MAC address

Media Access Control Address
A MAC address (Media Access Control Address), also called a LAN address, Ethernet address, hardware address or physical address, is the 48-bit adapter identifier (EUI-48) that identifies a network interface on a link [8]. In the OSI model the network layer (layer 3) works with IP addresses, while the data link layer (layer 2) works with MAC addresses [1]. A MAC address identifies one network card: a device with several network cards has a separate MAC address for each of them [2].
Chinese name: Media Access Control Address
Foreign name: Media Access Control Address
Alias: MAC address, hardware address
Role: Unique identification of network equipment
Features: Uniqueness
Field: Computer technology

Brief introduction
The MAC address is also called the physical address or hardware address. The network equipment manufacturer writes it into non-volatile memory on the network interface card (in practice an EEPROM or flash chip rather than a UV-erasable EPROM) when the card is produced [3]. This burned-in address is what the card reports by default; most operating systems nevertheless allow the active MAC address of an interface to be overridden in software, so "burned in" does not mean "cannot be changed". Both the IP address and the MAC address are represented in binary inside the computer: an IPv4 address is 32 bits long, a MAC address 48 bits [3].
A MAC address consists of 48 binary digits (6 bytes) and is usually written as 12 hexadecimal digits in the form XX-XX-XX-XX-XX-XX [8]. For example, 00-16-EA-AE-3C-40 is a MAC address: the first three bytes, 00-16-EA, are the identifier that the IEEE (Institute of Electrical and Electronics Engineers) assigns to the network hardware manufacturer, and the last three bytes, AE-3C-40, are the serial number the manufacturer gives to a particular product such as a network card. As long as the address is not changed, the combination is meant to be globally unique; the usual comparison is with the number on an identity card [3]. In practice duplicates do occur (cloned or counterfeit cards, virtual machines, administrators assigning addresses by hand), so uniqueness is a design goal rather than a guarantee.

Structure

Figure: MAC address composition
Every device on a network has a network identifier, the MAC address or network card address, which the network equipment manufacturer writes into the hardware during production. The MAC address is 48 bits (6 bytes) long and is usually shown as 12 hexadecimal digits with a colon between each pair, for example 08:00:20:0A:8C:6D. The first three bytes are the OUI (Organizationally Unique Identifier), a code assigned to each manufacturer by the IEEE registration authority to tell manufacturers apart; the last three bytes are assigned by the manufacturer [2].
Two bits of the first (most significant) byte carry flags. The second least significant bit of that byte is the U/L (Universal/Local) bit: 0 means a globally unique, manufacturer-assigned address, 1 means a locally administered address set by software or an administrator. Every OUI assigned by the IEEE has this bit clear.
The least significant bit of the first byte is the I/G (Individual/Group) bit: 0 means unicast, 1 means multicast [3]. Because the first byte is written as two hexadecimal digits, both flags can be read from its second digit: 00 is a globally unique unicast address, 01 a multicast address, 02 a locally administered unicast address.
There are three types of MAC address: unicast, broadcast and multicast. A unicast (physical) MAC address identifies a single Ethernet terminal. The broadcast MAC address is used to send data to every terminal device on the LAN; all of its bits are 1 (FF-FF-FF-FF-FF-FF). A multicast MAC address is used to send data to a group of terminal devices on the LAN; its I/G bit, the least significant bit of the first byte (the "8th bit" counting from the most significant bit), is 1 [8].
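The OUI split and the flag bits described above, as an added Python example that is not part of the original article. It accepts the hyphen, colon and Cisco dotted forms, classifies an address by its I/G and U/L bits, and also shows how a software-assigned (locally administered) address is formed. The sample addresses are constructed; the OUI 00:16:ea is the one quoted in the text.

```python
"""Parse and classify an EUI-48 MAC address.

Added example (not from the original article). All sample addresses are
constructed; the OUI 00:16:ea is the one quoted in the text.
"""
import re
import secrets
from dataclasses import dataclass

# A 48-bit address may be written 00-16-EA-AE-3C-40, 08:00:20:0a:8c:6d or 0016.eaae.3c40.
_ALLOWED = re.compile(r"[0-9A-Fa-f:\-.]+")


@dataclass(frozen=True)
class MacInfo:
    canonical: str                 # "xx:xx:xx:xx:xx:xx", lower case
    oui: str                       # first three octets (manufacturer part)
    is_multicast: bool             # I/G bit: least significant bit of the first octet
    is_locally_administered: bool  # U/L bit: second least significant bit of the first octet
    is_broadcast: bool             # ff:ff:ff:ff:ff:ff


def parse_mac(text: str) -> MacInfo:
    """Normalise any of the common textual forms and read the flag bits."""
    text = text.strip()
    if not _ALLOWED.fullmatch(text):
        raise ValueError(f"unexpected characters in MAC address: {text!r}")
    digits = re.sub(r"[:\-.]", "", text)
    if len(digits) != 12:
        raise ValueError(f"a MAC address has 12 hex digits, got {len(digits)}: {text!r}")
    octets = bytes.fromhex(digits)
    canonical = ":".join(f"{b:02x}" for b in octets)
    first = octets[0]
    return MacInfo(
        canonical=canonical,
        oui=canonical[:8],
        is_multicast=bool(first & 0x01),
        is_locally_administered=bool(first & 0x02),
        is_broadcast=octets == b"\xff" * 6,
    )


def describe(text: str) -> str:
    """Human-readable classification, e.g. for an asset inventory or a sniffer summary."""
    m = parse_mac(text)
    if m.is_broadcast:
        return f"{m.canonical}: broadcast"
    kind = "multicast" if m.is_multicast else "unicast"
    admin = "locally administered" if m.is_locally_administered else f"globally unique, OUI {m.oui}"
    return f"{m.canonical}: {kind}, {admin}"


def random_locally_administered_mac() -> str:
    """Build the kind of address an OS or hypervisor assigns in software:
    U/L bit set (locally administered), I/G bit clear (still a unicast address)."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] & 0xFC) | 0x02   # clear bit 0 (unicast), set bit 1 (local)
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    for sample in ("00-16-EA-AE-3C-40", "08:00:20:0A:8C:6D", "0016.eaae.3c40",
                   "01:00:5e:00:00:fb", "FF-FF-FF-FF-FF-FF", random_locally_administered_mac()):
        print(describe(sample))
```

Note that the broadcast address has both flag bits set, so it is reported as broadcast before the multicast and locally administered checks are consulted; a hypervisor-assigned address such as 02:42:ac:11:00:02 is reported as locally administered, which is the quickest way to spot software-assigned addresses in a capture.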

Working process
When a packet travels from its source through intermediate nodes (routers) to the destination, how does each node know where to send it next? The source does not address the frame to the final destination's MAC address. It looks up the destination IP address, determines the next hop (the destination itself if it is on the same link, otherwise the first router), and maps that next hop's IP address to a MAC address; the frame is sent to that MAC address. The first router repeats the process: it looks up the destination IP address again, finds the next router, maps its IP address to a MAC address and forwards the frame, and so on. At the last router the destination is on a directly connected link, so the router maps the destination's own IP address to its MAC address and delivers the frame to the target host. Throughout this process the destination IP address in the packet stays the same, while the source and destination MAC addresses in the frame header are rewritten at every hop [4].
The key step is mapping the IP address of the next hop to a MAC address. This is done by ARP, the Address Resolution Protocol: a host or router that needs the MAC address for an IP address on its link first checks its ARP cache, and if no entry is found it broadcasts an ARP request ("who has this IP address?"); the owner replies with its MAC address, which is cached for later packets. The switches along the link take no part in this mapping. A layer-2 switch forwards a frame by its destination MAC address, using a table it builds from the source MAC addresses it sees on each port, and floods frames whose destination it has not yet learned; resolving an IP address to a MAC address is done by the hosts and routers at each end of the link [4].
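The hop-by-hop delivery just described, traced in Python as an added example (not code from the original article). The topology, addresses and MAC values are constructed: host A on 10.0.1.0/24, host B on 10.0.2.0/24 and one router R1 between them. ARP is modelled as a lookup over the interfaces attached to the same link; a real host would broadcast the request and wait for the reply.

```python
"""Hop-by-hop delivery of one IP packet through a router.

Added example, not from the original article. Topology and addresses are
constructed:

    hostA 10.0.1.10 --- 10.0.1.0/24 --- R1 (10.0.1.1 / 10.0.2.1) --- 10.0.2.0/24 --- hostB 10.0.2.20
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    addr: ipaddress.IPv4Interface   # IP address with prefix, e.g. 10.0.1.10/24
    mac: str


@dataclass
class Node:
    name: str
    ifaces: List[Interface]
    gateway: Optional[str] = None                            # default next hop; None for the router
    arp_cache: Dict[str, str] = field(default_factory=dict)  # ip -> mac, filled by ARP


def _ifc(ip: str, mac: str) -> Interface:
    return Interface(ipaddress.ip_interface(ip), mac)


def build_topology() -> Dict[str, Node]:
    return {
        "A":  Node("A",  [_ifc("10.0.1.10/24", "02:00:00:00:00:0a")], gateway="10.0.1.1"),
        "R1": Node("R1", [_ifc("10.0.1.1/24",  "02:00:00:00:01:01"),
                          _ifc("10.0.2.1/24",  "02:00:00:00:02:01")]),
        "B":  Node("B",  [_ifc("10.0.2.20/24", "02:00:00:00:00:14")], gateway="10.0.2.1"),
    }


def pick_egress(node: Node, dst_ip: str) -> Tuple[Interface, str]:
    """Routing decision: on-link destination -> send to it directly, else to the default gateway."""
    dst = ipaddress.ip_address(dst_ip)
    for iface in node.ifaces:
        if dst in iface.addr.network:
            return iface, dst_ip
    if node.gateway is None:
        raise RuntimeError(f"{node.name}: no route to {dst_ip}")
    gw = ipaddress.ip_address(node.gateway)
    for iface in node.ifaces:
        if gw in iface.addr.network:
            return iface, node.gateway
    raise RuntimeError(f"{node.name}: gateway {node.gateway} is not on any attached link")


def arp_resolve(node: Node, egress: Interface, nodes: Dict[str, Node], ip: str) -> str:
    """ARP: answer from the cache, otherwise 'broadcast' on the egress link and cache the reply.
    The broadcast only reaches interfaces on the same network as the egress interface."""
    if ip not in node.arp_cache:
        for other in nodes.values():
            for iface in other.ifaces:
                if iface.addr.network == egress.addr.network and str(iface.addr.ip) == ip:
                    node.arp_cache[ip] = iface.mac
    if ip not in node.arp_cache:
        raise RuntimeError(f"{node.name}: ARP for {ip} got no reply")
    return node.arp_cache[ip]


def deliver(nodes: Dict[str, Node], src: str, dst_ip: str) -> List[Tuple[str, str, str, str]]:
    """Trace the frames hop by hop. Each entry: (sending node, src MAC, dst MAC, IP destination).
    The IP destination never changes; the MAC pair is rewritten at every hop."""
    mac_owner = {i.mac: n.name for n in nodes.values() for i in n.ifaces}
    trail = []
    current = nodes[src]
    while True:
        iface, next_hop = pick_egress(current, dst_ip)
        next_mac = arp_resolve(current, iface, nodes, next_hop)
        trail.append((current.name, iface.mac, next_mac, dst_ip))
        if next_hop == dst_ip:                 # frame reached the host that owns the IP address
            return trail
        current = nodes[mac_owner[next_mac]]   # the router whose MAC the frame was addressed to


if __name__ == "__main__":
    for hop in deliver(build_topology(), "A", "10.0.2.20"):
        print("node %-2s  src MAC %s  dst MAC %s  IP dst %s" % hop)
```

Running it prints two frames: A sends to R1's MAC on the first link, R1 sends to B's MAC on the second link, and the IP destination 10.0.2.20 is unchanged in both. A's ARP cache ends up holding only the gateway, never B, which is exactly what a real host's cache looks like for an off-link destination.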

Role
The MAC address is mainly used to identify and locate network equipment in network communication. When data is transmitted on the network, the sender places the MAC address of the target device in the header of the data frame, so that network devices can address and forward the frame by MAC address. This ensures that the data reaches the intended device instead of being broadcast to the whole network [8].
An IP address is logical: flexible, independent of the hardware and easy to remember. A MAC address is tied to the hardware to a degree; it is physically based and identifies a specific network node. Each kind of address has its own strengths, and which one is used depends on the situation [5].
Most Internet access works by grouping hosts into a LAN and connecting the LAN to the Internet through switches, routers and similar devices. This raises the problem of how to tell individual users apart and prevent IP address theft. Because an IP address is only a logical identifier that anyone can change, it cannot by itself identify a user. The MAC address is stored in the network card, so in principle it can only be "stolen" together with the hardware, and LANs therefore commonly identify specific users by MAC address [6]. This assumption deserves caution: any user with administrative rights on a host can set the active MAC address of an interface in software, so MAC-based identification deters casual misuse but is not a strong authentication mechanism and should not be relied on as a security control by itself.
During communication the relationship between IP addresses and MAC addresses is kept in tables on the devices: a host's or router's ARP table maps IP addresses to MAC addresses, and a switch's MAC address table maps MAC addresses to the port on which they were learned. When a packet is sent to a host on the LAN, the sender (or the last router) resolves the destination IP address to a MAC address, the switch receives the frame and forwards it on the port recorded for that MAC address, and the frame reaches the intended host. A host that simply takes over someone else's IP address does not receive that traffic as long as the existing IP-to-MAC mapping still points at the legitimate host's MAC address; sending works the same way [5]. An attacker who also answers ARP requests for the stolen address can change that mapping, which is the reason for the static bindings described later in this section.
So whether the communicating computers are on a LAN or a WAN, what finally happens is that, starting from an initial node on some form of link, the data packet is passed from one node to the next until it reaches the destination node, and ARP (Address Resolution Protocol) supplies the IP-to-MAC mapping needed at each of those hops [5].
An identity card proves a person's identity. It rarely matters in daily life, but at certain critical moments it is the only thing that can vouch for who someone is. Binding an IP address to a MAC address is like the relationship between a person and their identity card: the IP address can be anything, but the bound MAC address is what vouches for it. For example, to prevent IP address theft, port binding on the switch (a static entry in the port's MAC table) stops a host from changing its MAC address to impersonate another when only one host is connected to each switch port. A layer-3 device can additionally bind switch port, IP address and MAC address together [6].

Characteristics
  • Uniqueness: the MAC address of each network device is intended to be globally unique. The IEEE (Institute of Electrical and Electronics Engineers) assigns the manufacturer part (the OUI) and each manufacturer assigns the remaining bytes, so that each device can be identified and located accurately on the network.
  • Fixity: the MAC address is written into the device's non-volatile memory at the factory and does not change when the device is moved. This describes the burned-in address: the address an interface actually uses can be overridden in software on most operating systems, which matters for any control that trusts the MAC address (see MAC spoofing below).
  • LAN scope: MAC addresses are used for communication between devices on the same local network. The sender puts the target device's MAC address in the header of the data frame. On a shared medium, or when a switch has not yet learned the destination, the frame reaches every device on the LAN; each network card compares the destination MAC address in the header with its own and accepts the frame only if they match (a card in promiscuous mode skips this check, which is what packet sniffers rely on). A switch that has learned the destination forwards the frame only on the matching port.
  • Length of 48 bits: a MAC address consists of 48 binary digits, usually written as 12 hexadecimal digits. This gives enough space to identify every device on a network uniquely.
  • Data link layer identification: MAC addresses are interpreted at the data link layer (layer 2), not at the physical, network or transport layer. They are examined and rewritten as frames are transmitted hop by hop and are not visible to end-to-end protocols.

How to find the MAC address
Enter the command ipconfig /all at the Windows command prompt and press Enter. Network information for the current computer is displayed; the line labelled "Physical Address" is the MAC address of a network card. If several network cards are installed, several "Physical Address" lines appear, one per adapter [4]. On Linux the equivalent is ip link (or the older ifconfig), and on macOS ifconfig; in each case the address shown is the one the interface is currently using, which is the burned-in address unless it has been overridden.

Differences from the IP address
IP addresses and MAC addresses have one thing in common: both are meant to be unique within their scope. They differ mainly as follows:
1. For a device on the network, such as a computer or a router, the IP address is assigned according to the network topology. On the same device it is easy to change the IP address (as long as it stays unique), while the MAC address is recorded by the manufacturer and is normally left unchanged. A host can be given whatever IP address is needed: a computer on a LAN can be assigned 192.168.0.112 and later changed to 192.168.0.200. The MAC address of a network device such as a network card or router, once manufactured, is not changed by the usual local-connection configuration. If a computer's network card fails and is replaced, the computer's MAC address changes with it [4].
2. Different lengths: an IPv4 address is 32 bits, a MAC address is 48 bits [4].
3. Different basis of allocation: IP addresses are allocated according to network topology, MAC addresses according to the manufacturer [7].
4. Different protocol layers: IP addresses are used at OSI layer 3, the network layer, and MAC addresses at OSI layer 2, the data link layer. A data link layer protocol moves data from one node to another on the same link (by MAC address); a network layer protocol moves data from one network to another (ARP finds the MAC address of the next intermediate node from the destination IP address, and the packet is passed through the intermediate nodes until it reaches the destination network) [1].

MAC attacks
(1) MAC flooding attack
  • Definition: the attacker keeps sending frames into the LAN with a large number of different, previously unseen source MAC addresses, and the switch learns each of them on the attacker's port. A switch's MAC address table has a finite capacity; once it is full, no further addresses can be learned. Frames from legitimate LAN users arriving afterwards have no matching table entry, so the switch floods them out of every port (a large volume of normal business traffic is flooded, which can overload the switch, and the attacker receives a copy of it and can eavesdrop).
  • Impact: reduced data confidentiality, traffic eavesdropped and stolen; device overload and network outage; a traffic storm that consumes bandwidth and device resources.
  • Defense: disable dynamic MAC learning on the port and use static MAC address table entries instead (learning is on by default), limit the number of MAC addresses a port may learn, and enable port security.
(2) MAC spoofing attack
  • Definition: the attacker sends frames to the switch using the source MAC address of a host that already exists on the network. The switch's table entry for that MAC address moves to the attacker's port and no longer matches the real host, so the switch wrongly forwards frames meant for the real host to the attacker.
  • Impact: MAC address drift (a MAC address learned on one interface is then seen on another interface in the same VLAN), with traffic for the victim delivered to the attacker.
  • Defense: MAC spoofing defend (trusted ports), MAC address flapping prevention (interface learning priorities), and port security.
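Both attacks and the defenses listed for them (a per-port learning limit against flooding, a trusted port against spoofing), played out on a learning-switch model in Python as an added example that is not part of the original article. The switch model, the tiny table size and the port and MAC values are constructed; real tables hold thousands of entries, which is why flooding tools send bogus frames at a very high rate.

```python
"""A minimal learning switch, used to play out MAC flooding and MAC spoofing
and the defenses the text lists. Added example (not from the original article).
Ports, addresses and the tiny table size are constructed for illustration.
"""
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
ALICE, BOB = "02:00:00:00:00:01", "02:00:00:00:00:02"


class Switch:
    def __init__(self, ports: List[str], table_size: int):
        self.ports = list(ports)
        self.table_size = table_size          # capacity of the MAC address table
        self.table: Dict[str, str] = {}       # learned MAC -> port
        self.port_limit: Dict[str, int] = {}  # port security: max MACs a port may learn
        self.trusted: Set[str] = set()        # MAC spoofing defend: entries on these ports never move
        self.log: List[str] = []

    def learn(self, mac: str, port: str) -> None:
        """Source-address learning, with the defenses applied before the table is touched."""
        owner = self.table.get(mac)
        if owner == port:
            return
        if owner is not None:                 # address seen before on another port: drift
            if owner in self.trusted:
                self.log.append(f"drift of {mac} to {port} blocked, {owner} is trusted")
            else:
                self.log.append(f"drift: {mac} moved {owner} -> {port}")
                self.table[mac] = port
            return
        limit = self.port_limit.get(port)
        learned_on_port = sum(1 for p in self.table.values() if p == port)
        if limit is not None and learned_on_port >= limit:
            self.log.append(f"port security: {port} may not learn {mac}")
            return
        if len(self.table) >= self.table_size:
            self.log.append(f"table full: {mac} not learned")
            return
        self.table[mac] = port

    def forward(self, ingress: str, src: str, dst: str) -> Set[str]:
        """Egress ports for one frame: learn the source, look up the destination,
        flood (every port except the ingress) when the destination is unknown or broadcast."""
        self.learn(src, ingress)
        if dst != BROADCAST and dst in self.table:
            return {self.table[dst]}
        return set(self.ports) - {ingress}


def flooding_scenario(port_security: bool) -> Set[str]:
    """Attacker on p3 fills the table; which ports does Alice's frame to Bob reach?"""
    sw = Switch(["p1", "p2", "p3"], table_size=4)
    if port_security:
        sw.port_limit["p3"] = 1               # one station per access port
    for i in range(10):                       # ten bogus, never-seen source addresses
        sw.forward("p3", f"02:ba:d0:00:00:{i:02x}", BROADCAST)
    sw.forward("p2", BOB, ALICE)              # Bob talks; can his address still be learned?
    return sw.forward("p1", ALICE, BOB)       # {'p2'} if yes, flooded to p3 as well if not


def spoofing_scenario(trusted_port: bool) -> Set[str]:
    """Attacker on p3 sends with Alice's source MAC; where does Bob's reply to Alice go?"""
    sw = Switch(["p1", "p2", "p3"], table_size=8)
    if trusted_port:
        sw.trusted.add("p1")                  # Alice's port configured as trusted
    sw.forward("p1", ALICE, BOB)
    sw.forward("p2", BOB, ALICE)
    sw.forward("p3", ALICE, BOB)              # the spoofed frame
    return sw.forward("p2", BOB, ALICE)


if __name__ == "__main__":
    for name, fn in (("flooding", flooding_scenario), ("spoofing", spoofing_scenario)):
        print(name, "undefended ->", sorted(fn(False)), "| defended ->", sorted(fn(True)))
```

Undefended, Alice's frame to Bob is flooded to p2 and the attacker's p3, and Bob's reply to Alice is delivered only to p3; with the port limit and the trusted port in place the frames go to p2 and p1 respectively. The log records each blocked event, which is the kind of counter a switch exposes for alerting on these attacks.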

MAC security
(1) MAC spoofing defend
An interface is configured as a trusted port to prevent MAC address drift. Once an interface is a trusted port, a MAC address learned on it will not be learned on any other interface. By default all interfaces are untrusted. (The commands below are in the style of Huawei VRP switches; other vendors implement the same ideas under names such as port security and sticky MAC.)
  • Related configuration:
1. mac-spoofing-defend enable in the system view enables the function globally
2. mac-spoofing-defend enable in the interface view configures that interface as a trusted port
  • Note: if the device connected to a trusted interface is replaced, other interfaces cannot learn the new device's MAC address.
(2) MAC address flapping prevention
Interfaces are given learning priorities so that addresses cannot drift. There are two rules: first, for the same MAC address, an entry learned on a higher-priority interface overwrites one learned on a lower-priority interface; second, when the priorities are equal, an entry learned later does not overwrite one learned earlier (by default it would).
  • Related configuration:
1. mac-learning priority 1 sets the priority of the interface (default 0; a larger value is a higher priority)
2. mac-learning priority flapping-defend action discard sets the action for frames whose source MAC address is not allowed to drift to discard
3. undo mac-learning priority 2 allow-flapping forbids drift between interfaces that share priority 2
  • Note: when drift is forbidden the offending frames can be either dropped or forwarded; the default is to forward them.
(3) Disabling or limiting MAC address learning
1. mac-address learning disable turns off learning on the interface
2. mac-limit maximum 10 limits the number of MAC addresses the interface may learn