Proxy ARP detection (was re: best practice for advertising peering fabric routes)
clay at bloomcounty.org
Wed Jan 15 23:31:28 UTC 2014
On Jan 15, 2014, at 12:46 PM, Niels Bakker <niels=nanog at bakker.net> wrote:
> * clay at bloomcounty.org (Clay Fiske) [Wed 15 Jan 2014, 20:34 CET]:
>> Semi-related tangent: Working in an IXP setting I have seen weird corner cases cause issues in conjunction with the IXP subnet existing in BGP. Say someone’s got proxy ARP enabled on their router (sadly, more common than it should be, and not just from noobs at startups). Now say your IXP is growing and you expand the subnet. No matter how much you harp on the customers to make the change, they don’t all do it at once. Someone announces the new, larger subnet in BGP. Now when anyone ARPs for IPs in the new part of the range, proxy ARP guy (still on the smaller subnet) says “hey I have a route for that, send it here”. That was fun to troubleshoot. :)
> Properly run IXPs pay engineers to hunt down people with Proxy ARP enabled on their peering interfaces.
Yes, yes, I expected a smug reply like this. I just didn’t expect it to take so long.
But how can I detect proxy ARP when detecting proxy ARP was patented in 1996?
Seriously though, it’s not so simple. You only get replies if the IP you ARP for is in the offender’s route table (or they have a default route). I’ve seen different routers respond depending on which non-local IP was ARPed for. And while using something like 220.127.116.11 might be an obvious choice, I don’t care to hose up everyone’s connectivity to it just to find local proxy ARP offenders on my network.
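One passive way to find offenders, as an added example that is not part of the original thread: capture ARP replies on the peering VLAN and flag any MAC that answers for an address the IXP did not allocate to it. A router with proxy ARP enabled will answer for addresses in the new half of an expanded subnet (it still treats them as off-link and has a covering route from BGP), and for any other prefix it carries, so one MAC answering for several unallocated addresses is the signature. The subnets (RFC 5737 TEST-NET ranges), MAC addresses, allocation table and frames below are all constructed for the example; the frame layout follows RFC 826 and Ethernet II.

```python
"""Passive proxy-ARP detector over captured ARP replies (constructed example)."""
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2

# Constructed scenario: the fabric grew from 192.0.2.0/25 to 192.0.2.0/24.
FABRIC = ipaddress.IPv4Network("192.0.2.0/24")
# Constructed allocation table: which MAC the IXP assigned each address to.
ALLOCATIONS = {
    ipaddress.IPv4Address("192.0.2.10"): "02:00:00:00:00:01",   # peer A, still on the /25
    ipaddress.IPv4Address("192.0.2.20"): "02:00:00:00:00:02",   # peer B
    ipaddress.IPv4Address("192.0.2.200"): "02:00:00:00:00:03",  # peer C, in the new half
}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II frame carrying an ARP reply; used only to
    construct sample traffic for this example."""
    eth_hdr = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth_hdr + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_OP_REPLY:
        return None
    return mac_str(frame[22:28]), ipaddress.IPv4Address(frame[28:32])


def find_proxy_arp_suspects(frames, fabric, allocations):
    """Map each responding MAC to the addresses it answered for without holding
    an allocation. Addresses inside `fabric` point at a peer that has not moved
    to the expanded subnet; addresses outside it are proxy ARP for a routed prefix."""
    suspects = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue
        sha, spa = parsed
        if allocations.get(spa) == sha:
            continue  # answering for its own allocated address: fine
        suspects[sha].add(spa)
    return {mac: [str(ip) for ip in sorted(ips)] for mac, ips in suspects.items()}


def sample_frames():
    """Constructed capture: peer A answers for C's new-range address and for an
    off-fabric address it happens to have a route for."""
    a, b, c = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    return [
        build_arp_reply(a, "192.0.2.10", b, "192.0.2.20"),     # legitimate
        build_arp_reply(c, "192.0.2.200", b, "192.0.2.20"),    # legitimate
        build_arp_reply(a, "192.0.2.200", b, "192.0.2.20"),    # proxy ARP for new half
        build_arp_reply(a, "198.51.100.1", b, "192.0.2.20"),   # proxy ARP for routed prefix
        build_arp_reply(b, "192.0.2.20", a, "192.0.2.10"),     # legitimate
    ]


if __name__ == "__main__":
    for mac, ips in find_proxy_arp_suspects(sample_frames(), FABRIC, ALLOCATIONS).items():
        print(f"{mac} answered for addresses not allocated to it: {', '.join(ips)}")
```

The detector deliberately keys on the allocation table rather than on whether the address is on-link: a peer answering for an address inside the expanded subnet is exactly the case described above, and would look legitimate to a check that only tested subnet membership. Replies for off-fabric addresses only appear when something on the fabric ARPs for them, which is why a passive capture over a normal day tends to surface fewer offenders than the same capture taken while the fabric is being renumbered.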