Apple devices spoofing default gateway?
Jimmy Hess
mysidia at gmail.com
Thu Mar 14 21:19:04 UTC 2019
On Thu, Mar 14, 2019 at 7:29 AM Simon Lockhart <simon at slimey.org> wrote:
> Apple devices, but what's more strange is that we're only seeing it where
> those Apple devices are connected to Cisco 1810 and 1815 APs, and where those
> APs are connected to a Cisco WLC running v8.5 software. If we downgrade the
> WLC to v8.2 the problem goes away (but v8.2 doesn't support 1815 APs, so we
Apple's Bonjour protocols include something called Apple Bonjour Sleep Proxy
for Wake on Demand --- When a device goes to sleep, the Proxy that
runs on various
Apple devices is supposed to seize all the IP and MAC addresses that
device had registered,
so it can wait for an incoming TCP SYN, (and if one's received, then
signal the
sleeping device to wake up and process the connection.)
Bonjour and the related mDNS protocols used for AirPlay/AirPrint/etc
are built on Link-Local
multicast. I wonder what would happen if some random Wireless LAN
controllers malfunctioned,
and decided that it would like to ignore that Link-Local restriction
and proxy those packets b/w
subnets anyways, as if they had been unrestricted multicast or
Unicast, Possibly with the
source IP address on registration Mangled to or "gateway'd" from the
router's IP address.
(Or perhaps they wanted to have a feature to let someone AirPlay from
a different VLAN than
another device?)
Either way.... playing around with the source IP address on the
Link-local m/c packets
might accidentally get them a Default Gateway IP address registered
with other workstations
as a mobile device that's gone to sleep and needs a proxy.
--
-JH
More information about the NANOG
mailing list