Re: Proxy ARP detection

2014-01-16 Thread Niels Bakker

* c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 01:25 CET]:
> On Jan 15, 2014, at 4:03 PM, Niels Bakker niels=na...@bakker.net wrote:
>
>> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
>>> This is where theory diverges nicely from practice. In some
>>> cases the offender broadcast his reply, and guess what else? A
>>> lot of routers listen to unsolicited ARP replies.
>>
>> I've never seen this.  Please name vendor and product, if only so
>> other subscribers to this list can avoid doing business with them.
>
> This was some time ago, but the two I was able to dig up from that
> case were both Junipers. Perhaps it’s something that only happens
> when proxy ARP is enabled?


Maybe.  I don't think I've ever dealt with a situation in which Proxy 
ARP was enabled on a Juniper router.  I've certainly not seen them 
reply to a request with a broadcast, and frankly that sounds like such 
a weird implementation decision that I'm going to need to see pcaps 
before I believe it.


Even if this were a regular occurrence - which it evidently is not - 
it's still better to trigger this when you know you're doing something 
rather than have to step in later when another misconfiguration 
triggers routing problems like those described in an earlier mail, 
renumbering into a larger subnet.



-- Niels.

--
It's amazing what people will do to get their name on the internet, 
 which is odd, because all you really need is a Blogspot account.

-- roy edroso, alicublog.blogspot.com



Re: Proxy ARP detection

2014-01-16 Thread Vlade Ristevski
Cisco ASAs still have proxy ARP enabled by default when certain NAT 
types are configured.


http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html

Default Settings

(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has 
proxy ARP disabled. You cannot configure this setting.

(8.4(2) and later) The default behavior for identity NAT has proxy ARP 
enabled, matching other static NAT rules. You can disable proxy ARP if 
desired. See the Routing NAT Packets section for more information.





On 1/15/2014 7:54 PM, Eric Rosen wrote:

> Cisco PIXes used to do this: if the firewall had a route and saw an ARP request 
> in that IP range it would proxy ARP.
>
> - Original Message -
>
>> On Jan 15, 2014, at 4:03 PM, Niels Bakker niels=na...@bakker.net wrote:
>>
>>> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
>>>> This is where theory diverges nicely from practice. In some cases the
>>>> offender broadcast his reply, and guess what else? A lot of routers
>>>> listen to unsolicited ARP replies.
>>>
>>> I've never seen this.  Please name vendor and product, if only so other
>>> subscribers to this list can avoid doing business with them.
>>
>> This was some time ago, but the two I was able to dig up from that case were
>> both Junipers. Perhaps it’s something that only happens when proxy ARP is
>> enabled?
>>
>> -c





--
Vlade Ristevski
Network Manager
IT Services
Ramapo College
(201)-684-6854




Re: Proxy ARP detection

2014-01-16 Thread Niels Bakker

* vrist...@ramapo.edu (Vlade Ristevski) [Thu 16 Jan 2014, 17:46 CET]:
> Cisco ASAs still have proxy ARP enabled by default when certain NAT 
> types are configured.


That wasn't the question.  The question was what equipment would send 
proxy ARP replies as broadcasts, possibly causing poisoning in other 
routers (which still sounds far-fetched to me).



-- Niels.

--
It's amazing what people will do to get their name on the internet, 
 which is odd, because all you really need is a Blogspot account.

-- roy edroso, alicublog.blogspot.com



Re: Proxy ARP detection

2014-01-16 Thread Warren Bailey
I seem to recall some video encoders doing that, but I can't remember the 
vendor.


Sent from my Mobile Device.


 Original message 
From: Niels Bakker niels=na...@bakker.net
Date: 01/16/2014 8:54 AM (GMT-08:00)
To: nanog@nanog.org
Subject: Re: Proxy ARP detection


* vrist...@ramapo.edu (Vlade Ristevski) [Thu 16 Jan 2014, 17:46 CET]:
> Cisco ASAs still have proxy ARP enabled by default when certain NAT
> types are configured.

That wasn't the question.  The question was what equipment would send
proxy ARP replies as broadcasts, possibly causing poisoning in other
routers (which still sounds far-fetched to me).


-- Niels.

--
It's amazing what people will do to get their name on the internet,
  which is odd, because all you really need is a Blogspot account.
-- roy edroso, alicublog.blogspot.com



Re: Proxy ARP detection

2014-01-16 Thread Jimmy Hess
On Thu, Jan 16, 2014 at 10:51 AM, Niels Bakker niels=na...@bakker.net wrote:

> That wasn't the question.  The question was what equipment would send
> proxy ARP replies as broadcasts, possibly causing poisoning in other
> routers (which still sounds far-fetched to me).

Which current routers will actually _listen_ to a broadcast ARP response
involving an IP address that is outside the subnet assigned to that IP
interface, and override the routing table with that entry?


--
-J


Proxy ARP detection (was re: best practice for advertising peering fabric routes)

2014-01-15 Thread Clay Fiske

On Jan 15, 2014, at 12:46 PM, Niels Bakker niels=na...@bakker.net wrote:

> * c...@bloomcounty.org (Clay Fiske) [Wed 15 Jan 2014, 20:34 CET]:
>> Semi-related tangent: Working in an IXP setting I have seen weird corner 
>> cases cause issues in conjunction with the IXP subnet existing in BGP. Say 
>> someone’s got proxy ARP enabled on their router (sadly, more common than it 
>> should be, and not just from noobs at startups). Now say your IXP is growing 
>> and you expand the subnet. No matter how much you harp on the customers to 
>> make the change, they don’t all do it at once. Someone announces the new, 
>> larger subnet in BGP. Now when anyone ARPs for IPs in the new part of the 
>> range, proxy ARP guy (still on the smaller subnet) says “hey I have a route 
>> for that, send it here”. That was fun to troubleshoot. :)
>
> Properly run IXPs pay engineers to hunt down people with Proxy ARP enabled on 
> their peering interfaces.

Yes, yes, I expected a smug reply like this. I just didn’t expect it to take so 
long.

But how can I detect proxy ARP when detecting proxy ARP was patented in 1996?

http://www.google.com/patents/US5708654


Seriously though, it’s not so simple. You only get replies if the IP you ARP 
for is in the offender’s route table (or they have a default route). I’ve seen 
different routers respond depending on which non-local IP was ARPed for. And 
while using something like 8.8.8.8 might be an obvious choice, I don’t care to 
hose up everyone’s connectivity to it just to find local proxy ARP offenders on 
my network.

-c



Re: Proxy ARP detection

2014-01-15 Thread Niels Bakker

* c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]:
> [...]
> Seriously though, it’s not so simple. You only get replies if the IP 
> you ARP for is in the offender’s route table (or they have a default 
> route). I’ve seen different routers respond depending on which 
> non-local IP was ARPed for. And while using something like 8.8.8.8 
> might be an obvious choice, I don’t care to hose up everyone’s 
> connectivity to it just to find local proxy ARP offenders on my 
> network.


You'll never be entirely sure but obviously you're not limited to 
sending only one ARP request - this isn't The Hunt For The Red October 
movie.  We're talking a common misconfiguration here in this thread - 
or at least you were, two mails upthread.


How will checking for Proxy ARP possibly hose up anybody's 
connectivity?  You realise that ARP replies are unicast, right?  
And that IXPs generally have dedicated servers for monitoring from 
which they can source packets?



-- Niels.

--
It's amazing what people will do to get their name on the internet, 
 which is odd, because all you really need is a Blogspot account.

-- roy edroso, alicublog.blogspot.com



Re: Proxy ARP detection

2014-01-15 Thread Clay Fiske

On Jan 15, 2014, at 3:47 PM, Niels Bakker niels=na...@bakker.net wrote:

> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]:
>> [...]
>> Seriously though, it’s not so simple. You only get replies if the IP you ARP 
>> for is in the offender’s route table (or they have a default route). I’ve 
>> seen different routers respond depending on which non-local IP was ARPed 
>> for. And while using something like 8.8.8.8 might be an obvious choice, I 
>> don’t care to hose up everyone’s connectivity to it just to find local proxy 
>> ARP offenders on my network.
>
> You'll never be entirely sure but obviously you're not limited to sending 
> only one ARP request - this isn't The Hunt For The Red October movie.  We're 
> talking a common misconfiguration here in this thread - or at least you were, 
> two mails upthread.
>
> How will checking for Proxy ARP possibly hose up anybody's connectivity?  You 
> realise that ARP replies are unicast, right?  And that IXPs generally have 
> dedicated servers for monitoring from which they can source packets?

This is where theory diverges nicely from practice. In some cases the offender 
broadcast his reply, and guess what else? A lot of routers listen to 
unsolicited ARP replies.

So no, even though I consider it someone else’s bad behavior to broadcast an 
ARP reply, I’m not willing to take the chance with an IP that doesn’t belong to 
me.

-c


Re: Proxy ARP detection

2014-01-15 Thread Niels Bakker

* c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
> This is where theory diverges nicely from practice. In some cases 
> the offender broadcast his reply, and guess what else? A lot of 
> routers listen to unsolicited ARP replies.

I've never seen this.  Please name vendor and product, if only so 
other subscribers to this list can avoid doing business with them.

> So no, even though I consider it someone else’s bad behavior to 
> broadcast an ARP reply, I’m not willing to take the chance with an 
> IP that doesn’t belong to me.


So do an ARP request for www.equinix.com, or (and!) for an unused 
address on your Peering LAN.  Standard tools like arpwatch should 
alert you to fishy things going on, loudly.



-- Niels.

--
It's amazing what people will do to get their name on the internet, 
 which is odd, because all you really need is a Blogspot account.

-- roy edroso, alicublog.blogspot.com
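The probing approach argued over in the two posts above (ARP for an unused address on the peering LAN and for an address outside it, then watch who answers) and the failure mode Clay describes (an offender that broadcasts its reply, which neighbours may cache) can both be checked offline against a capture. The following is an added example written for this editing pass, not code from the thread or from arpwatch or any other tool mentioned in it: it builds RFC 826 frames, parses them back, and flags replies that claim an off-LAN address, replies sent to the broadcast MAC, and replies nobody asked for. The prefix 192.0.2.0/24, the MAC addresses and every frame in the sample capture are constructed documentation values and stand in for a real IXP. Sending live probes additionally needs a raw socket on the monitoring host and, per the caveat above, an off-LAN target address you control rather than somebody else's.

```python
"""Offline triage of captured ARP frames on a peering LAN.  Added example for
this thread, not any poster's code; the prefix 192.0.2.0/24, the MACs and all
frames are constructed (documentation values) purely to exercise the logic."""
import ipaddress
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
PEERING_LAN = ipaddress.ip_network("192.0.2.0/24")  # assumed IXP LAN prefix

ArpFrame = namedtuple("ArpFrame", "dst_mac src_mac op sender_mac sender_ip "
                                  "target_mac target_ip")


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, src_mac, sender_ip, target_ip,
              dst_mac=BROADCAST_MAC, target_mac=b"\x00" * 6):
    """Ethernet II frame carrying an RFC 826 ARP packet.  The caller picks the
    opcode and destination MAC, so misbehaving frames can be built as well."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, 6, 4
    arp += src_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += target_mac + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(raw):
    """ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(raw) < 42 or struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(_mac(raw[0:6]), _mac(raw[6:12]), op,
                    _mac(raw[22:28]), ipaddress.IPv4Address(raw[28:32]),
                    _mac(raw[32:38]), ipaddress.IPv4Address(raw[38:42]))


def triage(frames, lan=PEERING_LAN):
    """Walk a capture in order and flag the replies a monitor should alert on:
       proxy-arp          reply claims an address outside the LAN prefix
       broadcast-reply    reply is addressed to ff:ff:ff:ff:ff:ff
       unsolicited-reply  no earlier request from the reply's target for it"""
    seen_requests = set()  # (requester_ip, asked_for_ip)
    findings = []
    for raw in frames:
        f = parse_arp(raw)
        if f is None:
            continue
        if f.op == ARP_REQUEST:
            seen_requests.add((f.sender_ip, f.target_ip))
            continue
        if f.op != ARP_REPLY:
            continue
        who = f"{f.src_mac} answering for {f.sender_ip}"
        if f.sender_ip not in lan:
            findings.append(("proxy-arp", f"{who}, outside {lan}"))
        if f.dst_mac == "ff:ff:ff:ff:ff:ff":
            findings.append(("broadcast-reply", f"{who}, sent to broadcast"))
        if (f.target_ip, f.sender_ip) not in seen_requests:
            findings.append(("unsolicited-reply", f"{who}, nobody asked"))
    return findings


# Constructed sample capture; hypothetical hosts, not from any real IXP.
MON = bytes.fromhex("020000000010")    # IXP monitoring host, 192.0.2.10
RTR_A = bytes.fromhex("0200000000aa")  # well-behaved peer, 192.0.2.1
RTR_B = bytes.fromhex("0200000000bb")  # peer with proxy ARP enabled
RTR_C = bytes.fromhex("0200000000cc")  # peer that broadcasts its replies


def sample_capture():
    return [
        # probe 1: an unused LAN address; nobody answers, as it should be
        build_arp(ARP_REQUEST, MON, "192.0.2.10", "192.0.2.200"),
        # probe 2: an off-LAN address we control; the proxy-ARP peer answers
        build_arp(ARP_REQUEST, MON, "192.0.2.10", "198.51.100.1"),
        build_arp(ARP_REPLY, RTR_B, "198.51.100.1", "192.0.2.10",
                  dst_mac=MON, target_mac=MON),
        # a normal exchange: request and unicast reply for a LAN address
        build_arp(ARP_REQUEST, MON, "192.0.2.10", "192.0.2.1"),
        build_arp(ARP_REPLY, RTR_A, "192.0.2.1", "192.0.2.10",
                  dst_mac=MON, target_mac=MON),
        # a broadcast reply nobody asked for, claiming an off-LAN address:
        # the frame that can end up in every neighbour's ARP cache
        build_arp(ARP_REPLY, RTR_C, "203.0.113.5", "192.0.2.10",
                  dst_mac=BROADCAST_MAC, target_mac=MON),
    ]


def run_example():
    """Findings for the sample capture: four, from RTR_B (1) and RTR_C (3)."""
    return triage(sample_capture())
```

`run_example()` returns four findings: the unicast answer from RTR_B for 198.51.100.1 is flagged once as proxy-arp, while RTR_C's broadcast, unsolicited answer for 203.0.113.5 trips all three checks. On a real capture you feed the raw bytes of each record into `triage`; the unused-LAN-address probe is the cheap check (any answer at all is wrong), and the off-LAN probe only catches routers that hold a route or a default for the address you pick, which is why one probe address is not enough.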



Re: Proxy ARP detection

2014-01-15 Thread Clay Fiske

On Jan 15, 2014, at 4:03 PM, Niels Bakker niels=na...@bakker.net wrote:

> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
>> This is where theory diverges nicely from practice. In some cases the 
>> offender broadcast his reply, and guess what else? A lot of routers listen 
>> to unsolicited ARP replies.
>
> I've never seen this.  Please name vendor and product, if only so other 
> subscribers to this list can avoid doing business with them.

This was some time ago, but the two I was able to dig up from that case were 
both Junipers. Perhaps it’s something that only happens when proxy ARP is 
enabled?


-c




Re: Proxy ARP detection

2014-01-15 Thread Eric Rosen
Cisco PIXes used to do this: if the firewall had a route and saw an ARP request 
in that IP range it would proxy ARP.

- Original Message -

> On Jan 15, 2014, at 4:03 PM, Niels Bakker niels=na...@bakker.net wrote:
>
>> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
>>> This is where theory diverges nicely from practice. In some cases the
>>> offender broadcast his reply, and guess what else? A lot of routers
>>> listen to unsolicited ARP replies.
>>
>> I've never seen this.  Please name vendor and product, if only so other
>> subscribers to this list can avoid doing business with them.
>
> This was some time ago, but the two I was able to dig up from that case were
> both Junipers. Perhaps it’s something that only happens when proxy ARP is
> enabled?
>
> -c

-- 
Eric Rosen
CCIE Security #17821
Information Security Analyst
Red Hat, Inc
ero...@redhat.com
919.890.8555 x48555
IRC erosen





Re: Proxy ARP detection

2014-01-15 Thread Patrick W. Gilmore
Excellent. So all everyone has to do is not buy cisco _or_ juniper.

Wait a minute

-- 
TTFN,
patrick


On Jan 15, 2014, at 19:54 , Eric Rosen ero...@redhat.com wrote:

> Cisco PIXes used to do this: if the firewall had a route and saw an ARP request 
> in that IP range it would proxy ARP.
>
> - Original Message -
>
>> On Jan 15, 2014, at 4:03 PM, Niels Bakker niels=na...@bakker.net wrote:
>>
>>> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
>>>> This is where theory diverges nicely from practice. In some cases the
>>>> offender broadcast his reply, and guess what else? A lot of routers
>>>> listen to unsolicited ARP replies.
>>>
>>> I've never seen this.  Please name vendor and product, if only so other
>>> subscribers to this list can avoid doing business with them.
>>
>> This was some time ago, but the two I was able to dig up from that case were
>> both Junipers. Perhaps it’s something that only happens when proxy ARP is
>> enabled?
>>
>> -c
>
> -- 
> Eric Rosen
> CCIE Security #17821
> Information Security Analyst
> Red Hat, Inc
> ero...@redhat.com
> 919.890.8555 x48555
> IRC erosen
 




Re: Proxy ARP detection

2014-01-15 Thread Jimmy Hess
On Wed, Jan 15, 2014 at 10:21 PM, Patrick W. Gilmore patr...@ianai.net wrote:

> Excellent. So all everyone has to do is not buy cisco _or_ juniper.

Or make the LANs IPv6-only addressed, since ARP is not used.  <G>

And it is probably unlikely that someone will turn on an ND Proxy by
accident.

> Wait a minute
>
> --
> TTFN,
> patrick


--
-JH


Re: Proxy ARP detection (was re: best practice for advertising peering fabric routes)

2014-01-15 Thread ML


On 1/15/2014 6:31 PM, Clay Fiske wrote:

> Yes, yes, I expected a smug reply like this. I just didn’t expect it to take so 
> long.
>
> But how can I detect proxy ARP when detecting proxy ARP was patented in 1996?
>
> http://www.google.com/patents/US5708654
>
> Seriously though, it’s not so simple. You only get replies if the IP you ARP 
> for is in the offender’s route table (or they have a default route). I’ve seen 
> different routers respond depending on which non-local IP was ARPed for. And 
> while using something like 8.8.8.8 might be an obvious choice, I don’t care to 
> hose up everyone’s connectivity to it just to find local proxy ARP offenders on 
> my network.
>
> -c



Shouldn't ARP inspection be a common feature?



Re: Proxy ARP detection (was re: best practice for advertising peering fabric routes)

2014-01-15 Thread Jimmy Hess
On Wed, Jan 15, 2014 at 10:49 PM, ML m...@kenweb.org wrote:

> Shouldn't ARP inspection be a common feature?


Dynamic ARP inspection is mostly useful only when the trusted ports receive
their MAC to IP address mapping from a trusted DHCP server, and the trusted
mapping is established using DHCP snooping.

Or else, you have manually entered entries in the secure ARP database of MAC
to IP mappings. Which most operators would be resistant to dealing with,
because of all the extra work.

-It's not as if the switches know what the valid subnets are and suppress
ARP requests for outside networks.

Therefore, in most cases, ARP inspection won't be used, except for DHCP
clients. ARP inspection goes hand-in-hand with increasing resistance against
a Man in the Middle attack from a compromised workstation on a LAN, using ARP
hijacking to capture traffic or distribute malware to a neighboring
workstation.

In most cases, DHCP-based configuration will not be used for routers (the
very devices that might inadvertently have proxy ARP).

--
-JH