Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!killer!ames!pasteur!ucbvax!UC.MSC.UMN.EDU!slevy From: slevy@UC.MSC.UMN.EDU ("Stuart Levy") Newsgroups: comp.protocols.tcp-ip Subject: Re: A host sending an ARP request to itself? Message-ID: <8807082155.AA03962@uc.msc.umn.edu> Date: 8 Jul 88 21:55:08 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The Internet Lines: 28 It's probably trying to tell the world that it itself (its own IP address) is at its own Ethernet address... just in case they forgot or otherwise got confused. It could also be checking for impostors on the same net, claiming to be the same IP address as its own. ARP request packets don't just list the requested IP address; they also include the requestor's IP and link-layer (e.g. Ethernet) address. A feature of the algorithm in RFC 826 is that, on receiving an ARP request, you check whether the -sender's- IP address is in the local ARP table. If so, update the table to associate [sender-IP-address, sender-link-layer-address]. (And, of course, also check whether to respond to the ARP request, but that's another matter.) This makes it possible to change a host's link-layer address and notify the world of the fact just by broadcasting any ARP request. Anyone who thought they knew what the address was will automatically update their tables. (Of course it also makes it possible for any bozo who can generate a bogus ARP packet to cut you off from the world. This might be a rationale for sending ARPs periodically, though 5 second intervals seem pretty extreme.) Further, ARPing for your own IP address should bring a response from anyone who thinks they're at that address too. BSD systems print "duplicate IP address!!" messages when they detect this situation. Stuart Levy