On Tue, Dec 21, 2010 at 09:34:01AM +0100, David Coppa wrote: > On Tue, Dec 21, 2010 at 2:23 AM, Fernando Quintero > <fernando.a.quint...@gmail.com> wrote: > > some comment? > > > > http://seclists.org/bugtraq/2010/Dec/200 > > I'm not able to provide a solution, but this is of course a bug that > needs to be fixed.
If you look at my commit message from 3 years ago, you'll see that we are well aware of this: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?f=h#rev1.152 If someone comes up with a replay protection that works without the help of synchronized clocks, I'm happy to fix this. OTOH, I'm still not convinced that it's worth the effort to fix a L2-only attack. There's still enough other ways for a DoS on L2.