-----Original Message-----
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: May-05-14 2:53 PM
To: Andy Wang
Cc: 'Gert Doering'; openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] doubts about possible sniffing
Hi,

On Mon, May 05, 2014 at 06:38:35PM +0000, Andy Wang wrote:
> with that in hand, I would consider mac-cert-remoteipandport to have a very
> strong binding and it is not easy to break it by just ARP spoofing.

*ARP* spoofing does not target the "switch" (OpenVPN) but the communication
endpoints.

You tell A "the mac address for B is C". You tell B "the mac address for A
is C". And both will happily send all their packets for each other to *C*.

No L2 switch will be able to notice that anything unusual is happening, and
only very few L3 switches can filter this.

gert

=======================

It is not true for OpenVPN, as the 'mac address' is actually bound (I am
assuming, sorry :-) to the 'cert' and 'remote ip and port'. So a normal L2
switch will happily send both sides' traffic to C, but the OpenVPN server
would only stop and say 'sorry, man, I would only forward target B's mac to
remote B', so it uses B's cert to encrypt the packets and sends them to
remote B. (I am hoping it is true)

Andy
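As an added example (not code from the thread participants or from the OpenVPN project), here is a small passive detector for the poisoning pattern Gert describes: the same MAC (C) being announced as the address of both A and B, and a previously learned IP-to-MAC binding changing. The input is a constructed capture in the style of `tcpdump -n arp` output with hypothetical addresses.

```python
"""Passive ARP-poisoning detector for the pattern in the thread: one host C
tells A "B is at C" and B "A is at C", so both endpoints send to C and an L2
switch sees nothing unusual. Added example, not the OpenVPN project's code.
Input lines are constructed samples in tcpdump style; addresses are made up."""
import re

# Constructed sample capture, in arrival order. A=10.0.0.1, B=10.0.0.2,
# C's MAC ends in :cc. The last two lines are the two poisoned replies.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01, length 28
12:00:01.100 ARP, Reply 10.0.0.2 is-at aa:aa:aa:aa:aa:02, length 28
12:00:02.000 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 28
12:00:02.050 ARP, Reply 10.0.0.2 is-at aa:aa:aa:aa:aa:02, length 28
12:00:05.000 ARP, Reply 10.0.0.1 is-at cc:cc:cc:cc:cc:cc, length 28
12:00:05.010 ARP, Reply 10.0.0.2 is-at cc:cc:cc:cc:cc:cc, length 28
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

def parse_replies(text):
    """Yield (ip, mac) for every ARP Reply line; requests are ignored."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()

def detect_poisoning(text, multi_ip_ok=frozenset()):
    """Return alert strings. Two signals: an IP whose MAC differs from the
    one first learned (the classic poisoning symptom), and one MAC answering
    for more than one IP. Routers, VRRP and multi-homed hosts legitimately
    do the latter, so their MACs can be listed in multi_ip_ok to suppress
    that second signal. Trusting the first reply is itself an assumption."""
    first_seen = {}          # ip -> mac learned from the first reply
    ips_per_mac = {}         # mac -> set of ips it has claimed
    alerts = []
    for ip, mac in parse_replies(text):
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip}: MAC changed from {known} to {mac}")
        claimed = ips_per_mac.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1 and mac not in multi_ip_ok:
            alerts.append(f"{mac} claims several IPs: {sorted(claimed)}")
    return alerts

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_CAPTURE):
        print(alert)
```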