On Wednesday, January 20, 2016 1:37 PM, Martin Pieuchot <m...@openbsd.org> wrote:
>If you're referring to my reply, I was interested in the behavior in a
>-current kernel, what will be 5.9 soon. A lot of changes happened
>since 5.8.
>
>It would be nice if you could also post the output of "route -n show -inet"
>with such kernel.

I have brought up this issue before, but I think I have narrowed down the possible causes/scenario, and I have my machine up to date with the current release.

I think my question is: on my openbsd 6.0 amd64 machine, where I already have an accurate ARP entry that has been manually set as permanent, when the sshd daemon receives a connection, why does that machine broadcast an ARP 'who-has' for the IP address of the SSH client machine?

This was sparked by seeing entries in my /var/log/messages like:

Oct 22 23:50:00 www /bsd: arp: attempt to overwrite permanent entry for 70.20.25.26 by fa:c0:01:75:98:cd on em0

The details are, as best I can summarize:

network diagram:

                     ----------          --------                ----------
--ISP 70.20.25.1----|switch   |         | router |              | switch |
                    |SG200-18 |----70.20.25.26 / 192.168.1.1----|        |----192.168.1.x
                    |         |          --------                |        |   home LAN
                    |         |----70.20.25.28                    ----------
                    |         |----70.20.25.29
                    |         |----70.20.25.30
                     ----------

OBSD 6.0 amd64 release

ethernet IDs:

fa:c0:01:75:98:cd  70.20.25.1   FIOS gateway
00:25:90:0A:69:B6  70.20.25.26  my router - external
00:25:90:0A:69:B7  192.168.1.1  my router - internal
00:25:90:EA:52:9C  70.20.25.30
00:30:48:DC:1E:35  70.20.25.28
00:30:48:DC:75:DF  70.20.25.29

I have wanted to leave nothing to chance regarding IP to ethernet ID mapping so, on 70.20.25.30 rc.local has:

arp -F -s 70.20.25.26 00:25:90:0a:69:b6 permanent
arp -F -s 70.20.25.28 00:30:48:dc:1e:35 permanent
arp -F -s 70.20.25.29 00:30:48:dc:75:df permanent

on 70.20.25.30

# route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            70.20.25.1         UGS        4    16498     -     8 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
70.20.25/24        70.20.25.30        UC         1    47033     -     4 em0
70.20.25.1         fa:c0:01:75:98:cd  UHLc       1    24835     -     4 em0
70.20.25.26        00:25:90:0a:69:b6  UHLS3      1      657     - L   8 em0
70.20.25.28        00:30:48:dc:1e:35  UHLS3      0      590     -     8 em0
70.20.25.29        00:30:48:dc:75:df  UHLS3      0      592     -     8 em0
70.20.25.30        00:25:90:ea:52:9c  UHLl       0     7904     -     1 em0
70.20.25.255       70.20.25.30        UHb        0        0     -     1 em0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1      393 32768     1 lo0

When I initiate an SSH client connection from 70.20.25.26 to 70.20.25.30:

at 22 Oct 23:50, ssh from 70.20.25.26 to www.<redacted>.org (70.20.25.30)

#ssh user1@www.<redacted>.org

Then, having logged into 70.20.25.30, /var/log/authlog shows:

Oct 22 23:50:04 www sshd[5107]: Accepted password for user1 from 70.20.25.26 port 8477 ssh2

/var/log/messages shows:

Oct 22 23:50:00 www /bsd: arp: attempt to overwrite permanent entry for 70.20.25.26 by fa:c0:01:75:98:cd on em0

tcpdump log of arp traffic shows:

Oct 22 23:50:00.885770 00:25:90:ea:52:9c ff:ff:ff:ff:ff:ff 0806 42: arp who-has 70.20.25.26 tell 70.20.25.30
Oct 22 23:50:00.885893 00:25:90:0a:69:b6 00:25:90:ea:52:9c 0806 60: arp reply 70.20.25.26 is-at 00:25:90:0a:69:b6
Oct 22 23:50:00.886738 fa:c0:01:75:98:cd 00:25:90:ea:52:9c 0806 60: arp reply 70.20.25.26 is-at fa:c0:01:75:98:cd

This looks to me like 00:25:90:ea:52:9c (which is 70.20.25.30) is broadcasting an arp 'who-has' requesting the ethernet ID for 70.20.25.26 (SSH client). Appropriately, 00:25:90:0a:69:b6 replies, but the FIOS gateway fa:c0:01:75:98:cd also replies, and tries to pretend it is 70.20.25.26.

My question is, why? I have put the ethernet/IP address in as permanent in the arp table; the routing table shows it is there. So why, when I open an SSH connection, is the 70.20.25.30 machine asking for the ethernet address of the client machine? If I didn't have the rc.local arp commands, there might have been the situation where the FIOS gateway interposes itself.

I should point out that this is not exactly reproducible - this is after several weeks of running the machine, and I looked for this problem in the first several weeks.
Packages installed include: slapd (and its dependency saslauthd), then postfix, dovecot, and acme-client (my domain name - I put it as <redacted> , not because people can't figure it out, but because I don't want Google to index it and make it trivial to associate with this problem/?vulnerability - I hope that doesn't cause a problem)
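The capture above shows two different MACs answering one ARP request for a pinned address. As an added example (not part of the original mail), here is a small Python checker that reads tcpdump ARP lines in that format and flags any reply that disagrees with the permanent entries, or any IP answered by more than one MAC; the sample lines and the pinned table are constructed from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the three ARP frames from the tcpdump excerpt in the post,
# in the same "ts src dst 0806 len: arp ..." layout.
SAMPLE_LOG = """\
Oct 22 23:50:00.885770 00:25:90:ea:52:9c ff:ff:ff:ff:ff:ff 0806 42: arp who-has 70.20.25.26 tell 70.20.25.30
Oct 22 23:50:00.885893 00:25:90:0a:69:b6 00:25:90:ea:52:9c 0806 60: arp reply 70.20.25.26 is-at 00:25:90:0a:69:b6
Oct 22 23:50:00.886738 fa:c0:01:75:98:cd 00:25:90:ea:52:9c 0806 60: arp reply 70.20.25.26 is-at fa:c0:01:75:98:cd
"""

# IP -> MAC mappings mirroring the "arp -s ... permanent" entries in rc.local.
PINNED = {
    "70.20.25.26": "00:25:90:0a:69:b6",
    "70.20.25.28": "00:30:48:dc:1e:35",
    "70.20.25.29": "00:30:48:dc:75:df",
}

REPLY_RE = re.compile(
    r"^(?P<ts>\S+ \d+ \S+) (?P<src>[0-9a-f:]{17}) \S+ 0806 \d+: "
    r"arp reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})$"
)

def parse_replies(text):
    """Return (timestamp, frame src MAC, ip, claimed MAC) for each ARP reply line."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["src"], m["ip"], m["mac"].lower()))
    return out

def find_conflicts(replies, pinned):
    """Flag replies whose claimed MAC differs from the pinned one, and any IP
    answered by more than one distinct MAC within the capture."""
    alerts = []
    seen = defaultdict(set)
    for ts, src, ip, mac in replies:
        seen[ip].add(mac)
        if ip in pinned and mac != pinned[ip]:
            alerts.append(f"{ts} {src} claims {ip} is-at {mac}, pinned {pinned[ip]}")
    for ip, macs in seen.items():
        if len(macs) > 1:
            alerts.append(f"{ip} answered by {len(macs)} MACs: {sorted(macs)}")
    return alerts

if __name__ == "__main__":
    for alert in find_conflicts(parse_replies(SAMPLE_LOG), PINNED):
        print(alert)
```

Run against a live `tcpdump -e -n arp` stream, the same checks give a timestamped record of every reply that contradicts a permanent entry, which is the event the kernel's "attempt to overwrite permanent entry" message reports.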