address but also its corresponding MAC address.

For example, to obtain the MAC address of a host on the LAN, say the host named TARGET, first run `ping TARGET`; this leaves a record mapping the target's address to its MAC in the ARP cache of our own host. Then query the ARP table with `arp -a` to obtain the MAC address of the given host. Finally, `arp -s <IP> <MAC>` maps the gateway's IP address to its MAC address.

To obtain MAC addresses in other network segments, tool software can be used. The tool bundled with Windows 優化大師 (Windows Optimization Master) is a good one: click "System performance optimization" → "System security optimization" → "Additional tools" → "Cluster Ping", which can scan MAC addresses in bulk and save them to a file.

ARP (Address Resolution Protocol) is a protocol that translates IP addresses into physical addresses. There are two ways to map an IP address to a physical address: table-based and non-table-based. Specifically, ARP resolves a network-layer address (the IP layer, equivalent to OSI layer 3) into a data-link-layer MAC address (the MAC layer, equivalent to OSI layer 2). In other words, ARP obtains a MAC address from an IP address.

How ARP works: when machine A wants to send a packet to host B, it looks up its local ARP cache table; if it finds the MAC address corresponding to B's IP address, it transmits the data. If not, A broadcasts an ARP request (carrying host A's IP address Ia and physical address Pa) asking the host B whose IP address is Ib to reply with its physical address Pb. All hosts on the network, including B, receive the ARP request, but only host B recognizes its own IP address, and so it sends an ARP reply back to host A.

The reply contains B's MAC address. On receiving B's reply, A updates its local ARP cache and then uses this MAC address to send the data (the card attaches the MAC address). This locally cached ARP table is thus the basis of local network traffic, and the cache is dynamic. The ARP table: to speed up communication, the translations of frequently used MAC addresses and IPs do not depend on the switch; instead the local host keeps a table recording the IP-to-MAC mappings of frequently used hosts, namely the ARP table.

Solutions

我們可以将IP地址和MAC地址捆綁起來來解決這個問題。進入“MS-DOS方式”或“命令提示符”,在命令提示符下輸入命令:ARP-s 10.88.56.72 00-10-5C-AD-72-E3,即可把MAC地址和IP地址捆綁在一起。這樣,就不會出現IP地址被盜用而不能正常使用網絡的情況,可以有效保證小區網絡的安全和用戶的應用。

Note: the ARP command is only useful for a LAN's Internet proxy server, and only for static IP addresses; it has no effect with modem dial-up access or dynamic IP addresses.

However, simply binding IP and MAC addresses does not completely solve the problem of IP theft. A network provider has the responsibility to solve these problems for users before handing the network over to them, rather than leaving the security problem to the users, who should not have to bear losses from avoidable theft.

For a network provider, the most common and most effective solution is to add the port to the IP-MAC binding, that is, to bind IP, MAC and PORT together, where the port is a switch port. This requires the port management to be done properly at cabling time.

When cabling, each user's wall outlet should be matched one-to-one with a switch port and recorded. The MAC address submitted by the user is then entered for the corresponding switch port and bound together with the IP, achieving the three-way IP-MAC-PORT binding. Then even if a thief has the MAC address matching the IP, they cannot also have the wall port, so the thief is isolated at the physical channel.
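As an added example (not from this entry), the following Python script checks a host's ARP cache against a recorded IP-to-MAC binding list of the kind an administrator would load with `arp -s`. The `arp -a` output and the bindings are constructed samples; a mismatch against the bindings, or one MAC answering for two IPs (the gateway's MAC appearing on a second address), are the signals a defender would alert on.

```python
import re

# Constructed sample in the style of Windows `arp -a` output (not captured from a real host).
SAMPLE_ARP_OUTPUT = """\
Interface: 10.88.56.10 --- 0xb
  Internet Address      Physical Address      Type
  10.88.56.1            00-10-5c-ad-72-e3     static
  10.88.56.72           00-10-5c-ad-72-e3     dynamic
  10.88.56.80           00-10-5c-11-22-33     dynamic
"""

# Constructed IP-to-MAC bindings, as an administrator would record them for `arp -s`.
BINDINGS = {
    "10.88.56.1": "00-10-5C-AD-72-E3",
    "10.88.56.80": "00-10-5C-AA-BB-CC",
}

ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+(\w+)")


def normalize_mac(mac):
    """Canonical form: lowercase, hyphen separated, e.g. 00-10-5c-ad-72-e3."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """Return {ip: (mac, type)} from `arp -a` style output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (normalize_mac(m.group(2)), m.group(3).lower())
    return table


def check_bindings(table, bindings):
    """Report ARP entries that disagree with the static bindings, and any MAC
    that claims more than one IP address (a sign of a spoofed address)."""
    findings = []
    for ip, (mac, _) in table.items():
        expected = bindings.get(ip)
        if expected and normalize_mac(expected) != mac:
            findings.append(("mismatch", ip, mac, normalize_mac(expected)))
    by_mac = {}
    for ip, (mac, _) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, sorted(ips)))
    return findings
```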

Attack methods

ARP spoofing techniques are already mature and are not described again here. The focus here is the technical principle of sniffing and session hijacking without ARP spoofing; the actual attack method is based on the principle of MAC spoofing, that is, obtaining some customer data from nearby shared resources and built-in resources that carry "BK", which amounts to commercial espionage, except that it is more covert and better hidden. Ordinary IDs and addresses may be left unencrypted.

Principle: before starting, a brief look at how a switch forwards frames. When a switch port receives a frame, it first looks up the port that the frame's destination MAC address maps to in the MAC address table (CAM). If the destination port is not the same as the source port, the frame is sent out of the destination port and, at the same time, the table entry mapping the source port to the source MAC is updated; if the destination port is the same as the source port, the frame is discarded.

English material

In computer networking a Media Access Control address (MAC address) or Ethernet Hardware Address (EHA) or hardware address or adapter address is a quasi-unique identifier attached to most network adapters (NIC or Network Interface Card). It is a number that serves as an identifier for a particular network adapter.

Thus network cards (or built-in network adapters) in two different computers will have different MAC addresses, as would an Ethernet adapter and a wireless adapter in the same computer, and as would multiple network cards in a router. However, it is possible to change the MAC address on most of today's hardware, which is often referred to as MAC spoofing.

Most layer 2 network protocols use one of three numbering spaces managed by the Institute of Electrical and Electronics Engineers (IEEE): MAC-48, EUI-48, and EUI-64, which are designed to be globally unique. Not all communications protocols use MAC addresses, and not all protocols require globally unique identifiers. The IEEE claims trademarks on the names "EUI-48" and "EUI-64" ("EUI" stands for Extended Unique Identifier).

MAC addresses, unlike IP addresses and IPX addresses, are not divided into "host" and "network" portions. Therefore, a host cannot determine from the MAC address of another host whether that host is on the same layer 2 network segment as the sending host or a network segment bridged to that network segment.

ARP is commonly used to convert from addresses in a layer 3 protocol such as Internet Protocol (IP) to the layer 2 MAC address. On broadcast networks, such as Ethernet, the MAC address allows each host to be uniquely identified and allows frames to be marked for specific hosts. It thus forms the basis of most of the layer 2 networking upon which higher OSI Layer protocols are built to produce complex, functioning networks.


Notational conventions

The standard (IEEE 802) format for printing MAC-48 addresses in human-readable media is six groups of two hexadecimal digits, separated by hyphens (-) in transmission order, e.g. 01-23-45-67-89-ab. This form is also commonly used for EUI-64. Other conventions include six groups of two separated by colons (:), e.g. 01:23:45:67:89:ab; or three groups of four hexadecimal digits separated by dots (.), e.g. 0123.4567.89ab; again in transmission order.

Address details

The original IEEE 802 MAC address comes from the original Xerox Ethernet addressing scheme. This 48-bit address space contains potentially 2^48, or 281,474,976,710,656, possible MAC addresses.

All three numbering systems use the same format and differ only in the length of the identifier. Addresses can either be "universally administered addresses" or "locally administered addresses."

A universally administered address is uniquely assigned to a device by its manufacturer; these are sometimes called "burned-in addresses" (BIA). The first three octets (in transmission order) identify the organization that issued the identifier and are known as the Organizationally Unique Identifier (OUI).

The following three (MAC-48 and EUI-48) or five (EUI-64) octets are assigned by that organization in nearly any manner they please, subject to the constraint of uniqueness. The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100; EUI-64s are not expected to run out in the foreseeable future.

A locally administered address is assigned to a device by a network administrator, overriding the burned-in address. Locally administered addresses do not contain OUIs.

Universally administered and locally administered addresses are distinguished by setting the second least significant bit of the most significant byte of the address. If the bit is 0, the address is universally administered. If it is 1, the address is locally administered.

The bit is 0 in all OUIs. For example, suppose the most significant byte is 02h. In binary this is 00000010, and its second least significant bit is 1; therefore it is a locally administered address.

If the least significant bit of the most significant byte is set to a 0, the packet is meant to reach only one receiving NIC. This is called unicast. If the least significant bit of the most significant byte is set to a 1, the packet is meant to be sent only once but still reach several NICs. This is called multicast.

MAC-48 and EUI-48 addresses are usually shown in hexadecimal format, with each octet separated by a dash or colon. An example of a MAC-48 address would be "00-08-74-4C-7F-1D".

If you cross-reference the first three octets with IEEE's OUI assignments, you can see that this MAC address came from Dell Computer Corp. The last three octets represent the serial number assigned to the adapter by the manufacturer.

The following technologies use the MAC-48 identifier format: ATM (switched virtual connections only, as part of an NSAP address), Fibre Channel and Serial Attached SCSI (as part of a World Wide Name).

The distinction between EUI-48 and MAC-48 identifiers is purely semantic: MAC-48 is used for network hardware; EUI-48 is used to identify other devices and software. (Thus, by definition, an EUI-48 is not in fact a "MAC address", although it is syntactically indistinguishable from one and assigned from the same numbering space.)

The IEEE now considers the label MAC-48 to be an obsolete term which was previously used to refer to a specific type of EUI-48 identifier used to address hardware interfaces within existing 802-based networking applications and should not be used in the future. Instead, the term EUI-48 should be used for this purpose.

EUI-64 identifiers are used in:

IPv6 (as the low-order 64 bits of a unicast network address when temporary addresses are not being used)

ZigBee / 802.15.4 wireless personal-area networks.

The IEEE has built in several special address types to allow more than one Network Interface Card to be addressed at one time. Packets sent to the broadcast address, all one bits, are received by all stations on a local area network. In hexadecimal the broadcast address would be "FF:FF:FF:FF:FF:FF".

Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.

Functional addresses identify one or more Token Ring NICs that provide a particular service, defined in IEEE 802.5.

These are "group addresses", as opposed to "individual addresses"; the least significant bit of the first octet of a MAC address distinguishes individual addresses from group addresses. That bit is set to 0 in individual addresses and 1 in group addresses. Group addresses, like individual addresses, can be universally administered or locally administered.
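As an added example (not from this entry), the following Python code accepts the three printed notations described above and decodes the two flag bits of the first octet: the least significant bit (individual versus group address) and the second least significant bit (universally versus locally administered). The OUI is reported only for universally administered addresses, since locally administered ones do not contain an OUI.

```python
import re


def parse_mac(text):
    """Accept the IEEE 802 hyphen form (01-23-45-67-89-ab), the colon form and the
    dotted form (0123.4567.89ab); return the six octets in transmission order."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if len(digits) != 12 or re.search(r"[^0-9a-f]", digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes.fromhex(digits)


def describe_mac(text):
    """Decode the I/G and U/L bits of the first octet and report the OUI if present."""
    octets = parse_mac(text)
    first = octets[0]
    is_group = bool(first & 0x01)   # least significant bit: 0 individual, 1 group
    is_local = bool(first & 0x02)   # second least significant bit: 0 universal, 1 local
    return {
        "canonical": "-".join("%02x" % b for b in octets),
        "oui": None if is_local else "-".join("%02x" % b for b in octets[:3]),
        "group": is_group,
        "locally_administered": is_local,
        "broadcast": octets == b"\xff" * 6,
    }
```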

In addition, the EUI-64 numbering system encompasses both MAC-48 and EUI-48 identifiers by a simple translation mechanism. To convert a MAC-48 into an EUI-64, copy the OUI, append the two octets "FF-FF", and then copy the organization-specified part.

To convert an EUI-48 into an EUI-64, the same process is used, but the sequence inserted is "FF-FE". In both cases, the process can be trivially reversed when necessary. Organizations issuing EUI-64s are cautioned against issuing identifiers that could be confused with these forms. The IEEE policy is to discourage new uses of 48-bit identifiers in favor of the EUI-64 system.

IPv6, one of the most prominent standards that uses EUI-64, applies these rules inconsistently. Due to an error in the appendix to the specification of IPv6 addressing, it is standard practice to extend MAC-48 addresses (such as IEEE 802 MAC addresses) to EUI-64 using "FF-FE" rather than "FF-FF."
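As an added example (not from this entry), the following Python code performs the 48-bit to EUI-64 translations described above, with the FF-FF insertion for MAC-48, the FF-FE insertion for EUI-48, and the reverse mapping that only accepts those two marker sequences. The IPv6 interface-identifier function goes beyond the page: besides inserting FF-FE it inverts the universal/local bit as RFC 4291 specifies.

```python
def _octets(text, n):
    """Strip separators and return n octets from a hex address string."""
    digits = "".join(ch for ch in text.lower() if ch in "0123456789abcdef")
    if len(digits) != 2 * n:
        raise ValueError("expected %d octets: %r" % (n, text))
    return bytes.fromhex(digits)


def _fmt(octets):
    return "-".join("%02X" % b for b in octets)


def mac48_to_eui64(mac):
    """MAC-48 -> EUI-64: copy the OUI, append FF-FF, then the organization-assigned part."""
    o = _octets(mac, 6)
    return _fmt(o[:3] + b"\xff\xff" + o[3:])


def eui48_to_eui64(eui48):
    """EUI-48 -> EUI-64: same process, but the inserted sequence is FF-FE."""
    o = _octets(eui48, 6)
    return _fmt(o[:3] + b"\xff\xfe" + o[3:])


def eui64_to_48(eui64):
    """Reverse either mapping; only FF-FF or FF-FE in octets 4-5 marks a converted identifier."""
    o = _octets(eui64, 8)
    if o[3:5] not in (b"\xff\xff", b"\xff\xfe"):
        raise ValueError("not derived from a 48-bit identifier: %r" % eui64)
    return _fmt(o[:3] + o[5:])


def ipv6_interface_id(mac):
    """IPv6 'modified EUI-64' (RFC 4291, not stated on the page): insert FF-FE as for
    EUI-48, then invert the U/L bit (0x02) of the first octet; returned as four hextets."""
    o = bytearray(_octets(mac, 6))
    o[0] ^= 0x02
    eui = bytes(o[:3]) + b"\xff\xfe" + bytes(o[3:])
    return ":".join("%02x%02x" % (eui[i], eui[i + 1]) for i in range(0, 8, 2))
```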

Individual address block

An Individual Address Block comprises a 24-bit OUI managed by the IEEE Registration Authority, followed by 12 IEEE-provided bits (identifying the organization), and 12 bits for the owner to assign to individual devices. An IAB is ideal for organizations requiring fewer than 4097 unique 48-bit numbers (EUI-48).

Bit-reversed notation

The standard transmission order notation for MAC addresses, as seen in the output of the ifconfig command for example, is also called canonical format.

See also

NSAP address, another endpoint addressing scheme.

Cisco Hot Standby Router Protocol, or the standard alternative VRRP (Virtual Router Redundancy Protocol), which allows multiple routers to share one IP address and MAC address to provide router redundancy. The OpenBSD project has an open source alternative, the Common Address Redundancy Protocol (CARP).

FAQ

Introduction: this example uses IP over Ethernet to explain the relationship between IP multicast and Ethernet multicast, and the detailed process of Ethernet multicast.

What is IP multicast? Protocol layers often need to deal with groups, for discovery, notification, queries and so on. IP multicasts at layer 3 using multicast IP addresses: one multicast IP address can have many members, multicast packets are forwarded by IP-layer routers to the routers where the group members are located, and Ethernet's multicast function then delivers the packets to the NIC interfaces of the group members.

For example, OSPF uses Hello packets to discover OSPF neighbours on the LAN, and HSRP sends Hello multicast packets to inform the other HSRP routers of its state. A multicast router can send from one terminal to any connection point, becoming a shared resource; some otherwise hidden information parameters may then go unencrypted and be shared by downstream connection points, and since the computers passing this data keep no record of the transfer or browsing, there are advantages and drawbacks.

How does Ethernet multicast? Ethernet has a broadcast property: a packet sent by one node is flooded across the Ethernet, so every Ethernet NIC interface receives it. This sometimes causes floods of data and the sharing of junk resources, which makes carrying large amounts of "BK" more convenient and covert.

It is advisable to set up a blocking function or certain access permissions for your own IP, and to install a firewall-like "POB" that can filter external resources even when they are shareable.

After an interface receives a packet it does not immediately hand it to the node's CPU; it first compares MAC addresses. Only if the packet's destination MAC address matches the interface's own MAC address does it accept the packet and pass it to the computer; otherwise it discards the packet.

Besides its hardware MAC address (the unicast MAC), the NIC interface of a group member also has a multicast MAC address. When the interface receives a multicast packet, it compares the packet's destination MAC address (a multicast MAC) with its own multicast MAC address and accepts the packet if they match. In this way every member of the group on the local network receives the multicast packets sent to that group. But what is the relationship between the IP multicast address and the multicast MAC address of the Ethernet interface?

How are IP and Ethernet multicast addresses related? Many multicast MAC addresses are derived from IP multicast addresses.

For example, the OSPF IP multicast address 224.0.0.5 is converted to the corresponding multicast MAC address as follows:

Write the 32-bit IP address in binary: 11100000 00000000 00000000 00000101

Take the rightmost 23 bits and call them A: 0000000 00000000 00000101

Take the IEEE-defined multicast prefix 01:00:5e as B; B is 24 bits (binary 00000001 00000000 01011110).

Combine them into the multicast MAC address as follows:

Concatenate B, 0, A: B (24 bits) on the left, a single 0 bit in the middle, and A (23 bits) on the right, 48 bits in all. In binary: 00000001 00000000 01011110 00000000 00000000 00000101

In hexadecimal: 01:00:5e:00:00:05
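As an added example (not from this entry), the following Python code carries out the B + 0 + A construction above for any IPv4 multicast address, and also goes one step beyond the worked example: because only the low 23 bits of the IP address survive, the five dropped bits mean 32 different multicast groups share one Ethernet MAC, so the NIC's MAC filter alone cannot tell them apart and the IP layer must still check the destination address.

```python
import ipaddress

MCAST_PREFIX = 0x01005E  # the IEEE-defined 24-bit multicast prefix 01:00:5e ("B" above)


def ip_multicast_to_mac(ip):
    """Map an IPv4 multicast address to its Ethernet group MAC:
    01:00:5e, then one 0 bit, then the low-order 23 bits of the IP address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast address (224.0.0.0/4)" % ip)
    low23 = int(addr) & 0x7FFFFF              # "A": the rightmost 23 bits
    value = (MCAST_PREFIX << 24) | low23      # B (24 bits) + 0 bit + A (23 bits) = 48 bits
    return ":".join("%02x" % ((value >> shift) & 0xFF) for shift in range(40, -1, -8))


def ips_sharing_mac(ip):
    """Return the 32 IPv4 multicast addresses that map to the same MAC as `ip`:
    the top 4 bits are fixed (1110), the low 23 bits are kept, so bits 23..27 are free."""
    base = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | base)) for k in range(32)]
```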

Delivery

How do IP and Ethernet cooperate to deliver a packet? IP's task is to get the packet sent by the source computer forwarded, router by router, to the last-hop router; Ethernet then carries the packet from that router to the destination computer. This is done through the packet headers: the destination IP address in the IP header is set to the destination computer's IP address, and each router looks that address up in its routing table to forward the packet to the next hop.

Hop by hop, the packet finally reaches the router on the destination computer's network. The destination MAC address in the link header is set to the destination computer's MAC address. Ethernet floods the packet to every node on that segment, but only the destination computer accepts it; the other nodes do not.

How does a router forward packets? Routing protocols compute the forwarding paths and store them in the router's routing table. When a packet arrives at the router, the router extracts the destination computer's IP address from the header, looks it up in the routing table, finds the interface leading to the next hop, and forwards the packet out of that interface to reach the next hop. In short, routers forward on IP addresses.

How does Ethernet deliver the packet to the destination computer? Computers on an Ethernet are connected to it through network cards. One card can have several interfaces. Each NIC interface is configured with an IP address and has a fixed hardware address, also called the unicast MAC address.

Because Ethernet is broadcast in nature, when a packet is forwarded out of a router's Ethernet interface it is flooded to all interfaces on the Ethernet. When a NIC interface receives the packet it compares the packet's destination MAC address with its own unicast MAC address; if they match it accepts the packet, otherwise it discards it. Thus only the receiver's interface accepts the packet; all other interfaces discard it.

How are the packet headers built? Before a computer sends information it first encapsulates it with headers, combining header and data into a packet; data is sent in units of packets. The data (payload) is the information the computer wants to convey. The headers contain the control information needed by network devices and protocols, and correspond to the OSI layers. Common headers are link, IP and transport (layers 2, 3 and 4).
