[168227] in North American Network Operators' Group


Re: Proxy ARP detection

daemon@ATHENA.MIT.EDU (Niels Bakker)
Wed Jan 15 18:47:18 2014

Date: Thu, 16 Jan 2014 00:47:02 +0100
From: Niels Bakker <niels=nanog@bakker.net>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <AF5AC7C2-F705-4E23-BF69-F89C569F17F7@bloomcounty.org>

* clay@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]:
[...]
>Seriously though, it’s not so simple. You only get replies if the IP 
>you ARP for is in the offender’s route table (or they have a default 
>route). I’ve seen different routers respond depending on which 
>non-local IP was ARPed for. And while using something like 8.8.8.8 
>might be an obvious choice, I don’t care to hose up everyone’s 
>connectivity to it just to find local proxy ARP offenders on my 
>network.

You'll never be entirely sure but obviously you're not limited to 
sending only one ARP request - this isn't The Hunt For The Red October 
movie.  We're talking a common misconfiguration here in this thread - 
or at least you were, two mails upthread.

How will checking for Proxy ARP possibly hose up anybody's 
connectivity?  You realise that ARP replies are unicast, right?  
And that IXPs generally have dedicated servers for monitoring from 
which they can source packets?


	-- Niels.

-- 
"It's amazing what people will do to get their name on the internet, 
  which is odd, because all you really need is a Blogspot account."
			-- roy edroso, alicublog.blogspot.com
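The detection the thread is arguing about, as an added example that is not part of any message in the archive: send a who-has request for several addresses that are not on the local subnet and attribute every is-at reply to the MAC that sent it. A reply for an off-subnet address can only come from something doing proxy ARP (or something with a default route that answers on that interface, which is the same misconfiguration from the segment's point of view). The frame builders follow the RFC 826 layout; the capture, the MACs and the subnet are constructed for the example and use documentation and shared-address prefixes rather than a real destination like 8.8.8.8. Probing several targets, as the reply above suggests, matters because different routers answer for different non-local addresses depending on what is in their route table.

```python
"""Proxy-ARP responder detection: probe for off-subnet IPs, attribute the replies.

Added example, not code from the NANOG thread. Frame layout is Ethernet II +
RFC 826 ARP; the sample capture at the bottom is constructed, not real traffic.
"""
import ipaddress
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Broadcast who-has request: the probe a scanner sends for each target."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      _mac(src_mac), _ip(src_ip), b"\x00" * 6, _ip(target_ip))
    return BROADCAST + _mac(src_mac) + struct.pack("!H", ETH_P_ARP) + arp


def build_arp_reply(responder_mac: str, claimed_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """Unicast is-at reply, exactly as a (proxy-)ARP responder sends it back to the prober."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      _mac(responder_mac), _ip(claimed_ip), _mac(dst_mac), _ip(dst_ip))
    return _mac(dst_mac) + _mac(responder_mac) + struct.pack("!H", ETH_P_ARP) + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None for non-ARP/malformed."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return (op, sha.hex(":"), str(ipaddress.IPv4Address(spa)),
            tha.hex(":"), str(ipaddress.IPv4Address(tpa)))


def find_proxy_arp(frames, local_net: str, probed_ips):
    """Attribute each reply for a probed off-subnet IP to the MAC that sent it.

    Returns {responder_mac: [off-subnet IPs it claimed]}. Replies for addresses
    inside local_net are legitimate and ignored; so are requests, replies for
    addresses we never asked about, and non-ARP frames.
    """
    net = ipaddress.ip_network(local_net)
    probed = set(probed_ips)
    hits = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sender_mac, sender_ip, _, _ = parsed
        if op != ARP_REPLY or sender_ip not in probed:
            continue
        if ipaddress.IPv4Address(sender_ip) in net:
            continue  # a host answering for its own local address: fine
        hits[sender_mac].add(sender_ip)
    return {mac: sorted(ips) for mac, ips in hits.items()}


# Constructed sample: hypothetical MACs, documentation/shared prefixes as probe targets.
PROBER_MAC, PROBER_IP, LOCAL_NET = "02:00:00:00:00:01", "192.0.2.10", "192.0.2.0/24"
PROBE_TARGETS = ["192.0.2.1", "198.51.100.1", "203.0.113.1", "100.64.0.1"]
SAMPLE_CAPTURE = [build_arp_request(PROBER_MAC, PROBER_IP, t) for t in PROBE_TARGETS] + [
    build_arp_reply("02:00:00:00:00:aa", "198.51.100.1", PROBER_MAC, PROBER_IP),  # router A proxies
    build_arp_reply("02:00:00:00:00:aa", "100.64.0.1", PROBER_MAC, PROBER_IP),    # same box, another prefix
    build_arp_reply("02:00:00:00:00:bb", "203.0.113.1", PROBER_MAC, PROBER_IP),   # router B answers a different one
    build_arp_reply("02:00:00:00:00:cc", "192.0.2.1", PROBER_MAC, PROBER_IP),     # real gateway, local: ignored
    build_arp_reply("02:00:00:00:00:dd", "10.0.0.9", PROBER_MAC, PROBER_IP),      # not a probed target: ignored
    bytes(60),  # non-ARP frame: ignored
]

if __name__ == "__main__":
    for mac, ips in find_proxy_arp(SAMPLE_CAPTURE, LOCAL_NET, PROBE_TARGETS).items():
        print(f"proxy ARP from {mac}: answered for {', '.join(ips)}")
```

On a live segment the request frames go out through a raw `AF_PACKET` socket (root on Linux) and the replies are read back on the same socket; because the replies are unicast to the prober's MAC, as the message above points out, nobody else on the segment even sees them, and a dedicated monitoring host is the natural place to run this from. Anything that shows up in the result answered for an address it does not own on that interface, which is the misconfiguration the thread is hunting.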

