[c-nsp] Nmap(way ot)

Kern, Tom tkern at CHARMER.COM
Thu May 5 15:05:38 EDT 2005


It's bad behavior for many reasons.

One reason is that if you point the default route to an int, say an eth int, that router will then route everything not local out the eth int.
Think about what that means:
The router will think everything in 0.0.0.0 0.0.0.0 is local to the eth int and will do an ARP for every address. The upstream router will then proxy ARP for the first router. The first router's ARP cache will fill up and then age out to fill up with new entries, and mem and CPU will go sky high and performance will degrade.


That's one reason why proxy ARP is bad.
It lets you get away with that config because the upstream router will "hear" the ARP requests and respond to them with its MAC, thus causing the downstream router's cache to fill up.
nevot wrote:
> I didn't know this *awful* behaviour, but, if I'm right, an ARP
> request will only be made if the destination IP is covered by the mask
> of the sender's IP configuration.
> That is, if the client PC is 172.16.1.1/16, it will only send an ARP
> request if the destination IP is in the 172.16.0.0/16 network, but not
> if the destination is, for example, 66.11.66.101.
> So if the client machine has no default gateway, this won't work.
> 
> (correct me if I'm not right).
> 
> 
> 
> 2005/5/5, Gert Doering <gert at greenie.muc.de>:
>> Hi,
>> 
>> On Wed, May 04, 2005 at 11:07:54PM +0200, nevot wrote:
>>> What do you mean when you say 'most cisco routers do proxy arp by
>>> default'? in what cases do you mean?
>> 
>> proxy arp on cisco is enabled by default.  It will answer ARP
>> requests for anything that it hears, assumes to be non-local (due to
>> local routing entries), and that it has a routing table entry for.
>> 
>> While this is useful at times, over the last years I've come to the
>> conclusion that this is a VERY STUPID idea to have "enabled by
>> default". 
>> 
>> Why?  Because it means that people can get away with doing very
>> stupid things (like "ip route 0.0.0.0 0.0.0.0 eth0") that would
>> normally just *not* work (and then you need to find the problem and
>> fix it immediately). 
>> 
>> With "helpful things" like proxy arp, stupid configurations quite
>> often happen to "sort of" work - it looks like everything is set up
>> perfectly, but you run into problems later on, like "ARP table on
>> router or hosts overflowing", or "packet loss" (due to excessive
>> ARPing), etc. 
>> 
>> (But of course this has nothing to do whatsoever with nmap results,
>> it just was a nice opportunity to rant a bit - having spent half a
>> day recently looking for a really weird problem that in the end
>> boiled down to a combination of "funny ARP cache on AIX" and "proxy
>> arp on Cisco" - the underlying cause was a wrong netmask on the AIX
>> system, but due to the wonders of proxy ARP, nobody noticed *that* in
>> the first place)
>> 
>> gert
>> --
>> Gert Doering
>> Mobile communications ... right now writing from * RIPE 50 @ Stockholm *
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> 
> 
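
Added example, not part of the original thread or of any poster's configuration: the broken setup Tom and Gert describe (a default route pointing at an Ethernet interface, kept "sort of" working by proxy ARP on the upstream router) next to the corrected one, as Cisco IOS fragments. Interface names and the 192.0.2.0/24 addresses are assumed for illustration; the commands are standard IOS ones.

```text
! --- Downstream router, broken: default route points at an interface ---
! Every non-local destination is treated as directly connected, so the
! router sends an ARP request for each one. An upstream router with
! proxy ARP enabled (the IOS default) answers all of them with its own
! MAC, and the downstream ARP cache grows with every new destination.
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

! --- Downstream router, corrected: default route points at a next hop ---
! One ARP entry (the upstream router's) serves the whole default route,
! however many destinations are reached through it.
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 192.0.2.1

! --- Upstream router: switch off the "helpful" behaviour per interface ---
! With proxy ARP off, an interface-only default route on a neighbour
! stops working at all, so the misconfiguration shows up immediately
! instead of as ARP cache growth and packet loss later.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp

! --- Checks (IOS exec mode) ---
! Proxy ARP state of an interface ("Proxy ARP is enabled/disabled"):
!   show ip interface FastEthernet0/0 | include Proxy
! Number of ARP cache entries; on the broken downstream router this
! keeps climbing as new destinations are contacted:
!   show ip arp | count Internet
```

On the broken router, repeating the `show ip arp | count Internet` check while traffic to fresh destinations flows is the quickest way to confirm the cache-filling effect described above; on the corrected one the count stays flat.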
