> From: Lars Eggert <larse@ISI.EDU>

> > How does one tell, in principle, that the source IP address (ar$spa) in
> > an ARP packet is in fact spoofed?
>
> Not without cryptographic authentication, in general.
>
> But for this particular issue, not updating the local cache based on
> snooped ARP exchanges (i.e. what Linux does) may make sense. Also, under
> this particular misconfiguration, there'll very likely be two ARP
> responses for a lookup of the IP address in question, so maybe could be
> used as an indicator that there's a problem.

If you ignore gratuitous ARP, then what happens when a station goes down
and then comes back up with a different MAC address? That happens when
the station is given new hardware or in some fail-over schemes.


Vernon Schryver    vjs@rhyolite.com
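
An added example, not part of the thread and not code from either poster: a passive monitor that combines the two observations above, reporting two hardware addresses claiming one ar$spa within a short window as a conflict, and a new address after a quiet period as a station that moved. The 2-second window, the names `ArpWatch`, `parse_arp`, `make_arp` and `demo`, and the sample packets are assumptions; the result is a heuristic, not authentication.

```python
import socket
import struct

CONFLICT_WINDOW = 2.0  # seconds; assumed threshold, not from the thread

def parse_arp(payload):
    """Return (op, sha, spa) from an Ethernet/IPv4 ARP payload (RFC 826)."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", payload[:8])
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, payload[8:14].hex(":"), socket.inet_ntoa(payload[14:18])

class ArpWatch:
    """Passive monitor: flags changes, does not decide cache policy."""
    def __init__(self, window=CONFLICT_WINDOW):
        self.window = window
        self.last = {}  # ar$spa -> (ar$sha, time of last claim)

    def observe(self, ts, payload):
        _, sha, spa = parse_arp(payload)
        prev = self.last.get(spa)
        self.last[spa] = (sha, ts)
        if prev is None or prev[0] == sha:
            return "ok"
        if ts - prev[1] <= self.window:
            return "conflict"  # two stations answering for one IP
        return "moved"         # new MAC after the old one went quiet

def make_arp(op, sha, spa, tpa):
    """Build a constructed ARP payload for the demo below."""
    mac = bytes.fromhex(sha.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac +
            socket.inet_aton(spa) + b"\0" * 6 + socket.inet_aton(tpa))

def demo():
    # Constructed traffic: documentation IPs, locally administered MACs.
    w = ArpWatch()
    pkts = [
        (0.0, make_arp(2, "02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1")),
        (0.0, make_arp(2, "02:00:00:00:00:0c", "192.0.2.20", "192.0.2.1")),
        (0.3, make_arp(2, "02:00:00:00:00:0b", "192.0.2.10", "192.0.2.1")),
        # Gratuitous ARP (spa == tpa) from replacement hardware, 10 min later.
        (600.0, make_arp(1, "02:00:00:00:00:0d", "192.0.2.20", "192.0.2.20")),
    ]
    return [w.observe(ts, p) for ts, p in pkts]

if __name__ == "__main__":
    print(demo())
```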