Message-Id: <200907012112.40396.denys@visp.net.lb>
Date:	Wed, 1 Jul 2009 21:12:40 +0300
From:	Denys Fedoryschenko <denys@...p.net.lb>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	netdev@...r.kernel.org, David Miller <davem@...emloft.net>
Subject: Re: [RFC] arp announce, arp_proxy and windows ip conflict verification

On Wednesday 01 July 2009 20:40:08 Eric W. Biederman wrote:
>
> Of course a Gratuitous ARP is not intended to solicit a reply.  Because
> two machines should not be configured to have the same IP address.
>
> In the case of two machines being configured with the same IP address,
> replying to gratuitous ARP is correct behaviour, as it allows discovery
> of the network misconfiguration.
Yes, and it is doing that with my patch also. It is answering if there is the same 
_local address_, so it is definitely an IP conflict. 

But Proxy ARP answering an ARP Announce without checking whether the destination 
address is taken is wrong, because it should check whether the host in the destination 
(proxied) network really is taken and should not answer if it is not. 

>
> The problem is that you have a proxy machine configured to proxy for
> the ip that is also assigned to another machine in the same broadcast
> domain.  That is a bug.
Where is it defined as a bug? 
Sometimes it can be used on purpose, to filter traffic in a local segment with a 
lot of unmanaged switches.


>
> The only case where I can imagine proxying the default route would even
> approach being correct is on a point to point link.  But that seems
> pointless as you could simply have a default route to the other side.
Examples that just came to mind:
1) Mobile IP. 

2) Port-isolated setup, available on some switches and on wireless access 
points, where hosts cannot talk to each other via the broadcast domain, only 
via the gateway. In this case the gateway must reply to legitimate ARP requests, 
but ignore ARP announce (gratuitous ARP).

I will search for more respectable sources of information on this case. Btw, it is 
difficult to find these days a "generic" gateway host without a default 
gateway :-)

And the last case: it breaks things for high availability ONLY because it doesn't 
update the neighbor table. That can be fixed easily and I sent patches for that.
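As an added illustration (not code from this thread and not the Linux kernel's proxy-ARP implementation), the following Python model spells out the responder rule argued for in the reply above: a gateway answers ARP requests and announces for its own addresses (an announce for a local address is an IP conflict and should be answered so it gets noticed), answers a request for a proxied address only when that host is actually in use behind it, and never answers an announce for an address it merely proxies. The frame parser follows the real ARP-over-Ethernet layout; the address sets, the network ranges and the sample frames are constructed assumptions for the demo, and a real gateway would consult its neighbour table or routing tables instead of a static set.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    """'02:00:00:00:00:aa' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_frame(op, sha, spa, tha, tpa):
    """Construct a broadcast Ethernet + ARP frame (IPv4 over Ethernet).
    Used only to fabricate sample input for the demo below."""
    eth = BROADCAST_MAC + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Parse the ARP header out of an Ethernet frame; reject anything
    that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": oper,
        "sha": frame[22:28],
        "spa": ipaddress.IPv4Address(frame[28:32]),
        "tha": frame[32:38],
        "tpa": ipaddress.IPv4Address(frame[38:42]),
    }


def is_announce(arp: dict) -> bool:
    """ARP announce (gratuitous ARP request): sender IP equals target IP."""
    return arp["op"] == ARP_REQUEST and arp["spa"] == arp["tpa"]


def proxy_should_reply(frame, local_addrs, proxied_nets, hosts_in_use):
    """Return (reply?, reason) for a proxy-ARP responder.

    local_addrs  - our own IPv4 addresses (dotted-quad strings)
    proxied_nets - CIDR strings of the networks we proxy for
    hosts_in_use - addresses in those networks known to be in use; in a
                   real gateway this comes from the neighbour table or a
                   route lookup, here it is a constructed assumption.
    """
    arp = parse_arp(frame)
    local = {ipaddress.IPv4Address(a) for a in local_addrs}
    nets = [ipaddress.IPv4Network(n) for n in proxied_nets]
    in_use = {ipaddress.IPv4Address(a) for a in hosts_in_use}
    tpa = arp["tpa"]

    if arp["op"] != ARP_REQUEST:
        return False, "not an ARP request"
    if tpa in local:
        # Our own address: answer requests, and answer announces too, so
        # that a duplicate-address misconfiguration becomes visible.
        if is_announce(arp):
            return True, "announce for a local address: IP conflict, reply"
        return True, "request for a local address"
    if not any(tpa in net for net in nets):
        return False, "target is neither local nor proxied"
    if is_announce(arp):
        # Somebody announcing an address we merely proxy for: stay silent.
        return False, "announce for a proxied address: ignored"
    if tpa in in_use:
        return True, "request for a proxied address that is in use"
    return False, "request for a proxied address that is not in use"


def demo():
    """Run the scenarios from the thread on constructed frames."""
    local, nets, in_use = ["192.0.2.1"], ["198.51.100.0/24"], ["198.51.100.10"]
    zero = "00:00:00:00:00:00"
    cases = {
        "request for proxied host in use":
            build_arp_frame(ARP_REQUEST, "02:00:00:00:00:aa", "192.0.2.50", zero, "198.51.100.10"),
        "request for proxied host not in use":
            build_arp_frame(ARP_REQUEST, "02:00:00:00:00:aa", "192.0.2.50", zero, "198.51.100.99"),
        "announce for proxied host":
            build_arp_frame(ARP_REQUEST, "02:00:00:00:00:bb", "198.51.100.10", zero, "198.51.100.10"),
        "announce for our local address":
            build_arp_frame(ARP_REQUEST, "02:00:00:00:00:cc", "192.0.2.1", zero, "192.0.2.1"),
        "reply frame":
            build_arp_frame(ARP_REPLY, "02:00:00:00:00:aa", "192.0.2.50", "02:00:00:00:00:dd", "198.51.100.10"),
    }
    return {name: proxy_should_reply(f, local, nets, in_use) for name, f in cases.items()}


if __name__ == "__main__":
    for name, (reply, reason) in demo().items():
        print(f"{name:40s} reply={reply!s:5s} ({reason})")
```

The ordering of the checks is the point: the local-address test comes first so an announce carrying one of our own addresses is still answered (that is the conflict case Eric describes), while the announce test for proxied addresses comes before the in-use lookup so the gateway stays quiet on announces for hosts it only proxies, even when it knows the address is taken.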