nanog mailing list archives

Re: IP4 address conservation method
From: William Herrin <bill () herrin us>
Date: Fri, 7 Jun 2013 01:36:45 -0400

On Fri, Jun 7, 2013 at 12:06 AM, Jimmy Hess <mysidia () gmail com> wrote:
>> On 6/6/13, William Herrin <bill () herrin us> wrote:
>>> Yes, the system default may be tuned for host/desktop usage
>> No, it doesn't default to reasonable desktop settings for ARP... it
>> defaults to a version of wrong that on a desktop with one NIC and one
>> IP doesn't happen to break anything. It'd be nice if it defaulted to
>> RFC compliant instead and let the few folks with wacky needs move it
>> off the standard behavior.
>
> An interpretation that applies in the design of Linux networking is
> that IP addresses belong to the host, and IP addresses do not belong
> to IP interfaces (excepting 'scope local' IPs, such as IPv6
> link-local).
>
> I find Linux's arp defaults annoying also, but they're not "wrong"
> or "non-RFC compliant".

Hi Jimmy,

I reread RFC 826 and much to my annoyance it doesn't directly speak to
this question. But it does speak to it in a backhanded way, setting a
requirement that makes sense only if the ARP source address is part of
the subnet on which the arp request is made.

826 says, "The Address Resolution module then sets the [...] ar$spa
with the protocol address of itself." "Itself" is never explicitly
defined.

But 826 also says, "The sender hardware address and sender protocol
address are absolutely necessary.  It is these fields that get put in
a translation table." It says that in a context that appears to apply
to both request and response ARPs. RFC 5227 confirms this
interpretation, insisting that gratuitous arps and defensive arps are
arp-request packets, not arp-reply packets.

That would yield a nonsensical activity from the ARP request message
*unless* the source layer 3 address is part of the subnet defined on
that layer 2 network. Not just any source address will do; it must be
one of the machine's addresses that would form a valid entry in the
target's arp cache.


Linux's default behavior copies the source IP address of the outgoing
IP packet to the ARP request, regardless of whether that IP is valid
for that particular LAN subnet. So, I reiterate that Linux's default
for selecting the ARP source address does not match what the RFC says.

Postel's law cuts Linux some slack with respect to accepting ARPs on
the wrong interface. Even though that's almost always the wrong thing
to do. On the other hand, it reinforces the errant nature of Linux's
behavior with respect to source address selection when originating ARP
requests.

-Bill



-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
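To make the behaviour discussed in this thread concrete, here is an added example (not part of the original post) that models how the Linux sysctl net.ipv4.conf.<iface>.arp_announce picks the ARP sender protocol address (ar$spa), and checks whether the chosen address belongs to a subnet configured on the outgoing interface. The sysctl name and the meaning of its three levels come from the kernel's ip-sysctl documentation; the scenario addresses are constructed.

```python
import ipaddress

# Values of the Linux sysctl net.ipv4.conf.<iface>.arp_announce.
ANY_LOCAL = 0         # kernel default: announce whatever source IP the outgoing packet carries
AVOID_OFF_SUBNET = 1  # use the packet's source only if it lies in the target's subnet
BEST_LOCAL = 2        # ignore the packet's source; pick a primary address on the target's subnet


def choose_arp_sender(packet_src, target, iface_addrs, arp_announce=ANY_LOCAL):
    """Return the IPv4 address placed in ar$spa of an ARP request for `target`
    sent out an interface configured with `iface_addrs` (CIDR strings, primary
    address first). This models the documented arp_announce semantics; it is
    an assumption for illustration, not a transcript of the kernel code."""
    src = ipaddress.ip_address(packet_src)
    tgt = ipaddress.ip_address(target)
    nets = [ipaddress.ip_interface(a) for a in iface_addrs]
    on_target_subnet = [n.ip for n in nets if tgt in n.network]

    if arp_announce == ANY_LOCAL:
        return str(src)  # copied verbatim, even if foreign to this LAN
    if arp_announce == AVOID_OFF_SUBNET and src in on_target_subnet:
        return str(src)
    # Level 2, or level 1 falling back to it: first address sharing a subnet
    # with the target; if none, the first address on the interface.
    return str(on_target_subnet[0] if on_target_subnet else nets[0].ip)


def is_valid_arp_source(sender, iface_addrs):
    """True if `sender` belongs to a subnet configured on the interface, i.e.
    it is an address a peer on that LAN could sensibly put in its ARP cache
    (the RFC 826 reading argued above)."""
    s = ipaddress.ip_address(sender)
    return any(s in ipaddress.ip_interface(a).network for a in iface_addrs)


if __name__ == "__main__":
    # Constructed scenario: the host owns 10.0.0.5/24 on eth0 and 192.168.1.5/24
    # on eth1; a socket bound to 192.168.1.5 sends to 10.0.0.9, routed via eth0.
    eth0 = ["10.0.0.5/24"]
    for level in (ANY_LOCAL, AVOID_OFF_SUBNET, BEST_LOCAL):
        spa = choose_arp_sender("192.168.1.5", "10.0.0.9", eth0, level)
        print(f"arp_announce={level}: ar$spa={spa} "
              f"valid_for_lan={is_valid_arp_source(spa, eth0)}")
```

At the default level the request announces 192.168.1.5 on the 10.0.0.0/24 segment, which is the off-subnet sender address the post objects to; levels 1 and 2 announce 10.0.0.5 instead.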