Network Working Group T.-S. Jou INTERNET-DRAFT IBM Corporation Updates: RFC 826 February, 1999 Duplicate IP Address Detection Based on Gratuitous ARP Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." To view the list Internet-Draft Shadow Directories, see http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (1999). All Rights Reserved. Abstract The Address Resolution Protocol specifies the scheme to resolve the hardware address of a host by using its IP address. The hardware addresses are normally unique for each hardware module because they were assigned by manufacturers; but there is much less control on the uniqueness of IP addresses on a LAN. With the booming network popularity, the possibility of the same IP address being used on different hosts is increasing. The duplication may come from users' or network administrators' mistakes, or configuration errors on host addresses assigning programs such as BOOTP or DHCP servers. This document is to define an extension to the original ARP protocol to prevent a newly configured host from making much damage to a host that has been the owner of the same IP address. The solution is based on the de-facto gratuitous ARP packets with modification on a host's behavior when an address duplication is detected. Jou [Page 1] INTERNET_DRAFT Duplicate IP Address Detection February, 1999 Acknowledgments This document was first prepared while the author was an IBM employee. The initial idea was confirmed and tested with help from Lori Napoli and Sajay Khanna in IBM. Thanks also go to Mike Patton in MAP Network Engineering, Inc., for pointing out the security concerns. 1. Introduction The Address Resolution Protocol, defined in RFC 826 [1], is used to determine a host's hardware address based on its network address. To adapt to the possible changes of the association between a hardware address and an IP address, two mechanisms are specified in the RFC: (1) When a host receives an ARP packet and the sender IP address exists in its ARP table, the host should update the cached ARP entry with the sender hardware address in the packet. (2) Each host ages away old ARP entries to allow changes on the network. There are increasing number of hosts that are connected to networks and have IP addresses assigned, some of them dynamically, hence there are increasing number of possibilities that the same IP address is assigned to multiple hosts on a LAN. RFC 826 oversees this problem. Later in this document we can see the above mechanisms even causes catastrophic problems. If address duplication ever occurs, neither of the two hosts sharing the same address can be reliably reached by others because the unpredictable hardware address resolution on the shared IP address. This is especially a serious threat to a server that many clients depend on. The problem can be avoided gracefully if following three conditions are achieved: (a) The host that attempts to use a duplicate IP address can detect this address is being used by another host, and stop using this address immediately, possibly via turning down its interface. (b) The host that originally owns the IP address notifies the the attempting host for the duplication, and then keep operating. (c) The confusion caused by the second host's attempt can be reduced to minimum for all other hosts on the network. A host running one of many latest TCP/IP implementations can generate a gratuitous ARP packet when any of its interfaces is configured, usually at booting time. The gratuitous ARP packet is an ARP request with both sender and the target IP address fields containing the configured IP address. This de-facto behavior can be deployed to detect IP address duplication. After seeing the gratuitous packets, a Jou [Page 2] INTERNET_DRAFT Duplicate IP Address Detection February, 1999 host following RFC 826 will send an ARP reply if the address is being configured on one of its interfaces. Due to the lack of standards, once the gratuitous ARP sender receives the unexpected ARP reply, the response varies. Most implementations can display warning messages on their consoles or to create error logs. Some implementation allows both hosts to keep using this IP address until the problem is corrected manually. Some other implementations disable the networking capability on both hosts and require both hosts to be reconfigured and possibly be rebooted. The latter implementation makes the hosts very vulnerable to configuration errors. The correct behavior should be that the host originally owns this IP address keeps operating, while error messages are reported to draw network administrator's attention. The host that attempts to use a duplicate IP address should stop operating on this address. The problem cannot be fully solved without addressing Condition (c). Since a gratuitous ARP request is a link-layer broadcast packet, all hosts on the network will receive it. According to RFC 826, all hosts that have this IP address cached in their ARP tables will update the entry with the sender hardware address. This behavior originally is designed to allow a host that has just changed its hardware address (such as interface card is replaced) to be able to update others. However, this design results in these hosts not being able to reach the original IP address owner until their ARP entry expires, even if the gratuitous ARP sender stops using the address immediately. Since the gratuitous ARP packet just updated every host's ARP entry, the entry will be valid for the full ARP entry lifetime, normally 20 minutes. As specified by RFC 826, the ARP reply from the original IP address owner is a unicast packet, hence the hosts with the ARP entry cached will not be aware of the occurrence of duplication. To correct the problem, this document specifies the reply of the gratuitous ARP to be a link-layer broadcast packet, hence Condition (c) can be achieved because all other hosts will be able to receive the ARP reply and change their cached entries back to destine to the original address owner. Even thought there is still a window of time that the cached entries are destined to the gratuitous ARP sender, the time period is much shorter than the ARP entry lifetime. 