Date: Thu, 18 Jul 2002 20:10:18 +0200 From: "Chris Knipe" <savage@savage.za.org> To: "Jim Laurenson" <j.laurenson@epicmail.ca>, "Craig Miller" <craig@millerfam.net>, "freebsd-security" <freebsd-security@freebsd.org> Subject: Re: wierdness in my security report Message-ID: <002f01c22e86$6507caa0$fe01a8c0@genocide> References: <LJEFLBLMLGPNAJOOKOHLGEJLCDAA.j.laurenson@epicmail.ca>
If it is Cisco, it's more than likely HSRP (Host Standby Router Protocol).
It happens where two different routers are configured in a redundancy scenario with a "virtual" IP. What will happen is that x.x.x.1 is a virtual IP, while x.x.x.2 and x.x.x.3 are assigned to the Ethernet ports.
Router 1, which is x.x.x.2, will have the virtual IP of x.x.x.1 on .2's MAC address; however, when the router goes down, Router 2 reclaims the virtual IP .1 on the MAC address of .3.
Therefore, the MAC address changes, and to my understanding that is what causes the message to be displayed. I can, however, be wrong, and the change or "switching" of one IP to another MAC address may have nothing to do with the cause of the log message.
--
me
----- Original Message -----
From: Jim Laurenson
To: Craig Miller ; freebsd-security
Sent: Thursday, July 18, 2002 7:53 PM
Subject: RE: wierdness in my security report
I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.
Jim Laurenson
-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: wierdness in my security report
Anyone have any ideas as to what might be causing the following to appear in my security report?
arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
I thought those :-delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my FreeBSD box. I have not checked the MAC addresses of the other network cards on my network.
Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.
Thanks,
--Craig
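An added example, not part of the thread: it parses "arp: ... moved" lines in the format Craig quoted and separates moves between a pair of MAC addresses the operator has verified (such as the redundant router pair Chris describes) from unexpected ones, and lists IPs that flapped more than once. The sample log text, the allowlist and the second IP are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog text modelled on the lines in Craig's report; the
# third line (a different IP and a second MAC) is invented to show an unexpected move.
SAMPLE_LOG = """\
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 09:12:03 server /kernel: arp: 12.236.220.7 moved from 00:b0:64:b7:6f:54 to 02:00:00:aa:bb:cc on dc0
Jul 17 09:12:04 server sshd[123]: unrelated line that the parser must ignore
"""

ARP_MOVED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: arp: "
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3}) moved from (?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"to (?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\w+)$"
)

def parse_arp_moves(text):
    """Return one dict per 'arp: ... moved' line; all other lines are skipped."""
    return [m.groupdict() for m in map(ARP_MOVED.match, text.splitlines()) if m]

def classify_moves(moves, known_pairs):
    """known_pairs maps an IP to the set of MAC addresses an operator has verified
    may legitimately answer for it (for example a redundant router pair).
    A move whose old and new MAC are both in that set is 'expected'; anything
    else is 'unexpected' and deserves a look at the device actually answering."""
    out = []
    for mv in moves:
        ok = {mv["old"], mv["new"]} <= known_pairs.get(mv["ip"], set())
        out.append((mv["ts"], mv["ip"], mv["old"], mv["new"], "expected" if ok else "unexpected"))
    return out

def flapping_ips(moves, threshold=2):
    """IPs whose MAC moved at least `threshold` times in the input; a move that
    reverses itself one second later (as in the report) shows up here."""
    counts = Counter(mv["ip"] for mv in moves)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    moves = parse_arp_moves(SAMPLE_LOG)
    # Constructed allowlist: the two MACs from the report are treated as a verified pair.
    known = {"12.236.220.1": {"00:b0:64:b7:6f:54", "00:b0:64:b7:6f:a8"}}
    for row in classify_moves(moves, known):
        print(*row)
    print("flapping:", flapping_ips(moves))
```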
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002f01c22e86$6507caa0$fe01a8c0>
