nanog mailing list archives

Re: Sending ARP request to unicast MAC instead of broadcast MAC address?


From: "Crist Clark" <Crist.Clark () globalstar com>
Date: Thu, 17 Jun 2010 10:57:46 -0700

On 6/16/2010 at  3:57 PM, Chris Woodfield <rekoil () semihuman com> wrote:
OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but 
there's a reason for it, I swear...

Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted 
ARP request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC 
address, is instead sent to the already-known unicast MAC address of the host? 


Next, what would be your utility of choice for crafting such a packet? Or is 
this something one would need to code up by hand in a lower-level language?

Unicast ARP requests are considered normal. See Section 2.3.2.1 of
RFC1122, "ARP Cache Validation." Specifically,

            IMPLEMENTATION:
                 Four mechanisms have been used, sometimes in
                 combination, to flush out-of-date cache entries.

                 [snip]

                 (2)  Unicast Poll -- Actively poll the remote host by
                      periodically sending a point-to-point ARP Request
                      to it, and delete the entry if no ARP Reply is
                      received from N successive polls.  Again, the
                      timeout should be on the order of a minute, and
                      typically N is 2.





Current thread: