From owner-freebsd-net@FreeBSD.ORG  Thu Mar 17 04:26:17 2005
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BF97A16A4CE
	for <freebsd-net@freebsd.org>; Thu, 17 Mar 2005 04:26:17 +0000 (GMT)
Received: from be-research.ucsd.edu (be-research.ucsd.edu [132.239.236.13])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E214543D54
	for <freebsd-net@freebsd.org>; Thu, 17 Mar 2005 04:26:16 +0000 (GMT)
	(envelope-from nlandys@bioeng.ucsd.edu)
Received: from localhost (nlandys@localhost)
	by be-research.ucsd.edu (8.11.1/8.11.1) with ESMTP id j2H4Q1f15846135;
	Wed, 16 Mar 2005 20:26:03 -0800 (PST)
Date: Wed, 16 Mar 2005 20:26:00 -0800
From: Nerius Landys <nlandys@bioeng.ucsd.edu>
To: Maxim Konovalov <maxim@macomnet.ru>
In-Reply-To: <20050317025907.G69637@mp2.macomnet.net>
Message-ID: <Pine.SGI.4.58.0503162022160.15854026@be-research.ucsd.edu>
References: <Pine.SGI.4.58.0503161125380.15799222@be-research.ucsd.edu>
 <20050317025907.G69637@mp2.macomnet.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: Nerius Landys <nlandys@bioeng.ucsd.edu>
cc: freebsd-net@freebsd.org
Subject: Re: transparent bridge and ARP proxy confusion
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2005 04:26:17 -0000

> [...]
> > On host 192.168.0.2, the tcpdump output:
> >
> >   00:10:53.445868 0:2:b3:da:50:ba Broadcast arp 60:
> >                     arp who-has 192.168.0.2 tell 192.168.0.6
> >   00:10:53.445888 0:e:c:68:e3:94 0:2:b3:da:50:ba arp 42:
> >                     arp reply 192.168.0.2 is-at 0:e:c:68:e3:94
> >   00:10:53.446615 0:2:b3:da:50:bb 0:e:c:68:e3:94 ip 98:
> >                     192.168.0.6 > 192.168.0.2: icmp: echo request
> >   00:10:53.446634 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 98:
> >                     192.168.0.2 > 192.168.0.6: icmp: echo reply
> >   00:10:58.442471 0:e:c:68:e3:94 0:2:b3:da:50:ba arp 42:
> >                     arp who-has 192.168.0.6 tell 192.168.0.2
> >   00:10:58.442925 0:2:b3:da:50:bb 0:e:c:68:e3:94 arp 60:
> >                     arp reply 192.168.0.6 is-at 0:2:b3:da:50:bb
>
> What's the behaviour is observed with TCP or UDP?  Is it the same?

Here is the behavior of TCP and UDP.  Using SSH for TCP and DNS for UDP.
(Please refer to my original email for a network topology diagram and
other information.)

As the FreeBSD bridge machine 192.168.0.6 is booting up, it sends a
single gratuitous ARP (and several ipv6 packets):

  19:02:31.363826 0:2:b3:da:50:ba Broadcast arp 60:
      arp who-has 192.168.0.6 tell 192.168.0.6

After bootup, the ARP cache on FreeBSD bridge:

  # arp -na
  ? (192.168.0.6) at 00:02:b3:da:50:ba on fxp0 permanent [ethernet]

SSH from 192.168.0.2 to 192.168.0.6, captured on 192.168.0.2 interface
(at SSH password prompt, hit ^C):

