-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 04/05/14 21:51, Gert Doering wrote:
> Hi,
>
> On Sun, May 04, 2014 at 08:08:54PM +0100, Jonathan Tripathy wrote:
>> I still think the OP has asked a very good question.
>>
>> Whilst the traffic won't physically go to C (at least for TUN
>> networ
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 04/05/14 22:31, Jason Haar wrote:
> The way I look at it (and hopefully I'm correct - I've never used
> tap so I haven't tested that), "tun" interfaces are like
> traditional physical point-to-point WAN links - and one WAN link
> cannot see the traf
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 05/05/14 05:05, david wrote:
>
>> -Original Message- From: Gert Doering
>> [mailto:g...@greenie.muc.de] Sent: Monday, 5 May 2014 5:51 AM To:
>> Jonathan Tripathy Cc: openvpn-users@lists.sourceforge.net
>> Subject: Re: [Openvpn-users] doubt
Hi,
On Mon, May 05, 2014 at 07:57:50PM +0200, David Sommerseth wrote:
> But, that doesn't mean that all kinds of attacks will work. Because
> OpenVPN does some checks on the packets it receives and forwards. So
> there is a chance OpenVPN won't make ARP spoofing work too easily,
> compared to swi
Hi,
On Mon, May 05, 2014 at 07:51:23PM +0200, David Sommerseth wrote:
> > ARP spoofing might indeed work. So don't use TAP. Don't use TAP
> > anyway, unless you have a very strong reason to do so, and this is
> > usually along the lines of "I need dynamic routing protocols to
> > work across Ope
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 05/05/14 20:12, Gert Doering wrote:
> Hi,
>
> On Mon, May 05, 2014 at 07:57:50PM +0200, David Sommerseth wrote:
>> But, that doesn't mean that all kinds of attacks will work.
>> Because OpenVPN does some checks on the packets it receives and
>> forw
-Original Message-
Hi,
On Mon, May 05, 2014 at 07:51:23PM +0200, David Sommerseth wrote:
> > ARP spoofing might indeed work. So don't use TAP. Don't use TAP
> > anyway, unless you have a very strong reason to do so, and this is
> > usually along the lines of "I need dynamic routing pro
Hi,
On Mon, May 05, 2014 at 08:31:19PM +0200, David Sommerseth wrote:
> > Which OpenVPN does not do (and neither do most switches, even
> > fairly expensive L3 switch stuff). In TAP mode, all it cares about
> > is MAC addresses.
>
> I see ... but if a spoofed packet is sent, wouldn't return pack
Hi,
On Mon, May 05, 2014 at 06:38:35PM +, Andy Wang wrote:
> with that in hand, I would consider mac-cert-remoteipandport to have a very
> strong binding and it is not easy to break it by just ARP spoofing.
*ARP* spoofing does not target the "switch" (OpenVPN) but the communication
endpoints.
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: May-05-14 2:53 PM
To: Andy Wang
Cc: 'Gert Doering'; openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] doubts about possible sniffing
Hi,
On Mon, May 05, 2014 at 06:38:35PM +, Andy Wang wrote:
>
Hi,
On Mon, May 05, 2014 at 07:10:42PM +, Andy Wang wrote:
> *ARP* spoofing does not target the "switch" (OpenVPN) but the communication
> endpoints.
>
> You tell A "the mac address for B is C".
>
> You tell B "the mac address for A is C".
>
> And both will happily send all their packets f
There's a lot of good chatter going on about this topic, but at the end
of the day all that matters is whether any of this *conjecture* is real
or not. Someone actually using TAP mode and interested in this subject
should actually *test it* and see what happens
In the immortal words of djb: "profi