[ih] History of duplicate address tests
Jack Haverty
jack at 3kitty.org
Tue Nov 29 13:51:42 PST 2022
I'm surprised (and disappointed) if this "feature" still exists.
Back in the mid 80s, we created a simple software tool we called a
"Flakeway". The purpose was to simulate network problems in order to
test out a TCP's ability to deal with IP datagrams that were actually
dropped, reordered, duplicated, or otherwise mangled in transit.
Computers directly connected to the ARPANET never encountered such
conditions, so we looked for a way to create them in order to see if a
TCP implementation really worked.
Such a tool would be most useful if it didn't require changes anywhere
in the existing equipment. Ideally it would work by somehow inserting
itself into the normal path for traffic between two computers
interacting using TCP, without those computers knowing that it was there.
By exploiting the behavior of ARP and common host implementations that
Joe mentioned, we created "Flakeway" software. Typically we would run
it on a machine with an Ethernet interface that could deal with lots of
traffic, and which could be put in "promiscuous mode" so that the
Flakeway would receive all Ethernet traffic regardless of its
addresses. The constraint for using the tool was that at least one of
the computers under test had to be connected to the same Ethernet
segment, so that all its traffic would be visible at the Flakeway's
Ethernet interface. At the time, Sun workstations ("SPARCs") were
typically available and met the requirements.
Flakeway would start watching all Ethernet traffic (much like Wireshark
today), and then issue an ARP request for the computer being tested. On
receiving the ARP reply, it would immediately send its own ARP reply for
that same IP address, but specifying itself as the appropriate Ethernet
target address. As Joe noted, computers typically flush their address
caches on seeing new ARP information, and use the most recent response
for any subsequent traffic they send to that IP address.
After completing this setup, all the interesting traffic now flows to
the Flakeway machine, which can simply retransmit it to the real
Ethernet address of the computer being tested. Other than a slight
increase in delay, nothing much changes. By performing the same
procedure for a (real) gateway's Ethernet address, the Flakeway could
insert itself into the datagram pathway for traffic in both
directions. To do the testing, we then set it up so it could delay,
duplicate, reorder, discard, and otherwise mangle the IP traffic flow to
see how the TCPs dealt with such problems (as they were designed to do).
This tool was very useful. Programming it took only a day or two. But
it did seem to reveal a vulnerability in the protocols. E.g., you could
easily pretend to be any other Internet computer and possibly convince
some user to enter sensitive information or do other nasty things.
This was all reported, quietly, to IETF, so it could be fixed.
Meanwhile, it was a useful tool. About ten years later, in the early
90s, I tried using the tool again and discovered that it still worked.
I don't know if that was because the protocols hadn't been improved, or
because the computers involved weren't up to date.
Curiously, as it became more common to use "switched" Ethernet, the tool
required more careful configuration of the machines involved to make
sure the traffic flows were visible to the Flakeway. Now, with the
pervasive use of Wifi, and the broadcast nature of radio, maybe the
pendulum has swung back.
So, a little piece of history of address idiosyncracies.... and use of
duplicate addresses.
Enjoy,
Jack Haverty
On 11/29/22 12:50, touch--- via Internet-history wrote:
> Hi, Andy,
>
> Using ARP as duplicate address detection has an unintended and possibly dangerous consequence.
>
> If you ARP your own address, you are also broadcasting the IP/Ethernet association of your endpoint as the requesting party. That can flush caches elsewhere and cause traffic to the previous owner of that endpoint to fail - in some cases (and surprisingly) that includes the endpoint that had that address in the first place.
>
> So I don’t think that qualifies as “safe” duplicate address detection and I wouldn’t say that this would be an origin of that concept, as a result.
>
> YMMV.
>
> Joe
>
> —
> Dr. Joe Touch, temporal epistemologist
> www.strayalpha.com
>
>> On Nov 29, 2022, at 12:43 PM, Andrew G. Malis via Internet-history <internet-history at elists.isoc.org> wrote:
>>
>> John,
>>
>> ARP (RFC 826) trivially enables duplicate IPv4 address detection on
>> Ethernet networks (just ARP for your own address and see if anyone else
>> responds), so I guess November 1982 for IP over Ethernet.
>>
>> Cheers,
>> Andy
>>
>>
>> On Tue, Nov 29, 2022 at 3:23 PM John Kristoff via Internet-history <
>> internet-history at elists.isoc.org> wrote:
>>
>>> My earliest memory, because that is the time of my entry into the
>>> field, of duplicate address detection was done on Token Ring networks
>>> during ring insertion (phase 2 - address verification). More recently
>>> IPv6 has duplicate address detection (dad).
>>>
>>> I'm curious to know about the earliest of duplicate address detection
>>> mechanisms. I imagine there were some predating what I remember about
>>> Token Ring, but this is the kind of thing that is difficult to uncover
>>> without some hints. Any pointers to the earliest of these functions in
>>> networking?
>>>
>>> Thanks kindly,
>>>
>>> John
>>> --
>>> Internet-history mailing list
>>> Internet-history at elists.isoc.org
>>> https://elists.isoc.org/mailman/listinfo/internet-history
>>>
>> --
>> Internet-history mailing list
>> Internet-history at elists.isoc.org
>> https://elists.isoc.org/mailman/listinfo/internet-history
More information about the Internet-history
mailing list