lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 28 Sep 2011 19:49:41 +0200
From:	skandranon <skandranon@....at>
To:	netdev@...r.kernel.org
Subject: Problem with ARP-replies on Kernels 2.6 (possibly 3.0, but not 2.4!)

Hi,

I sure hope that this is the right forum to find help with my problem.
If not, please someone provide me with a pointer!

Following up to a complaint, I found some strange behavior with ARP 
replies being sent out for IP addresses via interfaces that have no 
relation to the IP addresses being queried.

The setup is about as follows:
I have a machine connected to multiple physically disconnected networks, 
neither doing any routing, bridging or anything similar.
MyMachine:eth0: 10.1.1.1/24
MyMachine:eth1: 192.168.1.2/24
MyMachine:eth2: 172.20.7.7/24

Network 10.1.1.0/24 is not controlled by me, and someone decided to 
setup a Windows machine doing multinetworking:similar to
HisMachine:eth0: 10.1.1.15/24
HisMachine:eth0:0: 192.168.1.2/24

Now, HisMachine is detecting another server using IP address 
192.168.1.2, and it is giving the MAC address of MyMachine:eth0 as the 
offender.

Some investigation showed that MyMachine is responding to ARP-broadcasts 
coming in on interface eth0 if those ARP packets have a source address 
of either 0.0.0.0 or some IP address from 10.1.1.0/24 irrespective of 
the IP address that is being queried:
example queries:
"ARP: who has 192.168.1.2 tell 0.0.0.0", received on MyMachine:eth0 => 
MyMachine sends a reply with the MAC-address of its eth0
"ARP: who has 192.168.1.2 tell 10.1.1.15", received on MyMachine:eth0 => 
MyMachine send a reply with the MAC-address of its eth0
"ARP: who has 192.168.1.2 tell 192.168.1.x" (x=1..254), received on 
MyMachine:eth0 => no reply is being sent

Similar behaviour can be seen for other combination of IP addresses and 
interfaces (e.g. "ARP: who has 10.1.1.1 tell 0.0.0.0" received on 
interface eth1 would also be answered - via eth1, of course)

I've tested this using
arping -I <interface> -s <source> <IP address>
arping -I <interface> -D <IP address>
for several different systems (SuSE SLES 8- 2.421, SuSE SLES 9 - 2.6.5, 
SuSE SLES 10 - 2.6.16, SuSE SLES 11 - 2.6.32, Open Suse 11.3 - 2.6.34, 
OpenSuSE 11.4 - 2.6.37, several different Ubuntu versions...),
and found that any 2.6-based system displayed similar behaviour, but not 
the old 2.4-based ones.

Basically, I would have expected MyMachine to answer ARP queries 
received via eth0 only if an address was queried that was assigned to 
eth0 (also secondary IP addresses assigned by "ip" or virtual interfaces 
generated by ifconfig).

So: Is this a bug or a feature?

In any case: many thanks to each of you developers (but for you, I 
wouldn't have my current job), and also many thanks to each of you 
taking the time to answer questions on this list!

Best Regards,
   Frank Mayer

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