From: Chris Boyd
To: 'Chris Knipe', Jim Laurenson, Craig Miller, freebsd-security
Subject: RE: wierdness in my security report
Date: Thu, 18 Jul 2002 15:15:53 -0500
Message-ID: <5A1E91591378D243B6B6C5425F2B2B3E1DE9B3@apexch.apogeetelecom.com>

Hm. I thought that HSRP cloned the MAC as well, so as not to break all those retro source route bridged protocols. Time to go hit the books for me....

> -----Original Message-----
> From: Chris Knipe [SMTP:savage@savage.za.org]
> Sent: Thursday, July 18, 2002 1:10 PM
> To: Jim Laurenson; Craig Miller; freebsd-security
> Subject: Re: wierdness in my security report
>
> If it is Cisco, it's more than likely HSRP (Host Standby Router Protocol).
>
> It happens where two different routers are configured in a redundancy
> scenario with a "virtual" IP. What will happen, is that x.x.x.1 is a
> virtual IP, while x.x.x.2 and x.x.x.3 is assigned to the Ethernet ports.
>
> Router 1 which is x.x.x.2 will have the virtual IP of x.x.x.1 on .2's MAC
> address, however, when the router goes down, Router 2 reclaims the virtual
> IP .1, on the MAC address of .3
>
> Therefore, the MAC address changes, and to my understanding that is what
> causes the message to be displayed. I can however, be wrong and the
> change or "switching" of one IP to another MAC address may have nothing to
> do with the cause of the log message.
>
> --
> me
>
> ----- Original Message -----
> From: Jim Laurenson
> To: Craig Miller; freebsd-security
> Sent: Thursday, July 18, 2002 7:53 PM
> Subject: RE: wierdness in my security report
>
> I have found the same logs on one of my older builds (4.3 I think).
> The offending MAC address was found to be a Cisco router on my ISP's
> network. I found no solution for it though.
>
> Jim Laurenson
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
> Sent: July 18, 2002 11:47 AM
> To: freebsd-security
> Subject: wierdness in my security report
>
> Anyone have any ideas as to what might be causing the
> following to appear in my security report?
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those : delimited fields would be MAC addresses,
> but they don't match the MAC addresses of either of the two cards in my
> free-bsd box. I have not checked the MAC addresses of the other network
> cards on my network.
>
> Also, where does the "server /kernel" name come from.
> "kernel" is not the name I gave my kernel, so I am suspicious.
>
> Thanks,
>
> --Craig
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
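
An added example, not part of the original thread: Python that parses the `arp: ... moved from ... to ... on ...` kernel messages quoted in the post, groups them per IP and interface, and reports whether the address is flipping between MACs, whether those MACs share their first three octets, and whether any MAC is outside a list the operator expects. The function names and the `known_macs` parameter are hypothetical, and the expected-MAC list is assumed to be obtained out of band.

```python
import re
from collections import defaultdict

# Matches the kernel message quoted in the thread, with or without the syslog prefix.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) to "
    r"(?P<new>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) on (?P<ifname>\w+)",
    re.IGNORECASE,
)

def parse_moves(lines):
    """Yield (ip, ifname, old_mac, new_mac) for every 'moved from' line."""
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            yield m["ip"], m["ifname"], m["old"].lower(), m["new"].lower()

def summarize(lines, known_macs=None):
    """Group moves per (ip, interface) and flag what deserves a closer look.

    known_macs (hypothetical parameter): dict of ip -> set of MACs the operator
    expects for that address, e.g. confirmed with the ISP (assumption).
    """
    moves = defaultdict(list)
    for ip, ifname, old, new in parse_moves(lines):
        moves[(ip, ifname)].append((old, new))
    report = {}
    for (ip, ifname), pairs in moves.items():
        macs = {mac for pair in pairs for mac in pair}
        prefixes = {mac[:8] for mac in macs}  # first three octets of each MAC
        expected = (known_macs or {}).get(ip, set())
        report[(ip, ifname)] = {
            "macs": sorted(macs),
            "moves": len(pairs),
            # A->B and B->A both logged: two stations are answering for one IP.
            "flip_flop": any((new, old) in pairs for old, new in pairs),
            "same_vendor_prefix": len(prefixes) == 1,
            "unexpected_macs": None if known_macs is None else sorted(macs - expected),
        }
    return report

# The two syslog lines from the original post, unwrapped.
SAMPLE = [
    "Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0",
    "Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0",
]

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

A flip between two MACs that share a prefix fits the redundant-router explanation given in the thread; a MAC reported in `unexpected_macs` is the case to investigate further.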