Date: Thu, 15 Feb 2007 12:12:17 -0500
From: Sten Daniel Soersdal <sten.daniel.sorsdal@gmail.com>
To: ea@sellinet.net
Cc: freebsd-isp@freebsd.org
Subject: Re: [Strange behavior with arp permanent entries]
Message-ID: <45D49471.8020505@gmail.com>
In-Reply-To: <33702.82.199.192.218.1171541735.squirrel@82.199.192.218>
References: <2947.82.199.223.6.1171128810.squirrel@82.199.223.6> <45D34E49.8090808@gmail.com> <33702.82.199.192.218.1171541735.squirrel@82.199.192.218>
ea@sellinet.net wrote:
>> ea@sellinet.net wrote:
>>> Hello, Guys!
>>>
>>> I'm trying to restrict some LAN access with ARP permanent entries, but it
>>> didn't work, or it didn't work the way I understand it. For example I have
>>> the following permanent entries:
>>>
>>> user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
>>> user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
>>>
>>> And from what I understand, if user1 attempts to use user2's IP address,
>>> the router should block all packets which come from the wrong physical
>>> address. But actually that didn't happen, and user1 can use user2's IP
>>> address without any problems.
>>
>> The router won't block packets coming from anyone. It should however
>> prevent packets going *to* the wrong user. But that depends heavily on
>> whether the layer 2 network cooperates and on the bad host's network stack.
>
> Scenario 1:
>
> user1: 10.2.0.2 00:14:85:84:af:c8 perm
> user2: 10.2.0.3 00:0f:ea:a4:60:c5 perm
>
> User2 can't use user1's IP address.
>
> Scenario 2:
>
> user1: 10.2.0.2 00:0a:e6:f7:8a:81 perm
> user2: 10.2.0.3 00:0f:ea:a4:60:c5 perm
>
> User2 can use user1's IP address.
>
> So, maybe there is some truth in your words, but why does this happen? What
> is the difference between the two physical addresses?
>

When a bridge/switch does not know which port to direct a unicast packet to,
it will broadcast it to all ports except the port it was received on. It might
be that the MAC address of user1 in scenario 2 is unknown on the layer 2
network (i.e. user1 is no longer logged on) and therefore the bridges/switches
will broadcast all traffic destined to user1's IP address. If user2's machine
has a naive OS, rotten drivers, a cheesy NIC and/or the NIC is simply put in
promiscuous mode, then the network stack would receive the packets and process
them since the IP addresses match.

[ Now, coincidentally, since the router always believes that user1 is
reachable, even when user1 is offline, then when someone floods user1 while
user1 is offline you'd have a broadcast storm on your network. ]

>> Tip: If you want the effect of each user having their own physical LAN
>> (so they can't steal each other's IP addresses) you need to segregate
>> them in a manner that effectively gives each user a physical LAN. VLANs
>> might help, if done correctly.
>
> Unfortunately, this can't be done in our case.

That is very unfortunate. I have been in that position and the problems never
end until everyone has their own virtual network. You have my sympathy.

--
Sten Daniel Soersdal
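Since, as the reply above explains, the router's permanent ARP entries cannot stop a host on the same segment from adopting another host's address, the practical option on a shared LAN is to detect it. The following is an added example, not code from this thread or from FreeBSD: a Python script that parses the permanent entries out of arp(8) output in the format quoted above and checks captured Ethernet frames against them, flagging any frame whose sender IP is a permanent entry but whose sender MAC is not the one the router has pinned. It goes beyond the ARP case discussed in the thread by also checking IPv4 frames, because a host that simply adopts another's address (scenario 2) need not send any ARP at all. The arp output, the frames and the router MAC 00:11:22:33:44:55 are constructed for the demonstration; the user MAC/IP pairs reuse scenario 2's values.

```python
"""Detect hosts claiming an IP address that a router's permanent ARP table
assigns to a different MAC.

Added example, not code from the thread or from FreeBSD. The arp(8) output,
the frames and the router MAC below are constructed for the demonstration;
the user MAC/IP pairs reuse scenario 2 from the thread."""
import re
import struct

# Constructed sample of FreeBSD `arp -an` output, in the format quoted in the thread.
ARP_TABLE_TEXT = """\
user1: (10.2.0.2) at 00:0a:e6:f7:8a:81 on vlan804 permanent [vlan]
user2: (10.2.0.3) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
? (10.2.0.9) at 00:aa:bb:cc:dd:ee on vlan804 expires in 1190 seconds [vlan]
"""

ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r" on \S+ (?P<state>permanent|expires in \d+ seconds)"
)

def parse_arp_table(text):
    """Return {ip: mac} for the permanent entries only; dynamic ones are not policy."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group("state") == "permanent":
            table[m.group("ip")] = m.group("mac").lower()
    return table

def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def sender_of(frame):
    """Return (kind, sender_mac, sender_ip) for an ARP or IPv4 Ethernet II frame, else None.
    ARP: the protocol-level sender (sha/spa). IPv4: Ethernet source MAC + IPv4 source."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806 and len(frame) >= 42:
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return None  # not Ethernet/IPv4 ARP
        spa, tpa = ip_str(frame[28:32]), ip_str(frame[38:42])
        if spa == tpa:
            kind = "arp-gratuitous"  # announcement: "this IP is now at my MAC"
        else:
            kind = "arp-reply" if op == 2 else "arp-request"
        return kind, mac_str(frame[22:28]), spa
    if ethertype == 0x0800 and len(frame) >= 34:
        return "ipv4", mac_str(frame[6:12]), ip_str(frame[26:30])  # IPv4 src at header offset 12
    return None

def check_frames(table, frames):
    """Flag each frame whose sender IP is a permanent entry but whose sender MAC
    differs from the pinned one. Returns a list of (ip, expected_mac, seen_mac, kind)."""
    alerts = []
    for frame in frames:
        parsed = sender_of(frame)
        if parsed is None:
            continue
        kind, mac, ip = parsed
        expected = table.get(ip)
        if expected is not None and mac != expected:
            alerts.append((ip, expected, mac, kind))
    return alerts

def build_arp_frame(op, sha, spa, tha, tpa):
    """Ethernet II + RFC 826 ARP; requests go to the broadcast MAC."""
    dst = b"\xff" * 6 if op == 1 else mac_bytes(tha)
    eth = dst + mac_bytes(sha) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def build_ipv4_frame(src_mac, src_ip, dst_mac, dst_ip):
    """Ethernet II + minimal 20-byte IPv4 header (ICMP, no payload, checksum left 0)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 1, 0)
    return eth + ip + ip_bytes(src_ip) + ip_bytes(dst_ip)

USER1, USER2, ROUTER = "00:0a:e6:f7:8a:81", "00:0f:ea:a4:60:c5", "00:11:22:33:44:55"  # ROUTER assumed

# Constructed capture, as the router would see it on vlan804.
SAMPLE_FRAMES = [
    build_arp_frame(1, USER2, "10.2.0.3", "00:00:00:00:00:00", "10.2.0.1"),  # user2, legitimate
    build_arp_frame(2, USER2, "10.2.0.2", ROUTER, "10.2.0.1"),               # user2 answers for user1's IP
    build_arp_frame(1, "00:de:ad:be:ef:01", "10.2.0.2", "00:00:00:00:00:00", "10.2.0.2"),  # gratuitous
    build_arp_frame(1, "00:aa:bb:cc:dd:ee", "10.2.0.9", "00:00:00:00:00:00", "10.2.0.1"),  # dynamic IP
    build_ipv4_frame(USER2, "10.2.0.2", ROUTER, "10.2.0.1"),                # user2 sends as 10.2.0.2, no ARP
    b"\x00" * 10,                                                            # runt frame, ignored
]

if __name__ == "__main__":
    for ip, expected, seen, kind in check_frames(parse_arp_table(ARP_TABLE_TEXT), SAMPLE_FRAMES):
        print("%s: permanent entry says %s, but %s frame came from %s" % (ip, expected, kind, seen))
```

Feed it real frames from a pcap reader or a raw socket on the router's VLAN interface (not included here). The check only sees what reaches the observing port, so it belongs on the router or on a mirror port; it reports the spoofing host's real MAC, which is what the permanent table alone never tells you.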
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45D49471.8020505>