nanog mailing list archives

Re: Apple devices spoofing default gateway?


From: Matt Freitag <mlfreita () mtu edu>
Date: Fri, 7 Jun 2019 15:59:26 -0400

For those of us with Aruba wireless, www boy, could you share some more
info about your setup/code version/configuration/specific APs/controller
model(s)/etc?

Matt Freitag
Network Engineer
Michigan Tech IT
Michigan Technological University

We can help.
mtu.edu/it
(906) 487-1111


On Fri, Jun 7, 2019 at 3:06 PM Matt Hoppes <mattlists () rivervalleyinternet net> wrote:

Turn on client isolation on the access points?

On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo () slabnet com> wrote:


On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy () gmail com> wrote:

I just joined nanog to allow me to respond to a thread that Simon posted
in March.
(Not sure if this is how to respond)

We have the exact same problem with Aruba Access points and with multiple
MacBooks and an iMac.
Where the device will spoof the default gateway and the effect is that vlan
is not usable.

I also have raised a case with Apple but so far no luck.

What is the status of your issue?  Any luck working out exactly what the
cause is?

We appeared to hit this with Cisco kit:

https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html

They don't say *exactly* that the Apple devices are spoofing the
gateway, but some behaviour in what they send out results in the proxy arp
being performed by the APs to update the ARP entry for the gateway address
to the clients':

* This is not a malicious attack, but triggered by an interaction
between the macOS device while in sleeping mode, and specific broadcast
traffic generated by newer Android devices
* AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching)
services by default.  Due to their address learning design, they will
modify table entries based on this traffic leading to default gateway ARP
entry modification

The fix was to disable ARP caching on the APs so they don't proxy ARP
but ARP replies pass directly between client devices.

--
Hugo Slabbert       | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E   | also on Signal
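
An added example, not part of the thread or any poster's code: a passive check an operator could run over captured frames to spot the symptom discussed above, ARP packets that bind the default gateway's IP address to a MAC other than the gateway's. All addresses and helper names are constructed for illustration.

```python
import struct

ARP_ETHERTYPE = 0x0806

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    # 14-byte Ethernet header + 28-byte ARP payload is the minimum we accept.
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return oper, sender_mac, sender_ip

def gateway_claims(frames, gateway_ip, gateway_mac):
    """List (frame index, opcode, mac) for ARP packets whose sender fields
    bind gateway_ip to a MAC other than gateway_mac. Requests count too,
    because caches also learn from the sender fields of requests."""
    hits = []
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, smac, sip = parsed
        if sip == gateway_ip and smac != gateway_mac.lower():
            hits.append((i, oper, smac))
    return hits

def build_arp(oper, smac, sip, tmac, tip, dst="ff:ff:ff:ff:ff:ff"):
    """Build a sample frame; used only to construct the test data below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    eth = mac(dst) + mac(smac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + mac(smac) + ip(sip) + mac(tmac) + ip(tip)

# Constructed sample capture; placeholder addresses, not values from the thread.
GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
CLIENT_A, CLIENT_B, ZERO = "02:00:00:00:00:aa", "02:00:00:00:00:bb", "00:00:00:00:00:00"
SAMPLE = [
    build_arp(2, GW_MAC, GW_IP, CLIENT_A, "192.0.2.50"),   # genuine gateway reply
    build_arp(1, CLIENT_A, "192.0.2.50", ZERO, GW_IP),     # client asking for the gateway
    build_arp(2, CLIENT_B, GW_IP, CLIENT_A, "192.0.2.50"), # reply: wrong MAC for gateway IP
    build_arp(1, CLIENT_B, GW_IP, ZERO, GW_IP),            # gratuitous ARP: wrong MAC
]
```

Calling `gateway_claims(SAMPLE, GW_IP, GW_MAC)` returns the last two frames; on a real network the frames would come from a capture on the affected VLAN and the expected gateway MAC from the router's own configuration.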

