
Detection of IP conflict in Linux

White paper by Jaroslav Imrich


Published: 01.12.2006

An IP conflict occurs when two different devices on a local network are using the same IP address. MS Windows informs about this event by showing a warning message and recording the MAC address of the conflicting system in the system logs, just like Solaris or OpenBSD. The situation in operating systems based on the Linux kernel is completely different. If you use GNU/Linux and you have ever taken part in an IP conflict, you probably noticed only repeated losses of connectivity. You would really waste your time searching for the cause of these problems in the system logs, because when an IP conflict occurs the Linux kernel does absolutely nothing.

Detection of IP conflict

An IP conflict can be detected only when your system receives a packet that meets two requirements: the source IP address must be the same as yours, and the received packet must originate from a different device. The origin of a packet is determined from the source MAC address. A MAC address is unique for every device in the network, so when your computer receives a packet with the same source IP address as yours but with a different source MAC address than yours, it is obvious that some other device on the local network uses your IP. When your local network is based on switches (90% of networks are), your computer receives only packets that are directly addressed to it. Therefore it is much better to detect an IP conflict from broadcast packets, which are delivered to every device on the local network. Most operating systems detect IP conflicts from ARP broadcasts. Broadcasts are also sent by samba and other network services, but these do not run on every computer in the network, so it is always best to stick to ARP.

Losses of connectivity

The ARP protocol is used to resolve MAC addresses of devices connected to the local network, and the losses of connectivity suffered during an IP conflict are directly related to it. Suppose the following situation: Computer A with IP address 10.1.1.2 wants to communicate with computer B with IP address 10.1.1.3.
Computer A sends an ARP broadcast with the question: "Who has IP address 10.1.1.3? Answer to computer with IP address 10.1.1.2 and MAC address AA:AA:BB:BB:CC:CC". This broadcast is received by every device on the local network, but only computer B, which is the owner of the corresponding IP address, sends an answer: "10.1.1.3 belongs to me and my MAC address is 11:11:22:22:33:33". Computer A temporarily stores the answer in its local ARP cache and is able to begin communication with computer B. The persistence of a normal entry in the ARP cache is usually approximately one minute. It is very important to say that if your computer has an entry for any IP address in its ARP cache, it will not send an ARP broadcast. It will use the available data.

The limitations of this communication concept are clearly visible when there is a system with a duplicate IP address on the local network. It generates replies to ARP broadcasts sent by neighboring systems and it propagates wrong data into their ARP caches. They have the wrong MAC address associated with your IP address and so they are unable to communicate with your computer. Use of static ARP entries can be sufficient prevention, but it is difficult to maintain static ARP entries in larger networks. In the majority of operating systems the contents of the ARP cache can be shown and managed with the "arp" utility.

Preventing IP conflict

Naturally, most modern operating systems try to avoid IP conflicts. During start-up or during a change of the network interface parameters they broadcast a special type of ARP request called "Gratuitous ARP". This way they try to find out whether the IP address they are going to use is already used by any other device on the local network. A Gratuitous ARP request generated by computer A from the previous example looks like: "Does anyone have IP address 10.1.1.2? Answer to computer with IP address 10.1.1.2 and MAC address AA:AA:BB:BB:CC:CC". If computer A receives any response, it will know that IP address 10.1.1.2 is already used by another device. In this situation most operating systems draw the user's attention by showing a warning message and they do not assign the IP address to the network interface. The Linux kernel does not react to a Gratuitous ARP request. This can be considered a serious problem.
Suppose the following situation: Computer A running Linux uses IP address 10.1.1.2. Computer B is starting Windows XP configured to use the same IP address. Computer B broadcasts a Gratuitous ARP request for this IP address and waits for a reply. Linux running on computer A does not answer. Computer B starts to use this IP and causes the IP conflict. Computer A is unable to communicate with other network devices because every device on the local network updated the corresponding entry in its ARP cache when it received the Gratuitous ARP request from computer B. If computer A responded to the Gratuitous ARP request generated during the startup of computer B, there would be no IP conflict. Actually, it would be possible to prevent 99% of IP conflicts just by sending a reply to the Gratuitous ARP immediately. Broadcasting a subsequent Gratuitous ARP request would ensure that all neighboring devices update the entries in their ARP caches with the correct values.

IP conflicts and Linux

It was already mentioned that the Linux kernel currently does not contain any code that would deal with detection of IP conflicts and generation of replies to Gratuitous ARP requests. You can think of this as a bug, but on the other hand this "functionality" is used, for example, by the High-Availability Linux Project. The absence of IP conflict detection was already solved before by an unofficial kernel "ARP patch" created by Marc Merlin. It implements logging of this event through the syslog interface, but it was rejected by the developers of the Linux kernel with the argument that if this can be done in userspace it should not be in the kernel. I agree with Mr. Merlin and I also think logging of this event (and also the reaction to the Gratuitous ARP) should be done by the kernel. This functionality could be disabled when needed, for example through the "/proc interface", just like IP forwarding.

I started the project IPwatchD – http://ipwatchd.sourceforge.net/ – with the aim of creating a tool that can detect IP conflicts and generate replies to Gratuitous ARP requests. Basically, IPwatchD is a quite simple daemon that uses the pcap library to capture all incoming ARP packets. It then compares the IP and MAC addresses from the packets with the addresses of the local interfaces, trying to detect an IP conflict. IPwatchD can operate on each network interface in two modes – passive and active. In passive mode it just generates syslog events. In active mode it also answers the Gratuitous ARP request and then sends further Gratuitous ARP requests to update the caches of neighboring hosts with the correct data.
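
The comparison described above (same sender IP, different sender MAC, with sender IP equal to target IP marking a Gratuitous ARP) can be sketched as follows. This is an added example, not IPwatchD's code: the names check_arp, seen_by_a and the verdict enum are hypothetical, and the frames are constructed in memory from the paper's computer A / computer B addresses instead of being captured with pcap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { ARP_IGNORE, ARP_CONFLICT, ARP_CONFLICT_GRATUITOUS };

/* Constructed sample addresses, taken from the paper's computer A / computer B scenario. */
static const uint8_t MAC_A[6] = {0xAA,0xAA,0xBB,0xBB,0xCC,0xCC}, IP_A[4] = {10,1,1,2};
static const uint8_t MAC_B[6] = {0x11,0x11,0x22,0x22,0x33,0x33}, IP_B[4] = {10,1,1,3};

/* Frame layout: 14-byte Ethernet header, then a 28-byte ARP body:
 * htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4). */
enum verdict check_arp(const uint8_t *f, size_t len,
                       const uint8_t my_mac[6], const uint8_t my_ip[4])
{
    static const uint8_t eth_ipv4[6] = {0x00,0x01, 0x08,0x00, 6, 4};
    if (len < 42) return ARP_IGNORE;                        /* truncated frame */
    if (f[12] != 0x08 || f[13] != 0x06) return ARP_IGNORE;  /* EtherType is not ARP */
    const uint8_t *arp = f + 14;
    if (memcmp(arp, eth_ipv4, 6) != 0) return ARP_IGNORE;   /* not IPv4-over-Ethernet ARP */
    const uint8_t *sha = arp + 8, *spa = arp + 14, *tpa = arp + 24;
    if (memcmp(spa, my_ip, 4) != 0) return ARP_IGNORE;      /* sender does not claim our IP */
    if (memcmp(sha, my_mac, 6) == 0) return ARP_IGNORE;     /* our own packet */
    /* Same IP, different MAC: conflict. Sender IP == target IP marks a Gratuitous ARP. */
    return memcmp(spa, tpa, 4) == 0 ? ARP_CONFLICT_GRATUITOUS : ARP_CONFLICT;
}

/* Build a broadcast ARP request as seen on the wire, then run the check as computer A. */
enum verdict seen_by_a(const uint8_t sha[6], const uint8_t spa[4], const uint8_t tpa[4])
{
    uint8_t f[42] = {0};
    memset(f, 0xFF, 6);                 /* destination: broadcast */
    memcpy(f + 6, sha, 6);              /* Ethernet source */
    f[12] = 0x08; f[13] = 0x06;         /* EtherType ARP */
    f[15] = 1; f[16] = 0x08; f[18] = 6; f[19] = 4; f[21] = 1;  /* Ethernet/IPv4, request */
    memcpy(f + 22, sha, 6); memcpy(f + 28, spa, 4); memcpy(f + 38, tpa, 4);
    return check_arp(f, sizeof f, MAC_A, IP_A);
}

int main(void)
{
    printf("B probes 10.1.1.2 (gratuitous): %d\n", seen_by_a(MAC_B, IP_A, IP_A));
    printf("B asks for A from 10.1.1.3:     %d\n", seen_by_a(MAC_B, IP_B, IP_A));
    printf("A's own gratuitous ARP:         %d\n", seen_by_a(MAC_A, IP_A, IP_A));
    return 0;
}
```

A passive-mode monitor would log the first two verdicts with the offending MAC address; the ordinary request from 10.1.1.3 and computer A's own announcement are correctly ignored.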
