SlideShare uma empresa Scribd logo

Layer2&arp

Abhilash Ramadugu
Abhilash Ramadugu
Tecnologia
1 de 19
Baixar para ler offline
Layer 2, Mac Addresses, ARP, and Duplicate IP Detection Marc MERLIN marc_soft@merlins.org LCA 2006 http://marc.merlins.org/linux/talks/Layer2&ARP/
Shoo, you don't want to be here :) ➢ The talk is about a kernel patch, but I'm planning to explain how the basic IP/networking pieces actually work instead of diving into kernel internals ➢ I will throw stuff at you ➢ The other speakers are most likely smarter than me ➢ Or you could stay here to make correct me, make fun of me, and if you stay until the end, tell me that my patch sucks :) ➢ Or you will also know to answer two interview questions I might ask you if you apply for a job at google.
What is Layer 2? ➢ It's above the physical layer (10b2/10bT/100bT/1000bT), FDDI, ATM, etc..) ➢ It is below IP, Appletalk, Decnet, IPX ➢ Token Ring is one example, as is carrier pigeon, but most of us use Ethernet now ➢ IEEE 802.3 replaces the original ethernet ➢ Can be more complex (VLANs/802.1q / 802.11 ...) ➢ source MAC / dest MAC / protocol type ➢ See /etc/protocols (ICMP:1, TCP: 6, UDP: 17)
Switching Ethernet ➢ A switch is a multi port bridge, it takes an incoming packet, and looks at the destination MAC address ➢ It decides what port to send the traffic to by looking at its CAM table (MAC to port # mapping) ➢ A switch does NOT do ARP to route ethernet frames ➢ A layer 2 switch does not even know what TCP/IP or ARP are. If it did, how would it route non IP traffic? ➢ Ethernet and TCP/IP were not designed with switches in mind, switches are supposed to be transparent. This means they do switching with no protocol support
Problems with Ethernet Switching ➢ How is the CAM table built? ➢ What if the destination MAC is not in the CAM table? ➢ How big do you think the CAM table is? ➢ What if it overflows? → you turn the water off :) ➢ What if a MAC address shows up on 2 ports?
ARP ➢ ARP is the address resolution protocol for IP ➢ Before you can send an IP packet, you need to build a frame with a destination ethernet address. If you don't know what the destination MAC address is, you use ARP to get it ➢ You broadcast a packet at layer 2 asking who has a certain IP, and what MAC address it belongs to ➢ The owner of the IP (if present) sends back a unicast packet to you with the answer (this means only you get the result of that arp query)
ARP gandalf:~# arp 10.2.251.248 Address HWtype HWaddress Flags Mask Iface 10.2.251.248 ether 00:11:25:84:EF:AD C eth0 gandalf:~# arp -d 10.2.251.248 gandalf:~# arp 10.2.251.248 Address HWtype HWaddress Flags Mask Iface 10.2.251.248 (incomplete) eth0 gandalf:~# ping -c 1 10.2.251.248 PING 10.2.251.248 (10.2.251.248) 56(84) bytes of data. 64 bytes from 10.2.251.248: icmp_seq=1 ttl=64 time=0.838 ms --- 10.2.251.248 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.838/0.838/0.838/0.000 ms gandalf:~# arp 10.2.251.248 Address HWtype HWaddress Flags Mask Iface 10.2.251.248 ether 00:11:25:84:EF:AD C eth0 0:d:60:b1:d5:d4 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.2.251.248 tell 10.2.251.242 0:11:25:84:ef:ad 0:d:60:b1:d5:d4 0806 60: arp reply 10.2.251.248 is-at 0:11:25:84:ef:ad 0:11:25:84:ef:ad 0:d:60:b1:d5:d4 0806 60: arp who-has 10.2.251.242 tell 10.2.251.248 0:d:60:b1:d5:d4 0:11:25:84:ef:ad 0806 42: arp reply 10.2.251.242 is-at 0:d:60:b1:d5:d4
RARP ➢ RARP is reverse ARP ➢ It was used among other things by diskless workstations to request their IP address: they would send a RARP packet with their MAC address, and expect an IP in return (from a server with a static entry in /etc/ethers and running rarpd) ➢ RARP is effectively obsolete and been replaced by dhcpd
MAC conflicts ➢ In theory, all ethernet interfaces have a different MAC address, it's guaranteed to be unique ➢ In theory, theory and practice are the same ➢ In practice, they're not :) ➢ Some older computers with built in ethernet (Sun and Silicon Graphics for instance) had the MAC address set at the factory on the mainboard, and sometimes there were mistakes and dupes ➢ Someone could have changed their MAC address to match yours, maybe with evil intentions
IP conflicts ➢ In theory (too) IPs are set to be unique, except: ➢ Some users like to play sysadmins, and you will eventually find yourself talking to them with a baseball bat, explaining why it's bad to take over the mail server or gateway IP :) ➢ DHCP hands out unique IPs until you get a subtle failure with failover and dynamic hosts ➢ A thought dead host with a reallocated IP comes back to life and gets plugged in ➢ A backup gets restored on more than one machine, with the original IP, or along with the backed up host