  19:26:13.922517 0:e:c:68:e3:94 Broadcast arp 42:
      arp who-has 192.168.0.6 tell 192.168.0.2
  19:26:13.923391 0:2:b3:da:50:bb 0:e:c:68:e3:94 arp 60:
      arp reply 192.168.0.6 is-at 0:2:b3:da:50:bb
  19:26:13.923399 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 74:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          S 3653647611:3653647611(0) win 5840
          <mss 1460,sackOK,timestamp 170488 0,nop,wscale 0> (DF)
  19:26:13.923765 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 78:
      192.168.0.6.ssh > 192.168.0.2.32797:
          S 3187858300:3187858300(0) ack 3653647612 win 65535
          <mss 1460,nop,wscale 1,nop,nop,timestamp 83567
              170488,nop,nop,sackOK> (DF)
  19:26:13.923786 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 66:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          . ack 1 win 5840
          <nop,nop,timestamp 170488 83567> (DF)
  19:26:13.950622 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 107:
      192.168.0.6.ssh > 192.168.0.2.32797:
          P 1:42(41) ack 1 win 33304
          <nop,nop,timestamp 83570 170488> (DF)
  19:26:13.950783 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 66:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          . ack 42 win 5840
          <nop,nop,timestamp 170491 83570> (DF)
  19:26:13.951007 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 90:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          P 1:25(24) ack 42 win 5840
          <nop,nop,timestamp 170491 83570> (DF)
  19:26:13.990094 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 666:
      192.168.0.6.ssh > 192.168.0.2.32797:
          P 42:642(600) ack 25 win 33304
          <nop,nop,timestamp 83574 170491> (DF)
  19:26:13.990110 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 610:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          P 25:569(544) ack 642 win 6600
          <nop,nop,timestamp 170495 83574> (DF)
  19:26:14.085653 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 66:
      192.168.0.6.ssh > 192.168.0.2.32797:
          . ack 569 win 33304
          <nop,nop,timestamp 83584 170495> (DF)
  19:26:14.085661 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 90:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          P 569:593(24) ack 642 win 6600
          <nop,nop,timestamp 170504 83584> (DF)
  19:26:14.148608 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 346:
      192.168.0.6.ssh > 192.168.0.2.32797:
          P 642:922(280) ack 593 win 33304
          <nop,nop,timestamp 83590 170504> (DF)
  19:26:14.159408 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 338:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          P 593:865(272) ack 922 win 7800
          <nop,nop,timestamp 170511 83590> (DF)
  19:26:14.236796 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 850:
      192.168.0.6.ssh > 192.168.0.2.32797:
          P 922:1706(784) ack 865 win 33304
          <nop,nop,timestamp 83599 170511> (DF)
  19:26:14.253296 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 82:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          P 865:881(16) ack 1706 win 9408
          <nop,nop,timestamp 170521 83599> (DF)
  19:26:14.345719 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 66:
      192.168.0.6.ssh > 192.168.0.2.32797:
          . ack 881 win 33304
          <nop,nop,timestamp 83610 170521> (DF)
  19:26:14.345733 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 114:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          P 881:929(48) ack 1706 win 9408
          <nop,nop,timestamp 170530 83610> (DF)
  19:26:14.346467 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 114:
      192.168.0.6.ssh > 192.168.0.2.32797:
          P 1706:1754(48) ack 929 win 33304
          <nop,nop,timestamp 83610 170530> (DF)
  19:26:14.346657 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 130:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          P 929:993(64) ack 1754 win 9408
          <nop,nop,timestamp 170530 83610> (DF)
  19:26:14.361707 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 130:
      192.168.0.6.ssh > 192.168.0.2.32797:
          P 1754:1818(64) ack 993 win 33304
          <nop,nop,timestamp 83611 170530> (DF)
  19:26:14.361905 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 162:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          P 993:1089(96) ack 1818 win 9408
          <nop,nop,timestamp 170532 83611> (DF)
  19:26:14.455641 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 66:
      192.168.0.6.ssh > 192.168.0.2.32797:
          . ack 1089 win 33304
          <nop,nop,timestamp 83621 170532> (DF)
  19:26:14.472379 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 130:
      192.168.0.6.ssh > 192.168.0.2.32797:
          P 1818:1882(64) ack 1089 win 33304
          <nop,nop,timestamp 83622 170532> (DF)
  19:26:14.509502 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 66:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          . ack 1882 win 9408
          <nop,nop,timestamp 170547 83622> (DF)
  19:27:06.974152 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 66:
      192.168.0.2.32797 > 192.168.0.6.ssh:
          F 1089:1089(0) ack 1882 win 9408
          <nop,nop,timestamp 175793 83622> (DF)
  19:27:06.974458 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 66:
      192.168.0.6.ssh > 192.168.0.2.32797:
          . ack 1090 win 33304
          <nop,nop,timestamp 88873 175793> (DF)

Only the second frame has a source address of 0:2:b3:da:50:bb.

