Subject: Re: Needing help with preventing IP theft
To: None <tech-net@netbsd.org, wolfgang@wsrcc.com>
From: Sean Doran <smd@ebone.net>
List: tech-net
Date: 08/11/2000 22:17:43
Mmmm, great, so we have the problem of a LAN bridged to
heaven-knows-where, with possibly several unfriendly parties on
the LAN trying to out-ARP each other.  The bad ARP responses are
bad stuff, but the solution is not to flood the LAN with ever
higher rates of traffic, *especially* if any part of the bridged
network acts as a bandwidth bottleneck, or behaves badly in the
presence of multicast/broadcast LAN frames.

A better approach is not to throw frames into the LAN until
it congests, but rather to seek to avoid using ARP at all if
unfriendly or misconfigured parties can answer ARPs improperly.

Why not use DHCP to hardwire some IP-address-to-MAC-address mappings,
particularly of critical things like the gateway?

Likewise, why must the gateway use ARP at all, if it is under the
control of authority granting IP addresses (via DHCP, for example)
in the first place?

Given that in your type of environment, the frequency of endnodes
seeking conversations with other endnodes is dwarfed by the frequency
of endnodes seeking conversations with the router(s), the amount of
static ARP table entries you might feel you need to configure in
your host should be small.

	Sean.
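The post argues for pinning the few mappings that matter (the gateway above all) rather than out-shouting an attacker's ARP replies. The following is an added example, not code from the post, from NetBSD, or from anyone on the thread: a small checker that parses raw Ethernet/ARP frames and judges each one against a pinned IP-to-MAC table of the kind the post proposes (on the host itself the same table would be set as static entries with arp(8)). It flags a reply, or a gratuitous request, that claims a pinned IP with the wrong MAC, and also the cheaper tell that the frame's Ethernet source differs from the ARP sender address. All addresses and frames are constructed for the example (RFC 5737 documentation IPs and documentation MACs); nothing here is taken from a real network.

```python
"""Check ARP frames seen on a LAN against pinned IP-to-MAC mappings.

Added example; not part of the original mailing-list post. All addresses
are constructed (RFC 5737 documentation IPs, IANA documentation MACs).
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# The mappings a host would otherwise install as static ARP entries, e.g. the
# default gateway. Assumption: these values are made up for the example.
PINNED = {"192.0.2.1": "00:00:5e:00:53:01"}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpPacket:
    eth_src: str      # source MAC from the Ethernet header
    op: int
    sender_mac: str   # ARP sender hardware address (SHA)
    sender_ip: str    # ARP sender protocol address (SPA)
    target_mac: str
    target_ip: str


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip,
                    eth_src=None) -> bytes:
    """Build an Ethernet II frame carrying an ARP packet (test input only)."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth_src = eth_src or sender_mac
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6/4, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Parse Ethernet + ARP; None for non-ARP, non-IPv4-over-Ethernet or short frames."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(
        eth_src=fmt_mac(frame[6:12]),
        op=op,
        sender_mac=fmt_mac(frame[22:28]),
        sender_ip=fmt_ip(frame[28:32]),
        target_mac=fmt_mac(frame[32:38]),
        target_ip=fmt_ip(frame[38:42]),
    )


def classify(pkt: ArpPacket, pinned=PINNED) -> str:
    """Verdict for one ARP packet against the pinned table.

    "spoofed"  - Ethernet source differs from the ARP sender MAC, or the packet
                 (reply or gratuitous request) claims a pinned IP with the wrong MAC
    "request"  - an ordinary request; nothing to verify
    "ok"       - reply for a pinned IP carrying the expected MAC
    "unpinned" - reply for an address we do not pin (plain dynamic ARP)
    """
    if pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "spoofed"
    expected = pinned.get(pkt.sender_ip)
    if expected is not None and expected.lower() != pkt.sender_mac.lower():
        return "spoofed"
    if pkt.op == ARP_REQUEST:
        return "request"
    return "ok" if expected is not None else "unpinned"


def audit(frames, pinned=PINNED):
    """Return (verdict, packet) for every parseable ARP frame, in order."""
    results = []
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is not None:
            results.append((classify(pkt, pinned), pkt))
    return results


# Constructed traffic: genuine gateway reply, a rival's reply for the gateway
# IP, a reply for an unpinned host, and a normal request from a host.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, "00:00:5e:00:53:01", "192.0.2.1", "00:00:5e:00:53:10", "192.0.2.10"),
    build_arp_frame(ARP_REPLY, "00:00:5e:00:53:66", "192.0.2.1", "00:00:5e:00:53:10", "192.0.2.10"),
    build_arp_frame(ARP_REPLY, "00:00:5e:00:53:20", "192.0.2.20", "00:00:5e:00:53:10", "192.0.2.10"),
    build_arp_frame(ARP_REQUEST, "00:00:5e:00:53:10", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
]

if __name__ == "__main__":
    for verdict, pkt in audit(SAMPLE_FRAMES):
        print(f"{verdict:8} {pkt.sender_ip} is-at {pkt.sender_mac}")
```

The checker only reports; it does not answer on the wire, which is the point of the post: the defence is a small pinned table for the gateway and other critical addresses, not more ARP traffic. Running it against a capture of a real LAN would simply replace `SAMPLE_FRAMES` with the frames read from the interface.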