Avoiding IP conflicts ➢ Just use DHCP everywhere, optionally with pseudo- static leases set by MAC address. You will have to renumber your hosts one day, and you'll thank yourself. ➢ In almost all cases, DHCP is good about not allocating the same IP twice, it pings one before giving it out, in case it was in use, but not in its own pool ➢ DHCP failover: serve two ranges (active-active) or trust the failover solution (active-passive) ➢ Check if your IP is in use before using it with arping. Some distros (like RH) will ARP for your IP and wait for no reply before using it themselves (the original appletalk had this builtin in the protocol)
When all else fails: detecting conflicts ➢ So, you should now be immune to IP conflicts, right? Mmmh, for the most part, just like you should never see two hosts with the same MAC address. ➢ But what if you do get a conflict? ➢ How do switches fill their CAM table? They notice MAC/port pairings on inbound packets and save them ➢ For TCP/IP, the first ARP request happens to send an IP/MAC combo for the sender, and it is conveniently broadcast to the entire layer 2. ➢ So, all hosts can take note of that IP/MAC mapping, and check if the IP or MAC address happens to match their own
Implementation Details ➢ If both the IP and MAC address in the packet match yours, it is most likely a layer 2 loop that reflects your traffic back to you, so we ignore these ➢ Where can this be done? ➢ For me, the simplest place was in the kernel, where ARP packets get already processed ➢ You can do that in userland too, as my patch was rejected mostly on the grounds that since it can be done in userspace, it shouldn't be in the kernel. ➢ It would be nice in the kernel though, as it is small, and helps everyone, on all distros, to get that extra protection ➢ Additional kernel load would be inferior to a process getting all traffic through a raw socket, and analyzing ARPs
Who else does this? ➢ I obviously wasn't the first to come up with this idea: at least Windows, Irix, and Solaris do this too ➢ Some, like Irix, will send a gratuitous ARP reply to the other host with the same IP so as to give a clue to the other machine that there is an IP conflict between you and it ➢ Most hosts syslog the problem, and display a message on the console, or even on the graphical terminal since it's a problem to take care of right away ➢ If I recall correctly, windows will even disable its interface when it sees a conflict. Use this feature as you see fit :)
Kernel Patch ➢ http://marc.merlins.org/linux/arppatch/ ➢ Basically, we hook in the ARP processing code, and if we receive a broadcast ARP request, we look at the from MAC address and IP, and compare them to ours ➢ If they match, we syslog a relevant message gandalf:~# ifconfig eth0 10.2.250.252 netmask 255.255.0.0 broadcast 10.2.255.255 gandalf:~# tcpdump -e -n -i eth0 ether host 0:d:93:34:a1:38 or host 10.2.250.252 23:50:38.047488 0:d:93:34:a1:38 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.2.251.254 tell 10.2.250.252 Jan 25 23:50:38 gandalf kernel: Uh Oh, MAC address 00:0D:93:34:A1:38 claims to have our IP address (10.2.250.252) (duplicate IP conflict likely)
Gratuitous ARP/IP takeover ➢ In an attempt to be unobtrusive, the patch doesn't send gratuitous ARPs, as it doesn't generate any traffic (by default, without extra checks, it would generate a gratuitous ARP loop between two machines fighting for the same IP anyway) ➢ However, sometimes you want to take over another machine's IP (IP takeover). This is where tools like fake and send_arp come in (courtesy of our Oz friend Horms) ➢ While there are usually few legit reasons to do so, you can also receive another machine's traffic by taking over its MAC address (just send outgoing packets with its MAC and most switches will send you traffic for it later)
What's missing / TODO ➢ Get some version of this patch in the kernel :) ➢ Alternatively, write a user space version, and get most distros to pick it up and run it by default (harder, and will generate a litte more load)
Questions
Are you a good sysadmin, or programmer? Need a job? (Silicon Valley, Sydney, Santa Monica, Zürich, New York, Dublin, Tokyo, India, and others) (4 of my coworkers came from LCA 2005) Email: marc_jo@merlins.org