Now if we bring all systems down, and then bring them back up again,
and this time SSH in the opposite direction, namely from
192.168.0.6 (FreeBSD) to 192.168.0.2, and capture Ethernet frames on
host 192.168.0.2 using tcpdump:

  19:52:17.469144 0:2:b3:da:50:ba Broadcast arp 60:
      arp who-has 192.168.0.2 tell 192.168.0.6
  19:52:17.469167 0:e:c:68:e3:94 0:2:b3:da:50:ba arp 42:
      arp reply 192.168.0.2 is-at 0:e:c:68:e3:94
  19:52:17.469892 0:2:b3:da:50:bb 0:e:c:68:e3:94 ip 78:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          S 1713946399:1713946399(0) win 65535
          <mss 1460,nop,nop,sackOK,nop,wscale
              1,nop,nop,timestamp 3432 0> (DF)
  19:52:17.469916 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 74:
      192.168.0.2.ssh > 192.168.0.6.64269:
          S 1004911580:1004911580(0) ack 1713946400 win 5792
          <mss 1460,sackOK,timestamp 326843 3432,nop,wscale 0> (DF)
  19:52:17.470142 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 66:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          . ack 1 win 33304
          <nop,nop,timestamp 3432 326843> (DF)
  19:52:17.471057 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 91:
      192.168.0.2.ssh > 192.168.0.6.64269:
          P 1:26(25) ack 1 win 5792
          <nop,nop,timestamp 326843 3432> (DF)
  19:52:17.480010 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 107:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          P 1:42(41) ack 26 win 33304
          <nop,nop,timestamp 3433 326843> (DF)
  19:52:17.480056 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 66:
      192.168.0.2.ssh > 192.168.0.6.64269:
          . ack 42 win 5792
          <nop,nop,timestamp 326844 3433> (DF)
  19:52:17.480887 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 674:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          P 42:650(608) ack 26 win 33304
          <nop,nop,timestamp 3433 326844> (DF)
  19:52:17.480902 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 66:
      192.168.0.2.ssh > 192.168.0.6.64269:
          . ack 650 win 6688
          <nop,nop,timestamp 326844 3433> (DF)
  19:52:17.481654 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 610:
      192.168.0.2.ssh > 192.168.0.6.64269:
          P 26:570(544) ack 650 win 6688
          <nop,nop,timestamp 326844 3433> (DF)
  19:52:17.482383 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 90:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          P 650:674(24) ack 570 win 33304
          <nop,nop,timestamp 3433 326844> (DF)
  19:52:17.484248 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 218:
      192.168.0.2.ssh > 192.168.0.6.64269:
          P 570:722(152) ack 674 win 6688
          <nop,nop,timestamp 326844 3433> (DF)
  19:52:17.496622 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 210:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          P 674:818(144) ack 722 win 33304
          <nop,nop,timestamp 3435 326844> (DF)
  19:52:17.503382 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 722:
      192.168.0.2.ssh > 192.168.0.6.64269:
          P 722:1378(656) ack 818 win 6688
          <nop,nop,timestamp 326846 3435> (DF)
  19:52:17.602925 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 66:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          . ack 1378 win 33304
          <nop,nop,timestamp 3446 326846> (DF)
  19:52:19.938407 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 82:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          P 818:834(16) ack 1378 win 33304
          <nop,nop,timestamp 3679 326846> (DF)
  19:52:19.969506 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 66:
      192.168.0.2.ssh > 192.168.0.6.64269:
          . ack 834 win 6688
          <nop,nop,timestamp 327093 3679> (DF)
  19:52:19.969757 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 114:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          P 834:882(48) ack 1378 win 33304
          <nop,nop,timestamp 3682 327093> (DF)
  19:52:19.969770 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 66:
      192.168.0.2.ssh > 192.168.0.6.64269:
          . ack 882 win 6688
          <nop,nop,timestamp 327093 3682> (DF)
  19:52:19.970210 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 114:
      192.168.0.2.ssh > 192.168.0.6.64269:
          P 1378:1426(48) ack 882 win 6688
          <nop,nop,timestamp 327093 3682> (DF)
  19:52:19.970756 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 130:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          P 882:946(64) ack 1426 win 33304
          <nop,nop,timestamp 3682 327093> (DF)
  19:52:19.973369 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 146:
      192.168.0.2.ssh > 192.168.0.6.64269:
          P 1426:1506(80) ack 946 win 6688
          <nop,nop,timestamp 327093 3682> (DF)
  19:52:19.973879 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 162:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          P 946:1042(96) ack 1506 win 33304
          <nop,nop,timestamp 3683 327093> (DF)
  19:52:19.974074 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 146:
      192.168.0.2.ssh > 192.168.0.6.64269:
          P 1506:1586(80) ack 1042 win 6688
          <nop,nop,timestamp 327093 3683> (DF)
  19:52:20.072812 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 66:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          . ack 1586 win 33304
          <nop,nop,timestamp 3693 327093> (DF)
  19:52:22.103008 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 66:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          F 1042:1042(0) ack 1586 win 33304
          <nop,nop,timestamp 3896 327093> (DF)
  19:52:22.103600 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 66:
      192.168.0.2.ssh > 192.168.0.6.64269:
          F 1586:1586(0) ack 1043 win 6688
          <nop,nop,timestamp 327306 3896> (DF)
  19:52:22.104133 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 66:
      192.168.0.6.64269 > 192.168.0.2.ssh:
          . ack 1587 win 33303
          <nop,nop,timestamp 3896 327306> (DF)

