If you look at Kevin's example traces on the EDUCAUSE WIRELESS-LAN listserv you'll see that the ARP packets are in fact unicast. Iljitsch's point about the fact that iPhones remain on while crossing wireless switch boundaries is exactly dead on. If you read the security advisory you'll see that it involves either L3 roaming or two or more WLCs that share a common L2 network. Most wireless clients don't roam in such a big way. Frank -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Iljitsch van Beijnum Sent: Tuesday, July 24, 2007 4:35 PM To: Prof. Robert Mathews (OSIA) Cc: North American Network Operators Group Subject: Re: iPhone and Network Disruptions ... On 24-jul-2007, at 15:27, Prof. Robert Mathews (OSIA) wrote:
Looking at this issue with an 'interoperability lens,' I remain puzzled by a personal observation that at least in the publicized case of Duke University's Wi-Fi net being effected, the "ARP storms" did not negatively impact network operations UNTIL the presence of iPhones on campus. The nagging point in my mind therefore, is: why have other Wi-Fi devices (laptops, HPCs/PDAs, Smartphones etc.,) NOT caused the 'type' of ARP flooding, which was made visible in Duke's Wi-Fi environment?
Reading the Cisco document the conclusion seems obvious: the iPhone implements RFC 4436 unicast ARP packets which cause the problem. I don't have an iPhone on hand to test this and make sure, though. The difference between an iPhone and other devices (running Mac OS X?) that do the same thing would be that an iPhone is online while the user moves around, while laptops are generally put to sleep prior to moving around.