cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
702
Views
0
Helpful
2
Replies

APIPA Address to Static Address at Link Layer

SF02
Level 1
Level 1

Not necessarily a Cisco related question but perhaps someone else can shed some light on this.

 

I'm not massively familiar with the rules surrounding APIPA addresses and how they work, other than the obvious nature of how a Windows client will revert to one if it cannot get a DHCP lease.

 

I was investigating some packet captures recently, and came across a device which had an APIPA address, nothing unusual there.

 

However i found packets in the capture showing a conversation between the APIPA device with IP 169.254.87.121, and a statically addresses device on an address in 192.1.1.0/24.

 

(Yes I have told the customer they should not be using this address range internally as its not a private range and they don't own it).

 

I didn't expect this to work at first, whilst obviously its only the MAC address which is important at the link layer, I would have expected the device not to ARP for something outside of it's own subnet, there is also no gateway configured to which it could send inter-network traffic.

 

The flow of traffic in the capture appears as follows:

 

Gratuitous ARP broadcast - 169.254.87.121 is at <MAC>

ARP Request Broadcast - who has 192.1.1.60 tell 169.254.87.121

ARP Reply Broadcast - 192.1.1.60 is at <MAC>

TCP SYN - Dst Port 3911 - 192.1.1.60 to 169.254.87.121 (HP Printer Status traffic)

TCP SYN,ACK - Src Port 3911 - 169.254.87.121 to 192.1.1.60 

 

Now I hadn't ever thought of a device receiving an ARP request to its MAC address but with a requester IP outside of its subnet and how this would work, but I guess it doesn't matter as ARP is a link layer protocol and therefore only interest in the source and destination MAC being valid.

 

It surprised me to see TCP connections being established between an APIPA address and an assigned static address in different ranges without inter-network comms.

 

Is there some special rule surrounding APIPA which means it is considered as part of the same network as the statically assigned IP and thus connections can occur as normal?

 

Has anyone ever come across this?

2 Replies 2

luis_cordova
VIP Alumni
VIP Alumni

Hi @SF02,

 

Address 192.1.1.0 is registered by BBN Technology.

https://www.raytheon.com/ourcompany/bbn

Do you have any device related to that company?

If so, could that device be responding to ARP broadcast messages.

 

Regards

Luis,

This is a customer's network, I had already done a whois on the range and established it wasn't theirs.
It appears that whoever did the addressing in the past for some strange reason thought they could use that address range, they probably confused 192.168.1.0/24.

The network is however isolated and only comprises this range so all the communication is at link layer.

The 192.1.1.0/24 devices are responding to the ARP request from the 169.254.87.121 device, I'm surprised to see this communication working though even at the link layer as I would expect the nodes to see this as internet layer traffic and not link layer.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco