STCP has had duplicate IP address detection for quite some time but a change to how Microsoft Windows 2008 and 7 behave has added an interesting wrinkle.
First let’s review how it works.
Duplicate IP address detection relies on the address resolution protocol (ARP).
The packet_monitor tool shows an ARP packet in two lines as
11:13:43.123 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:13:d4:59:7a:da Type 0806 (ARP) ARP Req Target 126.96.36.199 Src 188.8.131.52 [00:13:d4:59:7a:da]
STCP looks at the Src field and if it matches the IP address of the interface it was received on then STCP reports a duplicate IP address in the syserr_log with a message formatted as
<time> WARNING (<index>): MAC address <MAC address> is using our IP address <IP address>
11:13:43 WARNING(5): MAC address 00:13:d4:59:7a:da is using our IP address 184.108.40.206
The “MAC” stands for Media Access Control and knowing the MAC address will give you some clues as to the identify of the offending host. The first 3 bytes of the address are called the Organizationally Unique Identifier (OUI) and can be used to determine something about the Ethernet card or the host that it is in. For example, Stratus has two registered OUIs, 00-00-A8 and 00-04-FC. You can look up any OUI at http://standards.ieee.org/develop/regauth/oui/public.html
Many hosts, including STCP, when they boot or when an IP interface is configured send what is known as a gratuitous ARP. This frame basically looks for its own IP address, if it gets a reply it knows that the IP address is in use. Here is an example of a packet_monitor trace showing the gratuitous ARP sent by another VOS module as it brings up one of its interfaces. Note that both the Target and Src fields have the same IP address.
10:19:53.045 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:00:a8:41:3b:6e Type 0806 (ARP) ARP Req Target 220.127.116.11 Src 18.104.22.168 [00:00:a8:41:3b:6e]
OK, so what is this wrinkle I mentioned at the start of this post?
Beginning with Windows 2008 and Windows 7, the Microsoft TCP stack sends the gratuitous ARP with the the Src field set to 0.0.0.0.
10:45:10.530 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 1c:c1:de:b4:76:60 Type 0806 (ARP) ARP Req Target 22.214.171.124 Src 0.0.0.0 [1c:c1:de:b4:76:60]
The result is that STCP thinks that this is a “normal” query for its Ethernet address and responds with a normal reply
10:45:10.530 Xmit Ether Dst 1c:c1:de:b4:76:60 Src 00:00:a8:41:3b:6e Type 0806 (ARP) ARP Rep Target 0.0.0.0 [1c:c1:de:b4:76:60] Src 126.96.36.199 [00:00:a8:41:3b:6e]
It does not record any indication of a duplicate IP address. The good news is that the Windows stack recognizes the duplication and will switch to a link local address of the form 169.254.X.Y.
Why did Microsoft make this change? It seems that many TCP stacks (including STCP) will update their ARP cache entry for the source IP address with the Ethernet address included in the ARP frame. If the IP address is a duplicate you end up breaking current connections to the duplicated IP address as the packets are redirected to the duplicating host. By changing the Src field to 0.0.0.0 Microsoft prevents the TCP stacks (including STCP) from updating their ARP cache entries.