[168228] in North American Network Operators' Group
Re: Proxy ARP detection
daemon@ATHENA.MIT.EDU (Clay Fiske)
Wed Jan 15 18:58:55 2014
From: Clay Fiske <clay@bloomcounty.org>
In-Reply-To: <20140115234702.GF67472@burnout.tpb.net>
Date: Wed, 15 Jan 2014 15:58:39 -0800
To: Niels Bakker <niels=nanog@bakker.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 15, 2014, at 3:47 PM, Niels Bakker <niels=nanog@bakker.net> wrote:
> * clay@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]:
> [...]
>> Seriously though, it's not so simple. You only get replies if the IP you ARP for is in the offender's route table (or they have a default route). I've seen different routers respond depending on which non-local IP was ARPed for. And while using something like 8.8.8.8 might be an obvious choice, I don't care to hose up everyone's connectivity to it just to find local proxy ARP offenders on my network.
>
> You'll never be entirely sure but obviously you're not limited to sending only one ARP request - this isn't The Hunt For The Red October movie. We're talking a common misconfiguration here in this thread - or at least you were, two mails upthread.
>
> How will checking for Proxy ARP possibly hose up anybody's connectivity? You realise that ARP replies are unicast, right? And that IXPs generally have dedicated servers for monitoring from which they can source packets?
This is where theory diverges nicely from practice. In some cases the offender broadcast his reply, and guess what else? A lot of routers listen to unsolicited ARP replies.

So no, even though I consider it someone else's bad behavior to broadcast an ARP reply, I'm not willing to take the chance with an IP that doesn't belong to me.

-c
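A passive check for the two conditions the thread argues over (a router answering ARP for an IP outside the peering LAN, and a reply sent to the broadcast address that other routers may accept unsolicited), as an added example that is not part of any message in the thread; it assumes 192.0.2.0/24 as the local peering LAN and works on constructed frame records rather than a live capture.

```python
import ipaddress
from dataclasses import dataclass

# Assumed peering LAN for the example (RFC 5737 documentation prefix, not from the thread).
LOCAL_PREFIX = ipaddress.ip_network("192.0.2.0/24")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REPLY = 2

PROXY_ARP = "proxy-arp: replied for an IP outside the local prefix"
BROADCAST_REPLY = "broadcast-reply: unsolicited reply can poison neighbor caches"


@dataclass
class ArpFrame:
    dst_mac: str     # Ethernet destination of the frame
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str  # hardware address in the ARP body
    sender_ip: str   # IP the sender claims to answer for
    target_ip: str   # IP of the host being answered


def classify(frame: ArpFrame) -> list:
    """Findings for one frame; only ARP replies matter for this check."""
    findings = []
    if frame.opcode != ARP_REPLY:
        return findings
    if ipaddress.ip_address(frame.sender_ip) not in LOCAL_PREFIX:
        findings.append(PROXY_ARP)
    if frame.dst_mac.lower() == BROADCAST_MAC:
        findings.append(BROADCAST_REPLY)
    return findings


def find_offenders(frames) -> dict:
    """Map each offending sender MAC to the set of findings against it."""
    report = {}
    for frame in frames:
        for finding in classify(frame):
            report.setdefault(frame.sender_mac, set()).add(finding)
    return report


# Constructed sample: a request, a normal reply, a unicast proxy-ARP reply, a broadcast one.
SAMPLE = [
    ArpFrame("00:00:5e:00:53:01", 1, "00:00:5e:00:53:01", "192.0.2.1", "192.0.2.2"),
    ArpFrame("00:00:5e:00:53:01", 2, "00:00:5e:00:53:02", "192.0.2.2", "192.0.2.1"),
    ArpFrame("00:00:5e:00:53:01", 2, "00:00:5e:00:53:aa", "8.8.8.8", "192.0.2.1"),
    ArpFrame(BROADCAST_MAC, 2, "00:00:5e:00:53:bb", "8.8.8.8", "192.0.2.1"),
]

if __name__ == "__main__":
    for mac, findings in sorted(find_offenders(SAMPLE).items()):
        print(mac, *sorted(findings), sep="\n  ")
```

Feeding it ARP replies seen by a monitoring host on the peering LAN flags offenders without the monitor ever ARPing for an address it does not own.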