Bugtraq mailing list archives

Re: Buggy ARP handling in Windoze

From: steve () CELL2000 NET (Steven Alexander)
Date: Thu, 29 Jun 2000 15:29:10 -0700


Bugtraq readers,

Paul's post brings up an interesting issue.  Static ARP entries aren't
actually regulated by RFC 826 (The ARP specification).  Static can be
interpreted in two ways in the context of the ARP cache.  It can be seen as
unchangeable vs. changeable (for security), or it can be seen as permanent
vs. temporary (for performance).

Likely, when ARP was originally designed the latter would have been more
desireable.  I might have a fileserver on my LAN that I would set static ARP
entries for so that everybody has it in their cache all of the time, a
slight performance increase.  However, if that fileserver goes down I may
wish to replace it without manually changing ARP entries on every machine in
my network.  With gratuitous ARP I am able to bring a new machine up to
replace the downed machine and everyone will update their ARP cache to
reflect the new MAC address.  If the machines on the network do not update
the static ARP cache entries I would have to change each one manually
(likely to be difficult).

Unfortunately, network environments are much less friendly than when ARP was
designed (1982) and they are also much faster.  The performance gain that
results from static entries is miniscule compared with the security risk
that results from being able to poison the ARP cache.  However, there is
also the valid point that I may wish to bring up a backup server in the
event that one of my machines fails and I may not be able to update all of
the ARP entries on each machine manually.

It would probably be beneficial in an ARP implementation to be able to set
two seperate attributes to the ARP cache, both permanent (no timeout) and
unchangeable (without manual intervention anyway).  What does everyone else
think?

-steven alexander
steve () cell2000 net

Paul Starzetz wrote:

: Buggy ARP handling in Windoze

I discovered a strange bug in the ARP handling under Windows 98/latest
Winsock patch (IGMP). Win98 (at almost Win95 as far as tested) would not
handle static ARP entries correctly. Setting up an static ARP cache
entry like:


<snip>

Current thread:

Multiple vulnerabilities in Sybergen Secure Desktop, (continued)
- - - Multiple vulnerabilities in Sybergen Secure Desktop anders.ingeborn () INFOSEC SE (Jun 30)
    - SecureXpert Advisory [SX-20000620-2] SecureXpert DIRECT Sender (Jun 30)
  - Re: WuFTPD: Providing *remote* root since at least1994 Bernd Luevelsmeyer (Jun 28)
- Re: WuFTPD: Providing *remote* root since at least1994 Lars Mathiesen (Jun 28)
- Re: WuFTPD: Providing *remote* root since at least1994 Robert Bihlmeyer (Jun 29)
- Re: WuFTPD: Providing *remote* root since at least1994 Ben Pfaff (Jun 29)
  - Update to Integrity Protection Driver Available IPD (Jun 29)
  - Re: WuFTPD: Providing *remote* root since at least1994 Theo de Raadt (Jun 29)
  - Buggy ARP handling in Windoze Paul Starzetz (Jun 29)
    - Re: Buggy ARP handling in Windoze Jurjen Oskam (Jun 29)
    - Re: Buggy ARP handling in Windoze Steven Alexander (Jun 29)
    - vpopmail-3.4.11 problems H D Moore (Jun 29)
    - CONECTIVA LINUX SECURITY ANNOUNCEMENT - dump Conectiva Security (Jun 30)