[j-nsp] Odd issue with ARP in different subnet

Chris Adams cmadams at hiwaay.net
Wed Mar 9 23:02:30 EST 2011


Once upon a time, Brandon Ross <bross at torreypoint.com> said:
> *sigh* Since no one else actually seems to be answering the question 
> you've actually asked.

Well, I was wondering if I was wording my problem wrong or something.
Basically, there is obviously a problem between Linux and JUNOS on an EX
(haven't tried a router in this setup), and I wanted to know if this is
a JUNOS bug or some switch-specific behavior that I had missed.

> Yes, this appears to be a bug.  Juniper could argue that they have simply 
> interpreted the RFC differently than Linux and Cisco, and it's probably a 
> reasonable argument.  I haven't personally studied the RFC in detail, but 
> if they don't mention a requirement of checking the source IP to make sure 
> it's on-net, then I see no reason why doing so would be a good idea.

Being an older RFC (from 1982), it is much less structured than the current
format, but it is pretty straightforward in how an incoming ARP request
is to be handled:

   ?Do I have the hardware type in ar$hrd?
   Yes: (almost definitely)
     [optionally check the hardware length ar$hln]
     ?Do I speak the protocol in ar$pro?
     Yes:
       [optionally check the protocol length ar$pln]
       Merge_flag := false
       If the pair <protocol type, sender protocol address> is
           already in my translation table, update the sender
           hardware address field of the entry with the new
           information in the packet and set Merge_flag to true.
       ?Am I the target protocol address?
       Yes:
         If Merge_flag is false, add the triplet <protocol type,
             sender protocol address, sender hardware address> to
             the translation table.
         ?Is the opcode ares_op$REQUEST?  (NOW look at the opcode!!)
         Yes:
           Swap hardware and protocol fields, putting the local
               hardware and protocol addresses in the sender fields.
           Set the ar$op field to ares_op$REPLY
           Send the packet to the (new) target hardware address on
               the same hardware on which the request was received.

There's nothing in there that says to filter based on the source
protocol address (which is still just my guess as to what JUNOS is
doing).

I guess I'll try JTAC tomorrow.
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
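
Added example (not part of the original message, and not any vendor's code): the RFC 826 reception steps quoted above, written out in Python for Ethernet/IPv4 and run on a constructed request whose sender address is outside the receiver's subnet. The on_net parameter is a hypothetical filter that models the poster's guess about what the switch is doing; the addresses and MACs are constructed sample values.

```python
import ipaddress
import struct

# ar$hrd, ar$pro, ar$hln, ar$pln, ar$op, ar$sha, ar$spa, ar$tha, ar$tpa
ARP_FMT = "!HHBBH6s4s6s4s"
HRD_ETHERNET, PRO_IPV4, OP_REQUEST, OP_REPLY = 1, 0x0800, 1, 2

def handle_arp(packet, my_mac, my_ip, table, on_net=None):
    """RFC 826 packet reception. Returns the reply bytes, or None.

    on_net (hypothetical, not in the RFC): an ip_network; when set, packets
    whose sender protocol address lies outside it are dropped.
    """
    hrd, pro, hln, pln, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, packet[:28])
    if hrd != HRD_ETHERNET or hln != 6:      # ?Do I have the hardware type in ar$hrd?
        return None
    if pro != PRO_IPV4 or pln != 4:          # ?Do I speak the protocol in ar$pro?
        return None
    if on_net is not None and ipaddress.ip_address(spa) not in on_net:
        return None                          # extra filter the RFC does not call for
    merge_flag = False
    if (pro, spa) in table:                  # known sender: refresh its hardware address
        table[(pro, spa)] = sha
        merge_flag = True
    if tpa != my_ip:                         # ?Am I the target protocol address?
        return None
    if not merge_flag:
        table[(pro, spa)] = sha              # learn the sender, whatever subnet it claims
    if op != OP_REQUEST:                     # NOW look at the opcode
        return None
    # Swap fields: local addresses become the sender, requester becomes the target.
    return struct.pack(ARP_FMT, hrd, pro, hln, pln, OP_REPLY, my_mac, my_ip, sha, spa)

def demo():
    ip = lambda s: ipaddress.ip_address(s).packed
    my_mac, my_ip = bytes.fromhex("020000000001"), ip("192.0.2.1")
    peer_mac = bytes.fromhex("020000000002")
    # Constructed request: sender address 198.51.100.7 is outside 192.0.2.0/24.
    req = struct.pack(ARP_FMT, HRD_ETHERNET, PRO_IPV4, 6, 4, OP_REQUEST,
                      peer_mac, ip("198.51.100.7"), bytes(6), my_ip)
    rfc_reply = handle_arp(req, my_mac, my_ip, {})
    filtered = handle_arp(req, my_mac, my_ip, {}, ipaddress.ip_network("192.0.2.0/24"))
    return rfc_reply, filtered

if __name__ == "__main__":
    print(demo())
```

Following the RFC steps as written, the off-subnet request is answered and its sender is added to the translation table; only the added on_net check suppresses the reply.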