nanog mailing list archives

Proxy ARP detection (was re: best practice for advertising peering fabric routes)


From: Clay Fiske <clay () bloomcounty org>
Date: Wed, 15 Jan 2014 15:31:28 -0800


On Jan 15, 2014, at 12:46 PM, Niels Bakker <niels=nanog () bakker net> wrote:

> * clay () bloomcounty org (Clay Fiske) [Wed 15 Jan 2014, 20:34 CET]:
>> Semi-related tangent: Working in an IXP setting I have seen weird corner cases cause issues in conjunction with the IXP subnet existing in BGP. Say someone’s got proxy ARP enabled on their router (sadly, more common than it should be, and not just from noobs at startups). Now say your IXP is growing and you expand the subnet. No matter how much you harp on the customers to make the change, they don’t all do it at once. Someone announces the new, larger subnet in BGP. Now when anyone ARPs for IPs in the new part of the range, proxy ARP guy (still on the smaller subnet) says “hey I have a route for that, send it here”. That was fun to troubleshoot. :)
>
> Properly run IXPs pay engineers to hunt down people with Proxy ARP enabled on their peering interfaces.

Yes, yes, I expected a smug reply like this. I just didn’t expect it to take so long.

But how can I detect proxy ARP when detecting proxy ARP was patented in 1996?

http://www.google.com/patents/US5708654


Seriously though, it’s not so simple. You only get replies if the IP you ARP for is in the offender’s route table (or 
they have a default route). I’ve seen different routers respond depending on which non-local IP was ARPed for. And 
while using something like 8.8.8.8 might be an obvious choice, I don’t care to hose up everyone’s connectivity to it 
just to find local proxy ARP offenders on my network.

-c
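Added example, not part of the thread: a small Python parser and classifier for the probe approach discussed above (ARP for addresses in the newly added half of the fabric range and record who answers). Every frame, MAC and address below is constructed; a real run would feed captured ARP replies from the fabric interface into `find_proxy_arp_responders`. A router that answers for one probe address but not another is the route-table dependence Clay mentions, which is why several probe addresses are used.

```python
import struct
import ipaddress

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP reply, used here only to fabricate a sample capture."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sender_mac),
                      ipaddress.IPv4Address(sender_ip).packed, mac_bytes(target_mac),
                      ipaddress.IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/ARP reply frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hdr = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if hdr[:5] != (1, 0x0800, 6, 4, ARP_REPLY):  # Ethernet/IPv4 ARP reply only
        return None
    return ":".join(f"{b:02x}" for b in hdr[5]), str(ipaddress.IPv4Address(hdr[6]))

def find_proxy_arp_responders(frames, probed, assigned):
    """Map each MAC that answered a probe to the probed addresses it claimed. `probed` holds the
    addresses ARPed for; `assigned` maps legitimately assigned IX addresses to their MAC."""
    offenders = {}
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None or parsed[1] not in probed:
            continue
        mac, ip = parsed
        if assigned.get(ip) != mac:  # anyone but the real owner answering is proxying
            offenders.setdefault(mac, set()).add(ip)
    return offenders

# Constructed scenario: fabric grew from 203.0.113.0/24 to 203.0.112.0/23. The probe host
# ARPed for two unassigned addresses in the new half plus one assigned address as a control.
PROBE_MAC = "00:00:5e:00:53:fe"
PROBED = {"203.0.112.10", "203.0.112.200", "203.0.113.50"}
ASSIGNED = {"203.0.113.50": "00:00:5e:00:53:aa"}
SAMPLE_CAPTURE = [
    build_arp_reply("00:00:5e:00:53:01", "203.0.112.10", PROBE_MAC, "203.0.113.1"),  # route for .10 only
    build_arp_reply("00:00:5e:00:53:02", "203.0.112.10", PROBE_MAC, "203.0.113.1"),  # default route
    build_arp_reply("00:00:5e:00:53:02", "203.0.112.200", PROBE_MAC, "203.0.113.1"),
    build_arp_reply("00:00:5e:00:53:aa", "203.0.113.50", PROBE_MAC, "203.0.113.1"),  # legitimate owner
    b"\x00" * 12 + b"\x08\x00" + b"\x00" * 28,  # unrelated IPv4 frame, ignored by the parser
]
```

Running `find_proxy_arp_responders(SAMPLE_CAPTURE, PROBED, ASSIGNED)` flags the two routers that answered for addresses in the new half and leaves the legitimate owner of 203.0.113.50 alone.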

