Date:      Sat, 9 Oct 1999 14:06:54 -0700 (PDT)
From:      Julian Elischer <julian@whistle.com>
To:        sthaug@nethelp.no
Cc:        aron@cs.rice.edu, freebsd-net@FreeBSD.ORG, justin@apple.com, alc@cs.rice.edu, wollman@khavrinen.lcs.mit.edu
Subject:   Re: arp errors on machines with two interfaces
Message-ID:  <Pine.BSF.4.05.9910091356490.53621-100000@home.elischer.org>
In-Reply-To: <63642.939502328@verdi.nethelp.no>



On Sat, 9 Oct 1999 sthaug@nethelp.no wrote:

> > > Garrett is correct, and sarcasm doesn't help.  You can't have more  
> > > than one interface on a given wire, with the same subnet address,  
> > > using IP.  Them's the protocol rules.
> > 
> > Actually I am using different subnet addresses on the two interfaces. One is
> > 128.42.3.77 and the other is 192.168.3.77. There are other machines in the
> > dept running Solaris and other OS's that are connected in similar fashions.
> > However, the Ethernet is switched and any broadcast by anyone is going to be
> > seen by all interfaces connected to it.

Why are you doing this? 
Why not just assign the two addresses to the same
NIC? (though I guess with a switch you may be able to get twice the
throughput with two NICs..)

He does have a point however.. ARP packets that are not for the networks
that are on the receiving NIC could probably be safely discarded without
affecting the way that the system supports the spec. I think it's vague on
this point, and we SEE that other people do similar. I would actually
think that it would be a security improvement.
I don't think we should accept configuration or routing information from
machines that are not on the right network.

If I had one net inside a firewall and one outside, I don't want to
receive ARP packets from the outside that are influencing my internal
routing (arp) table.

> 
> What you are doing is not supported by the standard TCP/IP model of
> communication. The fact that it (partly) works for you should be
> regarded as incidental.
> 
> Try to think of it in terms of a traditional coax-based Ethernet, and
> having two NICs on one host connected to the same physical Ethernet
> cable. Would you expect this to work? (You shouldn't.)
> 
> > I don't have control over the hardware. But here's a possibility - wouldn't
> > it be better if this error message generation in FreeBSD is turned off if
> > the packet is an arp broadcast ? Like I showed in my earlier mail, the
> > problem only happens due to arp broadcasts.
> 
> No, the problem happens due to the fact that you are connecting two
> Ethernet NICs to the same segment. This is not supported. Why should the
> error message be turned off just to please you, when you're using an
> unsupported configuration?

This is not that unsupported.. High availability hosts do this all the
time, and need to.

My suggestion is that we check incoming arp packets to discard
packets that resolve addresses that are not in a netrange on the interface
into which they came.

I think this is a good idea anyway for security reasons and we can
dispense with the check against ALL local networks. It might even be
faster.

julian
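The per-interface check Julian proposes, written out as an added C example (not FreeBSD code and not from anyone in the thread): the two NICs from the thread are constructed here as fxp0 on 128.42.3.0/24 and fxp1 on 192.168.3.0/24 (the /24s and names are assumptions), and the filter also checks the sender address, since that is what would be learned into the ARP table, exempting the all-zero sender of an ARP probe.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* One IPv4 prefix on an interface; addresses are kept in host byte order. */
struct in_prefix { uint32_t net; uint32_t mask; };

/* An interface may carry several prefixes (aliases); all of them are checked. */
struct iface { const char *name; int nnets; struct in_prefix nets[4]; };

/* Constructed sample: the two NICs from the thread, each on its own /24 (assumed). */
static const struct iface fxp0 = { "fxp0", 1, { { 0x802A0300u, 0xFFFFFF00u } } }; /* 128.42.3.0/24 */
static const struct iface fxp1 = { "fxp1", 1, { { 0xC0A80300u, 0xFFFFFF00u } } }; /* 192.168.3.0/24 */

/* Parse dotted quad into host byte order; 0 on malformed input. */
static int ip4(const char *dotted, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Is addr inside any prefix configured on this interface (not on ALL local nets)? */
static int on_iface_net(const struct iface *ifp, uint32_t addr) {
    for (int i = 0; i < ifp->nnets; i++)
        if ((addr & ifp->nets[i].mask) == ifp->nets[i].net)
            return 1;
    return 0;
}

/* Per-interface ARP filter: accept only if the address being resolved (target)
 * and the address we would learn (sender) both lie in a net configured on the
 * interface the packet arrived on.  Returns 1 to accept, 0 to discard.
 * An all-zero sender (ARP probe, RFC 5227) is exempt from the sender check,
 * otherwise probes from our own segment would be thrown away. */
int arp_accept(const struct iface *ifp, const char *sender_ip, const char *target_ip) {
    uint32_t spa, tpa;
    if (!ip4(sender_ip, &spa) || !ip4(target_ip, &tpa))
        return 0;                                   /* unparsable: discard */
    if (spa != 0 && !on_iface_net(ifp, spa))
        return 0;                                   /* sender not on this wire's net */
    return on_iface_net(ifp, tpa);
}

int main(void) {
    /* A 192.168.3.x request seen on fxp0 is discarded even though 192.168.3.77
     * is a local address on the other NIC; the same request on fxp1 is accepted. */
    printf("fxp0: who-has 192.168.3.77 tell 192.168.3.9 -> %s\n",
           arp_accept(&fxp0, "192.168.3.9", "192.168.3.77") ? "accept" : "discard");
    printf("fxp1: who-has 192.168.3.77 tell 192.168.3.9 -> %s\n",
           arp_accept(&fxp1, "192.168.3.9", "192.168.3.77") ? "accept" : "discard");
    return 0;
}
```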



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9910091356490.53621-100000>