From: Gary Palmer <gjp@in-addr.com>
Date: Mon, 19 Sep 2005 03:34:10 +0100
To: freebsd-net@freebsd.org
Subject: Re: ARP behavior in FreeBSD vs Linux
Message-ID: <432E23A2.8000801@in-addr.com>
In-Reply-To: <432DA0AC.8010802@thedarkside.nl>
List-Id: Networking and TCP/IP with FreeBSD

Pieter de Boer wrote:
>>> Is there any advantage/disadvantage in ARP implementation on FreeBSD
>>> over that of Linux? Thanks.
>>
> I was unhappily surprised by this 'feature'. I find it pretty
> counter-intuitive. I expect two interfaces to be separated inside a
> kernel, but Linux more or less binds them together. Incoming traffic
> on the 'wrong' interface will gladly be accepted, too. This broke
> things for me, because I didn't want to have that certain IP-address
> accessible.
>
> That said, this happens only when you have two interfaces connected to
> the same subnet, which is a bit evil anyhow. It may be beneficial for
> Linux to do things this way, perhaps for redundancy-purposes (two
> interfaces, one IP-address, IP reachable over both interfaces, when
> one fails, the other takes over.. no idea if that works out-of-the-box).

There is another side effect, which comes into view with certain
configurations behind load balancers. Foundry has an option (I believe
called "DSR" for Direct Server Return) which just fiddles with the MAC
address of the destination. Other companies' load balancers will probably
have the same option, but I've no idea what they'll call it.

For the connection to be accepted, all servers which are expected to
answer for a particular load balanced IP address have to have that IP
configured on one of their interfaces, typically loopback. The host sees
that the connection is for one of its interfaces, accepts the connection
and life is happy. The return path from the host to the originator
bypasses the load balancer, and effectively halves the traffic that the
LB is having to process and do table lookups on, etc. This obviously
greatly increases the available capacity of the LB.

With a Linux box answering ARP as described above, it is possible that
the upstream router (or routers) COULD learn that the load balanced IP
actually belongs on one of the servers rather than the load balancer. If
that happens, your load balanced farm will quickly degrade and you'll be
scratching your head for hours to try and figure out what's going on. Or
the LB and the Linux box will get into an ARP war and random TCP
connections will get RSTs from the Linux box.
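The DSR failure described in this message, as an added model that is not from the thread: a constructed flat segment with a load balancer owning the VIP on eth0 and a real server holding the same VIP on loopback. The policy numbers mirror Linux's per-interface arp_ignore sysctl (0 = answer for any local address, 1 = answer only for addresses configured on the receiving interface, which matches the FreeBSD behaviour being compared); host names, MACs and addresses are constructed.

```python
from dataclasses import dataclass

# Policy values mirror Linux's net.ipv4.conf.<if>.arp_ignore (assumed mapping):
# 0: reply if the target is ANY local address (Linux default, the thread's case)
# 1: reply only if the target is configured on the RECEIVING interface
#    (FreeBSD's behaviour, and the DSR-safe setting on a Linux real server)
ANY_LOCAL, RECEIVING_IF_ONLY = 0, 1


@dataclass
class Host:
    name: str
    mac: str
    ifaces: dict                # ifname -> set of IPs configured on it
    arp_ignore: int = ANY_LOCAL

    def arp_reply(self, iface, target_ip):
        """MAC this host would put in an ARP reply for who-has target_ip
        received on iface, or None if it stays silent."""
        if iface not in self.ifaces:
            return None
        if self.arp_ignore == RECEIVING_IF_ONLY:
            return self.mac if target_ip in self.ifaces[iface] else None
        if any(target_ip in ips for ips in self.ifaces.values()):
            return self.mac
        return None


def who_has(hosts, segment_if, target_ip):
    """Broadcast who-has on one flat L2 segment: every host receives the
    request on the interface named segment_if. Returns all answering MACs;
    more than one answer is the 'ARP war' the router can get caught in."""
    return sorted(m for m in (h.arp_reply(segment_if, target_ip) for h in hosts) if m)


VIP = "10.0.0.100"  # constructed load-balanced address


def dsr_farm(server_policy):
    """LB owns the VIP on its front interface; the real server carries the
    same VIP on loopback so it accepts forwarded connections (DSR)."""
    lb = Host("lb", "02:00:00:00:00:01", {"eth0": {"10.0.0.2", VIP}})
    web = Host("web1", "02:00:00:00:00:11",
               {"eth0": {"10.0.0.11"}, "lo": {"127.0.0.1", VIP}}, server_policy)
    return [lb, web]


def vip_responders(server_policy):
    """Who answers the upstream router's who-has for the VIP on the front segment."""
    return who_has(dsr_farm(server_policy), "eth0", VIP)
```

With the default policy both the LB and the real server answer for the VIP, so the router may cache the server's MAC; with the receiving-interface-only policy only the LB answers while the server still answers for its own eth0 address.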