Wireshark-users: [Wireshark-users] Malformed Gratuitous ARP

From: "Justin Shore" <justin.shore@xxxxxxxxxx>
Date: Mon, 18 Dec 2006 11:08:08 -0600
I stumbled across an unusual problem with a new series of broadband
routers.  This particular product line absolutely will not work behind a
certain model of DSL modem/router we use but will work behind the
previous versions just find.  After sniffing the traffic in a number of
scenarios I believe I have found the problem.  The broadband router does
a DHCP DISCOVER and gets a DHCP OFFER from our ATM router.  It
immediately ARPs for the IP address from the DHCP OFFER (more on this in
a second).  At the same time it sends the DHCP REQUEST and receives the
subsequent DHCP ACK.  The ARP it sent our is malformed.  The SHA is
correct but the SPA is set to 0.0.0.0.  The TPA is the IP from the DHCP
OFFER.  The THA is an bogus Ethernet MAC such as 40:47:40:47:40:47 or
c0:a8:40:47:40:47.  

(For those that don't understand the ARP acronyms above refer to this
page:)

http://en.wikipedia.org/wiki/Address_Resolution_Protocol

This is a invalid ARP request.  The SPA is always supposed to be the
valid SPA for host, not 0.0.0.0.  The THA is supposed to be 0 or f.  I
believe they're trying to do a gratuitous ARP.  However they can't do a
G-ARP at this stage of the DHCP exchange because they haven't yet sent
the DHCP REQUEST and received the DHCP ACK (so they don't yet have an
IP).  A gratuitous ARP uses an identical SPA and TPA with the correct
THA.  The only field not populated with known data is the THA and it's
supposed to be populated with 0s or Fs.  You can't simply make up a THA.


The end result is that the broadband router receives a reply to its ARP
and immediately sends a DHCP DECLINE.  Now let me explain something
about the ARP reply it receives.  It appears that the DSL modem/router
has a builtin proxy-ARP function.  It replies to the ARP request with a
reply that sets the THA the DSL modem's MAC and uses the TPA from the
ARP request as the SPA for the reply packet.  The TPA is 0.0.0.0 and the
THA is the original SHA.  I haven't found a way to disable the proxy ARP
functionality in this modem.  It did not do this in the older models.
This is part of the problem but under normal circumstances isn't a
problem at all.  The broadband router's invalid usage of ARP causes the
whole problem.  I believe this is the result of a proxy ARP

Am I understanding this correctly?  I've been working on this all
weekend.  It's ARP; there are only so many different ways in which you
can use ARP.  I have packet dumps from both new models of the broadband
routers on both the problematic modem and the older modem.  I also have
similar packet dumps from the previous model of broadband router on both
modems.

Can anyone doublecheck my work and theory?  I'm trying to engage both
vendors to resolve this problem.  I'm at a loss for any other
explanation at this point though.

Thanks
 Justin