Pekka Savola wrote:

> On Thu, 22 Aug 2002, Manuel Carrasco wrote:
>
>> I have modified arp.c in order to avoid responses to ARP requests when the
>> source IP is equal to the target IP and Proxy-ARP is enabled.
>> This feature will support hosts with static IPs even when the addresses
>> are topologically incorrect.
>
> [...]
>
> As already noted, this is an extremely bad idea.
>
> Moreover, if your network admin or upstream acted responsibly, they would
> be filtering bogus addresses from that direction; apparently they don't.
>
> Mobile IP or a VPN is probably what you want.

There is no reason to respond with proxy-arp to 'the same' client address. In fact, if the client is Windows this response disables the client interface, but not in Linux (or other flavours of Unix). I don't know anybody using proxy_arp as a security mechanism.

A bogus address has nothing to do through the router because response packets in a connection don't return (as you say, in standard installations these addresses must be blocked, especially from the internet interface). In fact, to make use of this feature it is necessary to play with iptables (nat & mangle) and ip route utilities to route response packets, and obviously other high-level auth mechanisms that enable them.

An incorrect address in our internal network has nothing to do if the rest of the computers are correctly configured. The problem is a malicious guy with physical access to our network :-(.

I don't see a problem with including this patch in the kernel; perhaps it would be recommendable to enable this functionality with a kernel proc_fs variable.

Manolo
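An added example, not the arp.c patch from the thread: the decision the message describes, written as a small C function over a raw ARP-over-Ethernet request. A request whose sender IP equals its target IP is treated as the client's own duplicate-address check and gets no proxy reply, which is what keeps the Windows client from disabling its interface; the `is_proxied` policy callback, the `build_arp_request` helper, the sample packets and the all-zero-sender probe case (RFC 5227) are assumptions added here.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Verdicts a proxy-ARP gateway can reach for one incoming ARP frame. */
enum arp_verdict { ARP_BAD, ARP_DROP, ARP_PROXY_REPLY,
                   ARP_IGNORE_GRATUITOUS, ARP_IGNORE_PROBE };

struct arp_ipv4 {            /* RFC 826 layout, Ethernet/IPv4, 28 bytes */
    uint16_t oper;
    uint8_t  sha[6], tha[6];
    uint32_t spa, tpa;       /* host byte order */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse an ARP packet; reject anything that is not Ethernet/IPv4 ARP. */
int arp_parse(const uint8_t *buf, size_t len, struct arp_ipv4 *a) {
    if (len < 28 || be16(buf) != 1 || be16(buf + 2) != 0x0800 ||
        buf[4] != 6 || buf[5] != 4)
        return 0;
    a->oper = be16(buf + 6);
    memcpy(a->sha, buf + 8, 6);  a->spa = be32(buf + 14);
    memcpy(a->tha, buf + 18, 6); a->tpa = be32(buf + 24);
    return 1;
}

/* Decide whether to send a proxy reply. is_proxied() is a hypothetical
 * policy hook: true when the gateway proxies for the target address. */
enum arp_verdict proxy_arp_verdict(const uint8_t *buf, size_t len,
                                   int proxy_arp_enabled, int (*is_proxied)(uint32_t)) {
    struct arp_ipv4 a;
    if (!arp_parse(buf, len, &a)) return ARP_BAD;
    if (a.oper != 1) return ARP_DROP;                /* only ARP requests */
    if (a.spa == 0) return ARP_IGNORE_PROBE;         /* RFC 5227 address probe */
    if (a.spa == a.tpa) return ARP_IGNORE_GRATUITOUS;/* client checking its own IP */
    if (!proxy_arp_enabled || !is_proxied(a.tpa)) return ARP_DROP;
    return ARP_PROXY_REPLY;
}

/* Constructed sample input: build a 28-byte ARP request into out[]. */
size_t build_arp_request(uint8_t *out, uint32_t spa, uint32_t tpa) {
    static const uint8_t hdr[8] = {0, 1, 0x08, 0x00, 6, 4, 0, 1};
    const uint8_t sha[6] = {0x02, 0, 0, 0, 0, 1};
    memcpy(out, hdr, 8); memcpy(out + 8, sha, 6); memset(out + 18, 0, 6);
    for (int i = 0; i < 4; i++) { out[14 + i] = (uint8_t)(spa >> (24 - 8 * i));
                                  out[24 + i] = (uint8_t)(tpa >> (24 - 8 * i)); }
    return 28;
}

/* Sample policy: proxy for 192.168.1.0/24 only (assumption). */
int proxied_lan(uint32_t tpa) { return (tpa & 0xFFFFFF00u) == 0xC0A80100u; }
```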