Re: MBone


 



Gary E. Miller wrote:
> Yo Joe!
>
> On Mon, 23 Sep 2002, Joe Touch wrote:
>
>
>>>root has no problem seeing adjacent UDP even on a switch.  Just
>>>overflow the arp cache or poison it.
>>
>>That all presumes the switch doesn't detect this as an attack and
>>shut down that link, which is an entirely reasonable reaction.
>
> reasonable yes, practical, no.
>
> The only way I know to prevent this is to hard code the MACs on the
> switch.  This is time consuming to install and to maintain.

It's sufficient to have the switch detect high rates of change, or large
numbers of MAC addresses as an attack. That's practical enough.

> Barring that, please name ONE switch, or cite ONE credible reference
> source, where arpspoofing is prevented at the switch by any means short
> of hardcoding the MACs.

Practical != economical. Further, there are MACs which are hardcoded
(i.e. to prevent overwrite of MAC addresses).

What I said was that it was EASY to get at multicast, not that it wasn't
impossible to get at unicast.

Joe
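
Added example, not part of the original message or of any switch vendor's code: a sketch of the heuristic described above, flagging a port when it learns new source MACs too fast or accumulates too many. The event format, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def flag_ports(events, max_macs=8, max_new=5, window=1.0):
    """events: time-ordered (timestamp_seconds, port, src_mac) tuples.
    Returns {port: reason} for ports that trip either limit.
    max_macs, max_new and window are illustrative values, not vendor defaults."""
    known = defaultdict(set)      # port -> source MACs learned so far
    recent = defaultdict(deque)   # port -> timestamps of recent new-MAC learns
    flagged = {}
    for ts, port, mac in events:
        if port in flagged:
            continue              # models the link having been shut down
        if mac in known[port]:
            continue              # already learned: not a change
        known[port].add(mac)
        learns = recent[port]
        learns.append(ts)
        while learns and ts - learns[0] > window:
            learns.popleft()      # drop learns that fell out of the window
        if len(learns) > max_new:
            flagged[port] = "rate"    # high rate of change
        elif len(known[port]) > max_macs:
            flagged[port] = "count"   # large number of MAC addresses
    return flagged

def sample_events():
    """Constructed sample traffic (locally administered MACs)."""
    ev = []
    # Port 1: one host sending steadily from a single MAC.
    ev += [(t * 0.5, 1, "02:00:00:00:01:01") for t in range(20)]
    # Port 2: 20 distinct source MACs within 0.2 s.
    ev += [(3.0 + i * 0.01, 2, f"02:00:00:00:02:{i:02x}") for i in range(20)]
    # Port 3: 10 distinct MACs learned slowly, one every 10 s.
    ev += [(i * 10.0, 3, f"02:00:00:00:03:{i:02x}") for i in range(10)]
    # Port 4: three hosts behind a small hub.
    ev += [(i * 5.0, 4, f"02:00:00:00:04:{i:02x}") for i in range(3)]
    return sorted(ev)

if __name__ == "__main__":
    print(flag_ports(sample_events()))
```

Port 3 in the sample shows the cost of the count limit: a legitimate downstream hub or uplink with many hosts trips it too, so the threshold has to be set per port role.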