Recomendados

Nova HA
Nova HANova HA
Nova HA
Open Stack
 
Cisco CCNA CCNP VACL Configuration
Cisco CCNA CCNP VACL ConfigurationCisco CCNA CCNP VACL Configuration
Cisco CCNA CCNP VACL Configuration
Hamed Moghaddam
 
DMVPN
DMVPNDMVPN
DMVPN
NetProtocol Xpert
 
Packet Tracer: Nat protocol
Packet Tracer: Nat protocolPacket Tracer: Nat protocol
Packet Tracer: Nat protocol
Rafat Khandaker
 
Cisco CCNA- PPP Multilink Configuration
Cisco CCNA- PPP Multilink ConfigurationCisco CCNA- PPP Multilink Configuration
Cisco CCNA- PPP Multilink Configuration
Hamed Moghaddam
 
Cisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 ConfigurationCisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 Configuration
Hamed Moghaddam
 
Juniper JNCIA – Juniper Floating Static Route Configuration
Juniper JNCIA – Juniper Floating Static Route ConfigurationJuniper JNCIA – Juniper Floating Static Route Configuration
Juniper JNCIA – Juniper Floating Static Route Configuration
Hamed Moghaddam
 
Cisco CCNA-Standard Access List
Cisco CCNA-Standard Access ListCisco CCNA-Standard Access List
Cisco CCNA-Standard Access List
Hamed Moghaddam
 

Recomendados

Nova HA
Nova HANova HA
Nova HA
Open Stack
 
Cisco CCNA CCNP VACL Configuration
Cisco CCNA CCNP VACL ConfigurationCisco CCNA CCNP VACL Configuration
Cisco CCNA CCNP VACL Configuration
Hamed Moghaddam
 
DMVPN
DMVPNDMVPN
DMVPN
NetProtocol Xpert
 
Packet Tracer: Nat protocol
Packet Tracer: Nat protocolPacket Tracer: Nat protocol
Packet Tracer: Nat protocol
Rafat Khandaker
 
Cisco CCNA- PPP Multilink Configuration
Cisco CCNA- PPP Multilink ConfigurationCisco CCNA- PPP Multilink Configuration
Cisco CCNA- PPP Multilink Configuration
Hamed Moghaddam
 
Cisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 ConfigurationCisco CCNA OSPF IPV6 Configuration
Cisco CCNA OSPF IPV6 Configuration
Hamed Moghaddam
 
Juniper JNCIA – Juniper Floating Static Route Configuration
Juniper JNCIA – Juniper Floating Static Route ConfigurationJuniper JNCIA – Juniper Floating Static Route Configuration
Juniper JNCIA – Juniper Floating Static Route Configuration
Hamed Moghaddam
 
Cisco CCNA-Standard Access List
Cisco CCNA-Standard Access ListCisco CCNA-Standard Access List
Cisco CCNA-Standard Access List
Hamed Moghaddam
 
Cisco CCNA IPV6 Static Configuration
Cisco CCNA IPV6 Static ConfigurationCisco CCNA IPV6 Static Configuration
Cisco CCNA IPV6 Static Configuration
Hamed Moghaddam
 
