Date: Fri, 3 Jul 2009 02:46:17 +0300
From: Denys Fedoryschenko <denys@...p.net.lb>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: netdev@...r.kernel.org, David Miller <davem@...emloft.net>
Subject: Re: [RFC] arp announce, arp_proxy and windows ip conflict verification

On Friday 03 July 2009 02:23:09 Eric W. Biederman wrote:
> What IOS is irrelevant to this discussion.
Directly relevant; Cisco usually follows standards very well.

> Especially when I don't see the "ip proxy-arp" command.
From the Cisco IOS manual:

    ip proxy-arp
    ....
    Defaults
    Enabled

It will show in the config only as "no ip proxy-arp". For example:

    show running
    ....
    interface FastEthernet2/0
     ip address 10.0.2.2 255.255.255.0
     duplex half
    ....

    Router(config)#inter FastEthernet 2/0
    Router(config-if)#no ip proxy-arp

    show running
    ....
    interface FastEthernet2/0
     ip address 10.0.2.2 255.255.255.0
     no ip proxy-arp
     duplex half
    ....

> Having two networks:
> 10.0.0.0/24 physical segment
> 10.0.1.0/24 physical segment
>
> It is correct for proxy arp to answer for 10.0.0.66
> when it is plugged into the 10.0.1.0/24 network.
It is not defined in the standard, correct or not.

> Because in that case 10.0.0.66 is on the wrong subnet, and your
> network is misconfigured.
Why does Linux care about this? It is not a police inspector to block me from taking this IP in the wrong subnet. And without emotions: it is not its job to give answers for a wrong request (ARP Announce) from a wrong IP (not in the subnet of the Linux interface with proxy arp enabled). Especially because there is no use for the current behavior, other than causing problems.

And most important, what you are telling violates the RFC again; I finally found this in RFC 1027:

  "The gateway is acting as an agent for host B, which is why this technique is called "Proxy ARP"; we will refer to this as a transparent subnet gateway or ARP subnet gateway."

  "An ARP subnet gateway implementation must not reply if the physical networks of the source and target of an ARP request are the same. In this case, either the target host is presumably either on the same physical network as the source host and can answer for itself, or the target host lies in the same direction from the gateway as does the source host, and an ARP reply from the gateway would cause a loop."

Also not very clear, but maybe it is the reason why Cisco doesn't answer for an IP that is not reachable from this interface:

  "If the IP networks of the source and target hosts of an ARP request are different, an ARP subnet gateway implementation should not reply. This is to prevent the ARP subnet gateway from being used to reach foreign IP networks and thus possibly bypass security checks provided by IP gateways."

> Eric
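The two RFC 1027 rules quoted in the message, run against the 10.0.0.66 scenario the thread argues about, as an added Python example that is not part of this thread nor of the Linux or Cisco code. The topology (one IP network 10.0.0.0/16 transparently subnetted into 10.0.0.0/24 and 10.0.1.0/24, a separate 172.16.0.0/16, interface names eth0..eth2) is an assumption, and the probe/announce classification follows RFC 5227, which the thread does not cite.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the thread): the RFC 1027 model of one
# IP network transparently subnetted into physical segments, plus a foreign IP network.
IP_NETWORKS = [ip_network("10.0.0.0/16"), ip_network("172.16.0.0/16")]
SEGMENTS = {                      # interface -> physical segment behind it
    "eth0": ip_network("10.0.0.0/24"),
    "eth1": ip_network("10.0.1.0/24"),
    "eth2": ip_network("172.16.0.0/24"),
}

def segment_for(ip):
    """Interface through which the gateway reaches ip, or None if unreachable."""
    return next((iface for iface, net in SEGMENTS.items() if ip in net), None)

def ip_network_for(ip):
    """IP network in the RFC 1027 sense (the subnetted network as a whole)."""
    return next((net for net in IP_NETWORKS if ip in net), None)

def classify(sender, target):
    """Name the frame per RFC 5227: probe (sender 0.0.0.0), announce (sender == target)."""
    sender, target = ip_address(sender), ip_address(target)
    if sender == ip_address("0.0.0.0"):
        return "probe"
    return "announce" if sender == target else "request"

def proxy_arp_should_reply(rx_iface, sender, target):
    """Apply the two RFC 1027 rules quoted in the thread. Returns (reply, reason)."""
    sender, target = ip_address(sender), ip_address(target)
    target_seg = segment_for(target)
    if target_seg is None:
        return False, "target not reachable via any segment"
    # MUST NOT: source and target on the same physical network (the receiving one)
    if target_seg == rx_iface:
        return False, "same physical network: target can answer for itself"
    # SHOULD NOT: source and target in different IP networks
    if ip_network_for(sender) != ip_network_for(target):
        return False, "different IP networks: would bypass IP gateway checks"
    return True, "reply on behalf of %s via %s" % (target, target_seg)

if __name__ == "__main__":
    # The thread's scenario: 10.0.0.66 announces itself while plugged into 10.0.1.0/24.
    print(classify("10.0.0.66", "10.0.0.66"),
          proxy_arp_should_reply("eth1", "10.0.0.66", "10.0.0.66"))
```

Under the two quoted rules alone the gateway does reply to the 10.0.0.66 announcement arriving on the 10.0.1.0/24 segment, which is the reply that makes the announcing host see an address conflict; the behavior Denys reports for Cisco therefore needs a check beyond those two rules.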