-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/05/14 20:12, Gert Doering wrote:
> Hi,
> 
> On Mon, May 05, 2014 at 07:57:50PM +0200, David Sommerseth wrote:
>> But, that doesn't mean that all kinds of attacks will work.
>> Because OpenVPN does some checks on the packets it receives and
>> forwards.  So there is a chance OpenVPN won't make ARP spoofing
>> work too easily, compared to switches and physical NICs.  But a
>> more thorough code study and testing is needed to really confirm
>> this.
> 
> The nasty thing about ARP *spoofing* is that there is basically
> nothing at all a layer2 device can do about it, unless it is able
> to look into the IP<->MAC mapping inside the packet, and validate
> the packets.
> 
> Which OpenVPN does not do (and neither do most switches, even
> fairly expensive L3 switch stuff).  In TAP mode, all it cares about
> is MAC addresses.

I see ... but if a spoofed packet is sent, wouldn't return packets be
sent back to the *real* client?  I'm basing this upon what I can see
in log files:

May  4 08:56:10 ovpngw openvpn[2193]: Jane_Doe/39.164.34.39:64493 MULTI: Learn: 00:ff:23:22:a6:53 -> Jane_Doe/39.164.34.39:64493

So I would expect if I spoofed my connection to use 00:ff:23:22:a6:53,
OpenVPN would process this as a packet from Jane_Doe (despite having
the wrong public source IP) and return the result to that client
instead of my client.

If it would re-learn then it's surely an ugly thing, as OpenVPN
shouldn't really expect clients to change the MAC address during a
session.

> Either way "what a normal switch does".  Don't use TAP.

Agreed!


- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNn2PcACgkQDC186MBRfrqLmACbBlUpicfjx1MFOJdkcFzjgKwp
KV0An3v4MUQg3xPg1w+5Pvb5dUJLh0Md
=+XcW
-----END PGP SIGNATURE-----
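The exchange above turns on the server's TAP-mode MAC learning table, which is visible only through the "MULTI: Learn:" log lines. From a monitoring point of view, the event worth watching is exactly the one David worries about: a MAC address that was already bound to one client instance being learned again from a different client. The following script is an added example, not code from the thread or from the OpenVPN project; it parses the syslog format shown above and reports such re-learns. The log lines in SAMPLE_LOG are constructed for this example (the Jane_Doe line mirrors the one quoted in the mail; Bob_Roe, its address and the second MAC are invented), and the assumption that a client's common name precedes the "/" in the instance string follows the "Jane_Doe/39.164.34.39:64493" form seen in the log.

```python
import re
from collections import defaultdict

# Constructed sample log (syslog format as shown in the thread; one line per
# event, i.e. without the mail client's line wrapping). The Jane_Doe entry
# mirrors the quoted line; the Bob_Roe entries are invented to show a MAC that
# is learned first from one client and later from another.
SAMPLE_LOG = """\
May  4 08:56:10 ovpngw openvpn[2193]: Jane_Doe/39.164.34.39:64493 MULTI: Learn: 00:ff:23:22:a6:53 -> Jane_Doe/39.164.34.39:64493
May  4 08:57:02 ovpngw openvpn[2193]: Bob_Roe/198.51.100.17:51022 MULTI: Learn: 00:ff:19:07:c2:11 -> Bob_Roe/198.51.100.17:51022
May  4 09:01:44 ovpngw openvpn[2193]: Bob_Roe/198.51.100.17:51022 MULTI: Learn: 00:ff:23:22:a6:53 -> Bob_Roe/198.51.100.17:51022
May  4 09:02:00 ovpngw openvpn[2193]: Jane_Doe/39.164.34.39:64493 MULTI: Learn: 00:ff:23:22:a6:53 -> Jane_Doe/39.164.34.39:64493
"""

# "<syslog ts> <host> openvpn[<pid>]: <sender> MULTI: Learn: <mac> -> <owner>"
LEARN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+\S+\s+openvpn\[\d+\]:\s+"
    r"(?P<sender>\S+)\s+MULTI: Learn:\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+->\s+(?P<owner>\S+)\s*$",
    re.IGNORECASE,
)


def client_name(instance):
    """Assumption: the instance string is '<common_name>/<ip>:<port>'.
    Comparing on the common name keeps a plain reconnect (new port, same
    user) from looking like a MAC moving between clients."""
    return instance.split("/", 1)[0]


def parse_learn_lines(text):
    """Return (timestamp, mac, owner_common_name) for every Learn line."""
    events = []
    for line in text.splitlines():
        m = LEARN_RE.match(line)
        if m:
            events.append((m["ts"], m["mac"].lower(), client_name(m["owner"])))
    return events


def find_mac_relearns(events):
    """Replay the learning table; return (ts, mac, previous_owner, new_owner)
    each time a MAC already bound to one client is learned from another."""
    table = {}
    alerts = []
    for ts, mac, owner in events:
        prev = table.get(mac)
        if prev is not None and prev != owner:
            alerts.append((ts, mac, prev, owner))
        table[mac] = owner
    return alerts


def macs_per_client(events):
    """Sorted list of distinct MACs each client has ever been bound to."""
    seen = defaultdict(set)
    for _ts, mac, owner in events:
        seen[owner].add(mac)
    return {owner: sorted(macs) for owner, macs in seen.items()}


if __name__ == "__main__":
    evs = parse_learn_lines(SAMPLE_LOG)
    for ts, mac, prev, new in find_mac_relearns(evs):
        print(f"{ts}: MAC {mac} moved from {prev} to {new}")
    for owner, macs in macs_per_client(evs).items():
        print(f"{owner}: {len(macs)} MAC(s) learned")
```

In a deployment this would read the live server log rather than SAMPLE_LOG; a MAC that moves between two common names within a session is the re-learn case David describes and is worth an alert, while a single client that accumulates many MACs may simply be bridging a LAN behind its TAP interface and needs context before it is treated as suspicious.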

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users