I'm just wondering if anyone has an in-depth understanding of the Linux networking stack and can tell me what the implications are for putting two interfaces on the same network in the same subnet.
Specifically, if you have a laptop connected via both Wifi and ethernet and both are active and have received IP addresses via DHCP, what would the expected result of that be?
Which interface would be used for traffic to our subnet?
Here is the way the routing table looks:
Destination     Gateway         Genmask         Use Iface
192.168.5.0     0.0.0.0         255.255.255.0       eth0
192.168.5.0     0.0.0.0         255.255.255.0       wlan0
127.0.0.0       0.0.0.0         255.0.0.0           lo
0.0.0.0         192.168.5.254   0.0.0.0             eth0

The routing table indicates that eth0 is preferred for traffic outside my network, but how was that determination made?
If I unplug the ethernet cable it immediately changes the routing table so that the wlan0 interface is the default gateway.
I'm wondering what controls that behaviour?
I can't say for Linux, but in OpenBSD, FreeBSD and OS X it works fine, though the devices you connect to will complain a lot about ARP changes (which is kinda obvious). The interface that will take priority is the one that connects last (not sure about Linux, but it should be similar). The situation depends most on your switches, if they can handle the ARP changes without freaking out (depends on how you set up the switch, but most dumb switches work fine).
All TCP sessions would just slightly hiccup before continuing on interface change, as the IP of the machine hasn't changed, just its link address, which is up to the switch to handle.
I've been doing this for a long time with little ill effect but it isn't suggested in any audit/security sensitive environment.
This is a practical use for ARP poisoning and should freak you out quite completely when you realize the security impacts.
Here is how a DHCP server 'notices things' (DHCP uses link layer lookups so good place to view what happens).
Wireless only.

# arp -a | grep 2.23
crapple.franticfilms.com (172.16.2.23) at 00:1e:c2:da:be:ef on sis1

Plug in ethernet...

# arp -a | grep 2.23
crapple.franticfilms.com (172.16.2.23) at 00:1e:c2:ea:be:ef on sis1

Unplug ethernet...

# arp -a | grep 2.23
crapple.franticfilms.com (172.16.2.23) at 00:1e:c2da:be:ef on sis1

# tail /var/log/messages
Nov 14 13:06:29 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:da:be:ef on sis1
Nov 14 13:06:31 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:ea:be:ef on sis1

Notice the flip-flop. Happens within a few seconds (depends on DHCP response time) and possibly every few seconds (depending on implementation).
Depending on how Linux deals with the flip-flopping (which could happen every odd packet until one interface goes down) you could expect to see the above log messages happen quite a lot (which is a very loud false positive for NIDS).
On 14-Nov-08, at 12:36 PM, John Lange wrote:
-- John Lange www.johnlange.ca
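Added example, not part of the original thread: one way to tell the flip-flop described in the reply apart from a one-time ARP change when reading "arp info overwritten" messages, so the alert volume for a dual-connected host can be handled separately. The first two sample lines are the ones quoted in the reply; the other two lines, the function names, the assumed year and the 60-second window are made up for illustration.

```python
import re
from datetime import datetime

# First two lines are the log lines quoted in the reply; the last two are constructed.
SAMPLE = """\
Nov 14 13:06:29 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:da:be:ef on sis1
Nov 14 13:06:31 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:ea:be:ef on sis1
Nov 14 13:06:33 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:da:be:ef on sis1
Nov 14 13:07:10 dhcp /bsd: arp info overwritten for 172.16.2.40 by 00:1e:c2:aa:bb:cc on sis1
""".splitlines()

# Message format as it appears in the /var/log/messages excerpt in the reply.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /bsd: arp info overwritten "
    r"for (?P<ip>\S+) by (?P<mac>[0-9a-f:]+) on \S+$"
)

def parse(lines, year=2008):
    """Yield (timestamp, ip, mac); syslog omits the year, so one is assumed."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["mac"]

def classify(lines, window=60):
    """Return {ip: 'flapping' | 'changed'}.

    'flapping': a MAC that was overwritten claims the IP again within
    `window` seconds (A -> B -> A), so two link addresses are competing
    for one IP address.
    'changed': overwrites were logged, but no MAC ever came back.
    """
    last_seen = {}   # (ip, mac) -> last time that MAC claimed the IP
    current = {}     # ip -> MAC currently holding the ARP entry
    verdict = {}
    for ts, ip, mac in parse(lines):
        verdict.setdefault(ip, "changed")
        prev = last_seen.get((ip, mac))
        if (prev is not None and current.get(ip) != mac
                and (ts - prev).total_seconds() <= window):
            verdict[ip] = "flapping"
        last_seen[(ip, mac)] = ts
        current[ip] = mac
    return verdict

if __name__ == "__main__":
    for ip, state in classify(SAMPLE).items():
        print(ip, state)
```

The classifier only reports that two MAC addresses alternate for one IP; whether both belong to the same laptop still has to be checked against an inventory or DHCP lease data.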