Solaris TCP/IP parameters: arp_cleanup_interval
By tgardner on Jun 10, 2008
The Address Resolution Protocol enables a host to determine the Ethernet address of a station given the station's IP address. If the host does not know the station's Ethernet address - in other words, the address is not in the ARP cache - the host broadcasts an ARP request to all stations asking for the Ethernet address of the station with that IP address. The address carried in the reply is stored in the ARP cache.
There are two types of ARP cache entries: solicited and unsolicited. Solicited entries are entered into the ARP cache as a result of requests by the host. Unsolicited entries come from other hosts that have issued ARP requests. "arp_cleanup_interval" is the length of time, in milliseconds, that an unsolicited ARP entry remains in the ARP cache. Unsolicited ARP cache entries are discarded when IP does not request the entry before arp_cleanup_interval expires. The default value of arp_cleanup_interval in Solaris 8/9 is 300000 ms (5 minutes).
ARP attacks may be effective if arp_cleanup_interval is set to a value that allows unsolicited entries to remain in the ARP cache for long periods, since an attacker could arrange to fill the ARP cache with bogus entries that then persist for the whole interval. On Solaris, the time-to-live of unsolicited entries is given in milliseconds by arp_cleanup_interval. Shorten the interval to reduce the effectiveness of ARP attacks, for example to 60000 ms (1 minute). Note: static ARP table entries entered with "/usr/sbin/arp -s" do not expire. Shortening the interval may increase network traffic, since the ARP cache will be refreshed more often.
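The following script is an added example, not part of the original post, showing how an administrator would audit and tune this parameter with ndd(1M) on Solaris 8/9. It assumes the standard /usr/sbin/ndd binary and the /dev/arp device; the 60000 ms upper bound is the value recommended above, and when ndd is not installed (for example when the script is tried on another system) the getter returns a constructed sample equal to the Solaris 8/9 default so the check logic can still be exercised.

```shell
#!/bin/sh
# Added example (not from the original post): audit and tune the Solaris
# arp_cleanup_interval parameter with ndd(1M).

NDD=/usr/sbin/ndd           # Solaris ndd binary
ARP_DEV=/dev/arp            # driver that owns arp_cleanup_interval
PARAM=arp_cleanup_interval
MAX_MS=60000                # recommended upper bound: 1 minute, in milliseconds

# Print the current value in milliseconds. When ndd is absent, print a
# constructed sample equal to the Solaris 8/9 default (300000 ms).
get_arp_cleanup_interval() {
    if [ -x "$NDD" ]; then
        "$NDD" -get "$ARP_DEV" "$PARAM"
    else
        echo 300000
    fi
}

# Exit status 0 when the value is within MAX_MS, 1 when unsolicited ARP
# entries would outlive the recommended bound, 2 when the input is not a
# non-negative integer (e.g. an ndd error message instead of a number).
check_arp_cleanup_interval() {
    val=$1
    case "$val" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$val" -le "$MAX_MS" ]
}

# Render milliseconds as "N ms (S s)" for log output.
ms_to_text() {
    ms=$1
    printf '%d ms (%d s)\n' "$ms" $((ms / 1000))
}

# Apply a new value at runtime. ndd settings do not survive a reboot, so the
# same ndd -set line also belongs in an rc script run at boot.
set_arp_cleanup_interval() {
    new=$1
    case "$new" in
        ''|*[!0-9]*) echo "refusing non-numeric value: $new" >&2; return 2 ;;
    esac
    if [ -x "$NDD" ]; then
        "$NDD" -set "$ARP_DEV" "$PARAM" "$new"
    else
        echo "would run: $NDD -set $ARP_DEV $PARAM $new"
    fi
}

# Report whether the live (or sample) value meets the recommendation.
audit_arp_cleanup_interval() {
    cur=$(get_arp_cleanup_interval)
    if check_arp_cleanup_interval "$cur"; then
        echo "OK: $PARAM = $(ms_to_text "$cur")"
    else
        echo "WARN: $PARAM = $(ms_to_text "$cur") exceeds $(ms_to_text "$MAX_MS")"
        echo "fix: $NDD -set $ARP_DEV $PARAM $MAX_MS"
    fi
}

audit_arp_cleanup_interval
```

Run it as root on the Solaris host to see the WARN line against a default configuration; the suggested fix line is the exact ndd invocation to lower the interval, and the same line must be added to a boot-time rc script because ndd changes are lost on reboot.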