Gary E. Miller wrote:
Yo Joe!
On Mon, 23 Sep 2002, Joe Touch wrote:
root has no problem seeing adjacent UDP even on a switch. Just
overflow the arp cache or poison it.
That all presumes the switch doesn't detect this as an attack and
shutdown that link, which is an entirely reasonable reaction.
resonable yes, practical, no.
The only way I know to prevent this is to hard code the MACs on the
switch. This is time consuming to install and to maintain.
It's sufficient to have the switch detect high rates of change, or large
numbers of MAC addresses as an attack. That's practical enough.
Barring that, please name ONE switch, or cite ONE credible reference
source, where arpspoofing is prevented at the switch by any means short
of harcoding the MACs.
Practical != economical. Further, there are MACs which are hardcoded
(i.e. to prevent overwrite of MAC addresses).
What I said was that it was EASY to get at multicast, not that it wasn't
impossible to get at unicast.
Joe