On Tuesday 2005-October-11 15:49, Joern Krebs wrote:
> (The problem is, if you would like to solve this by adding the IP-Address
> of the client to the LAN-Interface of the server, the server "thinks"
> that this IP belongs to himself and does not route the packet, so the
> server has to answer ARP-Requests (with his own LAN-MAC-Address)
> knowing that this IP-Address does not belong to him. And this
> technique is Proxy-ARP and not solvable by any standard local
> utility. This is why it has to be _in_ the Linux Kernel and not a
> user-level utility.
I don't know. I only have VNC access to Windows. No openvpn to play
with, but I will try it if I ever get the chance. (Did you try it?)
GNU/Linux as you mentioned actually does have arp(8), a userspace
utility which can implement specific ARP table entries.
The kernel sysctl, /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp, merely
provides an intelligent way to turn on proxy ARP, or ARP replies for IP
addresses other than the ones locally bound, per interface. Basically
it says if a host route exists for an IP, and we hear an ARP request on
$INTERFACE for that IP, we say yes to it, grab the packet and push it
out our host route.
arp(8) can enable/disable ARP replies per IP, whether or not locally
bound, and can also do MAC spoofing per IP. Unless I am missing
something (which would not surprise me because I do not know much about
it) this is the same thing as proxy ARP. I do know for a fact that I
can disable the proxy ARP sysctl, and continue to do proxy ARP for my
openvpn peer (192.168.6.12 in the following example):
[I am at room101, logged into miniluv via ssh]
root@miniluv:~# arp -v -Ds eastasia.1984.lan eth0 pub
arp: device `eth0' has HW address ether `00:0D:87:zz:yy:xx'.
arp: SIOCSARP()
root@miniluv:~# arp -a
room101.1984.lan (192.168.6.101) at 00:0A:E6:pp:qq:rr [ether] on eth0
telescreen.1984.lan (192.168.6.18) at 00:04:76:jj:kk:ll [ether] on eth0
crimethink.1984.lan (192.168.6.9) at 00:0F:66:aa:bb:cc [ether] on eth0
eastasia.1984.lan (192.168.6.12) at * PERM PUP on eth0
root@miniluv:~# echo 0 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
[then back at room101]
rob0@room101:~$ ping -c1 eastasia.1984.lan
PING eastasia.1984.lan (192.168.6.12) 56(84) bytes of data.
64 bytes from eastasia.1984.lan (192.168.6.12): icmp_seq=1 ttl=63 time=20.6 ms
--- eastasia.1984.lan ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.624/20.624/20.624/0.000 ms
rob0@room101:~$ /sbin/arp -a
telescreen.1984.lan (192.168.6.18) at 00:04:76:jj:kk:ll [ether] on eth0
eastasia.1984.lan (192.168.6.12) at 00:0D:87:zz:yy:xx [ether] on eth0
crimethink.1984.lan (192.168.6.9) at 00:0F:66:aa:bb:cc [ether] on eth0
miniluv.1984.lan (192.168.6.49) at 00:0D:87:zz:yy:xx [ether] on eth0
[end]
arp(8) may be necessary for proxy ARP in situations where there is a
network route to the host, IIUC. (I am not sure about that.) But it
also can be used if the administrator for some reason does not want
proxy ARP on the entire interface.
I had heard that Microsoft swiped, er, I mean INNOVATED, their TCP/IP
utilities from BSD, which might account for the fact that the syntax
and functionality tends to be similar to the Unix counterparts. Thus
I'm holding to the belief that if you had tried this:
arp -s IP.or.hostname.of.peer 00-aa-00-62-c6-09
your system would have been doing proxy ARP for your peer as the MAC
address 00:aa:00:62:c6:09[1]. (Note the MS innovation here, to change
the MAC delimiter : to -. User friendly, not having to hold Shift. :) )
Bottom line here: each of us thinks the other is misunderstanding ARP
and proxy ARP. NBD. Perhaps one or both of us will come away from this
with greater understanding. I think I did/will/am. :) "man 7 arp" has
some interesting parts pertaining to this.
[1] This MAC address taken from the MS Win2KPro "arp.exe /?" example.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users