Jun-ichiro itojun Hagino wrote: > I looked through RFC826 and it seems that the operation performed by > Lars was a Bad Thing. RFC826 input processing explicitly suggests us > to update ARP cache entry without checking arp operation type. > > therefore, it is unsafe to transmit ARP_REQUEST with spoofed IP > source address - it will overwrite ARP entries of neighbors. I re-read it, too, and you are of course right. It's sad though how easy a DoS attack can be - as easy as mistyping the IP address of your machine. It might be worthwhile to investigate if 826 should be updated. Someone at IETF mentioned that Linux explicitly violates 826 and does not update the local cache based on the contents of spoofed packets, and thus seems more resilient than the BSDs (against this particular bug). Lars -- Lars Eggert <larse@isi.edu> USC Information Sciences Institute
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature