[c-nsp] Nmap (way OT)

Gert Doering gert at greenie.muc.de
Thu May 5 10:56:27 EDT 2005


Hi,

On Wed, May 04, 2005 at 11:07:54PM +0200, nevot wrote:
> What do you mean when you say 'most cisco routers do proxy arp by
> default'? in what cases do you mean?

Proxy ARP on Cisco is enabled by default.  It will answer ARP requests 
for anything that it hears, assumes to be non-local (due to local routing
entries), and that it has a routing table entry for.

While this is useful at times, over the last years I've come to the
conclusion that this is a VERY STUPID idea to have "enabled by default".

Why?  Because it means that people can get away with doing very stupid
things (like "ip route 0.0.0.0 0.0.0.0 eth0") that would normally just 
*not* work (and then you need to find the problem and fix it immediately).

With "helpful things" like proxy arp, stupid configurations quite often
happen to "sort of" work - it looks like everything is set up perfectly,
but you run into problems later on, like "ARP table on router or hosts
overflowing", or "packet loss" (due to excessive ARPing), etc.

(But of course this has nothing to do whatsoever with nmap results, it
just was a nice opportunity to rant a bit - having spent half a day 
recently looking for a really weird problem that in the end boiled 
down to a combination of "funny ARP cache on AIX" and "proxy arp on
Cisco" - the underlying cause was a wrong netmask on the AIX system, 
but due to the wonders of proxy ARP, nobody noticed *that* in the first
place)

gert
-- 
Gert Doering
Mobile communications ... right now writing from * RIPE 50 @ Stockholm *
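As an added illustration of the failure mode Gert describes (example code written for this page, not from the list, the poster, or Cisco), the following Python model plays both sides: a host deciding whether a destination is on-link from its own (possibly wrong) netmask, and a router that, with proxy ARP enabled, answers ARP requests for any non-local target it has a route for. The topology, addresses, routing table and destination list are constructed assumptions chosen only to make the effect visible; the result shows that a host with a /8 mask on a /24 LAN reaches everything exactly like a correctly configured one as long as proxy ARP is on, and the only symptom is an ARP cache that grows by one entry per remote destination. With proxy ARP off, the same mistake fails immediately.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed topology (an assumption for this example, not from the post):
# the LAN is 192.0.2.0/24, the router's LAN address is 192.0.2.1, and the
# misconfigured host is 192.0.2.10.  The router's routing table is a few
# made-up prefixes plus a default route.
ROUTER_CONNECTED = IPv4Network("192.0.2.0/24")
ROUTER_GATEWAY = "192.0.2.1"
ROUTER_ROUTES = [
    IPv4Network("192.0.2.0/24"),  # connected
    IPv4Network("10.0.0.0/8"),    # a learned route
    IPv4Network("0.0.0.0/0"),     # default route: matches every target
]

# Constructed destinations the host talks to.  Only the first is really on
# the LAN; a correctly configured host would route the rest via the gateway.
DESTINATIONS = [
    "192.0.2.20",    # genuinely on-link
    "192.168.1.1",   # looks on-link to a host that believes it has a /8
    "192.51.100.7",  # same
    "192.0.3.5",     # same
    "10.1.1.1",      # off-link for either mask
    "203.0.113.9",   # off-link for either mask
]


def host_is_on_link(host_addr, host_prefixlen, dst):
    """Host side: ARP directly if dst falls inside the host's (possibly
    wrong) idea of its own subnet, otherwise hand the packet to the gateway."""
    return IPv4Address(dst) in IPv4Interface(f"{host_addr}/{host_prefixlen}").network


def router_proxy_arp_answers(target, proxy_arp):
    """Router side, as the post describes the Cisco default: answer an ARP
    request for a target that is not on the connected subnet but that the
    router holds a route for.  A default route makes that 'everything'."""
    t = IPv4Address(target)
    if not proxy_arp or t in ROUTER_CONNECTED:
        return False
    return any(t in route for route in ROUTER_ROUTES)


def simulate(host_prefixlen, proxy_arp, destinations=DESTINATIONS):
    """Return which destinations the host reaches, which are silently
    broken, and how many entries the host's ARP cache ends up holding."""
    host_addr = "192.0.2.10"
    reachable, broken, arp_cache = [], [], set()
    for dst in destinations:
        if host_is_on_link(host_addr, host_prefixlen, dst):
            # The host ARPs for dst itself.  A real LAN neighbour answers
            # (assumed present); anything else only works if the router's
            # proxy ARP answers, and each such destination costs one entry.
            if IPv4Address(dst) in ROUTER_CONNECTED or router_proxy_arp_answers(dst, proxy_arp):
                reachable.append(dst)
                arp_cache.add(dst)
            else:
                broken.append(dst)
        else:
            # The host forwards via the gateway: one shared ARP entry.
            reachable.append(dst)
            arp_cache.add(ROUTER_GATEWAY)
    return {"reachable": reachable, "broken": broken, "arp_entries": len(arp_cache)}


if __name__ == "__main__":
    for mask, proxy in ((24, True), (8, True), (8, False)):
        r = simulate(mask, proxy)
        print(f"host /{mask}, proxy ARP {'on ' if proxy else 'off'}: "
              f"broken={r['broken']} arp_entries={r['arp_entries']}")
```

Run stand-alone, the three cases show the point of the rant: the /24 host and the /8 host behind a proxy-ARP router both report nothing broken, and only the ARP entry count (2 versus 5 here, growing with every distinct remote destination) gives the misconfiguration away. Turn proxy ARP off and the three "looks on-link" destinations fail outright, which is the loud failure Gert would rather have. On IOS the per-interface knob is `no ip proxy-arp` under the interface configuration.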
