Subject: peculiar ICMP redirects?
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 03/22/2005 19:54:16
I've just set up 2.0 on a machine at work and I'm having trouble.

I want a setup like this:

-------+------------------------ 10.10.10.0/23
  rtk0 | 10.10.10.73
   +---+---+
   |   A   |
   +---+---+
  tlp0 | 192.168.1.1
-------+---------------+-------- 192.168.1.0/24
                  fxp0 | 192.168.1.2
                   +---+---+
                   |   B   |
                   +---+---+
                  sip0 | 10.10.10.74
-----------------------+-------- 10.10.10.72/29

That is, I have a /23 on one side, out of which is carved a /29 for the
other.

What I tried to do on box A is to configure both interfaces as usual at
boot time, then, in /etc/netstart.local, do

route add 10.10.10.72 192.16.1.2 -netmask 255.255.255.248

to install the route to the /29 and

arp -s 10.10.10.74 00:48:54:88:16:73 pub
arp -s 10.10.10.75 00:48:54:88:16:73 pub
arp -s 10.10.10.76 00:48:54:88:16:73 pub
arp -s 10.10.10.77 00:48:54:88:16:73 pub
arp -s 10.10.10.78 00:48:54:88:16:73 pub

to install proxy ARP entries so that the rest of the /23 can reach
them.  First, this didn't work because I did the route before the arps,
and arp complained about being unable to "intuit" which interface to
put the arp entry on - it really needs an option to specify the
interface in such cases.  So I switched the order, to add the route
after setting the arp entries.

However, this doesn't work.  When pinging 10.10.10.74 from another host
in the /23 but not in the /29 (.20, actually), I see behaviour like
this (this is from .20, tcpdumping "ether host 00:48:54:88:16:73"):

20:09:28.707446 8:0:20:78:9e:de ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.10.10.74 tell 10.10.10.20
20:09:28.707760 0:48:54:88:16:73 8:0:20:78:9e:de 0806 60: arp reply 10.10.10.74 is-at 0:48:54:88:16:73
20:09:28.707882 8:0:20:78:9e:de 0:48:54:88:16:73 0800 98: 10.10.10.20 > 10.10.10.74: icmp: echo request
20:09:28.708247 0:48:54:88:16:73 0:48:54:88:16:73 0800 98: 10.10.10.20 > 10.10.10.74: icmp: echo request
20:09:28.708304 0:48:54:88:16:73 8:0:20:78:9e:de 0800 70: 10.10.10.73 > 10.10.10.20: icmp: redirect 10.10.10.74 to host 10.10.10.74
20:09:29.717362 8:0:20:78:9e:de 0:48:54:88:16:73 0800 98: 10.10.10.20 > 10.10.10.74: icmp: echo request
20:09:29.717726 0:48:54:88:16:73 0:48:54:88:16:73 0800 98: 10.10.10.20 > 10.10.10.74: icmp: echo request
20:09:29.717775 0:48:54:88:16:73 8:0:20:78:9e:de 0800 70: 10.10.10.73 > 10.10.10.20: icmp: redirect 10.10.10.74 to host 10.10.10.74

(8:0:20:78:9e:de is 10.10.10.20 here.)

What I believe is happening here is that box A is answering the ARP
request correctly, but then when it receives the ping packet, it
forwards it back out onto rtk0 rather than obeying the more specific
route to the /29 - I speculate that this is because the
intended-as-proxy arp entry is taken as a "real" arp entry and thus is
an even more specific /32 route.  I do note that "arp -na" shows those
entries as "permanent published" but without the "(proxy only)" I've
seen when doing proxy ARP on 1.4T; I tried adding "proxy" to the arp
command and it makes no apparent difference - both "netstat -rn -f
inet" and "arp -na" look the same, and the (mis)behaviour is the same.

What do I have to do to make this work?

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
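The capture above shows a recognisable pattern: the router's forwarded copy of each echo request carries its own MAC as both source and destination, and every ICMP redirect names the destination itself as the new gateway. As an added example that is not part of the original post, the following Python script parses `tcpdump -e`-style lines like those quoted (the sample input is the poster's eight frames, embedded as constructed text) and flags those three symptoms so the misrouting can be spotted from a capture rather than by eye. Regexes, field names and finding labels are this example's own assumptions, not NetBSD or tcpdump conventions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the frames quoted in the post, not a live capture.
SAMPLE = """\
20:09:28.707446 8:0:20:78:9e:de ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.10.10.74 tell 10.10.10.20
20:09:28.707760 0:48:54:88:16:73 8:0:20:78:9e:de 0806 60: arp reply 10.10.10.74 is-at 0:48:54:88:16:73
20:09:28.707882 8:0:20:78:9e:de 0:48:54:88:16:73 0800 98: 10.10.10.20 > 10.10.10.74: icmp: echo request
20:09:28.708247 0:48:54:88:16:73 0:48:54:88:16:73 0800 98: 10.10.10.20 > 10.10.10.74: icmp: echo request
20:09:28.708304 0:48:54:88:16:73 8:0:20:78:9e:de 0800 70: 10.10.10.73 > 10.10.10.20: icmp: redirect 10.10.10.74 to host 10.10.10.74
20:09:29.717362 8:0:20:78:9e:de 0:48:54:88:16:73 0800 98: 10.10.10.20 > 10.10.10.74: icmp: echo request
20:09:29.717726 0:48:54:88:16:73 0:48:54:88:16:73 0800 98: 10.10.10.20 > 10.10.10.74: icmp: echo request
20:09:29.717775 0:48:54:88:16:73 8:0:20:78:9e:de 0800 70: 10.10.10.73 > 10.10.10.20: icmp: redirect 10.10.10.74 to host 10.10.10.74
"""

# Assumed line shape: timestamp, src MAC, dst MAC, ethertype, length, payload summary.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) "
    r"(?P<etype>[0-9a-f]{4}) \d+: (?P<rest>.*)$"
)
IP_RE = re.compile(r"^(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>\w+): (?P<info>.*)$")
REDIRECT_RE = re.compile(r"redirect (?P<target>[\d.]+) to host (?P<gw>[\d.]+)")


@dataclass
class Frame:
    ts: str
    smac: str
    dmac: str
    etype: str
    src: Optional[str] = None   # IP fields stay None for ARP frames
    dst: Optional[str] = None
    proto: Optional[str] = None
    info: str = ""


def parse_capture(text: str) -> List[Frame]:
    """Turn tcpdump -e lines into Frame records; non-matching lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        f = Frame(m["ts"], m["smac"], m["dmac"], m["etype"], info=m["rest"])
        if f.etype == "0800":
            ip = IP_RE.match(m["rest"])
            if ip:
                f.src, f.dst, f.proto, f.info = ip["src"], ip["dst"], ip["proto"], ip["info"]
        frames.append(f)
    return frames


def find_forwarding_anomalies(frames: List[Frame]) -> List[Tuple[str, str, str]]:
    """Return (kind, timestamp, detail) for each symptom of a router sending
    traffic back out the interface it arrived on."""
    findings = []
    prev: Optional[Frame] = None
    for f in frames:
        if f.etype != "0800":
            continue
        # Same IP header as the immediately preceding frame but a different MAC
        # pair: this is the router's forwarded copy of that packet.
        if prev and (prev.src, prev.dst, prev.info) == (f.src, f.dst, f.info) \
                and (prev.smac, prev.dmac) != (f.smac, f.dmac):
            findings.append(("forwarded_copy", f.ts, f"{f.src} > {f.dst} re-sent by {f.smac}"))
        # Identical source and destination MAC: the sender resolved the next hop
        # to its own hardware address and is handing the packet to itself.
        if f.smac == f.dmac:
            findings.append(("self_addressed_frame", f.ts, f"{f.src} > {f.dst} via {f.smac}"))
        # A redirect naming the destination as the gateway gives the sender
        # nothing it can act on; it means the router thinks the destination is
        # on-link on the interface the packet came in on.
        if f.proto == "icmp":
            r = REDIRECT_RE.search(f.info)
            if r and r["target"] == r["gw"]:
                findings.append(("redirect_to_destination", f.ts,
                                 f"{f.src} told {f.dst} to reach {r['target']} via itself"))
        prev = f
    return findings


if __name__ == "__main__":
    for kind, ts, detail in find_forwarding_anomalies(parse_capture(SAMPLE)):
        print(f"{ts} {kind}: {detail}")
```

On the quoted capture the script reports, for each ping, a forwarded copy, a self-addressed frame and a redirect-to-destination, which is the signature of the router treating 10.10.10.74 as directly reachable on rtk0 instead of through the /29 route. Feeding it a capture taken after a configuration change gives a quick check that all three symptoms have gone.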