Erik Auerswald wrote "One example I experienced are misconfigured end-systems ..." - Could you explain this a little more thoroughly? Are you saying that, given a system with 172.16.30.1 address on network A and 10.20.30.1 address on network B, that an application is sending to the A network using the 10... address rather than the 172... address? If so, was the application configured to use a particular IP address?

You also wrote "The gateway for both networks was based on the Linux kernel." Could you be a little more specific? Were multiple routing tables being used along with 'ip rule' entries, or was it a "nexthop with weights" situation, or something else?

I'm just trying to better understand the situations you encountered so I can recognize them in the future.

Leroy Tennison
Network Information/Cyber Security Specialist
E: leroy@xxxxxxxxxxxxxxxx
2220 Bush Dr
McKinney, Texas 75070
www.datavoiceint.com
________________________________________
From: lartc-owner@xxxxxxxxxxxxxxx <lartc-owner@xxxxxxxxxxxxxxx> on behalf of Erik Auerswald <auerswal@xxxxxxxxxxxxxxxxx>
Sent: Thursday, October 18, 2018 2:10 AM
To: lartc@xxxxxxxxxxxxxxx
Cc: Grant Taylor
Subject: [EXTERNAL] Re: arp table - same mac address shows two ip addresses

Hi,

On Wed, Oct 17, 2018 at 10:49:53AM -0600, Grant Taylor wrote:
> On 10/17/2018 02:43 AM, Erik Auerswald wrote:
> >Linux may do that...
> >
> >...especially if the NICs are in different broadcast domains (VLANs).
>
> I was thinking that it would happen if the NICs were in the /same/
> broadcast domain. I.e. NIC1 saw an ARP for NIC3's IP before
> NIC3 saw it. Thus NIC1 and NIC3 (and likely the others) were in the
> same broadcast domain.
>
> I can't think of another reason why NICs would see ARP requests for
> IPs bound to other NICs if they weren't in a common broadcast
> domain. - Sure there are other things, but that would usually
> involve issues on the sending side or magic smoke in the middle.

One example I experienced are misconfigured end-systems using IP addresses from network A in the broadcast domain of network B. The gateway for both networks was based on the Linux kernel. Misconfigured hosts were able to reach their gateway without problems (the ARP request was answered from the "wrong" interface, any interface accepts any IP destined for the host).

> >I am not saying that is the case here, just that it might be the case.
>
> If the NICs are connected to a common broadcast domain, then I think
> chances are good that it's the "weak host model" problem.
>
> >That would be an instance of the "weak host model" problem (see
> >RFC 1122, section 3.3.4.2, "Weak ES Model"). The problem is
> >primarily that some expectations about network separation are not
> >fulfilled by the end-system.
>
> (I need to brush up on RFC 1122 § 3.3.4.2. Thank you for the
> reference point.)
>
> I don't know that it's that end systems don't / can't fulfill the
> network separation. I think that Linux can be configured to
> (better) fulfill it via Kernel tunables and / or a combination of
> ARPTables / IPTables.

AFAIK one can configure ARP to separate more, but not completely. Using bridges is said to allow for more separation, but I have not yet tested this.

> I recently read that IPs are supposed to belong to hosts, not
> individual NICs thereon, in TCP/IP Illustrated - Volume 1 - Second
> Edition. This jives with what I've commonly experienced.

For version 4, but this changes with version 6. ;-)

> I think part of the problem is a disconnect in what people expect
> and what TCP/IP specifications state.

I'd say the same. But part of the problem is that the weak host model is a bit more surprising than the strong host model. In my experience this is especially true when a weak host is used as a router.

Thanks,
Erik
--
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian W. Kernighan
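The scenario Erik describes (a host carrying a network-A address plugged into network B's broadcast domain, whose ARP request for network A's gateway is answered on the "wrong" interface) and Grant's point that kernel tunables can tighten this are illustrated below by a small simulation of Linux's net.ipv4.conf.<iface>.arp_ignore behaviour. This is an added example, not code from the thread or from the kernel. The gateway addresses 172.16.30.1 and 10.20.30.1 come from Leroy's question; the /24 masks, the interface names eth0/eth1 and the host address 172.16.30.50 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface


@dataclass(frozen=True)
class ArpRequest:
    in_iface: str   # interface the request arrived on
    sender_ip: str  # ARP sender protocol address
    target_ip: str  # ARP target protocol address ("who has ...")


# Constructed gateway: eth0 sits in network A, eth1 in network B
# (gateway addresses from the thread; /24 masks and names are assumptions).
GATEWAY_IFACES = {
    "eth0": ["172.16.30.1/24"],
    "eth1": ["10.20.30.1/24"],
}


def arp_reply_iface(ifaces, req, arp_ignore=0):
    """Return the interface that answers `req`, or None if the host stays silent.

    Models the arp_ignore values 0, 1 and 2 as documented in the kernel's
    ip-sysctl text (net.ipv4.conf.<iface>.arp_ignore); other values are not modelled.
    """
    target = ip_address(req.target_ip)
    sender = ip_address(req.sender_ip)
    local_ips = {ip_interface(a).ip for addrs in ifaces.values() for a in addrs}
    if target not in local_ips:
        return None  # not one of our addresses: nobody answers
    if arp_ignore == 0:
        # Weak host model (the default): any local address is answered
        # on whichever interface the request came in on.
        return req.in_iface
    in_addrs = [ip_interface(a) for a in ifaces.get(req.in_iface, [])]
    matching = [a for a in in_addrs if a.ip == target]
    if not matching:
        return None  # target address is not configured on the incoming interface
    if arp_ignore == 1:
        return req.in_iface
    if arp_ignore == 2:
        # Additionally require the sender to be inside that interface's subnet.
        return req.in_iface if any(sender in a.network for a in matching) else None
    raise ValueError("only arp_ignore 0, 1 and 2 are modelled")


def misconfigured_host_scenario(arp_ignore):
    """Host with a network-A address, attached to network B, asks for A's gateway."""
    req = ArpRequest(in_iface="eth1", sender_ip="172.16.30.50", target_ip="172.16.30.1")
    return arp_reply_iface(GATEWAY_IFACES, req, arp_ignore)


def correct_host_scenario(arp_ignore):
    """Properly configured network-B host asks for B's gateway on eth1."""
    req = ArpRequest(in_iface="eth1", sender_ip="10.20.30.50", target_ip="10.20.30.1")
    return arp_reply_iface(GATEWAY_IFACES, req, arp_ignore)


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(f"arp_ignore={mode}: misconfigured host -> {misconfigured_host_scenario(mode)}, "
              f"correct host -> {correct_host_scenario(mode)}")
```

With the default arp_ignore=0 the misconfigured host gets its reply on eth1 and can then talk to the gateway exactly as Erik observed; with arp_ignore=1 or 2 the gateway stays silent, which is the first symptom an operator sees (and the easiest to check: `sysctl net.ipv4.conf.all.arp_ignore`; the kernel uses the larger of the all/ and per-interface values). ARP is only half of the separation, as Erik notes: once the host has a MAC address, the IP layer still accepts the packet on any interface, which is where rp_filter and netfilter rules come in.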