C. M. Heard wrote: > How does one tell, in principle, that the source IP address (ar$spa) in > an ARP packet is in fact spoofed? Not without cryptographic authentication, in general. But for this particular issue, not updating the local cache based on snooped ARP exchanges (i.e. what Linux does) may make sense. Also, under this particular misconfiguration, there'll very likely be two ARP responses for a lookup of the IP address in question, so maybe could be used as an indicator that there's a problem. Lars -- Lars Eggert <larse@isi.edu> USC Information Sciences Institute
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature