Ironically, the hard part of this project for me is all about making the gateway resilient to people arp-spoofing client MAC addresses. The traditional attack, as I understand it, is to arp-spoof the gateway, and I've offered no fancy scripts to defend against that.
I justify this irony in two ways. First, it's trivial to move on to arp-spoofing clients if people get wise to your arp-spoofing the gateway and start statically configuring the gateway MAC into their personal machines. Spoofing clients is also useful to an attacker and disruptive to the spoofee, even if it's not the usual attack. And without my tricks, client spoofing is a hard problem to solve while gateway spoofing is not.
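Whether the spoofed party is the gateway or a client, the symptom on the wire is the same: an ARP reply claims an IP address with a MAC that disagrees with what the DHCP server leased. As an added example (not code from this post), here is a small arpwatch-style checker that parses raw Ethernet/ARP frames and alerts on both kinds of conflict: a sender IP whose MAC disagrees with an expected table (say, built from DHCP leases), and a sender IP whose MAC changes between frames. The frames, addresses and the expected table are constructed for the demo.

```python
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806


@dataclass
class ArpFrame:
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ':'.join(f'{x:02x}' for x in b)


def ip_str(b: bytes) -> str:
    return '.'.join(str(x) for x in b)


def build_arp(opcode: int, smac: bytes, sip: bytes, tmac: bytes, tip: bytes,
              dst_mac: bytes = b'\xff' * 6) -> bytes:
    """Constructed Ethernet + ARP frame (demo input only)."""
    eth = dst_mac + smac + struct.pack('!H', ETH_P_ARP)
    arp = struct.pack('!HHBBH', 1, 0x0800, 6, 4, opcode) + smac + sip + tmac + tip
    return eth + arp


def parse_arp(frame: bytes):
    """Return an ArpFrame for an Ethernet-II ARP frame, or None if it isn't one."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack('!H', frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack('!HHBBH', frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None                            # only Ethernet/IPv4 ARP is handled
    return ArpFrame(op, mac_str(frame[22:28]), ip_str(frame[28:32]),
                    mac_str(frame[32:38]), ip_str(frame[38:42]))


class ArpWatcher:
    """Flags ARP senders whose IP->MAC binding conflicts with what we expect or saw before."""

    def __init__(self, expected: dict):
        # expected: ip -> mac, e.g. gateway plus current DHCP leases (assumed source)
        self.expected = dict(expected)
        self.seen = {}                         # ip -> last mac observed on the wire

    def observe(self, frame: bytes) -> list:
        a = parse_arp(frame)
        if a is None:
            return []
        alerts = []
        exp = self.expected.get(a.sender_ip)
        if exp is not None and exp != a.sender_mac:
            alerts.append(f'{a.sender_ip} claimed by {a.sender_mac}, expected {exp}')
        prev = self.seen.get(a.sender_ip)
        if prev is not None and prev != a.sender_mac:
            alerts.append(f'{a.sender_ip} changed from {prev} to {a.sender_mac}')
        self.seen[a.sender_ip] = a.sender_mac
        return alerts


def demo() -> list:
    """Feed three constructed replies: a legitimate gateway reply, a gateway spoof, a client spoof."""
    gw_mac, gw_ip = bytes.fromhex('001122334401'), bytes([10, 0, 0, 1])
    cl_mac, cl_ip = bytes.fromhex('001122334405'), bytes([10, 0, 0, 5])
    odd_mac = bytes.fromhex('deadbeef0001')    # a MAC the lease table has never heard of
    w = ArpWatcher({'10.0.0.1': '00:11:22:33:44:01', '10.0.0.5': '00:11:22:33:44:05'})
    frames = [
        build_arp(2, gw_mac, gw_ip, cl_mac, cl_ip),    # gateway answers the client: fine
        build_arp(2, odd_mac, gw_ip, cl_mac, cl_ip),   # someone else claims the gateway IP
        build_arp(2, odd_mac, cl_ip, gw_mac, gw_ip),   # someone else claims the client IP
    ]
    return [w.observe(f) for f in frames]


if __name__ == '__main__':
    for alerts in demo():
        print(alerts)
```

The second frame raises two alerts (it disagrees with the lease table and with the previous observation), the third only one, since 10.0.0.5 had not been seen speaking before. On a real segment the frames would come from a raw socket or pcap and the expected table from the DHCP server's lease file.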
Second, I see this arpless stuff as the first step in making more attack-resistant broadcast networks. It is easy to say "use an L3 switch" or "put every client machine on its own switchport and every switchport in a two-port VLAN", but I am a fan of The Ether. Full Duplex Ethernet Is Not Ethernet! I'm not ready to just punt and give up on the old idea by buying expensive vendor crap. This arpless trick makes your transaction with the dhcp server into binding yourself to the logical network. It is still possible to inject spoofed traffic, but it's impossible to hide traffic from you. I envision a broadcast medium where multiple machines can have the same IP address on the same wire but be bound to different logical networks, and everything will work predictably. Instead of speedily recognizing what traffic on the wire is meant for yourself by looking at MAC address, and then once past the MAC filter looking at IP address, you will have to filter with IPsec. "I'm 10.0.0.5. Oh, but that packet was meant for the other 10.0.0.5; I'll drop it" is something your host will realize when the packet doesn't match an IPsec SA.
In this hypothetical future world, the only thing you can do to attack the shared broadcast medium is to spew a bunch of garbage onto it and use up all the transmission opportunity. That's boring and well-understood, compared to the plethora of odd behavior we have now, where there is no clear concept of binding to a logical network. The arpless trick doesn't achieve that hypothetical world. For one thing, you can run another dhcp server, try to convince clients onto your leases, and then get your own lease from the real dhcp server, routing the captured client's traffic back onto the real network. You could either use NAT, or you could try to re-lease someone else the IP address you were leased by the real dhcp server. However, although this attack is still realistic and still lets you do the man-in-the-middle and switched-network-monitoring of the old arp tricks, I think arpless is a first step toward thinking about broadcast media as binding to logical networks, not just blindly hopping onto the wire.
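Since the trick leans on the DHCP transaction as the binding, the residual attack above shows up as DHCP OFFER/ACK traffic from a server you don't run. As an added example (not the post's own code), here is a checker that parses BOOTP/DHCP replies, reads the message type (option 53) and server identifier (option 54, falling back to siaddr), and reports any offer or ack that does not come from an authorized server. The packets, addresses and the authorized-server list are constructed for the demo.

```python
import struct

DHCP_MAGIC = b'\x63\x82\x53\x63'
OFFER, ACK = 2, 5
BOOTREPLY = 2


def ip_str(b: bytes) -> str:
    return '.'.join(str(x) for x in b)


def build_dhcp_reply(msg_type: int, server_ip: bytes, yiaddr: bytes, client_mac: bytes) -> bytes:
    """Constructed BOOTP/DHCP reply (demo input only); only the fields we inspect are meaningful."""
    hdr = struct.pack('!BBBBIHH4s4s4s4s', BOOTREPLY, 1, 6, 0, 0x12345678, 0, 0,
                      b'\0' * 4, yiaddr, server_ip, b'\0' * 4)      # ciaddr, yiaddr, siaddr, giaddr
    hdr += client_mac + b'\0' * 10 + b'\0' * 64 + b'\0' * 128        # chaddr(16), sname(64), file(128)
    opts = bytes([53, 1, msg_type]) + bytes([54, 4]) + server_ip + bytes([255])
    return hdr + DHCP_MAGIC + opts


def parse_dhcp(pkt: bytes):
    """Return the header fields and a {code: value} option map, or None if not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        return None
    hlen = pkt[2]
    chaddr = ':'.join(f'{b:02x}' for b in pkt[28:28 + hlen])
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                  # pad
            i += 1
            continue
        if code == 255:                # end
            break
        if i + 1 >= len(pkt):          # truncated option, stop parsing
            break
        ln = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {'op': pkt[0], 'yiaddr': ip_str(pkt[16:20]), 'siaddr': ip_str(pkt[20:24]),
            'chaddr': chaddr, 'opts': opts}


class DhcpWatcher:
    """Reports OFFER/ACK replies whose server identifier is not on the authorized list."""

    def __init__(self, authorized_servers):
        self.authorized = set(authorized_servers)   # assumed: the real dhcp server(s) on this wire

    def observe(self, pkt: bytes):
        d = parse_dhcp(pkt)
        if d is None or d['op'] != BOOTREPLY:
            return None
        mtype = d['opts'].get(53, b'\0')[0]
        if mtype not in (OFFER, ACK):
            return None
        sid = ip_str(d['opts'][54]) if 54 in d['opts'] else d['siaddr']
        if sid in self.authorized:
            return None
        kind = 'OFFER' if mtype == OFFER else 'ACK'
        return f'unauthorized dhcp {kind} from {sid}: {d["yiaddr"]} for {d["chaddr"]}'


def demo() -> list:
    """Two constructed replies: one from the real server, one from a server we don't run."""
    client = bytes.fromhex('001122334405')
    w = DhcpWatcher({'10.0.0.2'})
    pkts = [
        build_dhcp_reply(OFFER, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 5]), client),
        build_dhcp_reply(OFFER, bytes([10, 0, 0, 66]), bytes([10, 0, 0, 5]), client),
    ]
    return [w.observe(p) for p in pkts]


if __name__ == '__main__':
    for r in demo():
        print(r)
```

The legitimate offer yields nothing; the second is reported with the offending server identifier, the address it tried to hand out and the client it was aimed at. In practice the packets come from listening on UDP port 68 (or a pcap of broadcast traffic), and the authorized set is the DHCP server the network actually runs.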
Or you can just buy a goddamn L3 switch. Please don't do that, though. That's so boring.