Hi,

On Mon, May 05, 2014 at 07:57:50PM +0200, David Sommerseth wrote:
> But, that doesn't mean that all kinds of attacks will work. Because
> OpenVPN does some checks on the packets it receives and forwards. So
> there is a chance OpenVPN won't make ARP spoofing work too easily,
> compared to switches and physical NICs. But a more thorough code
> study and testing is needed to really confirm this.

The nasty thing about ARP *spoofing* is that there is basically nothing at all a layer2 device can do about it, unless it is able to look into the IP<->MAC mapping inside the packet, and validate the packets. Which OpenVPN does not do (and neither do most switches, even fairly expensive L3 switch stuff). In TAP mode, all it cares about is MAC addresses.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
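The validation the message above describes (looking at the IP<->MAC mapping inside the ARP packet instead of only the Ethernet MAC addresses), sketched as an added example; it is not part of the original message and not OpenVPN code. The binding table, addresses and function names are constructed for illustration.

```python
import struct

# Constructed IP -> MAC bindings (assumption: taken from static config or DHCP leases).
BINDINGS = {"10.8.0.1": "02:00:00:00:00:01", "10.8.0.10": "02:00:00:00:00:10"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def inspect_frame(frame, bindings=BINDINGS):
    """Return (verdict, reason) for one raw Ethernet frame."""
    if len(frame) < 14:
        return "drop", "truncated Ethernet header"
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return "pass", "not ARP"
    if len(frame) < 42:
        return "drop", "truncated ARP payload"
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return "drop", "not an Ethernet/IPv4 ARP request or reply"
    # A MAC-only forwarder stops at the Ethernet header; these checks look inside.
    if sha != src:
        return "drop", "ARP sender MAC differs from Ethernet source MAC"
    expected = bindings.get(ip_str(spa))
    if expected is None:
        return "drop", f"no binding for sender IP {ip_str(spa)}"
    if expected != mac_str(sha):
        return "drop", f"{ip_str(spa)} is bound to {expected}, not {mac_str(sha)}"
    return "pass", "sender IP/MAC matches binding"

def build_arp(eth_src, sha, spa, tpa, op=2):
    """Build a constructed broadcast ARP frame for the checks below."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(o) for o in s.split("."))
    return (m("ff:ff:ff:ff:ff:ff") + m(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + bytes(6) + i(tpa))

if __name__ == "__main__":
    ok = build_arp("02:00:00:00:00:10", "02:00:00:00:00:10", "10.8.0.10", "10.8.0.1")
    bad = build_arp("02:00:00:00:00:10", "02:00:00:00:00:10", "10.8.0.1", "10.8.0.10")
    for name, f in (("matching", ok), ("mismatched", bad)):
        print(name, inspect_frame(f))
```

The mismatched frame carries a perfectly valid Ethernet source MAC, which is why a device that only tracks MAC addresses forwards it; only the binding lookup on the ARP payload rejects it.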