lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20240410082153.7d12bba1@hermes.local>
Date: Wed, 10 Apr 2024 08:21:53 -0700
From: Stephen Hemminger <stephen@...workplumber.org>
To: netdev@...r.kernel.org
Subject: Fw: [Bug 218700] New: the arp table may contain a fake IP address

This looks like a side effect of the Linux neighbor table
and weak host model. So don't get too worried about it.

Begin forwarded message:

Date: Wed, 10 Apr 2024 07:08:57 +0000
From: bugzilla-daemon@...nel.org
To: stephen@...workplumber.org
Subject: [Bug 218700] New: the arp table may contain a fake IP address


https://bugzilla.kernel.org/show_bug.cgi?id=218700

            Bug ID: 218700
           Summary: the arp table may contain a fake IP address
           Product: Networking
           Version: 2.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: IPV4
          Assignee: stephen@...workplumber.org
          Reporter: a_s_y@...a.ru
        Regression: No

An entry from an incorrect interface may get into the arp table:

# arp -n|grep 100.64.1.113
100.64.1.113   ether   50:ff:20:26:fa:14  C ether9.3109
100.64.1.113           (incomplete)         ether1.2115

# ip -4 a s dev ether9.3109
1829: ether9.3109@...er9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
noqueue state UP group default qlen 1000
    inet 100.64.3.62/30 brd 100.64.3.63 scope global ether9.3109
       valid_lft forever preferred_lft forever

# ip -4 a s dev ether1.2115
1822: ether1.2115@...er1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
noqueue state UP group default qlen 1000
    inet 100.64.1.114/30 brd 100.64.1.115 scope global ether1.2115
       valid_lft forever preferred_lft forever

ether9.3109 and ether1.2115 are 802.1q VLAN, I don't know if it's important.

The ether9.3109 interface receives traffic from forgotten hardware (tcpdump -e
-ni ether9 host 100.64.1.113):

10:57:08.861954 50:ff:20:26:fa:14 > Broadcast, ethertype 802.1Q (0x8100),
length 64: vlan 3109, p 0, ethertype ARP, Request who-has 100.64.1.114 tell
100.64.1.113, length 46

kernel reply is
1) exists, although the ether9.3109 interface does not contain 100.64.1.114
2) contain the MAC of ether9.3109:

10:57:08.861972 3c:ec:ef:4d:94:ee > 50:ff:20:26:fa:14, ethertype 802.1Q
(0x8100), length 46: vlan 3109, p 0, ethertype ARP, Reply 100.64.1.114 is-at
3c:ec:ef:4d:94:ee, length 28

# ip a| grep 100.64.1.114
    inet 100.64.1.114/30 brd 100.64.1.115 scope global ether1.2115

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