Matt Crawford wrote:
>> Barring that, please name ONE switch, or cite ONE credible reference
>> source, where arpspoofing is prevented at the switch by any means short
>> of hardcoding the MACs.
>
> Never mind, even hard-coding the MACs to the right ports doesn't
> solve the problem. Eve on port X can keep up a steady stream of ARP
> replies to Alice on port Y and Bob on port Z, telling each that the
> MAC address corresponding to their intended peer is that of Eve's
> machine. It works even if Alice and Bob are both on port Y.

Now Eve has to guess 32 bits, which is de-facto harder than guessing a
multicast address of 28 bits. Further, again, this assumes the switch
complies. Some switches at ISPs reject ARP traffic from the port
altogether, generating it internally instead.

Joe
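As an added example (not from the thread or any of its posters), a passive ARP monitor in Python run over constructed frames: it learns IP-to-MAC bindings only from replies that answer a request it has seen, and flags both the unsolicited replies that make up Eve's steady stream and replies that conflict with an existing binding. All host names, MACs and addresses are constructed.

```python
import struct
ETH_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def build_arp(op, src_mac, src_ip, dst_mac, dst_ip):  # constructed sample frame
    return (dst_mac + src_mac + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
            + src_mac + bytes(src_ip) + dst_mac + bytes(dst_ip))

def parse_arp(frame):
    """ARP fields of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!HHHBB", frame[12:20]) != (ETH_ARP, 1, 0x0800, 6, 4):
        return None
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": struct.unpack("!H", frame[20:22])[0], "sha": frame[22:28].hex(":"),
            "spa": ip(frame[28:32]), "tha": frame[32:38].hex(":"), "tpa": ip(frame[38:42])}

class ArpWatcher:  # passive monitor: learn only from solicited replies, flag the rest
    def __init__(self):
        self.bindings = {}     # IP -> MAC, learned from solicited replies only
        self.pending = set()   # (requester IP, queried IP) awaiting a reply
        self.alerts = []

    def observe(self, frame):
        if (a := parse_arp(frame)) is None:
            return None
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
            return "request"
        key = (a["tpa"], a["spa"])          # who asked, and which IP is being answered
        solicited = key in self.pending
        self.pending.discard(key)
        known = self.bindings.get(a["spa"])
        if known is not None and known != a["sha"]:
            self.alerts.append(f"conflict: {a['spa']} is {known}, reply from {a['sha']} to {a['tpa']}")
            return "conflict"
        if not solicited:                   # a reply nobody asked for, as in Eve's stream
            self.alerts.append(f"unsolicited: {a['sha']} claims {a['spa']} to {a['tpa']}")
            return "unsolicited"
        self.bindings.setdefault(a["spa"], a["sha"])
        return "ok"

def demo():
    """Constructed scenario from the thread: Alice asks for Bob, Bob answers, then Eve poisons both."""
    alice, bob, eve = [(bytes.fromhex(m), (10, 0, 0, i)) for i, m in
                       enumerate(["02aa000000a1", "02bb000000b2", "02ee000000e3"], 1)]
    w, bcast = ArpWatcher(), b"\xff" * 6
    frames = [build_arp(ARP_REQUEST, alice[0], alice[1], bcast, bob[1]),  # Alice: who has Bob?
              build_arp(ARP_REPLY, bob[0], bob[1], alice[0], alice[1]),   # Bob: I do
              build_arp(ARP_REPLY, eve[0], bob[1], alice[0], alice[1]),   # Eve to Alice: "Bob is me"
              build_arp(ARP_REPLY, eve[0], alice[1], bob[0], bob[1])]     # Eve to Bob: "Alice is me"
    return [w.observe(f) for f in frames], w.alerts
```

The same check can be fed from a live capture by handing each Ethernet frame to `observe`; the first binding seen for an IP wins, so seed `bindings` from a trusted source such as DHCP leases where one is available.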