ietf

Re: MBone

2002-09-24 08:06:58
Matt Crawford wrote:
Barring that, please name ONE switch, or cite ONE credible reference
source, where arpspoofing is prevented at the switch by any means short
of hardcoding the MACs.

Never mind, even hard-coding the MACs to the right ports doesn't
solve the problem.  Eve on port X can keep up a steady stream of ARP
replies to Alice on port Y and Bob on port Z, telling each that the
MAC address corresponding to their intended peer is that of Eve's
machine.  It works even if Alice and Bob are both on port Y.

Now Eve has to guess 32 bits, which is de-facto harder than guessing a
multicast address of 28 bits.

Further, again, this assumes the switch complies. Some switches at ISPs
reject ARP traffic from the port altogether, generating it internally
instead.

Joe
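Detection-side illustration of the attack Matt describes, added here and not part of the thread: a watcher that records the first MAC seen claiming each IP in ARP replies and flags any later reply that rebinds that IP, which is exactly what Eve's steady stream of replies to Alice and Bob does. The frame builder, names and addresses are constructed for this example.

```python
import struct

ETH_ARP, ARP_REPLY = 0x0806, 2          # EtherType for ARP; ARP opcode for replies
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet/ARP reply frame used as test input (not a live capture)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)      # Ethernet/IPv4, 6/4-byte addresses
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    fields = struct.unpack("!HHBBH", frame[14:22])
    if fields[:4] != (1, 0x0800, 6, 4):
        return None
    return fields[4], mac_str(frame[22:28]), ip_str(frame[28:32]), ip_str(frame[38:42])

class ArpWatcher:
    """Remember the first MAC seen claiming each IP in ARP replies; flag later rebinding."""
    def __init__(self):
        self.bindings = {}   # sender IP -> MAC that first claimed it
        self.alerts = []
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None      # requests and non-ARP frames are ignored by this watcher
        _, mac, ip, target_ip = parsed
        known = self.bindings.setdefault(ip, mac)
        if known == mac:
            return None
        alert = f"{ip} now claimed by {mac} (first seen {known}), sent to {target_ip}"
        self.alerts.append(alert)
        return alert

def demo():
    # Constructed scenario from the thread: Eve tells Alice that Bob's IP is at
    # Eve's MAC, and tells Bob the same about Alice's IP.
    alice, bob, eve = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "ee:ee:ee:ee:ee:03"
    w = ArpWatcher()
    w.observe(build_arp_reply(alice, "10.0.0.2", bob, "10.0.0.3"))   # genuine
    w.observe(build_arp_reply(bob, "10.0.0.3", alice, "10.0.0.2"))   # genuine
    w.observe(build_arp_reply(eve, "10.0.0.3", alice, "10.0.0.2"))   # Eve -> Alice
    w.observe(build_arp_reply(eve, "10.0.0.2", bob, "10.0.0.3"))     # Eve -> Bob
    return w.alerts
```

A legitimate readdressing (a DHCP lease moving to another host) also rebinds an IP and will raise the same alert, so this is a signal to correlate with the switch's port/MAC table, not a verdict on its own.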