Hi,

On Mon, May 05, 2014 at 06:38:35PM +0000, Andy Wang wrote:
> with that in hand, I would consider mac-cert-remoteipandport to have a very
> strong binding and it is not easy to break it by just ARP spoofing.

*ARP* spoofing does not target the "switch" (OpenVPN) but the
communication endpoints.

You tell A "the mac address for B is C". You tell B "the mac address
for A is C". And both will happily send all their packets for each
other to *C*.

No L2 switch will be able to notice that anything unusual is happening,
and only very few L3 switches can filter this.

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
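
Added example, not part of the original message: since the switch cannot see the poisoning described above, one place to detect it is on the endpoints themselves, by comparing each host's neighbour table against known-good IP-to-MAC bindings. The addresses, MACs, the baseline and the `ip neigh show` output below are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed known-good bindings, recorded out of band (constructed values).
BASELINE = {
    "192.0.2.10": "02:00:00:00:00:0a",  # host A
    "192.0.2.20": "02:00:00:00:00:0b",  # host B
    "192.0.2.30": "02:00:00:00:00:0c",  # host C
}

# Constructed `ip neigh show` output as seen on A and on B after both were
# told that the other's address lives at C's MAC.
NEIGH_ON_A = """\
192.0.2.20 dev eth0 lladdr 02:00:00:00:00:0c REACHABLE
192.0.2.30 dev eth0 lladdr 02:00:00:00:00:0c STALE
"""
NEIGH_ON_B = """\
192.0.2.10 dev eth0 lladdr 02:00:00:00:00:0c REACHABLE
192.0.2.1 dev eth0  FAILED
"""

LINE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})\b")


def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m.group(1)] = m.group(2).lower()
    return table


def check_host(neigh_text, baseline):
    """Flag bindings that differ from the baseline and MACs claimed by several IPs."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in sorted(parse_neigh(neigh_text).items()):
        by_mac[mac].append(ip)
        expected = baseline.get(ip)
        if expected and expected != mac:
            findings.append(("mismatch", ip, expected, mac))
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(ips)))
    return findings


if __name__ == "__main__":
    for name, text in (("A", NEIGH_ON_A), ("B", NEIGH_ON_B)):
        print(name, check_host(text, BASELINE))
```

A shared MAC alone is not proof of spoofing (a router doing proxy ARP produces the same pattern), so the baseline mismatch is the stronger signal.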