Hi Thomas
On Mon, Jul 17, 2006 at 06:26:25PM +1200, Thomas Salmen said:
As far as I know, proxy-arp is disabled under junos by default. Our peering at APE is done with M-series kit, and we didn't notice any issues.
I wasn't suggesting that the Junipers were proxy-arping, rather that when the Juniper gets two replies to an ARP broadcast it previously sent (one from the legit MAC, and one from the proxy-arping MAC), it seems to be a bit of a lottery which one the Juniper uses.
I see; I didn't read your initial message properly - sorry for the mistake. If I recall correctly, some earlier versions of BSD would run into problems if a host received more than one response to an ARP who-has that it had issued. I know that FreeBSD at least was at some point vulnerable to ARP cache poisoning as well; this was a few years ago now. The fix for this particular problem utilized unicast ARP. There is possibly some link here; Junos is based on BSD. I can't find any further reference to this anywhere though.

There are possibly some BSD-specific ways of tuning the ARP implementation on the Junipers, but if so it'd no doubt require low-level fiddling. All I can say is that we didn't notice any problems at the time; so I'm not going to play with my production routers too much :)

If I do find out any more information I'll let you know; I'm quite interested in finding out myself, now.

Cheers,
Thomas
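The condition discussed in this thread (one who-has answered by two different MACs, leaving the requester to pick one) is exactly what a passive ARP monitor on the peering LAN can flag. The following is an added example, not code from either poster or from Junos: it parses raw Ethernet/ARP frames and reports IPs that received replies from more than one MAC, separating unsolicited replies from answers to a request actually seen on the wire. The frames, MACs and IPs are constructed for the demonstration.

```python
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(o) for o in s.split("."))

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Assemble an Ethernet II + ARP frame (constructed helper for the sample traffic)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    eth = dst + mac(sha) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": fmt_mac(frame[22:28]), "spa": ".".join(map(str, frame[28:32])),
            "tha": fmt_mac(frame[32:38]), "tpa": ".".join(map(str, frame[38:42]))}

def conflicting_replies(frames):
    """Map each IP claimed by more than one MAC to the set of claiming MACs.

    Replies for an IP that no earlier request asked about are also returned as
    a separate list of (ip, mac) pairs, since unsolicited ARP is its own signal."""
    asked, claims, unsolicited = set(), defaultdict(set), []
    for f in frames:
        a = parse_arp(f)
        if a is None:
            continue
        if a["op"] == ARP_REQUEST:
            asked.add(a["tpa"])
        elif a["op"] == ARP_REPLY:
            if a["spa"] not in asked:
                unsolicited.append((a["spa"], a["sha"]))
            claims[a["spa"]].add(a["sha"])
    return {addr: macs for addr, macs in claims.items() if len(macs) > 1}, unsolicited

# Constructed sample: the router asks for 192.0.2.10; the real host and a second MAC both answer,
# and a third host replies for 192.0.2.11 without ever having been asked.
SAMPLE = [
    build_arp(ARP_REQUEST, "00:00:5e:00:53:01", "192.0.2.1", "00:00:00:00:00:00", "192.0.2.10"),
    build_arp(ARP_REPLY, "00:00:5e:00:53:0a", "192.0.2.10", "00:00:5e:00:53:01", "192.0.2.1"),
    build_arp(ARP_REPLY, "00:00:5e:00:53:ff", "192.0.2.10", "00:00:5e:00:53:01", "192.0.2.1"),
    build_arp(ARP_REPLY, "00:00:5e:00:53:0b", "192.0.2.11", "00:00:5e:00:53:01", "192.0.2.1"),
]
```

Feeding real captures through the same logic (e.g. frames read from a pcap) turns the "lottery" into an alert naming both MACs that claimed the address.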