Only the third frame has a reference to MAC address 0:2:b3:da:50:bb;
all other frames use the 'ba' address.

Now for a UDP test.
Bringing the hosts down and up again and doing, on the FreeBSD bridge:

  # dig @192.168.0.2 foo.bar

Gives the following tcpdump output on host 192.168.0.2:

  20:07:50.450628 0:2:b3:da:50:ba Broadcast arp 60:
      arp who-has 192.168.0.2 tell 192.168.0.6
  20:07:50.450650 0:e:c:68:e3:94 0:2:b3:da:50:ba arp 42:
      arp reply 192.168.0.2 is-at 0:e:c:68:e3:94
  20:07:50.451375 0:2:b3:da:50:bb 0:e:c:68:e3:94 ip 67:
      192.168.0.6.64269 > 192.168.0.2.domain:
          19763+ A? foo.bar. (25)
  20:07:50.451398 0:e:c:68:e3:94 0:2:b3:da:50:ba ip 95:
      192.168.0.2 > 192.168.0.6:
          icmp: 192.168.0.2 udp port domain unreachable [tos 0xc0]
  20:07:55.449502 0:e:c:68:e3:94 0:2:b3:da:50:ba arp 42:
      arp who-has 192.168.0.6 tell 192.168.0.2
  20:07:55.449977 0:2:b3:da:50:bb 0:e:c:68:e3:94 arp 60:
      arp reply 192.168.0.6 is-at 0:2:b3:da:50:bb
  20:07:55.458850 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 67:
      192.168.0.6.64269 > 192.168.0.2.domain:
          19763+ A? foo.bar. (25)
  20:07:55.458864 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 95:
      192.168.0.2 > 192.168.0.6:
          icmp: 192.168.0.2 udp port domain unreachable [tos 0xc0]
  20:08:00.468581 0:2:b3:da:50:ba 0:e:c:68:e3:94 ip 67:
      192.168.0.6.64269 > 192.168.0.2.domain:
          19763+ A? foo.bar. (25)
  20:08:00.468598 0:e:c:68:e3:94 0:2:b3:da:50:bb ip 95:
      192.168.0.2 > 192.168.0.6:
          icmp: 192.168.0.2 udp port domain unreachable [tos 0xc0]

Again we see 0:2:b3:da:50:bb being used in the third and sixth frames.

- Nerius