[c-nsp] security
Paul Cosgrove
paul.cosgrove at heanet.ie
Tue Dec 2 10:29:58 EST 2008
Michael Simpson wrote:
> On 12/2/08, Adam Greene <maillist at webjogger.net> wrote:
>
>> How does one get around the side-effect of not allowing broadcasts; i.e.
>> wouldn't this break ARP functionality?
>>
>>
> Not within the subnet
> using ethernet arp is only on the local segment and won't traverse the router
> no ip directed broadcast stops broadcasts from a different subnet
>
> snipped from <http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1081245>
>
> An IP directed broadcast is an IP packet whose destination address is
> a valid broadcast address for some IP subnet, but which originates
> from a node that is not itself part of that destination subnet.
>
> A router that is not directly connected to its destination subnet
> forwards an IP directed broadcast in the same way it would forward
> unicast IP packets destined to a host on that subnet. When a directed
> broadcast packet reaches a router that is directly connected to its
> destination subnet, that packet is "exploded" as a broadcast on the
> destination subnet. The destination address in the IP header of the
> packet is rewritten to the configured IP broadcast address for the
> subnet, and the packet is sent as a link-layer broadcast.
>
> mike
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
Or to put it another way...
ARP uses a destination IP of 255.255.255.255, which is the 'limited
broadcast address'. Packets with this destination are never routed
between subnets.
Directed broadcast destination IPs begin with a subnet's network prefix,
so for an interface with IP 192.168.10.1/24 the directed broadcast
address of its attached subnet is 192.168.10.255. These can be routed
between subnets.
Paul.
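A small model of the forwarding rule described in the two replies above, added here as an example (it is not code from the thread or from Cisco): it derives an interface's directed broadcast address and decides what a router does with a given destination, including the effect of `no ip directed-broadcast`. The router interfaces and packet destinations are constructed sample values.

```python
import ipaddress
from typing import Iterable

# The limited broadcast address: packets sent here are never routed off the segment.
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def directed_broadcast_address(interface_cidr: str) -> str:
    """Directed broadcast address of the subnet attached to an interface,
    e.g. "192.168.10.1/24" -> "192.168.10.255"."""
    iface = ipaddress.IPv4Interface(interface_cidr)
    return str(iface.network.broadcast_address)


def forward_decision(dst: str, interfaces: Iterable[str], directed_broadcast: bool) -> str:
    """What a router does with a packet for `dst`, following the quoted Cisco text.

    interfaces: the router's directly connected interfaces in CIDR form (constructed).
    directed_broadcast: False models `no ip directed-broadcast` on the attached interface.
    """
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        # Limited broadcasts stay on the local segment; they are never routed.
        return "not-routed"
    for cidr in interfaces:
        net = ipaddress.IPv4Interface(cidr).network
        if net.prefixlen >= 31:
            # RFC 3021 /31 links and /32 loopbacks have no directed broadcast address.
            continue
        if addr == net.broadcast_address:
            # Directly connected subnet: this is where the packet would be "exploded"
            # into a link-layer broadcast, unless directed broadcasts are disabled.
            return "explode-as-link-broadcast" if directed_broadcast else "drop"
    # Not a broadcast for any attached subnet: forwarded like any unicast packet,
    # even if it is the directed broadcast of a subnet further along the path.
    return "forward-as-unicast"


ROUTER_INTERFACES = ["192.168.10.1/24", "10.0.0.1/30"]  # constructed example topology

if __name__ == "__main__":
    for dst in ["255.255.255.255", "192.168.10.255", "192.168.20.255", "192.168.10.7"]:
        print(dst, forward_decision(dst, ROUTER_INTERFACES, directed_broadcast=False))
```

Run with `directed_broadcast=False`, the 192.168.10.255 packet is dropped at the last hop while unicast to 192.168.10.7 and the limited broadcast behave exactly as before, which is why disabling directed broadcasts does not affect ARP on the segment.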