[168225] in North American Network Operators' Group


Proxy ARP detection (was re: best practice for advertising peering

daemon@ATHENA.MIT.EDU (Clay Fiske)
Wed Jan 15 18:34:24 2014

From: Clay Fiske <clay@bloomcounty.org>
In-Reply-To: <20140115204625.GD67472@burnout.tpb.net>
Date: Wed, 15 Jan 2014 15:31:28 -0800
To: Niels Bakker <niels=nanog@bakker.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 15, 2014, at 12:46 PM, Niels Bakker <niels=nanog@bakker.net> wrote:

> * clay@bloomcounty.org (Clay Fiske) [Wed 15 Jan 2014, 20:34 CET]:
>> Semi-related tangent: Working in an IXP setting I have seen weird corner cases cause issues in conjunction with the IXP subnet existing in BGP. Say someone’s got proxy ARP enabled on their router (sadly, more common than it should be, and not just from noobs at startups). Now say your IXP is growing and you expand the subnet. No matter how much you harp on the customers to make the change, they don’t all do it at once. Someone announces the new, larger subnet in BGP. Now when anyone ARPs for IPs in the new part of the range, proxy ARP guy (still on the smaller subnet) says “hey I have a route for that, send it here”. That was fun to troubleshoot. :)
>
> Properly run IXPs pay engineers to hunt down people with Proxy ARP enabled on their peering interfaces.

Yes, yes, I expected a smug reply like this. I just didn’t expect it to take so long.

But how can I detect proxy ARP when detecting proxy ARP was patented in 1996?

http://www.google.com/patents/US5708654


Seriously though, it’s not so simple. You only get replies if the IP you ARP for is in the offender’s route table (or they have a default route). I’ve seen different routers respond depending on which non-local IP was ARPed for. And while using something like 8.8.8.8 might be an obvious choice, I don’t care to hose up everyone’s connectivity to it just to find local proxy ARP offenders on my network.

-c
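An added example (not code from the thread) of the probe-and-listen check Clay describes, run offline over constructed ARP reply frames: it builds the request, parses replies, and flags any MAC that answers for a probed, unassigned address in the IXP's expanded range, probing several addresses because a router only answers for prefixes in its route table. All MACs, addresses and the 198.51.100.0/23 LAN are assumptions.

```python
import struct
import ipaddress

# Added example, not code from the thread. Frames, MACs and addresses below
# are constructed; the IXP LAN is assumed to have grown from 198.51.100.0/24
# to 198.51.100.0/23 (documentation space), so the .101 half is still unused.
ETH_P_ARP = 0x0806
BCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, smac, sip, tmac, tip, dst=BCAST):
    """Ethernet frame carrying an ARP request (op=1) or reply (op=2)."""
    eth = mac_bytes(dst) + mac_bytes(smac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, lens, opcode
    arp += mac_bytes(smac) + ipaddress.IPv4Address(sip).packed
    arp += mac_bytes(tmac) + ipaddress.IPv4Address(tip).packed
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip, tip = ipaddress.IPv4Address(frame[28:32]), ipaddress.IPv4Address(frame[38:42])
    return op, smac, str(sip), str(tip)

def find_proxy_arp(replies, probed, assigned):
    """Map each probed address to the set of MACs that answered for it.
    'assigned' holds {ip: mac} for real peers; a reply for a probed address
    from any other MAC is a proxy ARP responder. Probe several addresses,
    since a router only answers for IPs it has a route to."""
    suspects = {}
    for frame in replies:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:
            continue
        _, smac, sip, _ = parsed
        if sip in probed and assigned.get(sip) != smac:
            suspects.setdefault(sip, set()).add(smac)
    return suspects

PROBER = ("02:00:00:00:00:01", "198.51.100.250")  # the IXP's own probe host
PROBED = {"198.51.101.10", "198.51.101.11"}       # unassigned in the new half
ASSIGNED = {"198.51.100.5": "02:00:00:00:00:05"}  # a legitimate peer
# Constructed replies: router ..aa answers for both probes (default route),
# router ..bb only for .10 (specific route), peer .5 answers for itself.
SAMPLE_REPLIES = [
    build_arp(2, "02:00:00:00:00:aa", "198.51.101.10", *PROBER, dst=PROBER[0]),
    build_arp(2, "02:00:00:00:00:aa", "198.51.101.11", *PROBER, dst=PROBER[0]),
    build_arp(2, "02:00:00:00:00:bb", "198.51.101.10", *PROBER, dst=PROBER[0]),
    build_arp(2, "02:00:00:00:00:05", "198.51.100.5", *PROBER, dst=PROBER[0]),
    b"\x00" * 60,  # unrelated non-ARP frame, ignored
]
```

Sending `build_arp(1, *PROBER, "00:00:00:00:00:00", ip)` on the peering VLAN and feeding the captured replies to `find_proxy_arp` gives the per-address list of offenders.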

