[10625] in bugtraq
Re: NetBSD Security Advisory 1999-010
daemon@ATHENA.MIT.EDU (Russell Street)
Tue May 25 14:26:19 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <199905250842.UAA10303@mailhost.auckland.ac.nz>
Date: Tue, 25 May 1999 20:42:22 +1200
Reply-To: Russell Street <russells@AUCKLAND.AC.NZ>
From: Russell Street <russells@AUCKLAND.AC.NZ>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <8825677B.005A67C4.00@gwwest.sybase.com> from Ryan Russell at
"May 24, 99 09:27:11 am"
I recently researched this and could not find any reference in the RFCs or
common TCP/IP books on using multicast addresses in ARP replies. The
ARP RFC (RFC826) does not say one way or the other.
> My personal opinion is that ARP should be fixed on all IP stacks (well..
> ARP "stack") so that they won't accept multicast addresses.. I can't
> think of any reason why they should.
One thing that can be configured to use multicast Ethernet addresses
for unicast IP addresses is Microsoft's WLBS (Windows Load Balancing
Server/Service).
Briefly:
- a set of machines appear to have a single IP address and the
machines somehow load balance incoming requests
It does this by
- when the cluster's IP address is ARP'd for the cluster responds with
a made up MAC address
- all the machines participating in the cluster are expected to see
the packets to the cluster MAC address and then agree among themselves
who is handling it
- the response (TCP ACK or whatever) comes out with a different MAC
address from one cluster member.
It relies on all cluster hosts seeing the inbound packets. Works
wonderfully on a hub. If the cluster hosts are connected to a switch
it requires the switch to flood the unknown cluster MAC address to all
ports. This will happen because the MAC address in the ARP reply
never appears as a source address.
Some older switches will only flood to a backbone port, so this does
not work at all.
Clever switches have flood limits that choke it off, viewing it as a
broadcast storm that needs to be controlled. So WLBS works until the
traffic load goes high enough to kick in flood limits.
WLBS lets you use a multicast Ethernet address for the cluster MAC
address. Presumably so you could configure modern Ethernet switches
to send that multicast to a minimal set of ports. More likely as a
gross hack around limits of some switches ;) This is off by default
because some routers do not like it; the help file does not say which ones.
Russell
(The people who installed this onto our network only discovered all
this after the network team read the help file to them... over shouts
of "this network stinks" and "we need more bandwidth!")
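The check Ryan suggests (refuse ARP replies whose sender hardware address is a group address) and the WLBS caveat Russell describes, as an added example that is not part of the original post: a small Ethernet/IPv4 ARP parser plus an acceptance policy that rejects multicast and broadcast sender MACs unless they are explicitly allow-listed for a known cluster, and that notes when the advertised MAC differs from the frame's real source. The sample frames, MAC addresses and allow-list are constructed for the example, not taken from any WLBS deployment.

```python
import struct

ETHERTYPE_ARP, ARP_OP_REPLY, BROADCAST = 0x0806, 2, b"\xff" * 6

def mac_is_multicast(mac: bytes) -> bool:
    # IEEE 802 group bit: least-significant bit of the first octet.
    return bool(mac[0] & 0x01)

def parse_arp_frame(frame: bytes) -> dict:
    # Ethernet II header followed by an Ethernet/IPv4 ARP packet.
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": eth_src, "oper": oper, "sha": sha, "spa": spa,
            "tha": tha, "tpa": tpa}

def check_arp_reply(frame: bytes, allowed_group_macs=frozenset()):
    # Decide whether to learn the spa -> sha binding; returns (accept, reason).
    # Group (multicast/broadcast) sender MACs are refused unless allow-listed,
    # which is how a deliberately deployed WLBS cluster address is admitted.
    arp = parse_arp_frame(frame)
    if arp["oper"] != ARP_OP_REPLY:
        return False, "not an ARP reply"
    sha = arp["sha"]
    if sha == BROADCAST:
        return False, "sender MAC is broadcast"
    if mac_is_multicast(sha) and sha not in allowed_group_macs:
        return False, "sender MAC is multicast: " + sha.hex(":")
    if sha != arp["eth_src"]:
        # Worth logging: a WLBS-style reply advertises a MAC never seen as a source.
        return True, "accepted; sender MAC differs from frame source"
    return True, "accepted"

def build_arp_reply(eth_src, sha, spa, tha, tpa) -> bytes:
    # Build a constructed sample ARP reply frame, unicast back to tha.
    eth = struct.pack("!6s6sH", tha, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_OP_REPLY,
                      sha, spa, tha, tpa)
    return eth + arp

# Constructed sample frames; IPs are RFC 5737 documentation addresses.
NIC = bytes.fromhex("001122334455")      # a real interface address
CLUSTER = bytes.fromhex("010203040506")  # group bit set in the first octet
QUERIER = bytes.fromhex("00aabbccddee")
NORMAL_REPLY = build_arp_reply(NIC, NIC, bytes([192, 0, 2, 10]), QUERIER, bytes([192, 0, 2, 1]))
CLUSTER_REPLY = build_arp_reply(NIC, CLUSTER, bytes([192, 0, 2, 20]), QUERIER, bytes([192, 0, 2, 1]))
```

Passing `frozenset({CLUSTER})` as `allowed_group_macs` admits the cluster reply while still flagging that its advertised MAC is not the frame source.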