Hi,

On Tue, Nov 28, 2017 at 01:47:47PM +0100, Martin Buck wrote:
> Are these differences to conventional Ethernet switches intentional (e.g.
> for security reasons)? If not, I could probably provide patches to fix
> them, at least for the 3rd problem.

Short answer: shortcomings in the implementation, and nobody had time
(and the need) to really look into that and fix things.

There's an open trac ticket that is about MAC learning on the TAP side
on the server, and LAN hosts roaming from "TAP side" to "client side"
not working nicely - which has not received any attention due to "lack
of time" either.


Phrased differently: I do not see any technical or security reasons why
we shouldn't make this more like "a normal ethernet switch".  ARP spoofing
comes to mind, but since we *do* learn in the first place, we should
do this correctly :-) (possibly logging if a given MAC address roams
"too often", though I'm not sure this is easy to do given the current
data structures - so maybe just a rate-limited notice for "MAC address
roamed from <x> to <y>" instead)


Further discussion should happen on the openvpn-devel@ mailing lists, as
not all OpenVPN developers interested in "network" are subscribed to
-users

gert
-- 
now what should I write here...

Gert Doering - Munich, Germany                             g...@greenie.muc.de

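The rate-limited "MAC address roamed from <x> to <y>" notice Gert sketches above, as an added illustration that is not OpenVPN's code and not part of the thread: a minimal learning table where a MAC moving between ports (0 for the TAP side, positive ids for clients, an assumed numbering) is always re-learned, but a notice is logged at most once per ROAM_NOTICE_INTERVAL per MAC, with suppressed moves counted and reported in the next notice.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

#define MAX_ENTRIES 64
#define ROAM_NOTICE_INTERVAL 60  /* seconds between roam notices per MAC (assumed value) */

enum { LEARN_OK = 0, LEARN_ROAM_LOGGED = 1, LEARN_ROAM_SUPPRESSED = 2, LEARN_TABLE_FULL = -1 };

struct mac_entry {
    uint8_t mac[6];
    int port;             /* where the MAC was last seen: 0 = TAP side, >0 = client id (assumed) */
    time_t last_notice;   /* when a roam notice was last logged for this MAC */
    unsigned roams;       /* roams observed in total */
    unsigned suppressed;  /* roam notices withheld since last_notice */
};

static struct mac_entry table[MAX_ENTRIES];
static int table_len;

void mac_table_reset(void) { table_len = 0; memset(table, 0, sizeof table); }

static struct mac_entry *mac_find(const uint8_t *mac) {
    for (int i = 0; i < table_len; i++)
        if (memcmp(table[i].mac, mac, 6) == 0) return &table[i];
    return NULL;
}

/* Port a destination MAC was last learned on, or -1 if unknown (flood). */
int mac_lookup(const uint8_t *mac) {
    struct mac_entry *e = mac_find(mac);
    return e ? e->port : -1;
}

/* Learn a source MAC on port; on a move, emit at most one notice per interval. */
int mac_learn(const uint8_t *mac, int port, time_t now) {
    struct mac_entry *e = mac_find(mac);
    if (!e) {
        if (table_len == MAX_ENTRIES) return LEARN_TABLE_FULL;
        e = &table[table_len++];
        memcpy(e->mac, mac, 6);
        e->port = port;
        e->last_notice = now - ROAM_NOTICE_INTERVAL;  /* first roam is always reported */
        return LEARN_OK;
    }
    if (e->port == port) return LEARN_OK;
    int old = e->port;
    e->port = port;   /* always follow the move, like a normal switch */
    e->roams++;
    if (now - e->last_notice < ROAM_NOTICE_INTERVAL) { e->suppressed++; return LEARN_ROAM_SUPPRESSED; }
    printf("MAC %02x:%02x:%02x:%02x:%02x:%02x roamed from %d to %d (%u roams, %u notices suppressed)\n",
           mac[0], mac[1], mac[2], mac[3], mac[4], mac[5], old, port, e->roams, e->suppressed);
    e->last_notice = now;
    e->suppressed = 0;
    return LEARN_ROAM_LOGGED;
}
```

A real implementation would age entries out and use a hash table rather than a linear scan; the point here is only the learn-always, notify-rarely split.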
