netbsd-help: Re: ARP queries; what do they mean?

Subject: Re: ARP queries; what do they mean?
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Richard Rauch <rauch@rice.edu>
List: netbsd-help
Date: 12/12/2002 19:29:46

> > > Manuel> Was this on your private LAN, or on the ADSL side ?  Is it
> >
> > My DSL modem plugs directly into my private LAN.  (I"m still considering
> > going back to a firewall and private IP numbers for most of my
> > machines---or maybe stringing two LAN's and running less secure mechanisms
> > over the second LAN.)
> >
> > So, I can't really say, just on the basis of wiring, where the packets
> > came from (or could not have come from).
>
> OK, so it can be from the "outside".

Yes.  As I said, I can't rule that out.  (^&  Nor can I rule out if it is
coming from one of my machines.  (Though it seems unlikely that it should
be from my side.)


> > > Manuel> possible that someone has stolen your IP (maybe just by
> > > Manuel> misconfiguration) ?
> >
> > Hm.  Well, this is ARP, so it's fairly low-level, right?
>
> yes
>
> > My impression is
> > that it must be coming from a machine that thinks it's directly connected
> > to my hub (i.e., this can't be forwarded by my ISP's TCP/IP gateway from
> > some other part of the Internet).  Is that correct?
>
> Yes.
> Note that it can be from your provider, though.

(nod)


> It is also theorically possible to build some kind of virtual ethernet
> LAN on top of ADSL, in such a way that other customers's machine would
> appear on the same ethernet as you. but I don't think an ISP would go this
> way; it would put extra load (broadcasts) on the customer's DSL lines, and
> would have security issues.
> Or maybe they filter ethernet broadcast (to only allow ARP requests, for
> example, and forbid any customer to customer ethernet traffic).

I guess, then, there's no way to determine the origin of these packets
just by watching the wire?

I'm always reluctant to deal with the ISP's tech. support.  Their grasp of
things mostly boils down to a few little sequences of button pushes in
BillOS, and/or cycling the power.  Still, if it persists,. I'll give them
a chance.  But I'd like to be as armed with information as I can be, to
get past their first line of "We don't support UNIX...", etc...


  ``I probably don't know what I'm talking about.'' --rauch@math.rice.edu