Chapter7ccna
Chapter7ccnaChapter7ccna
Chapter7ccna
ernestlithur
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
jvehent
 
Arp Cache Poisoning
Arp Cache PoisoningArp Cache Poisoning
Arp Cache Poisoning
Subhash Kumar Singh
 
Cisco CCNA IP SLA with tracking configuration
Cisco CCNA IP SLA with tracking configurationCisco CCNA IP SLA with tracking configuration
Cisco CCNA IP SLA with tracking configuration
Hamed Moghaddam
 
Juniper JNCIA – Juniper RIP Route Configuration
Juniper JNCIA – Juniper RIP Route ConfigurationJuniper JNCIA – Juniper RIP Route Configuration
Juniper JNCIA – Juniper RIP Route Configuration
Hamed Moghaddam
 
Hands on Experience with IPv6 Routing and Switching Services
Hands on Experience with IPv6 Routing and Switching ServicesHands on Experience with IPv6 Routing and Switching Services
Hands on Experience with IPv6 Routing and Switching Services
Cisco Canada
 
Using linux as_a_router
Using linux as_a_routerUsing linux as_a_router
Using linux as_a_router
HARRY CHAN PUTRA
 
Nxll26 bgp ii
Nxll26 bgp iiNxll26 bgp ii
Nxll26 bgp ii
Netwax Lab
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
Cassio Ramos
 
Eincop Netwax Lab: Site 2 Site VPN with Routing Protocols
Eincop Netwax Lab: Site 2 Site VPN with Routing ProtocolsEincop Netwax Lab: Site 2 Site VPN with Routing Protocols
Eincop Netwax Lab: Site 2 Site VPN with Routing Protocols
Netwax Lab
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
Thanawan Tuamyim
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pub
Cassio Ramos
 
Introduction to tcp ip linux networking
Introduction to tcp ip linux networkingIntroduction to tcp ip linux networking
Introduction to tcp ip linux networking
Sreenatha Reddy K R
 
Raspberry PI iGate with TNC Direwolf Soundmodem
Raspberry PI iGate with TNC Direwolf SoundmodemRaspberry PI iGate with TNC Direwolf Soundmodem
Raspberry PI iGate with TNC Direwolf Soundmodem
AURELIO PY5BK
 
Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)
Netwax Lab
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Netwax Lab
 
JmDNS : Service Discovery for the 21st Century
JmDNS : Service Discovery for the 21st Century JmDNS : Service Discovery for the 21st Century
JmDNS : Service Discovery for the 21st Century
Gnu Alsonative
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
Varnnit Jain
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
Sayed Ahmed
 
Sniffing in a Switched Network
Sniffing in a Switched NetworkSniffing in a Switched Network
Sniffing in a Switched Network
amiable_indian
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
Luthfi Widyanto
 

Mais conteúdo relacionado

Mais procurados

Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
jvehent
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
Cassio Ramos
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
Thanawan Tuamyim
 
JmDNS : Service Discovery for the 21st Century
JmDNS : Service Discovery for the 21st Century JmDNS : Service Discovery for the 21st Century
JmDNS : Service Discovery for the 21st Century
Gnu Alsonative
 

Mais procurados (20)

Cisco CCNA IPV6 Static Configuration
Cisco CCNA IPV6 Static ConfigurationCisco CCNA IPV6 Static Configuration
Cisco CCNA IPV6 Static Configuration
 
Chapter7ccna
Chapter7ccnaChapter7ccna
Chapter7ccna
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
 
Arp Cache Poisoning
Arp Cache PoisoningArp Cache Poisoning
Arp Cache Poisoning
 
Cisco CCNA IP SLA with tracking configuration
Cisco CCNA IP SLA with tracking configurationCisco CCNA IP SLA with tracking configuration
Cisco CCNA IP SLA with tracking configuration
 
Juniper JNCIA – Juniper RIP Route Configuration
Juniper JNCIA – Juniper RIP Route ConfigurationJuniper JNCIA – Juniper RIP Route Configuration
Juniper JNCIA – Juniper RIP Route Configuration
 
