On Jan 15, 2014, at 12:46 PM, Niels Bakker <niels=na...@bakker.net> wrote:
> * c...@bloomcounty.org (Clay Fiske) [Wed 15 Jan 2014, 20:34 CET]:
>> Semi-related tangent: Working in an IXP setting I have seen weird corner
>> cases cause issues in conjunction with the IXP subnet existing in BGP. Say
>> someone’s got proxy ARP enabled on their router (sadly, more common than it
>> should be, and not just from noobs at startups). Now say your IXP is growing
>> and you expand the subnet. No matter how much you harp on the customers to
>> make the change, they don’t all do it at once. Someone announces the new,
>> larger subnet in BGP. Now when anyone ARPs for IPs in the new part of the
>> range, proxy ARP guy (still on the smaller subnet) says “hey I have a route
>> for that, send it here”. That was fun to troubleshoot. :)
>
> Proper run IXPs pay engineers to hunt down people with Proxy ARP enabled on
> their peering interfaces.

Yes, yes, I expected a smug reply like this. I just didn’t expect it to take so long.

But how can I detect proxy ARP when detecting proxy ARP was patented in 1996?

http://www.google.com/patents/US5708654

Seriously though, it’s not so simple. You only get replies if the IP you ARP for is in the offender’s route table (or they have a default route). I’ve seen different routers respond depending on which non-local IP was ARPed for. And while using something like 8.8.8.8 might be an obvious choice, I don’t care to hose up everyone’s connectivity to it just to find local proxy ARP offenders on my network.

-c
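A passive way to look for the behaviour discussed in this message, as an added example that is not part of the original post: parse ARP replies captured on the peering LAN and flag any MAC that answers for an address not assigned to it, which avoids probing for off-net addresses. The member table, MACs, the 192.0.2.0/24 addressing and the capture are constructed, and the capture point is assumed to be one where the unicast replies are visible (the querying host or a mirror port).

```python
import ipaddress
import struct
from collections import defaultdict

# Constructed member table for a hypothetical peering LAN: IP -> registered MAC.
ASSIGNED = {
    "192.0.2.10": "02:00:00:00:00:0a",
    "192.0.2.20": "02:00:00:00:00:14",
    "192.0.2.200": "02:00:00:00:00:c8",
}

def arp_reply(mac, ip):
    """Build a 28-byte Ethernet/IPv4 ARP reply payload (constructed input)."""
    hw = bytes.fromhex(mac.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                       hw, ipaddress.IPv4Address(ip).packed,
                       b"\x02\x00\x00\x00\x00\x01",
                       ipaddress.IPv4Address("192.0.2.1").packed)

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op, sha, spa = struct.unpack("!HHBBH6s4s", payload[:18])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ":".join(f"{b:02x}" for b in sha), str(ipaddress.IPv4Address(spa))

def proxy_arp_suspects(payloads, assigned):
    """Map MAC -> sorted IPs it answered for that are not assigned to that MAC."""
    suspects = defaultdict(set)
    for payload in payloads:
        parsed = parse_arp(payload)
        if parsed is None or parsed[0] != 2:  # opcode 2 = reply
            continue
        _, mac, ip = parsed
        if assigned.get(ip) != mac:
            suspects[mac].add(ip)
    return {m: sorted(ips, key=ipaddress.IPv4Address) for m, ips in suspects.items()}

# Constructed capture: the router at .20 also answers for two other addresses.
CAPTURE = [
    arp_reply("02:00:00:00:00:0a", "192.0.2.10"),
    arp_reply("02:00:00:00:00:c8", "192.0.2.200"),
    arp_reply("02:00:00:00:00:14", "192.0.2.200"),  # another member's address
    arp_reply("02:00:00:00:00:14", "192.0.2.130"),  # unassigned address
]

if __name__ == "__main__":
    print(proxy_arp_suspects(CAPTURE, ASSIGNED))
```

As the message notes, an offender only answers for addresses it has a route to, so a clean result from this check does not show that proxy ARP is disabled.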