On Tue, Dec 21, 2010 at 09:34:01AM +0100, David Coppa wrote:
quoted text
> On Tue, Dec 21, 2010 at 2:23 AM, Fernando Quintero
> <fernando.a.quintero@gmail.com> wrote:
> > some comment?
> >
> > http://seclists.org/bugtraq/2010/Dec/200
> 
> I'm not able to provide a solution, but this is of course a bug that
> needs to be fixed.

If you look at my commit message from 3 years ago,
you'll see that we are well aware of this:

 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?f=h#rev1.152

If someone comes up with a replay protection that works without the help
of synchronized clocks, I'm happy to fix this.

OTOH, I'm still not convinced that it's worth the effort to fix a
L2-only attack. There's still enough other ways for a DoS on L2.