Hands on Experience with IPv6 Routing and Switching Services
Hands on Experience with IPv6 Routing and Switching ServicesHands on Experience with IPv6 Routing and Switching Services
Hands on Experience with IPv6 Routing and Switching Services
 
Using linux as_a_router
Using linux as_a_routerUsing linux as_a_router
Using linux as_a_router
 
Nxll26 bgp ii
Nxll26 bgp iiNxll26 bgp ii
Nxll26 bgp ii
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
Eincop Netwax Lab: Site 2 Site VPN with Routing Protocols
Eincop Netwax Lab: Site 2 Site VPN with Routing ProtocolsEincop Netwax Lab: Site 2 Site VPN with Routing Protocols
Eincop Netwax Lab: Site 2 Site VPN with Routing Protocols
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pub
 
Introduction to tcp ip linux networking
Introduction to tcp ip linux networkingIntroduction to tcp ip linux networking
Introduction to tcp ip linux networking
 
Raspberry PI iGate with TNC Direwolf Soundmodem
Raspberry PI iGate with TNC Direwolf SoundmodemRaspberry PI iGate with TNC Direwolf Soundmodem
Raspberry PI iGate with TNC Direwolf Soundmodem
 
Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
 
JmDNS : Service Discovery for the 21st Century
JmDNS : Service Discovery for the 21st Century JmDNS : Service Discovery for the 21st Century
JmDNS : Service Discovery for the 21st Century
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
 

Semelhante a Layer2&arp

Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
Dan Kaminsky
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
Andriy Berestovskyy
 
©LWTAOB© 2013 Cisco andLab – O.docx
©LWTAOB© 2013 Cisco andLab – O.docx©LWTAOB© 2013 Cisco andLab – O.docx
©LWTAOB© 2013 Cisco andLab – O.docx
LynellBull52
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackops
Dan Kaminsky
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackops
Dan Kaminsky
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
Ishraq Al Fataftah
 

Semelhante a Layer2&arp (20)

Sniffing in a Switched Network
Sniffing in a Switched NetworkSniffing in a Switched Network
Sniffing in a Switched Network
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
Et4045-3-attacks-2
Et4045-3-attacks-2Et4045-3-attacks-2
Et4045-3-attacks-2
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
©LWTAOB© 2013 Cisco andLab – O.docx
©LWTAOB© 2013 Cisco andLab – O.docx©LWTAOB© 2013 Cisco andLab – O.docx
©LWTAOB© 2013 Cisco andLab – O.docx
 
C14-TCPIP.ppt
C14-TCPIP.pptC14-TCPIP.ppt
C14-TCPIP.ppt
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
Linux router
Linux routerLinux router
Linux router
 
Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackops
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackops
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
 
Wireless Cyber Warfare
Wireless Cyber WarfareWireless Cyber Warfare
Wireless Cyber Warfare
 
Lecture 5 internet-protocol_assignments
Lecture 5 internet-protocol_assignmentsLecture 5 internet-protocol_assignments
Lecture 5 internet-protocol_assignments
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Último (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

