Charter ARP Leak

Jay Ashworth jra at baylink.com
Mon Dec 29 17:27:04 UTC 2014


----- Original Message -----
> From: "Rampley Jr, Jim F" <jim.rampley at charter.com>

> On 12/29/14, 10:49 AM, "Valdis.Kletnieks at vt.edu"
> <Valdis.Kletnieks at vt.edu>
> wrote:
> 
> >On Mon, 29 Dec 2014 03:44:48 +0000, "Stephen R. Carter" said:
> >> Here is a small excerpt I am seeing.
> >>
> >> 06:04:04.760869 In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype
> >>ARP (0x0806), length 60: arp who-has 97.85.59.219 tell 97.85.58.1
> >> 06:04:04.761950 In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype
> >>ARP (0x0806), length 60: arp who-has 75.135.155.27 tell 75.135.152.1
> >
> >The interesting thing is that they're all .1 addresses. It's almost
> >as if
> >the one broadcast domain has at least 7 different address spaces on
> >it.
> 
> Valdis, you are correct. What your seeing is caused by multiple IP
> blocks being assigned to the same CMTS interface.

Am I incorrect, though, in believing that ARP packets should only be visible
within a broadcast domain, and that because of that, they should not be
being passed through a cablemodem attached to such a CMTS interface unless
they're within the IP network in which that interface lives (which is
probably not 0/0)? 

This sounds like a firmware bug in either the CMTS or the cablemodem.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274



More information about the NANOG mailing list