Hi,

On Mon, May 05, 2014 at 07:10:42PM +0000, Andy Wang wrote:
> *ARP* spoofing does not target the "switch" (OpenVPN) but the communication
> endpoints.
>
> You tell A "the mac address for B is C".
> You tell B "the mac address for A is C".
>
> And both will happily send all their packets for each other to *C*.
>
> No L2 switch will be able to notice that anything unusual is happening, and
> only very few L3 switches can filter this.
>
> gert
>
> =======================
>
> It is not true for OpenVPN, as the 'mac address' is actually bound (I am
> assuming, sorry :-) to the 'cert' and 'remote ip and port'. So a normal L2
> switch would happily send both traffic to C, but the OpenVPN server would
> stop and say 'sorry, man, I would only forward target B's mac to remote B',
> so it is using B's cert to encrypt the packets and send them to remote B.
> (I am hoping it is true)
Uh. Please try to understand what I said.

There is a strong binding between "MAC" and "remote IP", but there is no
binding between "TAP adapter IP" and "MAC".

So if you want to sniff A and B's communication, you poison the ARP cache
*on the TAP interface* on host A and B, so both think that their
communication partner has the TAP (!) MAC address of "C".

Since OpenVPN doesn't know anything about the *inside* IP address, it will
send the packet to the (what it thinks) right tunnel, which is "to C",
encrypted with C's key. C will then read the packet, replace the dest MAC
address with the address of the "real" communication partner, and the
source MAC with its own, and send it back to the OpenVPN tunnel - and
OpenVPN will happily forward the packet to the other endpoint.

From OpenVPN's point of view, the binding between "remote IP" and "MAC" is
perfectly honoured - but if you make the *inside* packets go to the wrong
MAC address (which is what "ettercap" will do, for example), OpenVPN will
never notice, unless it would also read ARP packets and build a strong
binding between *inside* IP addresses and MAC addresses. Which it does
not do.

If you disagree, please show me the relevant bits in the code that tie
inside IP to MAC.

gert
-- 
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
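The relay Gert describes, as an added toy model in Python (this is example code written for this page, not OpenVPN's code; hosts A, B and C, their MACs and 10.8.0.x addresses are made up, the server's MAC-to-tunnel check is an assumption standing in for the binding the thread talks about, and the inside-IP check at the end is the hypothetical one the message says OpenVPN does not have):

```python
"""Toy model of OpenVPN tap-mode forwarding under an ARP-poisoning relay.

Added example; this is not OpenVPN's code.  Hosts A, B, C are clients on one
tap network.  The server models only the binding the thread talks about
(MAC <-> tunnel) and never parses the inside IP header.  MACs and IPs below
are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    arp: dict = field(default_factory=dict)    # TAP ARP cache: inside IP -> MAC
    inbox: list = field(default_factory=list)  # frames delivered to this host


class TapServer:
    """Models the MAC <-> tunnel binding described in the thread (assumption:
    modelled as a hard check here).  Forwarding is by destination MAC only."""

    def __init__(self, hosts):
        self.by_mac = {h.mac: h for h in hosts}
        self.log = []    # (from client, to client) for every forwarded frame
        self.seen = []   # every frame, for the hypothetical inside-IP check

    def forward(self, sender, frame):
        if self.by_mac.get(frame.src_mac) is not sender:
            raise ValueError(f"{sender.name} sent a frame with a MAC not bound to it")
        self.seen.append(frame)
        dst = self.by_mac[frame.dst_mac]
        self.log.append((sender.name, dst.name))
        dst.inbox.append(frame)
        return dst


def send_ip(server, src, dst_ip, payload):
    """A host sends an IP packet; the destination MAC comes from its own
    TAP ARP cache, which is exactly what the poisoning manipulates."""
    return server.forward(src, Frame(src.mac, src.arp[dst_ip], src.ip, dst_ip, payload))


def relay(server, attacker, frame):
    """What an ettercap-style MITM does with a frame the poisoning drew to it:
    rewrite dst MAC to the real target, src MAC to its own, and send it on."""
    fixed = Frame(attacker.mac, attacker.arp[frame.dst_ip],
                  frame.src_ip, frame.dst_ip, frame.payload)
    return server.forward(attacker, fixed)


def build_network():
    hosts = {
        "A": Host("A", "02:00:00:00:00:0a", "10.8.0.10"),
        "B": Host("B", "02:00:00:00:00:0b", "10.8.0.11"),
        "C": Host("C", "02:00:00:00:00:0c", "10.8.0.12"),
    }
    for h in hosts.values():                      # correct ARP caches to start
        h.arp = {x.ip: x.mac for x in hosts.values()}
    return hosts, TapServer(hosts.values())


def run_normal():
    hosts, srv = build_network()
    send_ip(srv, hosts["A"], hosts["B"].ip, "secret")
    return hosts, srv


def run_poisoned():
    hosts, srv = build_network()
    a, b, c = hosts["A"], hosts["B"], hosts["C"]
    a.arp[b.ip] = c.mac               # "the MAC for B is C"  (poisoned on A's tap)
    b.arp[a.ip] = c.mac               # "the MAC for A is C"  (poisoned on B's tap)
    send_ip(srv, a, b.ip, "secret")   # server dutifully sends it down C's tunnel
    relay(srv, c, c.inbox[-1])        # C reads it, then forwards it to the real B
    return hosts, srv


def inside_ip_violations(server):
    """The binding Gert says OpenVPN does not build: inside IP -> MAC, here
    learned from the first frame each IP is seen with (a real implementation
    would learn it from ARP).  Hypothetical check, not an OpenVPN feature."""
    learned, violations = {}, []
    for f in server.seen:
        bound = learned.setdefault(f.src_ip, f.src_mac)
        if bound != f.src_mac:
            violations.append((f.src_ip, bound, f.src_mac))
    return violations


if __name__ == "__main__":
    hosts, srv = run_poisoned()
    print("server log:", srv.log)
    print("C captured:", hosts["C"].inbox[0].payload)
    print("B believes sender is:", hosts["B"].inbox[0].src_ip)
    print("inside-IP check:", inside_ip_violations(srv))
```

In the poisoned run the server's log is A-to-C followed by C-to-B, and every frame it forwarded carried a source MAC that really belonged to the tunnel it arrived on, so the MAC-to-tunnel binding is honoured throughout; only the hypothetical inside-IP-to-MAC table notices that A's address suddenly turned up behind C's MAC.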
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users