Re: Apple devices spoofing default gateway?
I just joined nanog to allow me to respond to a thread that Simon posted in March. . (Not sure if this is how to respond) We have the exact same problem with Aruba Access points and with multiple MacBooks and a iMac. Where the device will spoof the default gateway and the effect is that vlan is not usable. I also have raised a case with Apple but so far no luck. What is the status of your issue? Any luck working out exactly what the cause is? Regards, Mike
On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy@gmail.com> wrote:
I just joined nanog to allow me to respond to a thread that Simon posted in March. . (Not sure if this is how to respond)
We have the exact same problem with Aruba Access points and with multiple MacBooks and a iMac. Where the device will spoof the default gateway and the effect is that vlan is not usable.
I also have raised a case with Apple but so far no luck.
What is the status of your issue? Any luck working out exactly what the cause is?
We appeared to hit this with Cisco kit: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-acce... They don't say *exactly* that the Apple devices are spoofing the gateway, but some behaviour in what they send out results in the proxy arp being performed by the APs to update the ARP entry for the gateway address to the clients':
* This is not a malicious attack, but triggered by an interaction between the macOS device while in sleeping mode, and specific broadcast traffic generated by newer Android devices
* AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default. Due to their address learning design, they will modify table entries based on this traffic leading to default gateway ARP entry modification
The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client devices. -- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
Turn on client isolation on the access points?
On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy@gmail.com> wrote:
I just joined nanog to allow me to respond to a thread that Simon posted in March. . (Not sure if this is how to respond)
We have the exact same problem with Aruba Access points and with multiple MacBooks and a iMac. Where the device will spoof the default gateway and the effect is that vlan is not usable.
I also have raised a case with Apple but so far no luck.
What is the status of your issue? Any luck working out exactly what the cause is?
We appeared to hit this with Cisco kit: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-acce...
They don't say *exactly* that the Apple devices are spoofing the gateway, but some behaviour in what they send out results in the proxy arp being performed by the APs to update the ARP entry for the gateway address to the clients':
* This is not a malicious attack, but triggered by an interaction between the macOS device while in sleeping mode, and specific broadcast traffic generated by newer Android devices * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default. Due to their address learning design, they will modify table entries based on this traffic leading to default gateway ARP entry modification
The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client devices.
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
For those of us with Aruba wireless, www boy, could you share some more info about your setup/code version/configuration/specific APs/controller model(s)/etc? Matt Freitag Network Engineer Michigan Tech IT Michigan Technological University We can help. mtu.edu/it (906) 487-1111 On Fri, Jun 7, 2019 at 3:06 PM Matt Hoppes < mattlists@rivervalleyinternet.net> wrote:
Turn on client isolation on the access points?
On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy@gmail.com> wrote:
I just joined nanog to allow me to respond to a thread that Simon posted in March. . (Not sure if this is how to respond)
We have the exact same problem with Aruba Access points and with multiple MacBooks and a iMac. Where the device will spoof the default gateway and the effect is that vlan is not usable.
I also have raised a case with Apple but so far no luck.
What is the status of your issue? Any luck working out exactly what the cause is?
We appeared to hit this with Cisco kit:
https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-acce...
They don't say *exactly* that the Apple devices are spoofing the
gateway, but some behaviour in what they send out results in the proxy arp being performed by the APs to update the ARP entry for the gateway address to the clients':
* This is not a malicious attack, but triggered by an interaction
between the macOS device while in sleeping mode, and specific broadcast traffic generated by newer Android devices
* AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default. Due to their address learning design, they will modify table entries based on this traffic leading to default gateway ARP entry modification
The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client devices.
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
Good day Matt, We have a combination of IAP-135 and IAP-125's , we are running a older firmware (yeah i know it needs updating something for next month or so) Worst luck I couldnt work out how to modify local arp caches on the access points. I have just enabled "Deny inter user bridging" and that seems to have stopped the network from crashing when a client steals the router IP. (this solution may not be the best for some environments tho) Worst luck Apple is being very slow with a solution and even admitting there is a issue. But I just wanted to make sure i updated this thread so at least people in the future can find it when they google. If anyone else has any good ideas or solutions let me know. I am keen to try the latest firmware to see if that has any other features that might prevent this. Regards, Mike On Sat, Jun 8, 2019 at 5:59 AM Matt Freitag <mlfreita@mtu.edu> wrote:
For those of us with Aruba wireless, www boy, could you share some more info about your setup/code version/configuration/specific APs/controller model(s)/etc?
