Date: Sun, 28 Apr 2002 09:59:16 +0600
From: Mojahedul Hoque Abul Hasanat
To: "Crist J. Clark"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ARP queries with target hardware address set
Message-ID: <20020428095916.F94650@venus.agni.com>

On Sat, Apr 27, 2002 at 04:57:08PM -0700, Crist J. Clark wrote:
> > should have its target hardware address set to all zeros.
>
> Can you quote some standard or RFC that states this? AFA_I_K, the
> target hardware address field is undefined. It can just as well be
> random junk as all zeros. RFC 826 just says,

Oops! my fault. I shouldn't have said "should have its target HA set
to all zeros". But this is the general case, isn't it? All the arp
queries I can see in this LAN have their THA set to zeros, except some
queries from this host.

> > 0:e0:7d:a1:8:75 Broadcast arp 60: arp who-has 202.168.255.85 (68:74:2e:4d:20:74) tell a.host.ip.address
> >
> > The MAC inside the parenthesis was never in my LAN. Almost all the
>
> Why does 'a.host.ip.address' think 202.168.255.85 is a local address
> if it isn't?

There is absolutely no reason for this. Routing tables are correct, no
dynamic routing protocols either. Now I am more inclined to think that
someone is injecting these Ethernet frames. But to what effect, I
haven't got a clue.

-- 
Mojahed
System Administrator, Agni Systems Limited
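
Added example, not part of the original message: a small Python check that parses raw Ethernet/ARP frames and reports the two things discussed in this thread, a request whose target hardware address (THA) is not all zeros, and an ARP sender address that differs from the Ethernet source. The sample frames are constructed from the tcpdump line quoted above; the sender IP 192.0.2.10 and the helper names are placeholders, since the real host address is redacted in the message.

```python
import struct
from ipaddress import IPv4Address

ZERO_MAC = bytes(6)
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def inspect_arp(frame):
    """Return findings for one Ethernet frame; [] if unremarkable or not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return []
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return []
    htype, ptype, hlen, plen, op, sha, _spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return []
    findings = []
    if op == 1 and tha != ZERO_MAC:  # RFC 826 leaves THA undefined in a request
        note = f"request for {IPv4Address(tpa)} carries non-zero THA {mac(tha)}"
        if all(0x20 <= x < 0x7F for x in tha):
            # Printable bytes fit the "random junk" (leftover buffer) explanation.
            note += f" (printable ASCII {tha.decode('ascii')!r})"
        findings.append(note)
    if sha != src:  # a frame whose ARP payload disagrees with its own header
        findings.append(f"ARP sender {mac(sha)} differs from Ethernet source {mac(src)}")
    return findings

def build_request(src, sha, spa, tha, tpa):
    """Construct a broadcast ARP request, zero-padded to the 60 bytes tcpdump reported."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, src, 0x0806)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sha,
                      IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return (eth + arp).ljust(60, b"\0")

# Constructed samples: MACs and target IP from the quoted tcpdump line,
# sender IP is a documentation-range placeholder.
HOST = bytes.fromhex("00e07da10875")
ODD = build_request(HOST, HOST, "192.0.2.10", bytes.fromhex("68742e4d2074"), "202.168.255.85")
NORMAL = build_request(HOST, HOST, "192.0.2.10", ZERO_MAC, "192.0.2.1")

if __name__ == "__main__":
    for name, frame in (("normal", NORMAL), ("odd", ODD)):
        print(name, inspect_arp(frame) or "no findings")
```

A non-zero THA alone does not show injection; the sender/source comparison is the check that speaks to that hypothesis, and it only catches frames whose ARP payload and Ethernet header disagree.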