> Mmmm, great, so we have the problem of a LAN bridged to
> heaven-knows-where, with possibly several unfriendly parties on
> the LAN trying to out-ARP each other.   The bad ARP responses are
> bad stuff, but the solution is not to flood the LAN with ever 
> higher rates of traffic, *especially* if any part of the bridged
> network acts as a bandwidth bottleneck, or behaves badly in the
> presence of multicast/broadcast LAN frames.

If someone tries to impersonate my machine I really have to assume
that something serious is up.  If I don't defend my IP it will allow
the attacker to steal my mail or impersonate my machine.  If it is the
prelude to a break-in elsewhere I'll have a heck of a time proving
that I didn't break into somewhere from this IP.  (I could really do
without Joe Gumshoe confiscating my computer and all backup tapes as
evidence in some trial that gets scheduled 1 year down the road.)

> A better approach is not to throw frames into the LAN until
> it congests, but rather to seek to avoid using ARP at all if
> unfriendly or misconfigured parties can answer ARPs improperly. 

Whenever an arp contest between the gateway and some imposter happens
I do wire down all the important MAC addresses that I know.  I've got
a script file all set up to go.  I clearly don't want to wire them
down as a matter of course because equipment does get replaced.

-wolfgang
-- 
Wolfgang Rupprecht    <wolfgang@wsrcc.com>     http://www.wsrcc.com/wolfgang/
Coming soon: GPS mapping tools for Open Systems. http://www.gnomad-mapping.com/