From: Denys Fedoryschenko <denys@visp.net.lb>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Mark Smith <lk-netdev@lk-netdev.nosense.org>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org
Subject: Re: [RFC] arp announce, arp_proxy and windows ip conflict verification
Date: Sun, 5 Jul 2009 03:28:09 +0300
Message-ID: <200907050328.09788.denys@visp.net.lb>
In-Reply-To: <m13a9c2dsg.fsf@fess.ebiederm.org>
On Sunday 05 July 2009 03:07:11 Eric W. Biederman wrote:
>
> Multiple subnets on an ethernet segment sure. Multiple subnets
> that don't communicate? Not telling your router about all of
> the subnets on the ethernet segment?
>
> The combination of not configuring the router to know about all of the
> subnets and enabling proxy arp is what is causing problems for Denys.
>
> That sure seems like a misconfiguration to me.
>
> Eric
Real example

Still a lot of letters, but I hope it will help to understand the situation.

Big office network. We trust each other and we don't have much money, so
unmanaged switches. The network is separated into two locations, with the
router in the middle.

eth0 - 10.0.0.2/24
eth1 - 10.0.1.1/24
default gateway is 10.0.0.1

arp_proxy enabled on both. Users have netmask /22 on their machines, so they
can communicate freely. DHCP assigns addresses for them.

I just installed a few Windows XP machines in the same network, and planned to
do some tests only between them. I am just using the same physical media; I
don't think it is reasonable to install a new switch and cables just for them.
Sure, if I had managed switches I could put them in a separate VLAN, but it is
just silly to do that, because proper network equipment will not interfere
with these tests.

So I assign them IPs 192.168.1.1, 192.168.1.2, 1.3, 1.4 and etc. No default
gateway. I don't want my traffic to go outside.

But whoops, on boot I got an IP address conflict. Nice. Ok, let's say I manage
it; it can be disabled in the registry.

I am trying to do tests, and packets supposed to go from 192.168.1.1 to
192.168.1.2 are being forwarded to the router! WTF! In fact the router, by
answering any ARP request (it can be called "ARP spoofing"), is forwarding my
packets to the default gateway, and sure they won't come back. It also makes
it difficult to find the problem, because the ARP reply will be given by both
hosts, the legitimate one and the router who is violating the RFC, and
depending on which comes first and which last, it will work properly or not.
Sure I can enable a delay on sending the proxy_arp request, but if the Windows
host was down at this moment, it will again give an invalid "target" MAC
address.

By your logic I must reconfigure the router each time I do tests and assign
some IPs. Actually I am bringing and plugging into the network a lot of
different equipment, with different default IPs. I cannot always plug them
directly over a crossover cable to my PC, and have to use the network.

It doesn't look logical to reconfigure the office router for each of those
devices or to make isolation. That's why the RFC mentions: "The default route
must not be used when checking for a route to the target host of an ARP
request. If the default route were used, the check would always succeed. But
the host specified by the default route is unlikely to know about subnet
routing (since it is usually an Internet gateway), and thus packets sent to it
will probably be lost."
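The passage Denys quotes is from the proxy ARP RFC (RFC 1027). The following is an added example, not code from this thread or from the kernel: a small Python model of the router's "should I answer this ARP request?" decision, using the two-interface layout and default gateway given in the mail as a constructed routing table. It implements the RFC's rule (answer only when a non-default route points the target out a different interface than the one the request arrived on) and, for comparison, a permissive variant that also follows the default route, which is the behaviour the mail complains about. The route lookup and the `proxy_arp_reply` function are my own simplification, not the kernel's code path.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    iface: str


# Constructed routing table for the router in the mail:
# eth0 10.0.0.2/24, eth1 10.0.1.1/24, default gateway 10.0.0.1 via eth0.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.0.0.0/24"), "eth0"),
    Route(ipaddress.ip_network("10.0.1.0/24"), "eth1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),  # default route
]


def longest_match(routes: List[Route], target: ipaddress.IPv4Address) -> Optional[Route]:
    """Plain longest-prefix match over the given route list."""
    best: Optional[Route] = None
    for route in routes:
        if target in route.network and (
            best is None or route.network.prefixlen > best.network.prefixlen
        ):
            best = route
    return best


def proxy_arp_reply(
    routes: List[Route], target_ip: str, in_iface: str, use_default_route: bool = False
) -> bool:
    """Decide whether the router should answer an ARP request for target_ip
    that arrived on in_iface.

    use_default_route=False follows RFC 1027: the default route is excluded
    from the lookup, so unknown targets (e.g. 192.168.1.x) get no reply.
    use_default_route=True models the permissive behaviour described in the
    mail: the default route makes every lookup succeed.
    """
    target = ipaddress.ip_address(target_ip)
    candidates = (
        routes if use_default_route else [r for r in routes if r.network.prefixlen > 0]
    )
    route = longest_match(candidates, target)
    if route is None:
        return False  # no known route: stay silent, let the real host answer
    if route.iface == in_iface:
        return False  # target is on the requester's own segment: not our job
    return True  # target lives behind another interface: proxy for it


def scenario(use_default_route: bool) -> dict:
    """Run the ARP requests from the mail's story and collect the decisions."""
    return {
        # legitimate proxy case: eth0 host asks for an eth1 host
        "10.0.1.5 asked on eth0": proxy_arp_reply(ROUTES, "10.0.1.5", "eth0", use_default_route),
        # same-segment case: the real host should answer, not the router
        "10.0.0.7 asked on eth0": proxy_arp_reply(ROUTES, "10.0.0.7", "eth0", use_default_route),
        # the test machines from the mail, on the eth1 segment, no route known
        "192.168.1.2 asked on eth1": proxy_arp_reply(ROUTES, "192.168.1.2", "eth1", use_default_route),
    }


if __name__ == "__main__":
    for label, result in scenario(use_default_route=False).items():
        print(f"RFC 1027 rule    : {label:28} -> reply={result}")
    for label, result in scenario(use_default_route=True).items():
        print(f"default route too: {label:28} -> reply={result}")
```

The interesting row is the last one: with the default route excluded the router stays quiet for 192.168.1.2 and only the real Windows host answers; with the default route included the router answers as well, so two replies race on the wire and whichever arrives last wins the requester's ARP cache, which is the intermittent failure the mail describes.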