Bugtraq mailing list archives
Re: Buggy ARP handling in Windoze
From: steve () CELL2000 NET (Steven Alexander)
Date: Thu, 29 Jun 2000 15:29:10 -0700
Bugtraq readers,

Paul's post brings up an interesting issue. Static ARP entries aren't actually regulated by RFC 826 (The ARP specification). Static can be interpreted in two ways in the context of the ARP cache. It can be seen as unchangeable vs. changeable (for security), or it can be seen as permanent vs. temporary (for performance). Likely, when ARP was originally designed, the latter would have been more desirable.

I might have a fileserver on my LAN that I would set static ARP entries for so that everybody has it in their cache all of the time, a slight performance increase. However, if that fileserver goes down I may wish to replace it without manually changing ARP entries on every machine in my network. With gratuitous ARP I am able to bring a new machine up to replace the downed machine and everyone will update their ARP cache to reflect the new MAC address. If the machines on the network do not update the static ARP cache entries I would have to change each one manually (likely to be difficult).

Unfortunately, network environments are much less friendly than when ARP was designed (1982) and they are also much faster. The performance gain that results from static entries is minuscule compared with the security risk that results from being able to poison the ARP cache. However, there is also the valid point that I may wish to bring up a backup server in the event that one of my machines fails and I may not be able to update all of the ARP entries on each machine manually.

It would probably be beneficial in an ARP implementation to be able to set two separate attributes to the ARP cache, both permanent (no timeout) and unchangeable (without manual intervention anyway).

What does everyone else think?

-steven alexander
steve () cell2000 net

Paul Starzetz wrote:
: Buggy ARP handling in Windoze
I discovered a strange bug in the ARP handling under Windows 98/latest Winsock patch (IGMP). Win98 (at almost Win95 as far as tested) would not handle static ARP entries correctly. Setting up a static ARP cache entry like:
<snip>
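
The two-attribute cache proposed in the message above, sketched as an added example that is not part of the original post or of any real ARP implementation. All names (`ARP_PERMANENT`, `ARP_LOCKED`, `arp_set_manual`, `arp_learn`, `arp_age`) and the 120-second lifetime are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>
/* Illustrative model only: names and the TTL are assumptions, not a real stack's API. */
#define ARP_PERMANENT 0x1  /* no timeout */
#define ARP_LOCKED    0x2  /* unchangeable from the wire */
#define ARP_TTL       120  /* assumed lifetime (s) of entries that can age out */
#define ARP_SLOTS     8

struct arp_entry { uint32_t ip; uint8_t mac[6]; unsigned flags; time_t expires; int used; };
static struct arp_entry cache[ARP_SLOTS];

static struct arp_entry *arp_slot(uint32_t ip) {   /* existing entry, else a free slot, else NULL */
    struct arp_entry *free_slot = NULL;
    for (int i = 0; i < ARP_SLOTS; i++) {
        if (cache[i].used && cache[i].ip == ip) return &cache[i];
        if (!cache[i].used && !free_slot) free_slot = &cache[i];
    }
    return free_slot;
}

/* Manual configuration by the administrator: may always set or replace an entry. */
int arp_set_manual(uint32_t ip, const uint8_t mac[6], unsigned flags, time_t now) {
    struct arp_entry *e = arp_slot(ip);
    if (!e) return -1;
    e->ip = ip; memcpy(e->mac, mac, 6); e->flags = flags; e->expires = now + ARP_TTL; e->used = 1;
    return 0;
}

/* Learned from the wire (reply or gratuitous ARP): 1 updated, 0 refused, -1 cache full. */
int arp_learn(uint32_t ip, const uint8_t mac[6], time_t now) {
    struct arp_entry *e = arp_slot(ip);
    if (!e) return -1;
    if (e->used && (e->flags & ARP_LOCKED))
        return 0;                       /* a differing MAC here is worth logging */
    if (!e->used) { e->ip = ip; e->flags = 0; e->used = 1; }
    memcpy(e->mac, mac, 6);             /* permanent-only entries still follow a failover */
    e->expires = now + ARP_TTL;         /* ignored while ARP_PERMANENT is set */
    return 1;
}

/* Age out everything that is not permanent; returns the number of entries removed. */
int arp_age(time_t now) {
    int removed = 0;
    for (int i = 0; i < ARP_SLOTS; i++)
        if (cache[i].used && !(cache[i].flags & ARP_PERMANENT) && cache[i].expires <= now) {
            cache[i].used = 0; removed++;
        }
    return removed;
}
```

An entry set with `ARP_PERMANENT` alone gives the fileserver case (always cached, still replaceable by gratuitous ARP); adding `ARP_LOCKED` gives the security case, at the cost of manual updates after a hardware swap.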