Date: Mon, 23 Sep 2002 17:58:21 -0500
From: Matt Crawford <crawdad@fnal.gov>
Message-ID: <200209232258.g8NMwMC12109@gungnir.fnal.gov>

  | Eve on port X can keep up a steady stream of ARP
  | replies to Alice on port Y and Bob on port Z, telling each that the
  | MAC address corresponding to their intended peer is that of Eve's
  | machine. It works even if Alice and Bob are both on port Y.

But this one is visible at the end nodes, which makes it a stretch on
snooping...

All the end node needs to do is treat a gratuitous ARP reply as a hint to
send a new ARP request, instead of using it to replace the ARP cache
(don't most people do that these days?)

There's nothing Eve can do to prevent Alice from replying to Bob's ARP
query, so either Eve keeps quiet, and so doesn't get packets, or Eve also
replies, and Bob sees two different ARP replies - which is a sure sign of
something bogus happening (more like cannon fire announcing the charge,
than someone snooping on what is happening).

kre
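The end-node cache policy kre describes, worked through as an added example that is not code from the thread: a gratuitous reply never writes the cache and only triggers a fresh request, and two differing answers to that request are flagged as bogus and trusted by neither. The `ArpCache` class, the two scenario functions and the IP/MAC values are constructed for illustration and are not from the message.

```python
# Constructed example of an end-node ARP cache that follows the policy in
# kre's reply, instead of overwriting entries on gratuitous replies.
# Not code from the mailing-list thread; class, methods and addresses are
# assumptions made here for illustration.

ALICE_IP = "10.0.0.1"            # constructed addresses
ALICE_MAC = "aa:aa:aa:aa:aa:aa"
EVE_MAC = "ee:ee:ee:ee:ee:ee"


class ArpCache:
    """ARP cache of one end node (think of it as Bob's)."""

    def __init__(self):
        self.table = {}          # ip -> MAC this node currently trusts
        self.pending = {}        # ip -> first MAC answering an outstanding request (None = none yet)
        self.requests_sent = []  # ARP requests emitted; a real stack puts these on the wire
        self.alerts = []         # (ip, mac_seen_first, conflicting_mac)

    def send_request(self, ip):
        """Emit an ARP request for ip and open a verification window."""
        self.pending[ip] = None
        self.requests_sent.append(ip)

    def receive_reply(self, ip, mac):
        """Process one ARP reply 'ip is-at mac' and report what was done."""
        if ip not in self.pending:
            # Unsolicited (gratuitous) reply: only a hint to ask again.
            # The cache is untouched, so the reply by itself redirects nothing.
            self.send_request(ip)
            return "requery"
        first = self.pending[ip]
        if first is None:
            # First answer to a request this node actually sent: bind it.
            self.pending[ip] = mac
            self.table[ip] = mac
            return "bound"
        if first != mac:
            # A second, different answer to the same request: something bogus.
            self.alerts.append((ip, first, mac))
            self.table.pop(ip, None)   # trust neither answer
            return "conflict"
        return "duplicate"             # same answer repeated; harmless

    def close_window(self, ip):
        """End the verification window (a timer expiry in a real stack)."""
        self.pending.pop(ip, None)


def scenario_eve_replies():
    """Eve sends a gratuitous reply and also answers Bob's re-query."""
    bob = ArpCache()
    log = [bob.receive_reply(ALICE_IP, EVE_MAC)]      # gratuitous -> requery
    log.append(bob.receive_reply(ALICE_IP, ALICE_MAC))  # Alice answers -> bound
    log.append(bob.receive_reply(ALICE_IP, EVE_MAC))    # Eve answers too -> conflict
    bob.close_window(ALICE_IP)
    return log, dict(bob.table), list(bob.alerts)


def scenario_eve_quiet():
    """Eve sends the gratuitous reply but stays silent on the re-query."""
    bob = ArpCache()
    log = [bob.receive_reply(ALICE_IP, EVE_MAC)]      # gratuitous -> requery
    log.append(bob.receive_reply(ALICE_IP, ALICE_MAC))  # only Alice answers -> bound
    bob.close_window(ALICE_IP)
    return log, dict(bob.table), list(bob.alerts)


if __name__ == "__main__":
    for name, run in (("Eve replies", scenario_eve_replies),
                      ("Eve quiet", scenario_eve_quiet)):
        log, table, alerts = run()
        print(f"{name}: actions={log} cache={table} alerts={alerts}")
```

Whichever reply reaches Bob first after the re-query, the other one still arrives and produces the "conflict" action, so the outcome does not depend on Eve winning a race; in the quiet case the cache ends up holding Alice's real address and nothing is alerted.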