linux-kernel.vger.kernel.org archive mirror
From: Richard Underwood <richard@aspectgroup.co.uk>
To: "'David S. Miller'" <davem@redhat.com>,
	Stephan von Krawczynski <skraw@ithnet.com>
Cc: willy@w.ods.org, alan@lxorguk.ukuu.org.uk, carlosev@newipnet.com,
	lamont@scriptkiddie.org, davidsen@tmr.com, bloemsaa@xs4all.nl,
	marcelo@conectiva.com.br, netdev@oss.sgi.com,
	linux-net@vger.kernel.org, layes@loran.com, torvalds@osdl.org,
	linux-kernel@vger.kernel.org
Subject: RE: [2.4 PATCH] bugfix: ARP respond on all devices
Date: Tue, 19 Aug 2003 13:02:20 +0100
Message-ID: <353568DCBAE06148B70767C1B1A93E625EAB57@post.pc.aspectgroup.co.uk>

David S. Miller wrote:
>
> > _And_ you did not explain so far why these implementations should
> > not be RFC-conform or else illegal.
> 
> Both responding and not responding on all interfaces for ARPs
> is RFC conformant.  This means both Linux and other systems
> are within the rules.
> 
	Firstly, can I point out that you have consistently talked about
REPLIES when everyone else has been talking about REQUESTS. I suspect that
this may be confusing more people than you realise.

	The RFC I quoted (985) says the ARP packets generated by Linux
should be dropped. Sure, the RFC isn't a standard, but there ARE plenty of
implementations that obey it for perfectly valid security reasons.

> Under Linux, by default, IP addresses are owned by the system
> not by interfaces.  This increases the likelihood of successful
> communication on a subnet.
> 
	This is crap.

	ARP is local to a broadcast net. The ARP standard explicitly
prohibits responding to an ARP request on a different interface.

	If you broadcast a request asking for a reply on an entirely
different subnet, you're asking for trouble. You REDUCE the likelihood of a
successful ARP reply, not increase it.

	All you can possibly achieve by sending REQUESTS from the wrong IP
number is assist screwed up networks where you've got multiple subnets on
the same copper and cause a shed-load of security issues.

> For scenarios where this doesn't work, we have ways to make the
> kernel behave the way you want it to.
> 
	There are many ways of "fixing" it. I've chosen a static ARP entry
for my next-hop. I really don't care. The issue is that the Linux ARP code
is, apparently by design, flawed.

> There is no discussion about changing the default, because that
> might break things for some people.  So this discussion is pretty
> useless.

	Can you give one good example where this is the case?

	What makes all this worse is that once an ARP request has been
queued using the wrong IP number, further connections that would otherwise
have generated a valid ARP request will be blocked as Linux won't queue a
second request - despite it coming from a different IP number.

	This means that connectivity is non-deterministic, and while
everything may work for 99.9% of the time, when an ARP entry gets deleted
and the next ARP request comes from the wrong IP number you lose
connectivity.

	I wonder how many unsolved random network problems there have been
due to this. "Just reboot it, it'll work again." Great!

	If you insist on leaving the code as it is, at the very least allow
multiple incomplete ARP requests, one per source IP.

	Thanks,

		Richard

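As an added example, not part of the message above or of the kernel code it discusses: a small Python parser that reads an IPv4-over-Ethernet ARP request (RFC 826 layout) and flags a sender protocol address that lies outside the receiving interface's subnet, which is the check an RFC 985-style receiver applies before dropping the packet. The interface subnet 192.0.2.0/24 and the MAC/IP values are constructed for the example.

```python
import ipaddress
import struct

# Constructed interface configuration for the example (not from the thread).
IFACE_NET = ipaddress.ip_network("192.0.2.0/24")

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying an IPv4 ARP packet (RFC 826)."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]  # sha(6) spa(4) tha(6) tpa(4)
    return {
        "oper": oper,
        "sha": body[0:6].hex(":"),
        "spa": str(ipaddress.IPv4Address(body[6:10])),
        "tha": body[10:16].hex(":"),
        "tpa": str(ipaddress.IPv4Address(body[16:20])),
    }


def off_subnet(arp: dict, net=IFACE_NET) -> bool:
    """True when the sender protocol address is not on the receiving subnet.

    A receiver following RFC 985 drops such requests; the message above
    argues that Linux 2.4 can emit them when it picks an IP owned by
    another interface as the sender address.
    """
    return ipaddress.IPv4Address(arp["spa"]) not in net


def build_arp_request(sha: bytes, spa: str, tpa: str) -> bytes:
    """Build a broadcast ARP request frame (used here to construct test input)."""
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    body = (sha + ipaddress.IPv4Address(spa).packed
            + b"\x00" * 6 + ipaddress.IPv4Address(tpa).packed)
    return eth + hdr + body
```
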
