More ARP things and a semi-required patch

Dagmar d'Surreal dagmar.wants at nospam.com
Tue Feb 17 10:00:43 PST 2004


For those of you who are now looking into the magic that is ARP, there's
a patch you may very well want to apply to your kernel to reduce some of
your pain and frustration with the inobviously strange way Linux handles
ARP.  Not that this behaviour is explicitly _wrong_, but that on an
incorrectly run network, it can break when otherwise it might be useful
(there are uses for its behaviour, although at the moment I can't
remember any good ones).  Enabling this patch breaks nothing you
wouldn't expect it to (if you're doing an HA or
multi-homed/multi-interface configuration, you probably already know
about this anyway).

The issue is that, by default, Linux will reply to ARP queries on _any_
interface for all IP addresses it's interfaces are bound to.  This can
cause both you and the administrators of networks you are connected to
some headaches, particularly if there's clueless losers on your external
network allowing private network traffic to leak out.

For example, you're on a network in an apartment complex where you've
got your masquerading firewall up, and you're using a private netblock
behind it.  Some other clueless loser is on the network using a
masquerading firewall with only one interface and counting on segmenting
and routing to keep his traffic from wandering too far.  Their equipment
starts ARP querying for 192.168.1.1, which happens to be the internal
interface of your firewall.  Your Linux machine (without this patch)
will happily respond to the ARP query saying "I have 192.168.1.1" on
it's _external_ interface and then start getting _their_ traffic (if you
win the race condition, which Linux boxes, being pretty spry, tend to
do).  This is both a problem for them (since their packets will bounce
off your external interface and promptly *die*, if you're lucky) and for
you because 1) you've leaked info about your private internal addressing
space and 2) your machine is now likely logging a lot of dropped packets
it doesn't need to concern itself with.

So... not having this patch poses a threat to Confidentiality of your
private addressing information on a firewall/router, as well as an
(accidental) threat to the Availability and Integrity of your logs
because of the crap traffic that will unnecessarily consume your disks.

...and for those of you who are wondering, yes, ARP tables tend to
completely override routing tables because machines which "know" an
ARP-to-IP translation for a destination which doesn't need a gateway
will send packets directly to the device with that MAC address. 
(Welcome to Man-In-The-Middle Attacks 101--It *is* possible in certain
circumstances for someone to deliberately publish phony ARP information
on a local segment, too.)

The patch can usually be obtained at the following location (although
amusingly enough one when searching Google more readily finds a post to
the NLUG list from me grousing about its documentation) and all it
really requires is to be applied to the kernel, a quick recompile, and
then you stuff 1's into the new "hidden" files in /proc/sys/net/...

http://www.ssi.bg/~ja/#hidden

-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org




More information about the hlfs-dev mailing list