Apple devices spoofing default gateway?

www boy wwwboy at gmail.com
Tue Jun 11 03:45:55 UTC 2019


Good day Matt,

We have a combination of IAP-135 and IAP-125's; we are running an older
firmware (yeah, I know it needs updating, something for next month or so).

Worst luck, I couldn't work out how to modify local ARP caches on the access
points.

I have just enabled "Deny inter user bridging" and that seems to have
stopped the network from crashing when a client steals the router IP.
(This solution may not be the best for some environments, though.)
Worst luck, Apple is being very slow with a solution and even admitting
there is an issue.

But I just wanted to make sure I updated this thread so at least people in
the future can find it when they google.

If anyone else has any good ideas or solutions let me know.   I am keen to
try the latest firmware to see if that has any other features that might
prevent this.

Regards,
Mike

On Sat, Jun 8, 2019 at 5:59 AM Matt Freitag <mlfreita at mtu.edu> wrote:

> For those of us with Aruba wireless, www boy, could you share some more
> info about your setup/code version/configuration/specific APs/controller
> model(s)/etc?
>
> Matt Freitag
> Network Engineer
> Michigan Tech IT
> Michigan Technological University
>
> We can help.
> mtu.edu/it
> (906) 487-1111
>
>
> On Fri, Jun 7, 2019 at 3:06 PM Matt Hoppes <
> mattlists at rivervalleyinternet.net> wrote:
>
>> Turn on client isolation on the access points?
>>
>> > On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo at slabnet.com> wrote:
>> >
>> >
>> >> On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy at gmail.com> wrote:
>> >>
>> >> I just joined nanog to allow me to respond to a thread that Simon
>> >> posted in March.
>> >> (Not sure if this is how to respond)
>> >>
>> >> We have the exact same problem with Aruba Access points and with
>> >> multiple MacBooks and an iMac.
>> >> Where the device will spoof the default gateway and the effect is that
>> >> vlan is not usable.
>> >>
>> >> I also have raised a case with Apple but so far no luck.
>> >>
>> >> What is the status of your issue?  Any luck working out exactly what
>> >> the cause is?
>> >
>> > We appeared to hit this with Cisco kit:
>> >
>> > https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html
>> >
>> > They don't say *exactly* that the Apple devices are spoofing the
>> > gateway, but some behaviour in what they send out results in the proxy arp
>> > being performed by the APs to update the ARP entry for the gateway address
>> > to the clients':
>> >
>> >> * This is not a malicious attack, but triggered by an interaction
>> >> between the macOS device while in sleeping mode, and specific broadcast
>> >> traffic generated by newer Android devices
>> >> * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching)
>> >> services by default.  Due to their address learning design, they will
>> >> modify table entries based on this traffic leading to default gateway ARP
>> >> entry modification
>> >
>> > The fix was to disable ARP caching on the APs so they don't proxy ARP
>> > but ARP replies pass directly between client devices.
>> >
>> > --
>> > Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
>> > pgp key: B178313E   | also on Signal
>>
>
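
A passive check for the symptom discussed in this thread, an ARP sender claiming the default gateway's IP from a MAC that is not the router's, as an added example that is not from any poster or vendor. The addresses, MACs and frames are constructed sample data, and the function names are hypothetical.

```python
import struct

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4 ARP frame, else None."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":        # skip one 802.1Q VLAN tag
        off += 4
    if len(frame) < off + 30 or frame[off:off + 2] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off + 2:off + 10])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[off + 10:off + 30])
    dotted = lambda b: ".".join(map(str, b))
    return op, sha.hex(":"), dotted(spa), dotted(tpa)

def gateway_conflicts(frames, gateway_ip, gateway_macs):
    """List (frame index, claiming MAC, kind) for every ARP sender that uses
    gateway_ip from a MAC outside gateway_macs."""
    allowed = {m.lower() for m in gateway_macs}
    hits = []
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, sender_ip, target_ip = parsed
        # An ARP probe has sender IP 0.0.0.0, so it never matches the gateway IP.
        if sender_ip != gateway_ip or mac in allowed:
            continue
        kind = "gratuitous" if target_ip == sender_ip else ("reply" if op == 2 else "request")
        hits.append((i, mac, kind))
    return hits

def _frame(src_mac, op, spa, tpa, vlan=None):
    """Build one constructed broadcast ARP frame (sample data only)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    ip = lambda s: bytes(map(int, s.split(".")))
    return (b"\xff" * 6 + mac + tag + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac + ip(spa) + b"\x00" * 6 + ip(tpa))

# Constructed values: documentation IP range, locally administered MACs.
GW_IP, GW_MAC, CLIENT = "192.0.2.1", "02:00:00:00:00:01", "02:00:00:00:00:aa"
SAMPLE = [
    _frame(GW_MAC, 2, GW_IP, "192.0.2.50"),          # real gateway answering
    _frame(CLIENT, 1, "0.0.0.0", GW_IP),             # ARP probe, not a claim
    _frame(CLIENT, 1, GW_IP, GW_IP),                 # gratuitous ARP for gateway IP
    _frame(CLIENT, 2, GW_IP, "192.0.2.50", vlan=20), # tagged reply claiming gateway
    _frame(CLIENT, 1, "192.0.2.77", GW_IP),          # ordinary request for gateway
]
```

Fed with frames captured on the affected VLAN, `gateway_conflicts` names the client MAC to chase down; requests are reported as well as replies because the sender fields of either can be learned by an ARP cache.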