Proxy ARP detection

Clay Fiske clay at bloomcounty.org
Wed Jan 15 23:58:39 UTC 2014


On Jan 15, 2014, at 3:47 PM, Niels Bakker <niels=nanog at bakker.net> wrote:

> * clay at bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]:
> [...]
>> Seriously though, it’s not so simple. You only get replies if the IP you ARP for is in the offender’s route table (or they have a default route). I’ve seen different routers respond depending on which non-local IP was ARPed for. And while using something like 8.8.8.8 might be an obvious choice, I don’t care to hose up everyone’s connectivity to it just to find local proxy ARP offenders on my network.
> 
> You'll never be entirely sure but obviously you're not limited to sending only one ARP request - this isn't The Hunt For The Red October movie.  We're talking a common misconfiguration here in this thread - or at least you were, two mails upthread.
> 
> How will checking for Proxy ARP possibly hose up anybody's connectivity?  You realise that ARP replies are unicast, right?  And that IXPs generally have dedicated servers for monitoring from which they can source packets?

This is where theory diverges nicely from practice. In some cases the offender broadcast his reply, and guess what else? A lot of routers listen to unsolicited ARP replies.

So no, even though I consider it someone else’s bad behavior to broadcast an ARP reply, I’m not willing to take the chance with an IP that doesn’t belong to me.

-c



More information about the NANOG mailing list