Date:      Thu, 18 Jul 2002 20:10:18 +0200
From:      "Chris Knipe" <savage@savage.za.org>
To:        "Jim Laurenson" <j.laurenson@epicmail.ca>, "Craig Miller" <craig@millerfam.net>, "freebsd-security" <freebsd-security@freebsd.org>
Subject:   Re: wierdness in my security report
Message-ID:  <002f01c22e86$6507caa0$fe01a8c0@genocide>
References:  <LJEFLBLMLGPNAJOOKOHLGEJLCDAA.j.laurenson@epicmail.ca>

If it is Cisco, it's more than likely HSRP (Host Standby Router Protocol).

It happens where two different routers are configured in a redundancy scenario with a "virtual" IP.  What will happen is that x.x.x.1 is a virtual IP, while x.x.x.2 and x.x.x.3 are assigned to the Ethernet ports.

Router 1, which is x.x.x.2, will have the virtual IP of x.x.x.1 on .2's MAC address; however, when the router goes down, Router 2 reclaims the virtual IP .1 on the MAC address of .3.

Therefore, the MAC address changes, and to my understanding that is what causes the message to be displayed.  I can, however, be wrong, and the change or "switching" of one IP to another MAC address may have nothing to do with the cause of the log message.

--
me


  ----- Original Message -----
  From: Jim Laurenson
  To: Craig Miller ; freebsd-security
  Sent: Thursday, July 18, 2002 7:53 PM
  Subject: RE: wierdness in my security report


  I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.

  Jim Laurenson
    -----Original Message-----
    From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
    Sent: July 18, 2002 11:47 AM
    To: freebsd-security
    Subject: wierdness in my security report


    Anyone have any ideas as to what might be causing the following to appear in my security report?

     arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
    > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
    > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
    > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

    I thought those colon-delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my FreeBSD box.  I have not checked the MAC addresses of the other network cards on my network.

    Also, where does the "server /kernel" name come from?  "kernel" is not the name I gave my kernel, so I am suspicious.

    Thanks,

    --Craig
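An added example, not part of this thread or of FreeBSD itself: a short Python script that parses the "arp: ... moved from ... to ... on dc0" kernel messages Craig posted and sorts each IP into an expected flap between a known pair of MACs (the redundant-gateway case Chris describes), a move to a MAC outside that pair, or unclassified. The parser treats the "server /kernel:" prefix as syslogd's hostname field followed by the kernel's process tag and makes it optional, so lines with and without the prefix (both appear above) parse the same way. The sample log reuses the two timestamped lines from the thread and adds constructed lines for 192.168.1.1 and 172.16.0.1; the EXPECTED_GATEWAYS table, including treating the two 00:b0:64:b7:6f:xx addresses as the ISP gateway pair, is an assumption made for the example.

```python
"""Sort FreeBSD "arp: X moved from A to B on ifN" kernel messages into
expected gateway flaps and moves to a MAC nobody told us about."""
import re
from collections import defaultdict

# Syslog prefix as seen in the thread: timestamp, syslogd's hostname field
# ("server") and the kernel's process tag ("/kernel:"), which FreeBSD 4.x uses
# for kernel-originated messages. The prefix is optional so the bare lines
# from the daily security report parse too.
ARP_MOVED = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: )?"
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\S+)$",
    re.IGNORECASE,
)


def parse_arp_moved(line):
    """Parse one log line; return a dict of fields, or None if it is not an ARP move."""
    line = line.strip().lstrip("> ").strip()  # drop e-mail quoting and padding
    m = ARP_MOVED.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["old"], ev["new"] = ev["old"].lower(), ev["new"].lower()
    return ev


def oui(mac):
    """Vendor block (first three octets) of a lower-case MAC address."""
    return mac[:8]


def classify_moves(lines, expected):
    """Group moves by IP and give each IP a verdict.

    expected: {ip: set of MACs that may legitimately answer for it}, e.g. the two
    physical ports of a redundant gateway pair as described in the thread.
      expected-flap  - every MAC seen is in the expected set (HSRP-style failover)
      unexpected-mac - at least one MAC is outside the set; investigate, because a
                       new host answering ARP for the gateway looks exactly the same
      unclassified   - no expectation recorded; same_vendor is only a hint
    """
    exp = {ip: {m.lower() for m in macs} for ip, macs in expected.items()}
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_arp_moved(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        macs = {e["old"] for e in evs} | {e["new"] for e in evs}
        if ip in exp:
            unexpected = sorted(macs - exp[ip])
            verdict = "expected-flap" if not unexpected else "unexpected-mac"
        else:
            unexpected = []
            verdict = "unclassified"
        report[ip] = {
            "moves": len(evs),
            "macs": sorted(macs),
            "unexpected": unexpected,
            "same_vendor": len({oui(m) for m in macs}) == 1,
            "verdict": verdict,
        }
    return report


# Constructed sample: the two timestamped lines from the thread (still quoted
# with ">"), plus invented lines for 192.168.1.1 and 172.16.0.1 and one
# non-ARP kernel line to show the parser ignoring it.
SAMPLE_LOG = """\
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 06:02:11 server /kernel: arp: 192.168.1.1 moved from 00:b0:64:aa:bb:cc to 00:11:22:33:44:55 on dc1
Jul 17 06:02:12 server /kernel: arp: 172.16.0.1 moved from 00:b0:64:01:02:03 to 00:b0:64:01:02:04 on dc1
Jul 17 06:02:13 server /kernel: dc0: promiscuous mode enabled
"""

# Assumption for the example: the two addresses from the thread are the ISP
# gateway pair's ports; the 192.168.1.1 pair is invented for the unexpected case.
EXPECTED_GATEWAYS = {
    "12.236.220.1": {"00:b0:64:b7:6f:54", "00:b0:64:b7:6f:a8"},
    "192.168.1.1": {"00:b0:64:aa:bb:cc", "00:b0:64:aa:bb:cd"},
}


def sample_report():
    """Classify the constructed sample against the assumed gateway table."""
    return classify_moves(SAMPLE_LOG.splitlines(), EXPECTED_GATEWAYS)


if __name__ == "__main__":
    for ip, r in sample_report().items():
        print(f"{ip}: {r['verdict']} ({r['moves']} moves, unexpected={r['unexpected']})")
```

Run as-is it prints one verdict per IP. The same_vendor flag only records that every MAC seen shares a vendor block (00:b0:64 for both addresses in Craig's lines); an IP that lands in unexpected-mac is the one to chase down, since a stranger answering ARP for the gateway from its own card produces exactly the same "moved from" kernel message as a router failover.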








Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002f01c22e86$6507caa0$fe01a8c0>