
Proxy-Arp considered harmful

Proxy-Arp considered harmful. 2011-11-03, RIPE63 – EIX Working Group. Wolfgang Tremmel, Director Support, wolfgang.tremmel@de-cix.net.


Presentation Transcript


  1. Proxy-Arp considered harmful 2011-11-03 RIPE63 – EIX Working Group Wolfgang Tremmel Director Support wolfgang.tremmel@de-cix.net

  2. [Diagram] Labels: Internet; 80.81.192.0/22; 80.81.194.A/22; 80.81.195.B/22; 80.81.194.C/22; 80.81.192.D/22; 80.81.193.E/22.

  3. [Diagram] Labels as on slide 2, plus: 80.81.192.0/23 (three times).

  4. [Diagram] Labels as on slide 2, plus: "80.81.192.0/23 blocked"; "Accepted: 80.81.192.0/23" (twice).

  5. [Diagram] Labels as on slide 4, plus: "ARP-Request: Who has 80.81.193.1?"

  6. [Diagram] Labels as on slide 5, plus: "No proxy-arp".

  7. [Diagram] Labels as on slide 6, plus: "Send Traffic for 80.81.193.1 to me!"

  8. Proxy-ARP: a history
     • RFC 1027: "Using ARP to Implement Transparent Subnet Gateways"
     • 1987: A network with 100 hosts was considered large
     • Repeaters were common
     • Subnetting was "the new thing"
     • Proxy-Arp was a solution for connecting networks in which hosts were not aware of subnetting
     • Proxy-Arp "on" as default in Cisco IOS since version 9 at least
     • Do we still need this?

  9. DE-CIX: Lessons learned
     • Before the incident we only tested proxy-arp when new customers connected
     • Configuration changes went unnoticed
     • Now:
       • We test all connected customers for proxy-arp every 10 minutes
       • In case we find one:
         • 24/7 support gets a message
         • Customer is notified
         • Customer port gets shut down
         • As soon as the customer confirms he has turned off proxy-arp he gets re-enabled
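One way the periodic check on slide 9 can be evaluated, as an added example that is not DE-CIX's own tooling: it parses captured ARP replies and flags any MAC that answered for an address it is not registered for, which is the signature of proxy-arp on a shared peering LAN. The allocation table, MAC addresses and frames are constructed sample data; only 80.81.193.1 appears in the slides.

```python
import struct

# Constructed sample: peering-LAN IP -> MAC registered for that customer port.
ASSIGNED = {
    "80.81.192.10": "02:00:00:00:00:0a",
    "80.81.193.1": "02:00:00:00:00:0b",
    "80.81.194.20": "02:00:00:00:00:0c",
}

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def make_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame; used only to construct sample input."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(o) for o in s.split("."))
    eth = m(target_mac) + m(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + m(sender_mac) + i(sender_ip) + m(target_mac) + i(target_ip)

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return _mac(frame[22:28]), _ip(frame[28:32])

def find_proxy_arp(frames, assigned):
    """Map each MAC to the IPs it answered for without being the registered owner."""
    offenders = {}
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue  # request, other ethertype, or truncated frame
        mac, ip = parsed
        if assigned.get(ip) != mac:  # unassigned IP, or another customer's IP
            offenders.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in offenders.items()}

MON = "02:00:00:00:00:01"  # constructed MAC of the monitoring host
SAMPLE = [
    make_arp(2, "02:00:00:00:00:0b", "80.81.193.1", MON, "80.81.192.2"),    # owner answers
    make_arp(2, "02:00:00:00:00:0c", "80.81.193.1", MON, "80.81.192.2"),    # answers for a neighbour
    make_arp(2, "02:00:00:00:00:0c", "80.81.195.250", MON, "80.81.192.2"),  # answers for an unused IP
    make_arp(1, "02:00:00:00:00:0a", "80.81.192.10", "00:00:00:00:00:00", "80.81.193.1"),  # request
]
```

Each offending MAC maps back to a customer port, which is the input the notify and shut-down steps on the slide need.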

  10. 1. November 2011 – DE-CIX Management GmbH Thank you Join DE-CIX now! DE-CIX Competence Center Lindleystrasse 12 60314 Frankfurt/Germany Phone +49 69 1730 902 - 0 info@de-cix.net DE-CIX Competence Center @ Kontorhaus Building Frankfurt Osthafen (Docklands)
