[177106] in North American Network Operators' Group
Re: Charter ARP Leak
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Mon Dec 29 12:27:26 2014
X-Original-To: nanog@nanog.org
Date: Mon, 29 Dec 2014 12:27:04 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <D0C6E668.796D7%jim.rampley@charter.com>
Errors-To: nanog-bounces@nanog.org
----- Original Message -----
> From: "Rampley Jr, Jim F" <jim.rampley@charter.com>
> On 12/29/14, 10:49 AM, "Valdis.Kletnieks@vt.edu"
> <Valdis.Kletnieks@vt.edu>
> wrote:
>
> >On Mon, 29 Dec 2014 03:44:48 +0000, "Stephen R. Carter" said:
> >> Here is a small excerpt I am seeing.
> >>
> >> 06:04:04.760869 In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype
> >>ARP (0x0806), length 60: arp who-has 97.85.59.219 tell 97.85.58.1
> >> 06:04:04.761950 In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype
> >>ARP (0x0806), length 60: arp who-has 75.135.155.27 tell 75.135.152.1
> >
> >The interesting thing is that they're all .1 addresses. It's almost
> >as if
> >the one broadcast domain has at least 7 different address spaces on
> >it.
>
> Valdis, you are correct. What your seeing is caused by multiple IP
> blocks being assigned to the same CMTS interface.
Am I incorrect, though, in believing that ARP packets should only be visible
within a broadcast domain, and that because of that, they should not be
being passed through a cablemodem attached to such a CMTS interface unless
they're within the IP network in which that interface lives (which is
probably not 0/0)?
This sounds like a firmware bug in either the CMTS or the cablemodem.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
