Network Working Group                                       T.-S. Jou
INTERNET-DRAFT                                        IBM Corporation
Updates: RFC 826                                       February, 1999

       Duplicate IP Address Detection Based on Gratuitous ARP
               <draft-jou-duplicate-ip-address-02.txt>

Status of this Memo

   This document is an Internet-Draft and is in full conformance
   with all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-
   Drafts as reference material or to cite them other than as
   "work in progress."

   To view the list of Internet-Draft Shadow Directories, see
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

   The Address Resolution Protocol specifies the scheme to resolve the
   hardware address of a host by using its IP address. The hardware
   addresses are normally unique for each hardware module because they
   were assigned by manufacturers; but there is much less control on the
   uniqueness of IP addresses on a LAN. With the booming network
   popularity, the possibility of the same IP address being used on
   different hosts is increasing. The duplication may come from users'
   or network administrators' mistakes, or configuration errors in host
   address-assigning programs such as BOOTP or DHCP servers. This
   document defines an extension to the original ARP protocol to
   prevent a newly configured host from doing much damage to a host
   that has been the owner of the same IP address.
   The solution is based on the de-facto gratuitous ARP packets, with a
   modification to a host's behavior when an address duplication is
   detected.

Jou                                                          [Page 1]

Acknowledgments

   This document was first prepared while the author was an IBM
   employee. The initial idea was confirmed and tested with help from
   Lori Napoli and Sajay Khanna in IBM. Thanks also go to Mike Patton
   in MAP Network Engineering, Inc., for pointing out the security
   concerns.

1. Introduction

   The Address Resolution Protocol, defined in RFC 826 [1], is used
   to determine a host's hardware address based on its network address.
   To adapt to possible changes in the association between a
   hardware address and an IP address, two mechanisms are specified in
   the RFC:

   (1) When a host receives an ARP packet and the sender IP address
       exists in its ARP table, the host should update the cached
       ARP entry with the sender hardware address in the packet.

   (2) Each host ages away old ARP entries to allow changes on the
       network.

   An increasing number of hosts are connected to networks and have IP
   addresses assigned, some of them dynamically, hence there is an
   increasing chance that the same IP address is assigned to multiple
   hosts on a LAN. RFC 826 overlooks this problem. Later in this
   document we will see that the above mechanisms can even cause
   catastrophic problems. If address duplication ever occurs, neither
   of the two hosts sharing the same address can be reliably reached by
   others, because of the unpredictable hardware address resolution on
   the shared IP address. This is an especially serious threat to a
   server that many clients depend on.
   The problem can be avoided gracefully if the following three
   conditions are achieved:

   (a) The host that attempts to use a duplicate IP address can detect
       that this address is being used by another host, and stops using
       this address immediately, possibly by turning down its interface.

   (b) The host that originally owns the IP address notifies the
       attempting host of the duplication, and then keeps operating.

   (c) The confusion caused by the second host's attempt is reduced to
       a minimum for all other hosts on the network.

   A host running one of many recent TCP/IP implementations can generate
   a gratuitous ARP packet when any of its interfaces is configured,
   usually at boot time. The gratuitous ARP packet is an ARP request
   with both the sender and the target IP address fields containing the
   configured IP address. This de-facto behavior can be deployed to
   detect IP address duplication. After seeing the gratuitous packet, a
   host following RFC 826 will send an ARP reply if the address is
   configured on one of its interfaces. Due to the lack of standards,
   once the gratuitous ARP sender receives the unexpected ARP reply, the
   response varies. Most implementations display warning messages on
   their consoles or create error logs. Some implementations allow
   both hosts to keep using this IP address until the problem is
   corrected manually. Some other implementations disable the networking
   capability on both hosts and require both hosts to be reconfigured
   and possibly rebooted. The latter implementation makes the hosts
   very vulnerable to configuration errors. The correct behavior should
   be that the host that originally owns this IP address keeps
   operating, while error messages are reported to draw the network
   administrator's attention.
   The host that attempts to use a duplicate IP address should stop
   operating on this address.

   The problem cannot be fully solved without addressing Condition (c).
   Since a gratuitous ARP request is a link-layer broadcast packet, all
   hosts on the network will receive it. According to RFC 826, all hosts
   that have this IP address cached in their ARP tables will update the
   entry with the sender hardware address. This behavior was originally
   designed to allow a host that has just changed its hardware address
   (for example, because an interface card was replaced) to update the
   others. However, this design results in these hosts not being able
   to reach the original IP address owner until their ARP entry
   expires, even if the gratuitous ARP sender stops using the address
   immediately. Since the gratuitous ARP packet has just updated every
   host's ARP entry, the entry will be valid for the full ARP entry
   lifetime, normally 20 minutes.

   As specified by RFC 826, the ARP reply from the original IP address
   owner is a unicast packet, hence the hosts with the ARP entry cached
   will not be aware of the occurrence of duplication. To correct the
   problem, this document specifies that the reply to the gratuitous ARP
   be a link-layer broadcast packet; Condition (c) can then be achieved
   because all other hosts will receive the ARP reply and change their
   cached entries back to point to the original address owner. Even
   though there is still a window of time during which the cached
   entries point to the gratuitous ARP sender, the time period is much
   shorter than the ARP entry lifetime.

2. Discussion of an Alternative to Broadcast Reply

   An alternative to replying with a broadcast ARP reply packet is to
   let the original address owner send a gratuitous ARP packet again,
   which can correct other hosts' cached entries as well.
   However, if for whatever reason the host attempting to use the
   duplicate IP address chooses to continue operating, that host will
   reply with an ARP packet. Once the original address owner receives
   the reply, it becomes a protocol dilemma whether to send another
   gratuitous ARP, which can potentially cause an infinite loop of ARP
   packets between the two hosts, or to hand over the IP address to the
   new host, which violates Condition (b) that we would like to achieve.

   On the other hand, if the link-layer broadcast ARP reply is sent by
   the original address owner but for some reason the host attempting to
   use the duplicate IP address is still operating, those hosts that
   have the ARP entry cached will be able to keep communicating with the
   original address owner until their ARP entries expire. Since these
   entries are updated by the broadcast reply, they will remain valid
   for approximately the full entry lifetime. But those hosts that have
   to resolve this IP address will see undetermined results. However, if
   the duplication problem can be fixed in time, perhaps manually by the
   users or the network administrator, the proposed scheme still causes
   less damage to all hosts on the network.

3. The Solution

   The implementation details of the solution are described in this
   section. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
   "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC 2119.

   (1) A gratuitous ARP request packet MUST be generated in two
       situations:

       (i)  when an IP address is being assigned to a working interface,
            and

       (ii) when an interface that has an IP address assigned is being
            turned up from down.
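   The following is an added example and is not part of the draft: a
   decoder for raw Ethernet/ARP frames that recognizes the gratuitous
   request form described in Section 1 (an ARP request whose sender and
   target IP fields both carry the sender's own address) and reports any
   IP address claimed by more than one hardware address across a capture,
   which is the duplicate-address condition this draft is concerned with.
   The frames, MAC addresses and the 192.0.2.0/24 addresses are
   constructed test data; the function names are the example's own.

```python
"""Added example, not from the draft: decode ARP frames, flag gratuitous
requests and IPs claimed by more than one hardware address."""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns the ARP fields, or None when the frame is not such an ARP
    packet (wrong EtherType, hardware/protocol types, field sizes, or
    too short to hold a full ARP body)."""
    if len(frame) < 42:                 # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sender_hw": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_hw": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP as described in the draft: a request whose sender
    and target IP fields both carry the sender's configured address."""
    return arp["op"] == ARP_REQUEST and arp["sender_ip"] == arp["target_ip"]


def audit(frames: List[bytes]) -> dict:
    """Walk a capture; report gratuitous requests and every IP for which
    more than one hardware address appeared in the sender fields."""
    claims: Dict[str, set] = {}
    gratuitous = []
    for raw in frames:
        arp = parse_arp(raw)
        if arp is None:
            continue                    # not ARP, or malformed: ignore
        claims.setdefault(arp["sender_ip"], set()).add(arp["sender_hw"])
        if is_gratuitous(arp):
            gratuitous.append((arp["sender_ip"], arp["sender_hw"]))
    conflicts = {ip: sorted(hws) for ip, hws in claims.items() if len(hws) > 1}
    return {"gratuitous": gratuitous, "conflicts": conflicts}


# Constructed capture (hex), not taken from the draft. Each frame is:
# dst MAC | src MAC | 0806 | htype ptype hlen plen op | sender MAC | sender IP
# | target MAC | target IP
CAPTURE = [bytes.fromhex(h) for h in (
    # newcomer 02:00:00:00:00:02 announces 192.0.2.10 (gratuitous request)
    "ffffffffffff" "020000000002" "0806" "0001080006040001"
    "020000000002" "c000020a" "000000000000" "c000020a",
    # owner 02:00:00:00:00:01 answers for 192.0.2.10 (reply, sent as a
    # link-layer broadcast, as this draft proposes)
    "ffffffffffff" "020000000001" "0806" "0001080006040002"
    "020000000001" "c000020a" "020000000002" "c000020a",
    # an ordinary request from 192.0.2.20 for 192.0.2.10; no conflict
    "ffffffffffff" "020000000003" "0806" "0001080006040001"
    "020000000003" "c0000214" "000000000000" "c000020a",
)]

if __name__ == "__main__":
    print(audit(CAPTURE))
```

   Run over the constructed capture, audit() reports one gratuitous
   request and one conflict, 192.0.2.10 claimed by both
   02:00:00:00:00:01 and 02:00:00:00:00:02. The same walk, fed live
   frames, is the basis of the console warnings and error logs the draft
   says most implementations produce.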
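   A second added example, also not part of the draft: a small model of
   a three-host LAN (the original address owner, a newcomer configured
   with the same address, and an observer that already holds a cache
   entry for it) that applies the two RFC 826 cache rules from Section 1
   to every frame and compares the observer's cache after the owner
   replies with a unicast (RFC 826) versus a link-layer broadcast (this
   draft). It shows Conditions (a) and (b) being met either way and
   Condition (c) being met only by the broadcast reply. Cache ageing is
   not modelled, and all addresses and names are constructed.

```python
"""Added example, not from the draft: RFC 826 cache rules on a constructed
LAN, comparing a unicast reply with the broadcast reply this draft proposes."""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the simulation.
OWNER_HW = "02:00:00:00:00:01"
DUP_HW = "02:00:00:00:00:02"
OBSERVER_HW = "02:00:00:00:00:03"
SHARED_IP = "192.0.2.10"        # the address both the owner and the newcomer use
OBSERVER_IP = "192.0.2.20"


@dataclass(frozen=True)
class ArpFrame:
    op: str            # "request" or "reply"
    sender_hw: str
    sender_ip: str
    target_hw: str
    target_ip: str
    dst_hw: str        # link-layer destination of the frame


@dataclass
class Host:
    name: str
    hw: str
    ip: str
    reply_mode: str = "unicast"                  # "unicast" (RFC 826) or "broadcast" (draft)
    cache: dict = field(default_factory=dict)    # ip -> hw; no ageing modelled
    up: bool = True
    conflicts: list = field(default_factory=list)

    def receive(self, frame: ArpFrame) -> Optional[ArpFrame]:
        """RFC 826 receive algorithm; returns the reply frame, if any."""
        if not self.up or frame.dst_hw not in (BROADCAST, self.hw):
            return None
        # Merge rule (1): an existing entry for the sender IP is overwritten.
        if frame.sender_ip in self.cache:
            self.cache[frame.sender_ip] = frame.sender_hw
        if frame.target_ip != self.ip:
            return None
        # The packet is for our address. Another hardware address using it
        # as sender IP means a duplicate.
        if frame.sender_ip == self.ip and frame.sender_hw != self.hw:
            self.conflicts.append(frame.sender_hw)
            if frame.op == "reply":
                # Condition (a): the newcomer hears the owner and stops.
                self.up = False
                return None
            # Condition (b): the owner answers the gratuitous request and
            # keeps operating; the draft makes this reply a broadcast.
            dst = BROADCAST if self.reply_mode == "broadcast" else frame.sender_hw
            return ArpFrame("reply", self.hw, self.ip, frame.sender_hw, frame.sender_ip, dst)
        if frame.sender_ip not in self.cache:
            self.cache[frame.sender_ip] = frame.sender_hw
        if frame.op == "request":
            return ArpFrame("reply", self.hw, self.ip, frame.sender_hw, frame.sender_ip,
                            frame.sender_hw)
        return None


def deliver(hosts, frame: ArpFrame) -> None:
    """Hand each frame to every host except its sender; queue any replies."""
    queue = [frame]
    while queue:
        f = queue.pop(0)
        for h in hosts:
            if h.hw == f.sender_hw:
                continue
            reply = h.receive(f)
            if reply is not None:
                queue.append(reply)


def simulate(reply_mode: str) -> dict:
    """Newcomer announces SHARED_IP; report what each host ends up with."""
    owner = Host("owner", OWNER_HW, SHARED_IP, reply_mode)
    newcomer = Host("newcomer", DUP_HW, SHARED_IP)
    observer = Host("observer", OBSERVER_HW, OBSERVER_IP)
    observer.cache[SHARED_IP] = OWNER_HW     # resolved earlier, entry still fresh
    lan = [owner, newcomer, observer]
    # Gratuitous ARP: request with sender IP == target IP, link-layer broadcast.
    deliver(lan, ArpFrame("request", DUP_HW, SHARED_IP, "00:00:00:00:00:00",
                          SHARED_IP, BROADCAST))
    return {
        "observer_entry": observer.cache[SHARED_IP],
        "owner_up": owner.up,
        "newcomer_up": newcomer.up,
        "newcomer_saw_conflict": newcomer.conflicts == [OWNER_HW],
    }


if __name__ == "__main__":
    for mode in ("unicast", "broadcast"):
        print(mode, simulate(mode))
```

   With the unicast reply the observer's entry for 192.0.2.10 is left
   pointing at the newcomer even though the newcomer has already gone
   down, and without ageing in the model it would stay that way (in a
   real host, for the remaining entry lifetime). With the broadcast reply
   the observer sees the owner's answer too and its entry is corrected
   in the same exchange.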
