nanog mailing list archives
Re: Proxy ARP detection
From: Clay Fiske <clay () bloomcounty org>
Date: Wed, 15 Jan 2014 15:58:39 -0800
On Jan 15, 2014, at 3:47 PM, Niels Bakker <niels=nanog () bakker net> wrote:
> * clay () bloomcounty org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]:
>> [...] Seriously though, it’s not so simple. You only get replies if the IP you ARP for is in the offender’s route table (or they have a default route). I’ve seen different routers respond depending on which non-local IP was ARPed for. And while using something like 8.8.8.8 might be an obvious choice, I don’t care to hose up everyone’s connectivity to it just to find local proxy ARP offenders on my network.
>
> You'll never be entirely sure but obviously you're not limited to sending only one ARP request - this isn't The Hunt For The Red October movie. We're talking a common misconfiguration here in this thread - or at least you were, two mails upthread. How will checking for Proxy ARP possibly hose up anybody's connectivity? You realise that ARP replies are unicast, right? And that IXPs generally have dedicated servers for monitoring from which they can source packets?
This is where theory diverges nicely from practice. In some cases the offender broadcast his reply, and guess what else? A lot of routers listen to unsolicited ARP replies. So no, even though I consider it someone else’s bad behavior to broadcast an ARP reply, I’m not willing to take the chance with an IP that doesn’t belong to me.

-c
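Added example, not part of the original post: a passive check over ARP frames already captured on the peering LAN (for instance on a monitoring server) that flags replies answering for an address outside the LAN prefix and replies sent to the Ethernet broadcast address, the two behaviours discussed in this message. The 192.0.2.0/24 prefix, the MAC addresses, the sample frames and the function names are all constructed for illustration.

```python
import ipaddress
import struct

BROADCAST = b"\xff" * 6

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Constructed input: Ethernet II header + IPv4-over-Ethernet ARP body."""
    eth = eth_dst + eth_src + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (eth + arp + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def check_frames(frames, lan):
    """Return sorted (sender_mac, answered_ip, reason) for suspicious replies."""
    lan = ipaddress.ip_network(lan)
    findings = set()
    for f in frames:
        if len(f) < 42 or f[12:14] != b"\x08\x06":
            continue  # truncated frame or not ARP
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", f[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != 2:
            continue  # only IPv4-over-Ethernet ARP replies are examined
        sha = mac(f[22:28])                      # sender hardware address
        spa = ipaddress.IPv4Address(f[28:32])    # IP the sender claims to own
        if spa not in lan:
            # Someone answered for an address that is not on this LAN.
            findings.add((sha, str(spa), "off-subnet-reply"))
        if f[0:6] == BROADCAST:
            # Every listener sees this reply; gratuitous ARP also looks
            # like this, so treat it as something to review.
            findings.add((sha, str(spa), "broadcast-reply"))
    return sorted(findings)

# Constructed sample capture (documentation prefixes, locally administered MACs).
LAN = "192.0.2.0/24"
MON, R1, R2 = (bytes.fromhex("02000000000" + d) for d in "912")
ZERO = b"\x00" * 6
SAMPLE = [
    build_arp(BROADCAST, MON, 1, MON, "192.0.2.250", ZERO, "192.0.2.10"),
    build_arp(MON, R1, 2, R1, "192.0.2.10", MON, "192.0.2.250"),
    build_arp(MON, R2, 2, R2, "198.51.100.7", MON, "192.0.2.250"),
    build_arp(BROADCAST, R2, 2, R2, "203.0.113.5", MON, "192.0.2.250"),
]

if __name__ == "__main__":
    for finding in check_frames(SAMPLE, LAN):
        print(*finding)
```

Because the check only reads frames, nothing is sent for an address the operator does not own.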