In article <Pine.LNX.4.61.0508181612450.1549@xxxxxxxxxxxxxxxxxxxxx> you wrote:

>> I've run into what probably is a policy decision, but I cannot quite get the
>> reason: When sending TCP traffic to a machine, the first packet will cause
>> an ARP request to be made. Later on, this ARP entry gets its lifetime
>> extended by the TCP packets, so that it does not have to ARP again until the
>> network becomes quiet.
>
> Are you sure? I see some ARP traffic even when there is TCP, and can find
> no trace of this extending of the neighbor entries in the TCP code (but
> this does not mean it isn't there).

The reason why the TCP code extends the lifetime and ICMP does not is that it is easier to spot whether a TCP packet is spoofed (sequence numbers). This makes it harder for attackers to poison the neighbour cache.

> Probably hasn't been considered important to implement for ICMP, if it is
> implemented for TCP. But I do have a feeling both ICMP and TCP behave the
> same in this regard, and my testing indicates this is the case.

I think the re-ARPing is done if the entries get stale, which happens the first time after some random time after the base reachable time. Confirmed traffic resets the counters. I think you can see that with "ip -s neigh".

Regards
Bernd
-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
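The message above points at "ip -s neigh" to watch entries go from REACHABLE to STALE and to see confirmations reset the timers. The following is an added example (not code from the list posting or from the kernel) that parses the output of `ip -s neigh` and relates each entry's "confirmed" age to the kernel's reachable-time window. It assumes the `used/confirmed/updated` fields printed by `ip -s neigh` are seconds since those events, that the window is drawn from [base/2, 3*base/2] as RFC 4861 and Linux's neighbour code do, and that the default `base_reachable_time_ms` is 30000; the sample output is constructed, not captured from a host. A REACHABLE entry whose last confirmation is older than the maximum window is flagged, since under the normal timer behaviour it should have moved to STALE or DELAY by then.

```python
"""Relate `ip -s neigh` entries to the neighbour cache's reachable-time window."""
import re
import subprocess

# Constructed sample of `ip -s neigh` output (written for this example, not captured).
# The three numbers after "used" are seconds since last used / confirmed / updated.
SAMPLE_IP_S_NEIGH = """\
192.0.2.1 dev eth0 lladdr 52:54:00:aa:bb:01 ref 1 used 3/3/120 probes 1 REACHABLE
192.0.2.20 dev eth0 lladdr 52:54:00:aa:bb:14 used 95/95/400 probes 4 STALE
192.0.2.33 dev eth0 used 2/0/2 probes 3 INCOMPLETE
"""

LINE_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<lladdr>\S+))?"      # absent while resolution is INCOMPLETE
    r"(?: ref (?P<ref>\d+))?"
    r" used (?P<used>\d+)/(?P<confirmed>\d+)/(?P<updated>\d+)"
    r" probes (?P<probes>\d+)"
    r" (?P<state>[A-Z]+)$"
)


def parse_neigh(text):
    """Parse `ip -s neigh` lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for key in ("used", "confirmed", "updated", "probes"):
            e[key] = int(e[key])
        e["ref"] = int(e["ref"]) if e["ref"] is not None else 0
        entries.append(e)
    return entries


def reachable_window(base_reachable_time_ms=30000):
    """Return (min, max) seconds an entry may stay REACHABLE after a confirmation.

    Assumption: the kernel draws reachable_time uniformly from [base/2, 3*base/2]
    (RFC 4861 MIN_/MAX_RANDOM_FACTOR; Linux neigh_rand_reach_time), and the
    30 s default is net.ipv4.neigh.default.base_reachable_time_ms.
    """
    base_s = base_reachable_time_ms / 1000.0
    return base_s / 2, base_s * 3 / 2


def classify(entry, base_reachable_time_ms=30000):
    """Explain one entry's state in terms of its confirmation age."""
    lo, hi = reachable_window(base_reachable_time_ms)
    age = entry["confirmed"]
    result = {"addr": entry["addr"], "state": entry["state"],
              "confirmed_age_s": age, "suspicious": False}
    if entry["state"] == "REACHABLE":
        result["note"] = "confirmed %ds ago; each confirmation restarts the timer" % age
        # Still REACHABLE past the longest possible window: not expected, worth a look.
        result["suspicious"] = age > hi
    elif entry["state"] == "STALE":
        result["note"] = ("unconfirmed for %ds (window %d-%ds); next use triggers a probe"
                          % (age, lo, hi))
    else:
        result["note"] = "resolution in progress or failed (%d probes sent)" % entry["probes"]
    return result


def neigh_report(text=None, base_reachable_time_ms=30000):
    """Classify every entry; with text=None, read `ip -s neigh show` from this host."""
    if text is None:
        text = subprocess.run(["ip", "-s", "neigh", "show"], capture_output=True,
                              text=True, check=True).stdout
    return [classify(e, base_reachable_time_ms) for e in parse_neigh(text)]


if __name__ == "__main__":
    for r in neigh_report(SAMPLE_IP_S_NEIGH):
        print(r["addr"], r["state"], r["note"], "SUSPICIOUS" if r["suspicious"] else "")
```

Run it twice a minute on a quiet host and the REACHABLE entries for peers you are exchanging TCP with keep a small "confirmed" age, while entries only reached by ICMP drift to STALE and are probed again on the next packet, which is the behaviour the thread is discussing.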