2. Discussion of an Alternative to Broadcast Reply An alternative to replying with a broadcast ARP reply packet is to let the original address owner to send a gratuitous ARP packet again, which can correct other hosts' cached entries as well. However, if for whatever reason the host attempting to use the duplicate IP address chooses to continue operating, that host will reply with an ARP packet. Once the original address owner receives the reply, it becomes a protocol dilemma whether to send another gratuitous ARP, which potentially can cause an infinite looping of ARP packets between the two hosts, or, to hand over the IP address to the new host, which violates Condition (b) we would like to achieve. Jou [Page 3] INTERNET_DRAFT Duplicate IP Address Detection February, 1999 On the other hand, if the link-layer broadcast ARP reply is sent by the original address owner but for some reason the host attempting to use the duplicate IP address is still operating, those hosts that have the ARP entry cached will be able to keep communicating with the original address owner until their ARP entries expire. Since these entries are updated by the broadcast reply, they will remain valid for approximately the full entry lifetime. But those hosts that have to resolve this IP address will see undetermined results. However, if the duplication problem can be fixed in time, perhaps manually by the users or the network administrator, the proposed scheme still causes lesser damage to all hosts on the network. 3. The Solution The implementation details of the solution is described in this section. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. (1) A gratuitous ARP request packet MUST be generated in two situations: (i) when an IP address is being assigned to a working interface, and (ii) when an interface that has IP address assigned is being turned up from down. A gratuitous ARP packet on an Ethernet is defined as 48.bit Destination Address = 0xffffffffffff (broadcast) 48.bit Source Address = Hardware address of interface 16.bit Frame type = 0x806 (ARP) ---------------------- 16.bit Hardware type = 0x1 (Ethernet) 16.bit Protocol Type = 0x800 (IP) 8.bit Hardware Address size = 6 8.bit Protocol Address size = 4 16.bit Opcode = 1 (Request) 48.bit Sender Ethernet Address = Hardware address of interface 32.bit Sender IP Address = Configured IP address 48.bit Target Ethernet Address = Don't care 32.bit Target IP Address = Configured IP Address (2) If a host receives an ARP request packet in which the target IP address and the sender IP address fields are the same and it matches the address of the receiving interface, it implies IP address duplication happens. The host MUST send a link-layer broadcast ARP reply as defined below. The host SHOULD report, log, and/or display warning messages to indicate the detection of IP address duplication. Jou [Page 4] INTERNET_DRAFT Duplicate IP Address Detection February, 1999 48.bit Destination Address = 0xffffffffffff (broadcast) 48.bit Source Address = Hardware address of interface 16.bit Frame type = 0x806 (ARP) ---------------------- 16.bit Hardware type = 0x1 (Ethernet) 16.bit Protocol Type = 0x800 (IP) 8.bit Hardware Address size = 6 8.bit Protocol Address size = 4 16.bit Opcode = 2 (Reply) 48.bit Sender Ethernet Address = Hardware address of interface 32.bit Sender IP Address = Local IP address 48.bit Target Ethernet Address = Sender Addr in Request packet 32.bit Target IP Address = Local IP Address (3) Within a small time period after a host sends a gratuitous ARP packet, if the host receives an ARP reply with both sender IP address and the target IP address fields match the address of the receiving interface, it MUST stop using this address. If this is the only address of the interface, the interface MUST be turned down. If there are multiple IP addresses assigned to the interface, the implementation can choose to only remove the affected address and keep the interface operating with other assigned addresses. The host SHOULD report, log, and/or display messages to indicate the error. If such a reply packet is received outside the time period, the host SHOULD only report, log, and/or display messages, but keep operating with the address. 4. Backwards Compatibility The hosts with this solution implemented can coexist with other hosts that do not have it implemented. The implementation is trivial and the overhead is very limited. Since one of the primary functions to fully solve the problem is that the second host stops using the duplicate IP address, the problem addressed here cannot be completely avoided unless all hosts on the network follow this document. However, because many existing TCP/IP implementations generate gratuitous ARP packet, as well as error reporting when duplication occurs, running hosts with this solution implemented can increase the chance of catching the error at earlier stage and reduce the possible damage made by an error. 5. Security Considerations The proposed solution can decrease the impact when a user, either fraudulently or simply by mistake, configures a host with an existing IP address on the LAN. Nevertheless, the proposed solution is mainly designed to prevent configuration errors, not for malicious attacks. If a hacker can fabricate and transmit ARP packets on a LAN, these packets can easily confuse all hosts on the LAN and to sabotage any Jou [Page 5] INTERNET_DRAFT Duplicate IP Address Detection February, 1999 network operations. Preventing malicious attacks within a LAN is sophisticated, and is out of the scope of this document. A new security concern introduced by the proposed scheme is by having a requirement to disable an interface when a suitable ARP reply is seen. To limit the vulnerability from attacks and network errors, as described in Step (3) of the solution, this disabling SHOULD only happen if the reply is received within some time period of sending out a gratuitous ARP request. A RECOMMENDED default period is 3 seconds, which is long enough to cover normal operations. 6. Reference [1] Plummer, D., "An Ethernet Address Resolution Protocol", STD 37, RFC 826, MIT, November 1982. 7. Author's Address Tyan-Shu Jou Torrent Networking Technologies Corporation 3000 Aerial Center Parkway Suite 140 Morrisville, NC 27560 U.S.A. Phone: (919) 468-8466 x233 Email: tsjou@torrentnet.com 8. Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. Jou [Page 6] INTERNET_DRAFT Duplicate IP Address Detection February, 1999 This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." Jou [Page 7]