From owner-freebsd-net Sat Oct 9 14:14:41 1999
Delivered-To: freebsd-net@freebsd.org
Received: from cs.rice.edu (cs.rice.edu [128.42.1.30]) by hub.freebsd.org (Postfix) with ESMTP id 06DBC150D0 for ; Sat, 9 Oct 1999 14:14:38 -0700 (PDT) (envelope-from aron@cs.rice.edu)
Received: (from aron@localhost) by cs.rice.edu (8.9.0/8.9.0) id QAA11499; Sat, 9 Oct 1999 16:14:34 -0500 (CDT)
From: Mohit Aron
Message-Id: <199910092114.QAA11499@cs.rice.edu>
Subject: Re: arp errors on machines with two interfaces
To: julian@whistle.com (Julian Elischer)
Date: Sat, 9 Oct 1999 16:14:33 -0500 (CDT)
Cc: sthaug@nethelp.no, freebsd-net@freebsd.org, justin@apple.com, alc@cs.rice.edu, wollman@khavrinen.lcs.mit.edu
In-Reply-To: from "Julian Elischer" at Oct 9, 99 02:06:54 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Why are you doing this?
> Why not just assign the two addresses to the same
> NIC? (though I guess with a switch you may be able to get twice the
> throughput with two NICs..)
>

Actually I do have aliases on each of the interfaces but, as you guessed, the two interfaces are there to get more throughput. The machine has a 500 MHz Pentium III processor (actually 4 of them, but I'm just using one for now). It's not possible to saturate the machine with just one 100Mbps interface. I need to have multiple interfaces.

> He does have a point however.. ARP packets that are not for the networks
> that are on the receiving NIC could probably be safely discarded without
> affecting the way that the system supports the spec. I think it's vague on
> this point, and we SEE that other people do similar. I would actually
> think that it would be a security improvement.
> I don't think we should accept configuration or routing information from
> machines that are not on the right network.
>
> If I had one net inside a firewall and one outside, I don't want to
> receive ARP packets from the outside that are influencing my internal
> routing (arp) table.
>
> This is not that unsupported.. High availability hosts do this all the
> time, and need to.
>
> My suggestion is that we check incoming arp packets to discard
> packets that resolve addresses that are not in a netrange on the interface
> into which they came.
>
> I think this is a good idea anyway for security reasons and we can
> dispense with the check against ALL local networks. It might even be
> faster.
>

Thanks for clarifying the specs and supporting my suggestion. I do really need this configuration and all high end server systems that I know use it too.

- Mohit
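The per-interface ARP check proposed in the quoted message, modelled as an added example that is not part of this thread and not FreeBSD's own in_arpinput() code. It compares the policy Julian suggests (accept an ARP packet only if the sender address it would install lies in a net range configured on the interface it arrived on) against a check that accepts any address belonging to any local interface, which is the looser behaviour the message says could be dispensed with. The interface names fxp0/fxp1, their addresses and the sample sender addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an interface with a primary address and aliases
 * (addresses and masks in host byte order). Not a kernel structure. */
#define MAX_ALIASES 4

struct iface {
    const char *name;
    int naddr;
    uint32_t addr[MAX_ALIASES];
    uint32_t mask[MAX_ALIASES];
};

/* Build a host-order IPv4 address from four octets. */
static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
}

/* Is ip inside any net range (address/mask pair) configured on ifp? */
static int addr_on_iface(const struct iface *ifp, uint32_t ip)
{
    for (int i = 0; i < ifp->naddr; i++)
        if ((ip & ifp->mask[i]) == (ifp->addr[i] & ifp->mask[i]))
            return 1;
    return 0;
}

/* Proposed policy from the thread: accept the ARP packet (and let its
 * sender address into the ARP table) only if that address belongs to a
 * net range on the receiving interface. Returns 1 to accept, 0 to drop. */
static int arp_accept_per_iface(const struct iface *rcv_ifp, uint32_t sender_ip)
{
    return addr_on_iface(rcv_ifp, sender_ip);
}

/* Looser check for comparison: accept if the sender address is on ANY
 * local interface, regardless of which one the packet arrived on. */
static int arp_accept_any_local(const struct iface **ifs, int n, uint32_t sender_ip)
{
    for (int i = 0; i < n; i++)
        if (addr_on_iface(ifs[i], sender_ip))
            return 1;
    return 0;
}

/* Constructed two-NIC host: fxp0 carries 10.0.1.1/24 plus alias 10.0.2.1/24,
 * fxp1 carries 192.168.5.1/24 (think "inside" and "outside" networks). */
static const struct iface fxp0 = { "fxp0", 2,
    { 0x0A000101u /* 10.0.1.1 */, 0x0A000201u /* 10.0.2.1 */ },
    { 0xFFFFFF00u, 0xFFFFFF00u } };
static const struct iface fxp1 = { "fxp1", 1,
    { 0xC0A80501u /* 192.168.5.1 */ },
    { 0xFFFFFF00u } };
static const struct iface *all_ifaces[] = { &fxp0, &fxp1 };

static void show(const struct iface *rcv, uint32_t sender)
{
    printf("ARP from %u.%u.%u.%u on %s: any-local=%d per-iface=%d\n",
           sender >> 24, (sender >> 16) & 0xFF, (sender >> 8) & 0xFF, sender & 0xFF,
           rcv->name,
           arp_accept_any_local(all_ifaces, 2, sender),
           arp_accept_per_iface(rcv, sender));
}

int main(void)
{
    show(&fxp0, ip4(10, 0, 1, 50));   /* right network, right NIC: both accept */
    show(&fxp0, ip4(10, 0, 2, 7));    /* alias range on fxp0: both accept */
    show(&fxp1, ip4(10, 0, 1, 50));   /* internal address arriving on the other NIC:
                                         any-local accepts, per-iface drops */
    show(&fxp1, ip4(172, 16, 0, 9));  /* not local anywhere: both drop */
    return 0;
}
```

The third case is the one the message cares about: a packet claiming an address from the fxp0 network but arriving on fxp1 passes the any-local check and would update the ARP entry for an inside host, while the per-interface check discards it. The per-interface check also does less work, since it walks only the receiving interface's address list rather than every interface.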