>
> Hi Thomas
>
> On Mon, Jul 17, 2006 at 06:26:25PM +1200, Thomas Salmen said:
>
> > As far as I know, proxy-arp is disabled under junos by default. Our
> > peering at APE is done with M-series kit, and we didn't notice any
> > issues.
>
> I wasn't suggesting that the Junipers were proxy-arping, rather that
> when the Juniper gets two replies to an ARP broadcast it previously sent
> (one from the legit MAC, and one from the proxy-arping MAC), it seems to
> be a bit of a lottery which one the Juniper uses.

I see; I didn't read your initial message properly - sorry for the
mistake. If I recall correctly, some earlier versions of BSD would run
into problems if a host received more than one response to an ARP
who-has that it had issued. I know that FreeBSD at least was at some
point vulnerable to ARP cache poisoning as well; this was a few years
ago now. The fix for this particular problem utilized unicast ARP. There
is possibly some link here; Junos is based on BSD. I can't find any
further reference to this anywhere though.
There are possibly some BSD-specific ways of tuning the ARP
implementation on the Junipers, but if so it'd no doubt require
low-level fiddling. All I can say is that we didn't notice any problems
at the time; so I'm not going to play with my production routers too
much :)
If I do find out any more information I'll let you know; I'm quite
interested in finding out myself, now.
Cheers,
Thomas
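
The situation discussed above (one who-has, two replies from different MACs) can be watched for on the segment without touching the router's ARP implementation. The following is an added example, not code from anyone in this thread nor from Juniper: it parses raw Ethernet/ARP frames, remembers which IPs our own requests asked for, and flags an IP that is answered by more than one MAC, a reply we never asked for, or a reply whose ARP sender MAC does not match the Ethernet source. The router MAC, the two answering MACs and the 192.0.2.0/24 addresses are constructed for the demonstration; the detection logic is mine and is the same idea arpwatch-style tools use.

```python
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet II + ARP frame (requests go to broadcast)."""
    dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, op
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if not one."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sha": mac_str(frame[22:28]),
        "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]),
        "tpa": ip_str(frame[38:42]),
    }


class ArpReplyMonitor:
    """Track ARP replies per IP and report anomalies relative to our own requests."""

    def __init__(self):
        self.answers = defaultdict(set)   # IP -> set of MACs that have claimed it
        self.pending = set()              # IPs our own who-has requests asked for
                                          # (never expired here; a real tool would age them)

    def observe(self, frame, our_mac):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        events = []
        if pkt["op"] == ARP_REQUEST and pkt["sha"] == our_mac:
            self.pending.add(pkt["tpa"])
            return events
        if pkt["op"] != ARP_REPLY:
            return events
        if pkt["eth_src"] != pkt["sha"]:
            events.append(("mac-mismatch", pkt["spa"], pkt["eth_src"], pkt["sha"]))
        if pkt["spa"] not in self.pending:
            events.append(("unsolicited", pkt["spa"], pkt["sha"]))
        macs = self.answers[pkt["spa"]]
        if macs and pkt["sha"] not in macs:
            # The "lottery" case: a second MAC answering for the same IP.
            events.append(("conflict", pkt["spa"], tuple(sorted(macs | {pkt["sha"]}))))
        macs.add(pkt["sha"])
        return events


def run_scenario():
    """Constructed exchange: router asks for .10, a legit host and a proxy-arping host both answer."""
    router = "00:00:5e:00:01:01"   # assumed router MAC
    legit = "00:11:22:33:44:55"    # assumed MAC of the real owner of 192.0.2.10
    proxy = "00:aa:bb:cc:dd:ee"    # assumed MAC of the proxy-arping host
    frames = [
        build_arp(ARP_REQUEST, router, "192.0.2.1", "00:00:00:00:00:00", "192.0.2.10"),
        build_arp(ARP_REPLY, legit, "192.0.2.10", router, "192.0.2.1"),
        build_arp(ARP_REPLY, proxy, "192.0.2.10", router, "192.0.2.1"),
    ]
    mon = ArpReplyMonitor()
    events = []
    for f in frames:
        events.extend(mon.observe(f, router))
    return events


if __name__ == "__main__":
    for ev in run_scenario():
        print(ev)
```

Feeding real frames to observe() (from a pcap or a raw socket) instead of the constructed ones is all that is needed to turn this into a segment monitor; the conflict event is exactly the condition under which the router's choice of entry becomes the lottery described above.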