Layer2&arp

  • 1. Layer 2, Mac Addresses, ARP, and Duplicate IP Detection Marc MERLIN marc_soft@merlins.org LCA 2006 http://marc.merlins.org/linux/talks/Layer2&ARP/
  • 2. Shoo, you don't want to be here :) ➢ The talk is about a kernel patch, but I'm planning to explain how the basic IP/networking pieces actually work instead of diving into kernel internals ➢ I will throw stuff at you ➢ The other speakers are most likely smarter than me ➢ Or you could stay here to make correct me, make fun of me, and if you stay until the end, tell me that my patch sucks :) ➢ Or you will also know to answer two interview questions I might ask you if you apply for a job at google.
  • 3. What is Layer 2? ➢ It's above the physical layer (10b2/10bT/100bT/1000bT), FDDI, ATM, etc..) ➢ It is below IP, Appletalk, Decnet, IPX ➢ Token Ring is one example, as is carrier pigeon, but most of us use Ethernet now ➢ IEEE 802.3 replaces the original ethernet ➢ Can be more complex (VLANs/802.1q / 802.11 ...) ➢ source MAC / dest MAC / protocol type ➢ See /etc/protocols (ICMP:1, TCP: 6, UDP: 17)
  • 4. Switching Ethernet ➢ A switch is a multi port bridge, it takes an incoming packet, and looks at the destination MAC address ➢ It decides what port to send the traffic to by looking at its CAM table (MAC to port # mapping) ➢ A switch does NOT do ARP to route ethernet frames ➢ A layer 2 switch does not even know what TCP/IP or ARP are. If it did, how would it route non IP traffic? ➢ Ethernet and TCP/IP were not designed with switches in mind, switches are supposed to be transparent. This means they do switching with no protocol support
  • 5. Problems with Ethernet Switching ➢ How is the CAM table built? ➢ What if the destination MAC is not in the CAM table? ➢ How big do you think the CAM table is? ➢ What if it overflows? → you turn the water off :) ➢ What if a MAC address shows up on 2 ports?
  • 6. ARP ➢ ARP is the address resolution protocol for IP ➢ Before you can send an IP packet, you need to build a frame with a destination ethernet address. If you don't know what the destination MAC address is, you use ARP to get it ➢ You broadcast a packet at layer 2 asking who has a certain IP, and what MAC address it belongs to ➢ The owner of the IP (if present) sends back a unicast packet to you with the answer (this means only you get the result of that arp query)
  • 7. ARP gandalf:~# arp 10.2.251.248 Address HWtype HWaddress Flags Mask Iface 10.2.251.248 ether 00:11:25:84:EF:AD C eth0 gandalf:~# arp -d 10.2.251.248 gandalf:~# arp 10.2.251.248 Address HWtype HWaddress Flags Mask Iface 10.2.251.248 (incomplete) eth0 gandalf:~# ping -c 1 10.2.251.248 PING 10.2.251.248 (10.2.251.248) 56(84) bytes of data. 64 bytes from 10.2.251.248: icmp_seq=1 ttl=64 time=0.838 ms --- 10.2.251.248 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.838/0.838/0.838/0.000 ms gandalf:~# arp 10.2.251.248 Address HWtype HWaddress Flags Mask Iface 10.2.251.248 ether 00:11:25:84:EF:AD C eth0 0:d:60:b1:d5:d4 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.2.251.248 tell 10.2.251.242 0:11:25:84:ef:ad 0:d:60:b1:d5:d4 0806 60: arp reply 10.2.251.248 is-at 0:11:25:84:ef:ad 0:11:25:84:ef:ad 0:d:60:b1:d5:d4 0806 60: arp who-has 10.2.251.242 tell 10.2.251.248 0:d:60:b1:d5:d4 0:11:25:84:ef:ad 0806 42: arp reply 10.2.251.242 is-at 0:d:60:b1:d5:d4
  • 8. RARP ➢ RARP is reverse ARP ➢ It was used among other things by diskless workstations to request their IP address: they would send a RARP packet with their MAC address, and expect an IP in return (from a server with a static entry in /etc/ethers and running rarpd) ➢ RARP is effectively obsolete and been replaced by dhcpd
  • 9. MAC conflicts ➢ In theory, all ethernet interfaces have a different MAC address, it's guaranteed to be unique ➢ In theory, theory and practice are the same ➢ In practice, they're not :) ➢ Some older computers with built in ethernet (Sun and Silicon Graphics for instance) had the MAC address set at the factory on the mainboard, and sometimes there were mistakes and dupes ➢ Someone could have changed their MAC address to match yours, maybe with evil intentions
  • 10. IP conflicts ➢ In theory (too) IPs are set to be unique, except: ➢ Some users like to play sysadmins, and you will eventually find yourself talking to them with a baseball bat, explaining why it's bad to take over the mail server or gateway IP :) ➢ DHCP hands out unique IPs until you get a subtle failure with failover and dynamic hosts ➢ A thought dead host with a reallocated IP comes back to life and gets plugged in ➢ A backup gets restored on more than one machine, with the original IP, or along with the backed up host
