
Re: ARPOP_REQUEST with spoofed IP address (joe, turn it off!)

2002-07-23 07:24:01
From: Lars Eggert <larse(_at_)ISI(_dot_)EDU>

How does one tell, in principle, that the source IP address (ar$spa) in
an ARP packet is in fact spoofed?

Not without cryptographic authentication, in general.

But for this particular issue, not updating the local cache based on 
snooped ARP exchanges (i.e. what Linux does) may make sense. Also, under 
this particular misconfiguration, there'll very likely be two ARP 
responses for a lookup of the IP address in question, so maybe that could be
used as an indicator that there's a problem.

If you ignore gratuitous ARP, then what happens when a station goes down
and then comes back up with a different MAC address?  That happens when
the station is given new hardware or in some fail-over schemes.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
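
The duplicate-response indicator raised in this message, sketched as an added example (not part of the original message and not any poster's code): it parses Ethernet/IPv4 ARP bodies and flags an IP address claimed by two different MAC addresses within a short window, while reporting a MAC change after a long silence separately, since that can be new hardware or a fail-over. The class name, the 2-second window and the sample packets are assumptions constructed for illustration; a conflict only indicates a problem and does not prove that ar$spa was spoofed.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body, 28 bytes (RFC 826)

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip) for an Ethernet/IPv4 ARP body, else None."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack_from(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), socket.inet_ntoa(spa)

class ArpConflictMonitor:
    """Hypothetical monitor: tracks which MAC last claimed each sender IP."""
    def __init__(self, window=2.0):
        self.window = window  # assumed threshold (seconds) for "answers to the same lookup"
        self.last = {}        # sender IP -> (mac, time last seen)

    def observe(self, ts, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return "ignored"
        _oper, mac, ip = parsed
        prev = self.last.get(ip)
        self.last[ip] = (mac, ts)
        if prev is None or prev[0] == mac:
            return "ok"
        if ts - prev[1] <= self.window:
            return "conflict"  # two stations claiming one IP at nearly the same time
        return "changed"       # new MAC after a long gap: replacement hardware or fail-over

def build_arp(oper, sha, spa, tha="00:00:00:00:00:00", tpa="192.0.2.1"):
    """Build a constructed ARP body for the sample below (not captured traffic)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac(sha), socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def run_sample():
    mon = ArpConflictMonitor(window=2.0)
    events = [  # constructed (timestamp, ARP body) pairs
        (0.0, build_arp(2, "02:00:00:00:00:0a", "192.0.2.10")),    # first reply
        (0.1, build_arp(2, "02:00:00:00:00:0b", "192.0.2.10")),    # second reply, other MAC
        (0.2, build_arp(2, "02:00:00:00:00:0c", "192.0.2.20")),    # unrelated host
        (900.0, build_arp(1, "02:00:00:00:00:0d", "192.0.2.20", tpa="192.0.2.20")),  # gratuitous ARP after downtime
    ]
    return [mon.observe(ts, body) for ts, body in events]
```
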