[c-nsp] Followup: ARP on ASR9k 4.3.2

Michael Loftis mloftis at wgops.com
Wed Feb 12 10:42:01 EST 2014


Not surprising to me actually since this behavior is the default for
Linux.  Linux will also respond to ARPs where it shouldn't (set an IP
on an lo interface or just another interface, and it will ARP reply
for that IP on other interfaces that it does not belong on).

On Wed, Feb 12, 2014 at 2:36 AM, Florian Lohoff <f at zz.de> wrote:
>
>> Andrew Koch wrote:
>> > PS: I made some sysctl tweaks on the linux machine to behave a little
>> > more nicely, but still I see a bug here.
>>
>> We did the same while waiting for the SMU.  The SMU should not be needed
>> for 4.3.2 - the "arp learning local" interface command should be built-in,
>> so hopefully you are good to go.
>>
>> Our biggest concern over this incident was receiving malicious ARPs on
>> transit and peering links that have routes to large swaths of the network.
>> If the route goes away, the ARP will be retained for long periods and the
>> router will black-hole traffic until that clears.  Cisco PSIRT evaluated
>> the concern but evaluated it as a fairly concern.
>
> After insisting that learning out-of-subnet ARP entries was a severe bug,
> we today got this response:
>
>         "[...] as I explained before the default (intended) behaviour for IOS-XR
>         (till this moment ) is to accept out-of-subnet ARP requests."
>
> So okay - IOS-XR is "Broken by Design" and it's intended to be like this. Just
> to continue:
>
>         "Please be informed that, IOS-XR behaviour will be changed starting
>         with 5.1.2 and 5.2.0 to have "arp learning local" as a default behaviour."
>
> Okay - So we "Broke it by Design" and you may be a happy customer that
> we fix it for you 2 years later. Huh?
>
> 3.x was okay - 4.1 was okay - 4.3 broke it and now 5.1/5.2 fixes it.
>
> Flo
> --
> Florian Lohoff                                                 f at zz.de
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
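The concern raised in the quoted mail is that an interface which accepts ARP for addresses outside its connected prefix will forward traffic for those addresses to whatever MAC the ARP sender claimed, and keep doing so after the covering route is gone. Until "arp learning local" is the default, the check a practitioner wants is a quick audit of the ARP table against each interface's configured prefixes. The following is an added example, not code from the thread or from Cisco: the interface-to-prefix mapping and the `show arp` lines are constructed, and the column layout is only an approximation of IOS XR's `show arp` output, so the regular expression is an assumption that may need adjusting for a real capture.

```python
"""Flag ARP entries learned on an interface whose address lies outside
that interface's connected prefixes (the out-of-subnet ARP learning
discussed in the thread). Added example with constructed input."""
import ipaddress
import re

# Constructed: interface -> connected prefixes as configured on the box.
INTERFACE_PREFIXES = {
    "TenGigE0/0/0/0": ["192.0.2.0/30"],
    "TenGigE0/0/0/1": ["198.51.100.0/24"],
}

# Constructed sample lines shaped like IOS XR 'show arp' output
# (Address / Age / Hardware Addr / State / Type / Interface). The
# 203.0.113.9 entry is the kind of out-of-subnet learning at issue.
SAMPLE_SHOW_ARP = """\
Address         Age        Hardware Addr   State      Type  Interface
192.0.2.2       00:02:11   0011.2233.4455  Dynamic    ARPA  TenGigE0/0/0/0
203.0.113.9     00:00:37   0011.2233.4466  Dynamic    ARPA  TenGigE0/0/0/0
198.51.100.7    00:11:50   0011.2233.4477  Dynamic    ARPA  TenGigE0/0/0/1
192.0.2.1       -          0011.2233.4400  Interface  ARPA  TenGigE0/0/0/0
"""

# Assumed column layout; header and non-matching lines are skipped.
ARP_LINE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<state>\S+)\s+(?P<type>\S+)\s+(?P<ifname>\S+)\s*$"
)


def parse_show_arp(text):
    """Return one dict per parsable ARP table line."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def out_of_subnet_entries(entries, prefixes):
    """Return entries whose address is not inside any prefix configured on
    the interface that learned them. The router's own addresses (state
    'Interface') are skipped; an interface with no known prefix reports
    every dynamic entry, since nothing constrains what it may have learned."""
    bad = []
    for e in entries:
        if e["state"] == "Interface":
            continue
        addr = ipaddress.ip_address(e["ip"])
        nets = [ipaddress.ip_network(p) for p in prefixes.get(e["ifname"], [])]
        if not any(addr in n for n in nets):
            bad.append(e)
    return bad


if __name__ == "__main__":
    for e in out_of_subnet_entries(parse_show_arp(SAMPLE_SHOW_ARP),
                                   INTERFACE_PREFIXES):
        print("out-of-subnet ARP: %s -> %s on %s"
              % (e["ip"], e["mac"], e["ifname"]))
```

On a device that has already learned such an entry, the fix the thread names is the "arp learning local" interface command; the audit above only tells you which entries to look at and on which links.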

