Hi, we've just stumbled over an interesting denial-of-service case at IETF. I was playing with a custom startup script to auto-configure local interfaces, part of which sent out an ARP request "borrowing" the IP address of the gateway as source address (e.g. "who-has X tell X").
It seems that most/all BSDs do ARP snooping, and will happily add the apparent "new" MAC address of the gateway to their ARP table, possibly flushing the existing one of the default gateway. This of course causes everybody's packets to fall on the floor until the fake ARP entry times out. (RFC 826 seems to imply that snooping is allowed; the "packet reception" section doesn't seem to limit *how* packets are received.)

Maybe ARP entries should only be updated when replies are received in response to locally originated requests? Initial latency might be a bit higher, since the ARP table won't be pre-loaded, but it will add some protection against this particular DoS attack.

Lars

-- 
Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
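As an added illustration of the two cache policies discussed in the post (not code from the post or from any BSD ARP implementation), the following Python models an ARP cache that learns from every ARP packet it sees next to one that only accepts a reply answering a request it sent itself. It parses raw RFC 826 Ethernet/IPv4 ARP payloads, feeds both caches the same constructed frame sequence (a legitimate gateway reply followed by a "who-has X tell X" request carrying a different MAC), and also shows a simple check a monitor could apply: flag any ARP packet whose sender IP is already known with a different MAC. All addresses are constructed documentation-range values; `build_arp`, `SnoopingCache`, `StrictCache` and `suspicious` are names chosen here, not existing APIs.

```python
"""Toy model of two ARP cache update policies (added example, constructed data)."""
import struct
from dataclasses import dataclass

ARP_REQUEST = 1
ARP_REPLY = 2
# RFC 826 ARP payload for Ethernet/IPv4, without the 14-byte Ethernet header:
# htype, ptype, hlen, plen, oper, sha, spa, tha, tpa  (28 bytes total)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)


@dataclass(frozen=True)
class ArpPacket:
    oper: int
    sha: str  # sender hardware (MAC) address
    spa: str  # sender protocol (IPv4) address
    tha: str  # target hardware address
    tpa: str  # target protocol address


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode an Ethernet/IPv4 ARP payload; reject anything else."""
    if len(payload) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encode a constructed sample frame (used only to feed the model below)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha.replace(":", "")), bytes(map(int, spa.split("."))),
                       bytes.fromhex(tha.replace(":", "")), bytes(map(int, tpa.split("."))))


class SnoopingCache:
    """Learns the sender mapping from every ARP packet, request or reply (the behaviour the post describes)."""
    def __init__(self):
        self.table = {}

    def on_packet(self, p: ArpPacket) -> None:
        self.table[p.spa] = p.sha


class StrictCache:
    """Updates an entry only from a reply to this host that answers one of its own outstanding requests."""
    def __init__(self, my_ip: str):
        self.my_ip = my_ip
        self.table = {}
        self.pending = set()

    def request(self, ip: str) -> None:
        self.pending.add(ip)  # record that we sent "who-has ip"

    def on_packet(self, p: ArpPacket) -> None:
        if p.oper == ARP_REPLY and p.tpa == self.my_ip and p.spa in self.pending:
            self.table[p.spa] = p.sha
            self.pending.discard(p.spa)


def suspicious(p: ArpPacket, known: dict) -> bool:
    """Monitor check: a sender IP we already know is now claimed by a different MAC."""
    return p.spa in known and known[p.spa] != p.sha


def run_scenario():
    """Return (snooping cache's gateway MAC, strict cache's gateway MAC, number of flagged frames)."""
    gw_ip, gw_mac = "192.0.2.1", "00:00:5e:00:53:01"      # constructed
    host_ip, host_mac = "192.0.2.10", "00:00:5e:00:53:10"  # constructed
    other_mac = "00:00:5e:00:53:ff"                         # constructed
    frames = [
        build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip),  # our own "who-has gw"
        build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),                # genuine gateway reply
        build_arp(ARP_REQUEST, other_mac, gw_ip, "00:00:00:00:00:00", gw_ip),  # "who-has gw tell gw", different MAC
    ]
    snoop, strict = SnoopingCache(), StrictCache(host_ip)
    strict.request(gw_ip)
    known = {gw_ip: gw_mac}  # what a monitor believes the gateway's MAC is
    flagged = 0
    for raw in frames:
        p = parse_arp(raw)
        flagged += suspicious(p, known)
        snoop.on_packet(p)
        strict.on_packet(p)
    return snoop.table.get(gw_ip), strict.table.get(gw_ip), flagged


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows the snooping cache ending with the wrong MAC for the gateway while the strict cache keeps the one learned from the genuine reply; the third frame is the only one the monitor check flags. The strict policy is the one the post proposes, and the model makes its cost visible too: nothing enters the table until the host has asked for it.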