lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 20 Dec 2013 23:30:40 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Stephen Hemminger <stephen@...workplumber.org>
Cc:	Salam Noureddine <noureddine@...stanetworks.com>,
	"David S. Miller" <davem@...emloft.net>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	James Morris <jmorris@...ei.org>,
	Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
	Patrick McHardy <kaber@...sh.net>, netdev@...r.kernel.org
Subject: Re: [PATCH 1/1] ipv4: arp: Always update neighbour address when a gratuitous arp is received

On Fri, Dec 20, 2013 at 02:06:17PM -0800, Stephen Hemminger wrote:
> On Fri, 20 Dec 2013 10:59:22 -0800
> Salam Noureddine <noureddine@...stanetworks.com> wrote:
> 
> > Gratuitous arp packets are useful in switchover scenarios to update
> > client arp tables as quickly as possible. Currently, the mac address
> > of a neighbour is only updated after a locktime period has elapsed
> > since the last update. In most use cases such delays are unacceptable
> > for network admins. Moreover, the "updated" field of the neighbour
> > stucture doesn't record the last time the address of a neighbour
> > changed but records any change that happens to the neighbour. This is
> > clearly a bug since locktime uses that field as meaning "addr_updated".
> > With this observation, I was able to perpetuate a stale address by
> > sending a stream of gratuitous arp packets spaced less than locktime
> > apart.
> > 
> > Signed-off-by: Salam Noureddine <noureddine@...stanetworks.com>
> 
> Doesn't this make the system more vulnerable to ARP spoofing?

Yes it does, but also it is supposed to work like this with garp, I fear.
Making this conditional on some sysctl would not help either, because
normal behaviour for clients should be, that e.g. the router switches
and sends out garp, that the client should pick those announcements up
as soon as possible. That is also how arp_notify is supposed to work.

Greetings,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