On Jan 15, 2014, at 3:47 PM, Niels Bakker <niels=na...@bakker.net> wrote:

> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]:
> [...]
>> Seriously though, it’s not so simple. You only get replies if the IP you ARP
>> for is in the offender’s route table (or they have a default route). I’ve
>> seen different routers respond depending on which non-local IP was ARPed
>> for. And while using something like 8.8.8.8 might be an obvious choice, I
>> don’t care to hose up everyone’s connectivity to it just to find local proxy
>> ARP offenders on my network.
>
> You'll never be entirely sure but obviously you're not limited to sending
> only one ARP request - this isn't The Hunt For The Red October movie. We're
> talking a common misconfiguration here in this thread - or at least you were,
> two mails upthread.
>
> How will checking for Proxy ARP possibly hose up anybody's connectivity? You
> realise that ARP replies are unicast, right? And that IXPs generally have
> dedicated servers for monitoring from which they can source packets?

This is where theory diverges nicely from practice. In some cases the offender broadcast his reply, and guess what else? A lot of routers listen to unsolicited ARP replies. So no, even though I consider it someone else’s bad behavior to broadcast an ARP reply, I’m not willing to take the chance with an IP that doesn’t belong to me.

-c
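The three behaviours argued over above (a reply claiming a non-local IP, a reply sent to the broadcast MAC, and a reply that answers no request) can be checked passively from a capture on the peering LAN. The following is an added example, not code from the thread: it parses raw Ethernet/ARP frames and flags each case, using constructed frames, a constructed 192.0.2.0/24 peering prefix and a constructed 198.51.100.1 probe address (all RFC 5737 documentation ranges).

```python
import struct
import ipaddress

# Assumed peering LAN prefix (constructed, documentation range); the IXP's real prefix goes here.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
BROADCAST_MAC = b"\xff" * 6
ARP_IPV4_HDR = b"\x00\x01\x08\x00\x06\x04"  # htype Ethernet, ptype IPv4, hlen 6, plen 4

def build_arp(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """Construct an Ethernet II frame carrying an ARP packet (op 1 = request, 2 = reply)."""
    return (dst_mac + src_mac + b"\x08\x06" + ARP_IPV4_HDR + struct.pack("!H", op)
            + sha + ipaddress.ip_address(spa).packed + tha + ipaddress.ip_address(tpa).packed)

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06" or frame[14:20] != ARP_IPV4_HDR:
        return None
    return {"dst": frame[0:6], "op": struct.unpack("!H", frame[20:22])[0],
            "sha": frame[22:28], "spa": ipaddress.ip_address(frame[28:32]),
            "tha": frame[32:38], "tpa": ipaddress.ip_address(frame[38:42])}

def audit(frames, local_net=LOCAL_NET):
    """Flag replies that claim a non-local IP (proxy ARP), are broadcast, or answer no request."""
    pending = set()  # (requester MAC, requested IP) from every ARP request seen so far
    findings = []
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            continue
        if p["op"] == 1:
            pending.add((p["sha"], p["tpa"]))
        elif p["op"] == 2:
            who = p["sha"].hex(":")
            if p["spa"] not in local_net:             # answering for an address off the LAN
                findings.append(("proxy-arp", who, str(p["spa"])))
            if p["dst"] == BROADCAST_MAC:             # reply broadcast to every cache on the LAN
                findings.append(("broadcast-reply", who, str(p["spa"])))
            if (p["tha"], p["spa"]) not in pending:   # nobody asked; caches may still accept it
                findings.append(("unsolicited-reply", who, str(p["spa"])))
    return findings

# Constructed sample traffic: monitor M probes a non-local address; two routers R1 and R2 answer.
M, R1, R2 = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
SAMPLE = [
    build_arp(BROADCAST_MAC, M, 1, M, "192.0.2.10", b"\x00" * 6, "198.51.100.1"),  # probe
    build_arp(M, R1, 2, R1, "198.51.100.1", M, "192.0.2.10"),                       # unicast proxy reply
    build_arp(BROADCAST_MAC, R2, 2, R2, "198.51.100.1", M, "192.0.2.10"),           # broadcast proxy reply
    build_arp(BROADCAST_MAC, R2, 2, R2, "192.0.2.3", BROADCAST_MAC, "192.0.2.3"),    # gratuitous reply
]
if __name__ == "__main__":
    for kind, mac, ip in audit(SAMPLE):
        print(f"{kind:17} from {mac} claiming {ip}")
```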
> * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:35 CET]: > [...] >> Seriously though, it’s not so simple. You only get replies if the IP you ARP >> for is in the offender’s route table (or they have a default route). I’ve >> seen different routers respond depending on which non-local IP was ARPed >> for. And while using something like 8.8.8.8 might be an obvious choice, I >> don’t care to hose up everyone’s connectivity to it just to find local proxy >> ARP offenders on my network. > > You'll never be entirely sure but obviously you're not limited to sending > only one ARP request - this isn't The Hunt For The Red October movie. We're > talking a common misconfiguration here in this thread - or at least you were, > two mails upthread. > > How will checking for Proxy ARP possibly hose up anybody's connectivity? You > realise that ARP replies are unicast, right? And that IXPs generally have > dedicated servers for monitoring from which they can source packets? This is where theory diverges nicely from practice. In some cases the offender broadcast his reply, and guess what else? A lot of routers listen to unsolicited ARP replies. So no, even though I consider it someone else’s bad behavior to broadcast an ARP reply, I’m not willing to take the chance with an IP that doesn’t belong to me. -c