ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ARPOP_REQUEST with spoofed IP address (joe, turn it off!)

2002-07-20 01:29:56
from [Lars Eggert] [Permanent Link] 
Jun-ichiro itojun Hagino wrote:

        I looked through RFC826 and it seems that the operation performed by
        Lars was a Bad Thing.  RFC826 input processing explicitly suggests us
        to update ARP cache entry without checking arp operation type.

        therefore, it is unsafe to transmit ARP_REQUEST with spoofed IP
        source address - it will overwrite ARP entries of neighbors.


I re-read it, too, and you are of course right.
It's sad though how easy a DoS attack can be - as easy as mistyping the IP address of your machine.
It might be worthwhile to investigate if 826 should be updated. Someone at IETF mentioned that Linux explicitly violates 826 and does not update the local cache based on the contents of spoofed packets, and thus seems more resilient than the BSDs (against this particular bug). 

Lars
--
Lars Eggert <larse(_at_)isi(_dot_)edu>           USC Information Sciences 
Institute

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Jabber BOF afterthoughts, Carl Malamud
Next by Date:  Re: Jabber BOF afterthoughts, Pete Resnick
Previous by Thread:  Re: ARPOP_REQUEST with spoofed IP address (joe, turn it off!), Matt Crawford
Next by Thread:  Re: ARPOP_REQUEST with spoofed IP address (joe, turn it off!), C. M. Heard
Indexes:  [Date] [Thread] [Top] [All Lists]