| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4E835E35.3030503@gmx.at> Date: Wed, 28 Sep 2011 19:49:41 +0200 From: skandranon <skandranon@....at> To: netdev@...r.kernel.org Subject: Problem with ARP-replies on Kernels 2.6 (possibly 3.0, but not 2.4!) Hi, I sure hope that this is the right forum to find help with my problem. If not, please someone provide me with a pointer! Following up to a complaint, I found some strange behavior with ARP replies being sent out for IP addresses via interfaces that have no relation to the IP addresses being queried. The setup is about as follows: I have a machine connected to multiple physically disconnected networks, neither doing any routing, bridging or anything similar. MyMachine:eth0: 10.1.1.1/24 MyMachine:eth1: 192.168.1.2/24 MyMachine:eth2: 172.20.7.7/24 Network 10.1.1.0/24 is not controlled by me, and someone decided to setup a Windows machine doing multinetworking:similar to HisMachine:eth0: 10.1.1.15/24 HisMachine:eth0:0: 192.168.1.2/24 Now, HisMachine is detecting another server using IP address 192.168.1.2, and it is giving the MAC address of MyMachine:eth0 as the offender. Some investigation showed that MyMachine is responding to ARP-broadcasts coming in on interface eth0 if those ARP packets have a source address of either 0.0.0.0 or some IP address from 10.1.1.0/24 irrespective of the IP address that is being queried: example queries: "ARP: who has 192.168.1.2 tell 0.0.0.0", received on MyMachine:eth0 => MyMachine sends a reply with the MAC-address of its eth0 "ARP: who has 192.168.1.2 tell 10.1.1.15", received on MyMachine:eth0 => MyMachine send a reply with the MAC-address of its eth0 "ARP: who has 192.168.1.2 tell 192.168.1.x" (x=1..254), received on MyMachine:eth0 => no reply is being sent Similar behaviour can be seen for other combination of IP addresses and interfaces (e.g. "ARP: who has 10.1.1.1 tell 0.0.0.0" received on interface eth1 would also be answered - via eth1, of course) I've tested this using arping -I <interface> -s <source> <IP address> arping -I <interface> -D <IP address> for several different systems (SuSE SLES 8- 2.421, SuSE SLES 9 - 2.6.5, SuSE SLES 10 - 2.6.16, SuSE SLES 11 - 2.6.32, Open Suse 11.3 - 2.6.34, OpenSuSE 11.4 - 2.6.37, several different Ubuntu versions...), and found that any 2.6-based system displayed similar behaviour, but not the old 2.4-based ones. Basically, I would have expected MyMachine to answer ARP queries received via eth0 only if an address was queried that was assigned to eth0 (also secondary IP addresses assigned by "ip" or virtual interfaces generated by ifconfig). So: Is this a bug or a feature? In any case: many thanks to each of you developers (but for you, I wouldn't have my current job), and also many thanks to each of you taking the time to answer questions on this list! Best Regards, Frank Mayer -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists