A weird routing mystery

February 15, 2008

Once upon a time, we had a machine that wound up with a default route that pointed straight to the local network, basically what you'd get if you did route add default dev eth0.

(Disclaimer: I have no idea if your system would actually accept that route command or if it would demand a gateway.)

That this worked to some degree is not too surprising in retrospect; there actually is a straightforward meaning to this, namely to arp for all destinations on the local Ethernet, and that's what our machine did. The weirdness comes in what happened next: the machine could still ping another system that was on a completely separate subnet on the same physical network.

On the one hand this makes perfect sense: the machine was arp'ing for the other system's Ethernet address and then just sending the packets to it. On the other hand, this makes no sense: how was the other system replying to those ping packets? The other system was not on the first subnet and had no route to it, so in theory it should have dropped its ping replies as unroutable; instead it just shoveled them back on to the Ethernet.

(My best guess has to do with the first machine being present in the other system's arp cache, but I'm not completely convinced.)
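What the two machines' routing tables alone predict, as an added example that is not part of the original post. The addresses, the /24 subnets, the gateway and the next_hop helper are all constructed for illustration.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix-match lookup over (prefix, gateway, dev) routes.

    Returns (address the host must ARP for, device), or None when no
    route matches and the packet is unroutable.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, dev)
    if best is None:
        return None
    _, gateway, dev = best
    # No gateway means the route is on-link: ARP for the destination itself.
    return (gateway or str(dst), dev)

# Constructed addresses (documentation ranges), two subnets on one Ethernet.
HOST_A_ADDR, HOST_B_ADDR = "192.0.2.10", "198.51.100.20"

# First machine: connected route plus a default route straight to the device.
HOST_A = [("192.0.2.0/24", None, "eth0"), ("0.0.0.0/0", None, "eth0")]
# Same machine with a conventional default route (gateway is hypothetical).
HOST_A_NORMAL = [("192.0.2.0/24", None, "eth0"), ("0.0.0.0/0", "192.0.2.1", "eth0")]
# Second machine: only its own connected route, no default, no routers.
HOST_B = [("198.51.100.0/24", None, "eth0")]

if __name__ == "__main__":
    print("A -> B, default dev eth0:", next_hop(HOST_A, HOST_B_ADDR))
    print("A -> B, default via gw:  ", next_hop(HOST_A_NORMAL, HOST_B_ADDR))
    print("B -> A (the ping reply): ", next_hop(HOST_B, HOST_A_ADDR))
```

The last lookup returning None is the "should have been dropped as unroutable" case from the post; this models route selection only and says nothing about why the replies were sent anyway.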


Comments on this page:

From 212.187.153.231 at 2008-02-18 14:40:31:

Presumably you were routing between the subnets somewhere, so the packets came back from the second machine's default router.

-- Graham

By cks at 2008-02-18 18:16:22:

We saw this in an isolated test environment, with no routers available. (Hence the weirdness.)

By Dan.Astoorian at 2008-02-19 13:58:26:

> We saw this in an isolated test environment, with no routers available. (Hence the weirdness.)

I presume the system which received the pings was not configured with route add default dev eth0 as the first system was: that would be far too obvious.

Any chance the second machine's subnet mask was incorrect?

Could the first machine reach the second via, e.g., TCP or UDP, or was it only ICMP ECHO/REPLY that worked between them? Could the second machine also ping the first one?

> (My best guess has to do with the first machine being present in the other system's arp cache, but I'm not completely convinced.)

Well, that just begs the question: how did the first machine get added to the other's arp cache?

If the second machine was a Linux machine, /sbin/ip neighbour may yield slightly more information (under modern Linuxes, the ARP table is a special case of what it refers to as the neighbour table, and the distinctions between layers 2 and 3 are somewhat blurred; commands like arp, route and ifconfig seem to merely be interfaces to the mechanisms controlled more directly by the /sbin/ip command).

--Dan

From 207.88.115.107 at 2008-02-22 19:30:26:

First, what's odd to me is the proxy arp behavior you describe. This should not have happened in the first place.

Second, I would expect this route to result in the box treating everything as local, essentially ignoring its own (implied) connected routes. In this case, since there is no L2 separation both the arp request from source box and the ping are expected to make it to the target box. However, if the target machine had no route back, the ping would fail.

If the proxying behavior is as you describe (arping for the destination), are you sure the box wasn't responding to its own ping? This is easily verified with tcpdump.

By cks at 2008-02-22 20:38:49:

To clarify: I don't think that the first machine was doing arp proxying, I think it was just sending out arp requests for all destinations (even ones theoretically not on the local network).

As for how the first machine got added to the second machine's arp cache, I believe that most machines add things to their arp caches when they answer arp requests (Linux certainly does), and I suspect that they do this without caring whether the target IP is theoretically reachable on that interface's local network.

Written on 15 February 2008.
Last modified: Fri Feb 15 23:33:49 2008