On Sat, 20 Jul 2002, Lars Eggert wrote:
Jun-ichiro itojun Hagino wrote:
I looked through RFC826 and it seems that the operation performed by
Lars was a Bad Thing. RFC826 input processing explicitly suggests us
to update ARP cache entry without checking arp operation type.
therefore, it is unsafe to transmit ARP_REQUEST with spoofed IP
source address - it will overwrite ARP entries of neighbors.
I re-read it, too, and you are of course right.
It's sad though how easy a DoS attack can be - as easy as mistyping the
IP address of your machine.
It might be worthwhile to investigate if 826 should be updated. Someone
at IETF mentioned that Linux explicitly violates 826 and does not update
the local cache based on the contents of spoofed packets, and thus seems
more resilient than the BSDs (against this particular bug).
How does one tell, in principle, that the source IP address (ar$spa) in
an ARP packet is in fact spoofed?
//cmh