nanog mailing list archives

Re: Apple devices spoofing default gateway?


From: Owen DeLong <owen () delong com>
Date: Fri, 7 Jun 2019 16:52:08 -0700

This is a less than helpful feature in a lot of situations…

e.g. I was attempting to work on an IoT device and test OTA firmware updates in a hotel a little while ago.

The client isolation on the wifi network resulted in non-obvious failures that took some time to identify.

In general, people expect communications within a LAN segment to work. Breaking this assumption should only be done in 
cases where there is very good reason to do so.

I fully appreciate the argument that a hotel WiFi is one such situation and even agree with it to some extent. However, 
in such circumstances, I believe the fact should be posted in plain view and/or noticed on the captive portal login 
page.

Owen


On Jun 7, 2019, at 12:06 , Matt Hoppes <mattlists () rivervalleyinternet net> wrote:

Turn on client isolation on the access points?

On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo () slabnet com> wrote:


On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy () gmail com> wrote:

I just joined nanog to allow me to respond to a thread that Simon posted in
March.
(Not sure if this is how to respond)

We have the exact same problem with Aruba Access points and with multiple
MacBooks and an iMac, where the device will spoof the default gateway and the
effect is that the VLAN is not usable.

I also have raised a case with Apple but so far no luck.

What is the status of your issue?  Any luck working out exactly what the
cause is?

We appeared to hit this with Cisco kit:
https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html

They don't say *exactly* that the Apple devices are spoofing the gateway, but some behaviour in what they send out 
results in the proxy ARP being performed by the APs to update the ARP entry for the gateway address to the clients':

* This is not a malicious attack, but triggered by an interaction between the macOS device while in sleeping mode, 
and specific broadcast traffic generated by newer Android devices
* AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default.  Due to their address 
learning design, they will modify table entries based on this traffic leading to default gateway ARP entry 
modification

The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client 
devices.

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E   | also on Signal
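The symptom described in this thread is the gateway's ARP entry being rewritten to a client MAC by the AP's proxy ARP. As an added example (not code from anyone in this thread, and not Cisco's), here is a small detector that parses raw Ethernet/ARP frames and flags every ARP reply that moves an assumed gateway IP (192.0.2.1, a documentation address) to a different MAC; the sample frames are constructed inline.

```python
import struct
from typing import List, Optional, Tuple

GATEWAY_IP = "192.0.2.1"   # assumed gateway address; adjust for the VLAN being watched
ARP_ETHERTYPE = 0x0806
ARP_REPLY = 2

def parse_arp_frame(frame: bytes) -> Optional[Tuple[int, str, str, str]]:
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet+IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    # ARP layout after the 14-byte Ethernet header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    hlen, plen, oper = struct.unpack("!BBH", frame[18:22])
    if hlen != 6 or plen != 4:
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return oper, sender_mac, sender_ip, target_ip

def find_gateway_mac_changes(frames: List[bytes], gateway_ip: str = GATEWAY_IP) -> List[Tuple[int, str, str]]:
    """Walk frames in capture order; return (index, old_mac, new_mac) for each reply that re-maps the gateway IP."""
    current: Optional[str] = None
    alerts: List[Tuple[int, str, str]] = []
    for idx, frame in enumerate(frames):
        parsed = parse_arp_frame(frame)
        if parsed is None:
            continue
        oper, mac, sender_ip, _ = parsed
        if oper != ARP_REPLY or sender_ip != gateway_ip:
            continue   # only replies claiming to be the gateway matter here
        if current is not None and mac != current:
            alerts.append((idx, current, mac))
        current = mac
    return alerts

def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed test helper: build an Ethernet frame carrying an IPv4 ARP reply."""
    mac = lambda m: bytes(int(x, 16) for x in m.split(":"))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

# Constructed capture: the real router answers, then a proxy reply maps the gateway IP to a client MAC, then the router again.
ROUTER_MAC, CLIENT_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:aa"
SAMPLE_FRAMES = [
    build_arp_reply(ROUTER_MAC, GATEWAY_IP, "00:00:5e:00:53:10", "192.0.2.10"),
    build_arp_reply("00:00:5e:00:53:10", "192.0.2.10", ROUTER_MAC, GATEWAY_IP),
    build_arp_reply(CLIENT_MAC, GATEWAY_IP, "00:00:5e:00:53:11", "192.0.2.11"),
    build_arp_reply(ROUTER_MAC, GATEWAY_IP, "00:00:5e:00:53:11", "192.0.2.11"),
]
```

Feeding frames from a real capture (for example, via a pcap reader) into `find_gateway_mac_changes` gives a timeline of when the gateway mapping flapped, which helps confirm whether disabling ARP caching on the APs actually cleared the problem.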