Matt Freitag Network Engineer Michigan Tech IT Michigan Technological University
We can help. mtu.edu/it (906) 487-1111
On Fri, Jun 7, 2019 at 3:06 PM Matt Hoppes < mattlists@rivervalleyinternet.net> wrote:
Turn on client isolation on the access points?
On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy@gmail.com> wrote:
I just joined nanog to allow me to respond to a thread that Simon posted in March. . (Not sure if this is how to respond)
We have the exact same problem with Aruba Access points and with multiple MacBooks and a iMac. Where the device will spoof the default gateway and the effect is that vlan is not usable.
I also have raised a case with Apple but so far no luck.
What is the status of your issue? Any luck working out exactly what the cause is?
We appeared to hit this with Cisco kit:
https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-acce...
They don't say *exactly* that the Apple devices are spoofing the
gateway, but some behaviour in what they send out results in the proxy arp being performed by the APs to update the ARP entry for the gateway address to the clients':
* This is not a malicious attack, but triggered by an interaction
between the macOS device while in sleeping mode, and specific broadcast traffic generated by newer Android devices
* AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default. Due to their address learning design, they will modify table entries based on this traffic leading to default gateway ARP entry modification
The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client devices.
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
This is a less than helpful feature in a lot of situations… e.g. I was attempting to work on an IOT device and test OTA firmware updates in a Hotel a little while ago. The client isolation on the wifi network resulted in non-obvious failures that took some time to identify. In general, people expect communications within a LAN segment to work. Breaking this assumption should only be done in cases where there is very good reason to do so. I fully appreciate the argument that a hotel WiFi is one such situation and even agree with it to some extent. However, in such circumstances, I believe the fact should be posted in plain view and/or noticed on the captive portal login page. Owen
On Jun 7, 2019, at 12:06 , Matt Hoppes <mattlists@rivervalleyinternet.net> wrote:
Turn on client isolation on the access points?
On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy@gmail.com> wrote:
I just joined nanog to allow me to respond to a thread that Simon posted in March. . (Not sure if this is how to respond)
We have the exact same problem with Aruba Access points and with multiple MacBooks and a iMac. Where the device will spoof the default gateway and the effect is that vlan is not usable.
I also have raised a case with Apple but so far no luck.
What is the status of your issue? Any luck working out exactly what the cause is?
We appeared to hit this with Cisco kit: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-acce...
They don't say *exactly* that the Apple devices are spoofing the gateway, but some behaviour in what they send out results in the proxy arp being performed by the APs to update the ARP entry for the gateway address to the clients':
* This is not a malicious attack, but triggered by an interaction between the macOS device while in sleeping mode, and specific broadcast traffic generated by newer Android devices * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default. Due to their address learning design, they will modify table entries based on this traffic leading to default gateway ARP entry modification
The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client devices.
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
On Fri, Jun 7, 2019 at 6:14 AM www boy <wwwboy@gmail.com> wrote:
I just joined nanog to allow me to respond to a thread that Simon posted in March. . (Not sure if this is how to respond)
We have the exact same problem with Aruba Access points and with multiple MacBooks and a iMac. Where the device will spoof the default gateway and the effect is that vlan is not usable.
I also have raised a case with Apple but so far no luck.
What is the status of your issue? Any luck working out exactly what the cause is?
Hmm. Shooting in the dark here, but do you have a mismatch in your netmask configurations? A device configured to perform proxy arp may respond to requests for addresses outside its configured netmask. If the configured address and netmask for some reason excluded the default gateway... Or if, say, you have multiple subnets on the same vlan and one of the devices in one of the subnets is configured to perform proxy arp... -- William Herrin bill@herrin.us https://bill.herrin.us/
participants (6)
-
Hugo Slabbert
-
Matt Freitag
-
Matt Hoppes
-
Owen DeLong
-
William Herrin
-
www boy