Re: Problem when WinXP firewall is activated (does not reply to ping) (msg#00006, network.dns.dnsmasq.general)
Raphaël HUCK wrote:
> There is a problem when the firewall of Windows XP is activated, as it
> does not reply to ping, and dnsmasq checks with ping whether an IP
> address is already attributed before giving it to someone.
>
> As Windows XP doesn't reply to ping when its firewall is activated,
> dnsmasq thinks the address isn't in use, and gives it to someone else.

This shouldn't be a problem in practice. DHCP has "defense in depth" against this problem. On a properly configured system, the DHCP server will know which addresses are in use, and not allocate them twice. Then there's the ping test on the server. Finally, the client should do an ARP test, and send a DHCPDECLINE message if that fails; the server will then offer a different address.

>
> On the other hand, Windows XP still replies to arping (even when the
> firewall is activated).
>
> So maybe it would be a good idea to check with arping if ping doesn't
> yield a reply.

See above: the client should do an arping anyway.

>
> Someone already talked about using arping instead of ping (but not about
> this issue with Windows XP):
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2006q3/000847.html
>
> The reply was that ping was used instead of arping because it was routed.
>
> But for example when using dnsmasq in a SOHO, there is a high
> probability that a Windows XP will be connected to it.
>

Agreed.

> So I think this is really an issue. Anyway, I'm gonna have a look into
> it, and maybe will come up with a patch.

As far as I can see, such a patch shouldn't break standards compliance: the crucial bit of RFC 2131 seems to be this:

    As a consistency check, the allocating server SHOULD probe the
    reused address before allocating the address, e.g., with an ICMP
    echo request, and the client SHOULD probe the newly received
    address, e.g., with ARP.

Which just says that both should do a probe, but only gives examples as to which protocol to use.

If you do a patch: watch out for portability: it's no use using PF_PACKET sockets (Linux only) unless you provide alternative code for *BSD.

Cheers,

Simon.

>
> --Raphael HUCK
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss-YFzxfK+dQ3ZKxzGo0kwUX62ZND6+EDdj@xxxxxxxxxxxxxxxx
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
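The ARP check discussed in this message, as an added example that is not code from the thread or from dnsmasq: it covers only the portable half, building the probe frame and recognising a reply that claims the address. Putting the frame on the wire is the platform-specific part (PF_PACKET on Linux, other code on *BSD). The function names and sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_FRAME_LEN 42  /* 14-byte Ethernet header + 28-byte ARP body */

/* Ethernet/IPv4 ARP prefix: htype=1, ptype=0x0800, hlen=6, plen=4 */
static const uint8_t ARP_PREFIX[6] = {0x00, 0x01, 0x08, 0x00, 6, 4};

/* Fill buf with a broadcast ARP request for target_ip. Sender IP is 0.0.0.0
 * (probe form), so the question does not disturb neighbours' ARP caches.
 * Returns the frame length, or 0 if buf is too small. */
size_t build_arp_probe(uint8_t *buf, size_t buflen,
                       const uint8_t src_mac[6], const uint8_t target_ip[4])
{
    if (buflen < ARP_FRAME_LEN) return 0;
    memset(buf, 0, ARP_FRAME_LEN);   /* sender IP and target MAC stay zero */
    memset(buf, 0xff, 6);            /* destination: broadcast */
    memcpy(buf + 6, src_mac, 6);     /* Ethernet source */
    buf[12] = 0x08; buf[13] = 0x06;  /* EtherType: ARP */
    memcpy(buf + 14, ARP_PREFIX, 6);
    buf[21] = 1;                     /* opcode 1: request */
    memcpy(buf + 22, src_mac, 6);    /* sender hardware address */
    memcpy(buf + 38, target_ip, 4);  /* target protocol address */
    return ARP_FRAME_LEN;
}

/* Returns 1 and copies the owner's MAC if frame is an ARP reply whose sender
 * IP is probed_ip, i.e. some host already holds the address. */
int arp_reply_claims_ip(const uint8_t *frame, size_t len,
                        const uint8_t probed_ip[4], uint8_t owner_mac[6])
{
    if (len < ARP_FRAME_LEN) return 0;
    if (frame[12] != 0x08 || frame[13] != 0x06) return 0;
    if (memcmp(frame + 14, ARP_PREFIX, 6) != 0) return 0;
    if (frame[20] != 0 || frame[21] != 2) return 0;   /* opcode 2: reply */
    if (memcmp(frame + 28, probed_ip, 4) != 0) return 0;
    memcpy(owner_mac, frame + 22, 6);
    return 1;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const uint8_t mac[6] = {0x02, 0, 0, 0, 0, 0x01}, ip[4] = {192, 168, 1, 50};
    uint8_t frame[ARP_FRAME_LEN];
    size_t n = build_arp_probe(frame, sizeof frame, mac, ip);
    for (size_t i = 0; i < n; i++) printf("%02x%s", frame[i], (i + 1) % 14 ? " " : "\n");
    return 0;
}
```

A host whose firewall drops ICMP echo still has to answer ARP to stay reachable on the link, which is why a reply matched by `arp_reply_claims_ip` is a usable "address in use" signal where the ping test is silent.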