Re: arp table - same mac address shows two ip addresses

Linux Advanced Routing and Traffic Control


Hi,

On Wed, Oct 17, 2018 at 10:49:53AM -0600, Grant Taylor wrote:
> On 10/17/2018 02:43 AM, Erik Auerswald wrote:
> >Linux may do that...
> >
> >...especially if the NICs are in different broadcast domains (VLANs).
> 
> I was thinking that it would happen if the NICs were in the /same/
> broadcast domain.  I.e. NIC1 saw an ARP for NIC3's IP before
> NIC3 saw it.  Thus NIC1 and NIC3 (and likely the others) were in the
> same broadcast domain.
> 
> I can't think of another reason why NICs would see ARP requests for
> IPs bound to other NICs if they weren't in a common broadcast
> domain.  - Sure there are other things, but that would usually
> involve issues on the sending side or magic smoke in the middle.

One example I experienced are misconfigured end-systems using IP addresses
from network A in the broadcast domain of network B. The gateway for both
networks was based on the Linux kernel. Misconfigured hosts were able to
reach their gateway without problems (the ARP request was answered from the
"wrong" interface, any interface accepts any IP destined for the host).

> >I am not saying that is the case here, just that it might be the case.
> 
> If the NICs are connected to a common broadcast domain, then I think
> chances are good that it's the "weak host model" problem.
> 
> >That would be an instance of the "weak host model" problem (see
> >RFC 1122, section 3.3.4.2, "Weak ES Model"). The problem is
> >primarily that some expectations about network separation are not
> >fulfilled by the end-system.
> 
> (I need to brush up on RFC 1122 § 3.3.4.2.  Thank you for the
> reference point.)
> 
> I don't know that it's that end systems don't / can't fulfill the
> network separation.  I think that Linux can be configured to
> (better) fulfill it via Kernel tunables and / or a combination of
> ARPTables / IPTables.

AFAIK one can configure ARP to separate more, but not completely. Using
bridges is said to allow for more separation, but I have not yet tested
this.

> I recently read that IPs are supposed to belong to hosts, not
> individual NICs there on, in TCP/IP Illustrated - Volume 1 - Second
> Edition.  This jives with what I've commonly experienced.

For version 4, but this changes with version 6. ;-)

> I think part of the problem is a disconnect in what people expect
> and what TCP/IP specifications state.

I'd say the same. But part of the problem is that the weak host model
is a bit more surprising than the strong host model. In my experience
this is especially true when a weak host is used as a router.

Thanks,
Erik
-- 
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it.
                        -- Brian W. Kernighan
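Added example, not from the thread or its participants: a small POSIX shell check for the symptom in the subject line (one MAC answering for several IPs in the neighbour table) and a report of the per-interface ARP tunables Erik alludes to. The `ip -4 neigh` line format and the sysctl tree root passed as a parameter are assumptions; the sample neighbour output is constructed.

```shell
#!/bin/sh
# Constructed sample of `ip -4 neigh show` output (assumed format:
# "<ip> dev <if> lladdr <mac> <state>", or "<ip> dev <if> FAILED").
SAMPLE_NEIGH='192.0.2.10 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.0.2.11 dev eth0 lladdr 02:00:00:00:00:02 STALE
198.51.100.10 dev eth1 lladdr 02:00:00:00:00:01 REACHABLE
192.0.2.12 dev eth0 FAILED'

# Read neighbour-table lines on stdin and print "<mac> <ip> <ip> ..." for
# every MAC that appears behind more than one IP address. A multi-homed
# weak host in a shared broadcast domain shows up exactly like this.
shared_macs() {
    awk '$4 == "lladdr" { ips[$5] = ips[$5] " " $1; n[$5]++ }
         END { for (m in n) if (n[m] > 1) print m ips[m] }' | sort
}

# Report arp_ignore / arp_announce per interface. $1 is the sysctl tree
# root (default /proc/sys; a different root is only for offline testing).
# arp_ignore=0 replies to a request for any local IP on any interface;
# arp_ignore=1 (or 2) replies only for IPs configured on the receiving
# interface, and arp_announce=2 sources requests from a matching local
# address. These only narrow ARP; IP delivery still accepts packets to
# any local address, so the separation is not complete.
arp_policy_report() {
    root="${1:-/proc/sys}"
    for d in "$root"/net/ipv4/conf/*/; do
        ifn=$(basename "$d")
        [ -r "$d/arp_ignore" ] || continue
        ignore=$(cat "$d/arp_ignore")
        announce=$(cat "$d/arp_announce")
        if [ "$ignore" -eq 0 ]; then
            verdict="answers-for-any-local-ip"
        else
            verdict="per-interface"
        fi
        printf '%s arp_ignore=%s arp_announce=%s %s\n' \
            "$ifn" "$ignore" "$announce" "$verdict"
    done
}

# Stand-alone run: check the constructed sample, then the live sysctl tree.
printf '%s\n' "$SAMPLE_NEIGH" | shared_macs
arp_policy_report
```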
