From: Denys Fedoryschenko <denys@visp.net.lb>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: netdev@vger.kernel.org, David Miller <davem@davemloft.net>
Subject: Re: [RFC] arp announce, arp_proxy and windows ip conflict verification
Date: Fri, 3 Jul 2009 02:46:17 +0300
Message-ID: <200907030246.18054.denys@visp.net.lb>
In-Reply-To: <m1ws6qu0te.fsf@fess.ebiederm.org>

On Friday 03 July 2009 02:23:09 Eric W. Biederman wrote:
> What IOS is irrelevant to this discussion.

Directly relevant, Cisco usually follows standards very well.

> Especially when I don't see the "ip proxy-arp" command.

From Cisco IOS manual:
ip proxy-arp
....
Defaults
Enabled
It will show in config only "no ip proxy arp"
For example

show running
....
interface FastEthernet2/0
 ip address 10.0.2.2 255.255.255.0
 duplex half
....
Router(config)#inter FastEthernet 2/0
Router(config-if)#no ip proxy-arp

show running
....
interface FastEthernet2/0
 ip address 10.0.2.2 255.255.255.0
 no ip proxy-arp
 duplex half
....

>
> Having two networks:
> 10.0.0.0/24 physical segment
> 10.0.1.0/24 physical segment
>
> It is correct for proxy arp to answer for 10.0.0.66
> when it is plugged into the 10.0.1.0/24 network.

It is not defined in the standard, correct or not.

>
> Because in that case 10.0.0.66 is on the wrong subnet, and your
> network is misconfigured.

What does Linux care about this?
It is not a police inspector to block me from taking this IP in the wrong subnet.
And without emotions - it is not its job to give answers for a wrong request
(ARP Announce), from a wrong IP (not in the subnet of the Linux interface with
proxy arp enabled). Especially because there is no use for the current behavior,
other than making problems.

And most important, what you are telling violates the RFC again; I finally found
this in RFC 1027:

..."The gateway
is acting as an agent for host B, which is why this technique is
called "Proxy ARP"; we will refer to this as a transparent subnet
gateway or ARP subnet gateway.
"...
" An ARP subnet gateway implementation must not reply if the physical
networks of the source and target of an ARP request are the same.
In this case, either the target host is presumably either on the
same physical network as the source host and can answer for itself,
or the target host lies in the same direction from the gateway as
does the source host, and an ARP reply from the would cause a loop.
"

Also not very clear, but maybe it is the reason why Cisco doesn't answer to an IP
which is not reachable from this interface

"
If the IP networks of the source and target hosts of an ARP request
are different, an ARP subnet gateway implementation should not
reply. This is to prevent the ARP subnet gateway from being used to
reach foreign IP networks and thus possibly bypass security checks
provided by IP gateways.
"
>
> Eric
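
Added example (not part of the original message and not the Linux kernel's ARP code): the two RFC 1027 sanity checks quoted above, written as a reply decision for a gateway joining the two /24 segments from the thread. The interface table, the /8 mask used to define "IP network", and all function and enum names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed topology: one gateway joining the two segments from the thread. */
struct iface { uint32_t net, mask; };
static const struct iface ifaces[] = {
    { 0x0A000000u, 0xFFFFFF00u },   /* if0: 10.0.0.0/24 */
    { 0x0A000100u, 0xFFFFFF00u },   /* if1: 10.0.1.0/24 */
};
#define NIFACES ((int)(sizeof ifaces / sizeof ifaces[0]))

/* Assumption: "IP network" means the classful 10.0.0.0/8, as in RFC 1027. */
static const uint32_t NET_MASK = 0xFF000000u;

enum verdict { REPLY, DROP_SAME_PHYS, DROP_FOREIGN_NET, DROP_NO_ROUTE };

/* Interface whose connected subnet contains ip, or -1 if none does. */
static int route_iface(uint32_t ip)
{
    for (int i = 0; i < NIFACES; i++)
        if ((ip & ifaces[i].mask) == ifaces[i].net)
            return i;
    return -1;
}

/* in_if: interface the ARP request arrived on; sip/tip: sender/target IP. */
enum verdict proxy_arp_verdict(int in_if, uint32_t sip, uint32_t tip)
{
    /* Second quoted rule: no reply when the IP networks differ. */
    if ((sip & NET_MASK) != (tip & NET_MASK))
        return DROP_FOREIGN_NET;
    int out_if = route_iface(tip);
    if (out_if < 0)
        return DROP_NO_ROUTE;       /* gateway cannot act as agent for tip */
    /* First quoted rule: no reply when the target is on the ingress segment. */
    if (out_if == in_if)
        return DROP_SAME_PHYS;
    return REPLY;
}

int main(void)
{
    /* 10.0.1.5 on if1 asks for 10.0.0.66, which is reached through if0. */
    printf("%d\n", proxy_arp_verdict(1, 0x0A000105u, 0x0A000042u));
    return 0;
}
```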