  • 11. Avoiding IP conflicts ➢ Just use DHCP everywhere, optionally with pseudo- static leases set by MAC address. You will have to renumber your hosts one day, and you'll thank yourself. ➢ In almost all cases, DHCP is good about not allocating the same IP twice, it pings one before giving it out, in case it was in use, but not in its own pool ➢ DHCP failover: serve two ranges (active-active) or trust the failover solution (active-passive) ➢ Check if your IP is in use before using it with arping. Some distros (like RH) will ARP for your IP and wait for no reply before using it themselves (the original appletalk had this builtin in the protocol)
  • 12. When all else fails: detecting conflicts ➢ So, you should now be immune to IP conflicts, right? Mmmh, for the most part, just like you should never see two hosts with the same MAC address. ➢ But what if you do get a conflict? ➢ How do switches fill their CAM table? They notice MAC/port pairings on inbound packets and save them ➢ For TCP/IP, the first ARP request happens to send an IP/MAC combo for the sender, and it is conveniently broadcast to the entire layer 2. ➢ So, all hosts can take note of that IP/MAC mapping, and check if the IP or MAC address happens to match their own
  • 13. Implementation Details ➢ If both the IP and MAC address in the packet match yours, it is most likely a layer 2 loop that reflects your traffic back to you, so we ignore these ➢ Where can this be done? ➢ For me, the simplest place was in the kernel, where ARP packets get already processed ➢ You can do that in userland too, as my patch was rejected mostly on the grounds that since it can be done in userspace, it shouldn't be in the kernel. ➢ It would be nice in the kernel though, as it is small, and helps everyone, on all distros, to get that extra protection ➢ Additional kernel load would be inferior to a process getting all traffic through a raw socket, and analyzing ARPs
  • 14. Who else does this? ➢ I obviously wasn't the first to come up with this idea: at least Windows, Irix, and Solaris do this too ➢ Some, like Irix, will send a gratuitous ARP reply to the other host with the same IP so as to give a clue to the other machine that there is an IP conflict between you and it ➢ Most hosts syslog the problem, and display a message on the console, or even on the graphical terminal since it's a problem to take care of right away ➢ If I recall correctly, windows will even disable its interface when it sees a conflict. Use this feature as you see fit :)
  • 15. Kernel Patch ➢ http://marc.merlins.org/linux/arppatch/ ➢ Basically, we hook in the ARP processing code, and if we receive a broadcast ARP request, we look at the from MAC address and IP, and compare them to ours ➢ If they match, we syslog a relevant message gandalf:~# ifconfig eth0 10.2.250.252 netmask 255.255.0.0 broadcast 10.2.255.255 gandalf:~# tcpdump -e -n -i eth0 ether host 0:d:93:34:a1:38 or host 10.2.250.252 23:50:38.047488 0:d:93:34:a1:38 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.2.251.254 tell 10.2.250.252 Jan 25 23:50:38 gandalf kernel: Uh Oh, MAC address 00:0D:93:34:A1:38 claims to have our IP address (10.2.250.252) (duplicate IP conflict likely)
  • 16. Gratuitous ARP/IP takeover ➢ In an attempt to be unobtrusive, the patch doesn't send gratuitous ARPs, as it doesn't generate any traffic (by default, without extra checks, it would generate a gratuitous ARP loop between two machines fighting for the same IP anyway) ➢ However, sometimes you want to take over another machine's IP (IP takeover). This is where tools like fake and send_arp come in (courtesy of our Oz friend Horms) ➢ While there are usually few legit reasons to do so, you can also receive another machine's traffic by taking over its MAC address (just send outgoing packets with its MAC and most switches will send you traffic for it later)
  • 17. What's missing / TODO ➢ Get some version of this patch in the kernel :) ➢ Alternatively, write a user space version, and get most distros to pick it up and run it by default (harder, and will generate a litte more load)
  • 19. Are you a good sysadmin, or programmer? Need a job? (Silicon Valley, Sydney, Santa Monica, Zürich, New York, Dublin, Tokyo, India, and others) (4 of my coworkers came from LCA 2005) Email: marc_jo@merlins.org