lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 3 Nov 2017 11:39:04 +0100
From:   Eelco Chaudron <echaudro@...hat.com>
To:     David Miller <davem@...emloft.net>
Cc:     netdev@...r.kernel.org
Subject: Re: [PATCH net-next] arp: Ignore packets with an all zero sender mac
 address

On 27/10/17 15:48, David Miller wrote:
> From: Eelco Chaudron <echaudro@...hat.com>
> Date: Thu, 26 Oct 2017 10:37:01 +0200
>
>> Some applications/devices seem to forget their MAC address when
>> performing some kind of a failover which triggers (something that
>> looks like) a gratuities arp.
>>
>> The ARP packet looks something like this:
>>
>>    Address Resolution Protocol (reply)
>>        Hardware type: Ethernet (1)
>>        Protocol type: IPv4 (0x0800)
>>        Hardware size: 6
>>        Protocol size: 4
>>        Opcode: reply (2)
>>        Sender MAC address: 00:00:00:00:00:00
>>        Sender IP address: 10.0.0.1
>>        Target MAC address: 00:00:00:00:00:00
>>        Target IP address: 255.255.255.255
>>
>> This will result in existing arp entries being overwritten with an all
>> zero mac address. Until the arp entry times out this host can no
>> longer initiate a connection to this device.
>>
>> Checking for and ignoring invalid mac addresses will solve this
>> problem.
>>
>> Signed-off-by: Eelco Chaudron <echaudro@...hat.com>
> I really have trouble justifying this fully.
>
> I looked at a bunch of ARP implementations, and I see no special
> checks about the link level address other than to make sure it isn't
> "our" address.
>
> Whatever is generating these weird ARP packets should be fixed
> instead.
Looking for any mentioning of an all-zero MAC address being invalid, the 
only reference I could find was in the original first Xerox Wire 
Specification. The IEEE specifications do not mention this at all, and 
according to it, the all-zero address is a valid MA-L address assigned 
to Xerox.

Looking at the packet more, it might be an attempt to do an unARP (RFC 
1868) but forgot to implement to set the Hardware Address Length to zero.

I'm sure adding an arptables entry can be used to solve this instead, in 
case the offending device cannot be fixed.

Please ignore this patch...

Cheers,

Eelco

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