Date: Sat, 9 Oct 1999 16:14:33 -0500 (CDT)
From: Mohit Aron <aron@cs.rice.edu>
To: julian@whistle.com (Julian Elischer)
Cc: sthaug@nethelp.no, freebsd-net@freebsd.org, justin@apple.com, alc@cs.rice.edu, wollman@khavrinen.lcs.mit.edu
Subject: Re: arp errors on machines with two interfaces
Message-ID: <199910092114.QAA11499@cs.rice.edu>
In-Reply-To: <Pine.BSF.4.05.9910091356490.53621-100000@home.elischer.org> from "Julian Elischer" at Oct 9, 99 02:06:54 pm
> Why are you doing this?
> Why not just assign the two addresses to the same
> NIC? (though I guess with a switch you may be able to get twice the
> throughput with two NICs..)
>

Actually I do have aliases on each of the interfaces but as you guessed, the two interfaces are there to get more throughput. The machine has a 500 MHz Pentium III processor (actually 4 of them, but I'm just using one for now). It's not possible to saturate the machine with just one 100Mbps interface. I need to have multiple interfaces.

> He does have a point however.. ARP packets that are not for the networks
> that are on the receiving NIC could probably be safely discarded without
> affecting the way that the system supports the spec. I think it's vague on
> this point, and we SEE that other people do similar. I would actually
> think that it would be a security improvement.
> I don't think we should accept configuration or routing information from
> machines that are not on the right network.
>
> If I had one net inside a firewall and one outside, I don't want to
> receive ARP packets from the outside that are influencing my internal
> routing (arp) table.
>
> This is not that unsupported.. High availability hosts do this all the
> time, and need to.
>
> My suggestion is that we check incoming arp packets to discard
> packets that resolve addresses that are not in a netrange on the interface
> into which they came.
>
> I think this is a good idea anyway for security reasons and we can
> dispense with the check against ALL local networks. It might even be
> faster.
>

Thanks for clarifying the specs and supporting my suggestion. I do really need this configuration and all high end server systems that I know use it too.

- Mohit
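The per-interface check Julian proposes in the quoted text above, written out as a stand-alone illustration. This is added example code, not from this thread or from the FreeBSD ARP input path: it parses a raw Ethernet/IPv4 ARP packet (RFC 826 layout) and accepts it only when both the sender protocol address (the one that would be entered into the ARP table) and the target protocol address fall within a prefix configured on the interface the packet arrived on. The interface name `fxp0`, its two constructed prefixes (a primary address and an alias, as Mohit describes), the sample packets, and the decision to test both the sender and the target address are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed values from the ARP header (RFC 826): Ethernet hardware type, IPv4 protocol type. */
#define ARPHRD_ETHER_VAL 1
#define ETHERTYPE_IP_VAL 0x0800
#define ARP_V4_LEN 28          /* length of an Ethernet/IPv4 ARP packet, header through tpa */

/* Pack a dotted quad into a host-order 32-bit value: IPV4(10,0,0,1). */
#define IPV4(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical stand-in for the kernel's per-interface address list (assumption). */
struct ifaddr_v4 { uint32_t addr; uint32_t mask; };
struct iface { const char *name; const struct ifaddr_v4 *addrs; size_t naddrs; };

/* Fields of interest from a parsed Ethernet/IPv4 ARP packet. */
struct arp_v4 {
    uint16_t op;
    uint8_t sha[6]; uint32_t spa;   /* sender hardware / protocol address */
    uint8_t tha[6]; uint32_t tpa;   /* target hardware / protocol address */
};

/* Big-endian field helpers; avoids depending on <arpa/inet.h>. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse buf as an ARP packet. Returns 0 on success, -1 if truncated or not Ethernet/IPv4 ARP. */
int parse_arp_v4(const uint8_t *buf, size_t len, struct arp_v4 *out) {
    if (len < ARP_V4_LEN) return -1;                                     /* truncated */
    if (rd16(buf) != ARPHRD_ETHER_VAL || rd16(buf + 2) != ETHERTYPE_IP_VAL) return -1;
    if (buf[4] != 6 || buf[5] != 4) return -1;                           /* hln must be 6, pln must be 4 */
    out->op = rd16(buf + 6);
    memcpy(out->sha, buf + 8, 6);  out->spa = rd32(buf + 14);
    memcpy(out->tha, buf + 18, 6); out->tpa = rd32(buf + 24);
    return 0;
}

/* True if ip lies within any prefix configured on ifp (primary address or alias). */
int ip_on_iface(const struct iface *ifp, uint32_t ip) {
    for (size_t i = 0; i < ifp->naddrs; i++)
        if ((ip & ifp->addrs[i].mask) == (ifp->addrs[i].addr & ifp->addrs[i].mask)) return 1;
    return 0;
}

/* The proposed input check: accept only if the sender address (what would go into the ARP
 * table) and the target address are both on-link for the receiving interface. */
int arp_accept(const struct iface *ifp, const uint8_t *buf, size_t len) {
    struct arp_v4 a;
    if (parse_arp_v4(buf, len, &a) != 0) return 0;                      /* malformed: drop */
    return ip_on_iface(ifp, a.spa) && ip_on_iface(ifp, a.tpa);
}

/* Build a constructed ARP request for testing; not captured traffic. */
void build_arp_request(uint8_t out[ARP_V4_LEN], const uint8_t sha[6], uint32_t spa, uint32_t tpa) {
    memset(out, 0, ARP_V4_LEN);
    wr16(out, ARPHRD_ETHER_VAL); wr16(out + 2, ETHERTYPE_IP_VAL);
    out[4] = 6; out[5] = 4; wr16(out + 6, 1);                          /* opcode 1 = request */
    memcpy(out + 8, sha, 6); wr32(out + 14, spa);
    wr32(out + 24, tpa);                                                 /* tha stays zero in a request */
}

/* Constructed interface: primary 10.0.0.1/24 plus alias 192.168.5.1/24 (assumption). */
static const struct ifaddr_v4 fxp0_addrs[] = {
    { IPV4(10,0,0,1),    IPV4(255,255,255,0) },
    { IPV4(192,168,5,1), IPV4(255,255,255,0) },
};
const struct iface fxp0 = { "fxp0", fxp0_addrs, 2 };

/* Convenience: build a request with the given addresses and run it through the check,
 * presenting only `len` bytes of it so truncation can be exercised too. */
int sample_accept(uint32_t spa, uint32_t tpa, size_t len) {
    uint8_t pkt[ARP_V4_LEN];
    const uint8_t mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };    /* constructed MAC */
    build_arp_request(pkt, mac, spa, tpa);
    return arp_accept(&fxp0, pkt, len < ARP_V4_LEN ? len : ARP_V4_LEN);
}

int main(void) {
    printf("on-link sender 10.0.0.7 -> 10.0.0.1:     %s\n",
           sample_accept(IPV4(10,0,0,7), IPV4(10,0,0,1), ARP_V4_LEN) ? "accept" : "drop");
    printf("off-link sender 172.16.3.9 -> 10.0.0.1:  %s\n",
           sample_accept(IPV4(172,16,3,9), IPV4(10,0,0,1), ARP_V4_LEN) ? "accept" : "drop");
    printf("alias net 192.168.5.20 -> 192.168.5.1:   %s\n",
           sample_accept(IPV4(192,168,5,20), IPV4(192,168,5,1), ARP_V4_LEN) ? "accept" : "drop");
    return 0;
}
```

Because the check only consults the receiving interface's own prefixes, an ARP packet arriving on the outside interface can never populate an entry for an address that belongs to the inside network, which is the separation Julian describes; it also drops the lookup against every local network, so the per-packet cost is bounded by the number of addresses on one interface rather than on the whole host.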