[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Proxy ARP detection (was re: best practice for advertising peering fabric routes)

Subject: Proxy ARP detection (was re: best practice for advertising peering fabric routes)
From: mysidia at gmail.com (Jimmy Hess)
Date: Wed, 15 Jan 2014 23:17:29 -0600
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <CAP-guGU6bwRw975kimWy9aRmh5t6gLao-hjNX+UL+-kg2Z17Lw@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <[email protected]>

On Wed, Jan 15, 2014 at 10:49 PM, ML <ml at kenweb.org> wrote:
>
> Shouldn't ARP inspection be a common feature?
>

Dynamic ARP inspection is mostly useful  only when the trusted ports
receive their MAC to IP address
mapping from a trusted DHCP server,  and the trusted mapping is established
using DHCP snooping.

Or else,  you have a manually entered  entries in the  secure ARP database
of  MAC to IP mappings.
Which most operators would be resistant to dealing with,  because of all
the extra work.

-It's not as if the switches know what the valid subnets are and suppress
ARP requests for outside networks.

Therefore, in most cases; ARP inspection won't be used,  except for DHCP
clients.
Arp inspection goes hand-in-hand with increasing resistance against a  Man
in the Middle attack from
a compromised workstation on a LAN,  using ARP hijacking to capture traffic
or distribute malware
to a neighboring workstation.

In most cases, DHCP-based configuration will not be used for routers  (the
very devices that might inadvertently have proxy-arp)....

--
-JH

References:
- best practice for advertising peering fabric routes
  - From: elouie at yahoo.com (Eric A Louie)
- best practice for advertising peering fabric routes
  - From: bicknell at ufp.org (Leo Bicknell)
- best practice for advertising peering fabric routes
  - From: patrick at ianai.net (Patrick W. Gilmore)
- best practice for advertising peering fabric routes
  - From: bicknell at ufp.org (Leo Bicknell)
- best practice for advertising peering fabric routes
  - From: patrick at ianai.net (Patrick W. Gilmore)
- best practice for advertising peering fabric routes
  - From: nanog at shankland.org (Jim Shankland)
- best practice for advertising peering fabric routes
  - From: niels=nanog at bakker.net (Niels Bakker)
- best practice for advertising peering fabric routes
  - From: bill at herrin.us (William Herrin)
- best practice for advertising peering fabric routes
  - From: clay at bloomcounty.org (Clay Fiske)
- best practice for advertising peering fabric routes
  - From: niels=nanog at bakker.net (Niels Bakker)
- Proxy ARP detection (was re: best practice for advertising peering fabric routes)
  - From: clay at bloomcounty.org (Clay Fiske)
- Proxy ARP detection (was re: best practice for advertising peering fabric routes)
  - From: ml at kenweb.org (ML)

Prev by Date: Proxy ARP detection (was re: best practice for advertising peering fabric routes)
Next by Date: gmail.com - 550 error for ipv6/PTR ?
Previous by thread: Proxy ARP detection (was re: best practice for advertising peering fabric routes)
Next by thread: best practice for advertising peering fabric routes
Index(es):
- Date
- Thread