From: "Chris Knipe"
To: "Jim Laurenson", "Craig Miller", "freebsd-security"
Subject: Re: weirdness in my security report
Date: Thu, 18 Jul 2002 20:10:18 +0200
Organization: MegaLAN Corporate Networking Services
List: freebsd-security@FreeBSD.ORG

If it is Cisco, it's more than likely HSRP (Host Standby Router Protocol). It happens where two different routers are configured in a redundancy scenario with a "virtual" IP.

What will happen is that x.x.x.1 is a virtual IP, while x.x.x.2 and x.x.x.3 are assigned to the Ethernet ports. Router 1, which is x.x.x.2, will have the virtual IP of x.x.x.1 on .2's MAC address; however, when the router goes down, Router 2 reclaims the virtual IP .1 on the MAC address of .3.

Therefore, the MAC address changes, and to my understanding that is what causes the message to be displayed. I can, however, be wrong, and the change or "switching" of one IP to another MAC address may have nothing to do with the cause of the log message.

--
me

----- Original Message -----
From: Jim Laurenson
To: Craig Miller ; freebsd-security
Sent: Thursday, July 18, 2002 7:53 PM
Subject: RE: weirdness in my security report

I have found the same logs on one of my older builds (4.3 I think). The offending MAC address was found to be a Cisco router on my ISP's network. I found no solution for it though.

Jim Laurenson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
Sent: July 18, 2002 11:47 AM
To: freebsd-security
Subject: weirdness in my security report

Anyone have any ideas as to what might be causing the following to appear in my security report?

arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0

I thought those :-delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my FreeBSD box. I have not checked the MAC addresses of the other network cards on my network.

Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.

Thanks,

--Craig
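Added example, not from this thread or from FreeBSD: a small Python checker that parses the "arp: ... moved from" kernel lines Craig quoted and separates the pattern Chris describes, an IP bouncing between two MACs that both belong to your gateways, from a move to a MAC nobody expects, which is the case worth investigating (ARP spoofing looks exactly like an unexplained "moved from" line). The fields in front of "arp:" are the ordinary syslog prefix: timestamp, the logging host's name ("server") and the program field, which on FreeBSD 4.x is the kernel's own file name, /kernel; it is not the kernel config name. The KNOWN_GATEWAY_MACS set and the third log line (with the placeholder MAC 00:11:22:33:44:55) are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: the two timestamped lines Craig Miller quoted, plus a
# third, entirely made-up line (00:11:22:33:44:55 is a placeholder MAC) showing
# the kind of move a defender wants flagged rather than explained away.
SAMPLE_LOG = """\
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 09:12:03 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:11:22:33:44:55 on dc0
"""

# Assumption: these two MACs are the ISP's redundant gateway pair, as confirmed
# with the provider (an allowlist the operator maintains, not something to infer
# from the log itself).
KNOWN_GATEWAY_MACS = {"00:b0:64:b7:6f:54", "00:b0:64:b7:6f:a8"}

# syslog prefix "Mon DD HH:MM:SS <hostname> <program>: " followed by the kernel's
# ARP message. <program> is "/kernel" on FreeBSD 4.x.
ARP_MOVED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+): "
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<iface>\S+)$"
)


def parse_arp_moves(text):
    """Return one dict per 'arp: ... moved from' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ARP_MOVED.match(line)
        if not m:
            continue
        e = m.groupdict()
        # syslog timestamps carry no year; strptime fills in 1900, which is
        # fine for computing deltas between lines of the same log.
        e["when"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
        events.append(e)
    return events


def classify_moves(events, known_macs=KNOWN_GATEWAY_MACS, flap_window_s=5):
    """Map (ip, iface) to a verdict:
    'investigate-unknown-mac' - some MAC is outside the known gateway set
    'flap-between-known-macs' - IP returned to a prior MAC within the window
    'move-between-known-macs' - a one-way move between known MACs
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["iface"])].append(e)
    verdicts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["when"])
        seen = {e["old"] for e in evs} | {e["new"] for e in evs}
        if seen - set(known_macs):
            verdicts[key] = "investigate-unknown-mac"
            continue
        # A flap is a move followed shortly by the reverse move, the shape a
        # gateway failover (and fail-back) leaves in the log.
        flapped = any(
            nxt["new"] == cur["old"]
            and (nxt["when"] - cur["when"]).total_seconds() <= flap_window_s
            for cur, nxt in zip(evs, evs[1:])
        )
        verdicts[key] = "flap-between-known-macs" if flapped else "move-between-known-macs"
    return verdicts


def report(text=SAMPLE_LOG):
    """Parse and classify a log; returns the verdict map."""
    return classify_moves(parse_arp_moves(text))


if __name__ == "__main__":
    for (ip, iface), verdict in report().items():
        print(f"{ip} on {iface}: {verdict}")
```

With only the two lines from the thread, the checker reports a flap between known MACs; once the constructed third line arrives, the verdict for 12.236.220.1 becomes "investigate-unknown-mac", since a MAC outside the allowlist is the one thing a redundancy story cannot explain.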