Charter ARP Leak
jra at baylink.com
Mon Dec 29 17:27:04 UTC 2014
----- Original Message -----
> From: "Rampley Jr, Jim F" <jim.rampley at charter.com>
> On 12/29/14, 10:49 AM, "Valdis.Kletnieks at vt.edu"
> <Valdis.Kletnieks at vt.edu>
> >On Mon, 29 Dec 2014 03:44:48 +0000, "Stephen R. Carter" said:
> >> Here is a small excerpt I am seeing.
> >> 06:04:04.760869 In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype
> >>ARP (0x0806), length 60: arp who-has 188.8.131.52 tell 184.108.40.206
> >> 06:04:04.761950 In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype
> >>ARP (0x0806), length 60: arp who-has 220.127.116.11 tell 18.104.22.168
> >The interesting thing is that they're all .1 addresses. It's almost
> >as if
> >the one broadcast domain has at least 7 different address spaces on
> Valdis, you are correct. What your seeing is caused by multiple IP
> blocks being assigned to the same CMTS interface.
Am I incorrect, though, in believing that ARP packets should only be visible
within a broadcast domain, and that because of that, they should not be
being passed through a cablemodem attached to such a CMTS interface unless
they're within the IP network in which that interface lives (which is
probably not 0/0)?
This sounds like a firmware bug in either the CMTS or the cablemodem.
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
More information about the NANOG