[RndTbl] Implication of multiple interfaces on the same subnet?

Sean Cody sean at tinfoilhat.ca
Fri Nov 14 13:14:16 CST 2008


I can't say for Linux, but in OpenBSD, FreeBSD and OS X it works fine,
though the devices you connect to will complain a lot about arp
changes (which is kinda obvious).  The interface that will take
priority is the one that connects last (not sure about Linux but
should be similar).  The situation depends most on your switches, if
they can handle the arp changes without freaking out (depends on how
you set up the switch, but most dumb switches work fine).

All TCP sessions would just slightly hiccup before continuing on
interface change, as the IP of the machine hasn't changed, just its
link address, which is up to the switch to handle.

I've been doing this for a long time with little ill effect but it  
isn't suggested in any audit/security sensitive environment.

This is a practical use for arp poisoning and should freak you out
quite completely when you realize the security impacts.

Here is how a DHCP server 'notices things' (DHCP uses link layer  
lookups so good place to view what happens).

Wireless only.
# arp -a | grep 2\.23
crapple.franticfilms.com (172.16.2.23) at 00:1e:c2:da:be:ef on sis1
Plug in ethernet...
# arp -a | grep 2\.23
crapple.franticfilms.com (172.16.2.23) at 00:1e:c2:ea:be:ef on sis1
Unplug ethernet...
# arp -a | grep 2\.23
crapple.franticfilms.com (172.16.2.23) at 00:1e:c2da:be:ef on sis1

# tail /var/log/messages
Nov 14 13:06:29 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:da:be:ef on sis1
Nov 14 13:06:31 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:ea:be:ef on sis1

Notice the flip-flop.  Happens within a few seconds (depends on DHCP
response time) and possibly every few seconds (depending on
implementation).

Depending on how Linux deals with the flip-flopping (which could  
happen every odd packet until one interface goes down) you could  
expect to see the above log messages happen quite a lot (which is a  
very loud false positive for NIDS).

On 14-Nov-08, at 12:36 PM, John Lange wrote:

> I'm just wondering if anyone has an in depth understanding of the
> Linux networking stack and can tell me what the implications are for
> putting two interfaces on the same network in the same subnet.
>
> Specifically, if you have a laptop connected via both Wifi and
> ethernet and both are active and have received IP addresses via DHCP,
> what would the expected result of that be?
>
> Which interface would be used for traffic to our subnet?
>
> Here is the way the routing table looks:
>
> Destination     Gateway         Genmask         Use Iface
> 192.168.5.0     0.0.0.0         255.255.255.0   eth0
> 192.168.5.0     0.0.0.0         255.255.255.0   wlan0
> 127.0.0.0       0.0.0.0         255.0.0.0       lo
> 0.0.0.0         192.168.5.254   0.0.0.0         eth0
>
> The routing table indicates that eth0 is preferred for traffic outside
> my network but how was that determination made?
>
> If I unplug the ethernet cable it immediately changes the routing
> table so that the wlan0 interface is the default gateway.
>
> I'm wondering what controls that behaviour?
>
> -- 
> John Lange
> www.johnlange.ca

-- 
Sean
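
Added example (not part of the original message): a small triage script for the "arp info overwritten" kernel messages quoted above. It silences the flip-flop only for hosts inventoried as having two NICs on the subnet and flags any other alternation, since it looks the same as ARP poisoning. The inventory, the verdict names, the threshold and all sample lines after the first two are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the /var/log/messages lines quoted above
# (first two lines match the post; the rest, including 172.16.2.40, are made up).
SAMPLE_LOG = """\
Nov 14 13:06:29 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:da:be:ef on sis1
Nov 14 13:06:31 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:ea:be:ef on sis1
Nov 14 13:06:33 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:da:be:ef on sis1
Nov 14 13:06:35 dhcp /bsd: arp info overwritten for 172.16.2.23 by 00:1e:c2:ea:be:ef on sis1
Nov 14 13:07:02 dhcp /bsd: arp info overwritten for 172.16.2.40 by 00:11:22:33:44:55 on sis1
"""

# Assumption: an inventory of hosts known to have two NICs on this subnet.
KNOWN_DUAL_HOMED = {"172.16.2.23": {"00:1e:c2:da:be:ef", "00:1e:c2:ea:be:ef"}}

OVERWRITE = re.compile(
    r"arp info overwritten for (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"by (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)

def triage(log_text, inventory=KNOWN_DUAL_HOMED, flap_threshold=3):
    """Classify each IP seen in 'arp info overwritten' kernel messages."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = OVERWRITE.search(line)
        if m:
            seen[m["ip"]].append(m["mac"].lower())
    report = {}
    for ip, macs in seen.items():
        distinct = set(macs)
        if distinct <= inventory.get(ip, set()):
            verdict = "known-dual-homed"    # expected flip-flop, safe to suppress
        elif len(distinct) >= 2 and len(macs) >= flap_threshold:
            verdict = "flapping-unknown"    # looks like ARP poisoning: investigate
        else:
            verdict = "isolated-change"     # few overwrites, e.g. NIC swap or new lease
        report[ip] = {"overwrites": len(macs), "macs": sorted(distinct),
                      "verdict": verdict}
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```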



