On Thu, Jan 16, 2014 at 10:51 AM, Niels Bakker wrote:
> That wasn't the question. The question was what equipment would send
> proxy ARP replies as broadcasts, possibly causing poisoning in other
> routers (which still sounds far-fetched to me).
>
Which current routers will actually _listen_ to
I seem to recall some video encoders doing that, but I can't remember the
vendor.
Sent from my Mobile Device.
Original message
From: Niels Bakker
Date: 01/16/2014 8:54 AM (GMT-08:00)
To: nanog@nanog.org
Subject: Re: Proxy ARP detection
* vrist...@ramapo.edu (Vlade Ristevski) [Thu 16 Jan 2014, 17:46 CET]:
Cisco ASAs still have proxy ARP enabled by default when certain NAT
types are configured.
That wasn't the question. The question was what equipment would send
proxy ARP replies as broadcasts, possibly causing poisoning in
Cisco ASAs still have proxy ARP enabled by default when certain NAT
types are configured.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html
"Default Settings
(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has
proxy ARP disabled.
You
* c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 01:25 CET]:
On Jan 15, 2014, at 4:03 PM, Niels Bakker wrote:
* c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
This is where theory diverges nicely from practice. In some
cases the offender broadcast his reply, and guess wha
On Wed, Jan 15, 2014 at 10:49 PM, ML wrote:
>
> Shouldn't ARP inspection be a common feature?
>
Dynamic ARP inspection is mostly useful only when the trusted ports
receive their MAC to IP address
mapping from a trusted DHCP server, and the trusted mapping is established
using DHCP snooping.
Or
On 1/15/2014 6:31 PM, Clay Fiske wrote:
Yes, yes, I expected a smug reply like this. I just didn’t expect it to take so
long.
But how can I detect proxy ARP when detecting proxy ARP was patented in 1996?
http://www.google.com/patents/US5708654
Seriously though, it’s not so simple. You only
On Wed, Jan 15, 2014 at 10:21 PM, Patrick W. Gilmore wrote:
> Excellent. So all everyone has to do is not buy cisco _or_ juniper.
>
Or make the LANs IPv6-only addressed, since ARP is not used.
And it is probably unlikely that someone will turn on a ND Proxy by
"accident".
> Wait a minute.
Excellent. So all everyone has to do is not buy cisco _or_ juniper.
Wait a minute
--
TTFN,
patrick
On Jan 15, 2014, at 19:54 , Eric Rosen wrote:
> Cisco PIXs used to do this: if the firewall had a route and saw an ARP request
> in that IP range, it would proxy ARP.
>
> - Original Mes
Cisco PIXs used to do this: if the firewall had a route and saw an ARP request
in that IP range, it would proxy ARP.
- Original Message -
>
> On Jan 15, 2014, at 4:03 PM, Niels Bakker wrote:
>
> > * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
> >> This is where theory
On Jan 15, 2014, at 4:03 PM, Niels Bakker wrote:
> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
>> This is where theory diverges nicely from practice. In some cases the
>> offender broadcast his reply, and guess what else? A lot of routers listen
>> to unsolicited ARP repl
* c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
This is where theory diverges nicely from practice. In some cases
the offender broadcast his reply, and guess what else? A lot of
routers listen to unsolicited ARP replies.
I've never seen this. Please name vendor and product,
On Jan 15, 2014, at 3:47 PM, Niels Bakker wrote:
> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]:
> [...]
>> Seriously though, it’s not so simple. You only get replies if the IP you ARP
>> for is in the offender’s route table (or they have a default route). I’ve
>> seen diff
* c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]:
[...]
Seriously though, it’s not so simple. You only get replies if the IP
you ARP for is in the offender’s route table (or they have a default
route). I’ve seen different routers respond depending on which
non-local IP was ARPed
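Passive detection of the two behaviours discussed in this thread, as an added example that is not from any poster: it decodes ARP replies off the wire and flags ones that answer for an address outside the local prefix (a device proxy-ARPing for a routed destination) or that are sent to the broadcast MAC (the unsolicited replies that many stacks still cache). The local prefix, MACs and sample frames are constructed assumptions.

```python
import ipaddress
import struct
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local LAN prefix (constructed)
BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def parse_arp(frame: bytes):
    """Decode an ARP-over-Ethernet frame; return None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, _eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": eth_dst, "oper": oper, "sha": sha,
            "spa": ipaddress.ip_address(spa), "tpa": ipaddress.ip_address(tpa)}

def classify_reply(arp, local_net=LOCAL_NET):
    """Flag a reply answering for an off-subnet IP (proxy ARP) or sent to broadcast."""
    findings = []
    if arp is None or arp["oper"] != ARP_REPLY:
        return findings
    mac = arp["sha"].hex(":")
    if arp["spa"] not in local_net:
        findings.append(f"proxy-arp: {mac} answered for off-subnet {arp['spa']}")
    if arp["eth_dst"] == BROADCAST_MAC:  # unsolicited reply that many stacks still cache
        findings.append(f"broadcast-reply: {mac} claims {arp['spa']}")
    return findings

def build_arp(eth_dst, sha, spa, tha, tpa, oper=ARP_REPLY):
    """Construct a sample ARP-over-Ethernet frame (constructed test traffic only)."""
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha,
                       ipaddress.ip_address(spa).packed, tha, ipaddress.ip_address(tpa).packed)
    return struct.pack("!6s6sH", eth_dst, sha, ETHERTYPE_ARP) + body

HOST, ROUTER = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\xfe"
# Constructed traffic: a normal reply, a proxy reply for an off-subnet IP, a broadcast reply.
SAMPLE_FRAMES = [
    build_arp(HOST, ROUTER, "192.0.2.1", HOST, "192.0.2.10"),
    build_arp(HOST, ROUTER, "198.51.100.7", HOST, "192.0.2.10"),
    build_arp(BROADCAST_MAC, ROUTER, "192.0.2.1", BROADCAST_MAC, "192.0.2.10"),
]

def scan(frames):
    """Return (frame index, findings) for each frame that raised a finding."""
    return [(i, f) for i, fr in enumerate(frames) if (f := classify_reply(parse_arp(fr)))]
```

Feed `scan()` frames captured from a mirror port to spot which device on the segment is answering for routed addresses, rather than relying on a vendor's defaults.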