Proxy ARP

Last updated

Proxy ARP is a technique by which a proxy server on a given network answers the Address Resolution Protocol (ARP) queries for an IP address that is not on that network. The proxy is aware of the location of the traffic's destination and offers its own MAC address as the (ostensibly final) destination. [1] The traffic directed to the proxy address is then typically routed by the proxy to the intended destination via another interface or via a tunnel.

Contents

The process, which results in the proxy server responding with its own MAC address to an ARP request for a different IP address for proxying purposes, is sometimes referred to as publishing.

Uses

Below are some typical uses for proxy ARP:

Joining a broadcast LAN with serial links (e.g., dialup or VPN connections).
Assume an Ethernet broadcast domain (e.g., a group of stations connected to the same hub or switch (VLAN)) using a certain IPv4 address range (e.g., 192.168.0.0/24, where 192.168.0.1 – 192.168.0.127 are assigned to wired nodes). One or more of the nodes is an access router accepting dialup or VPN connections. The access router gives the dial-up nodes IP addresses in the range 192.168.0.128 – 192.168.0.254; for this example, assume a dial-up node gets IP address 192.168.0.254.
The access router uses proxy ARP to make the dial-up node present in the subnet without being wired into the Ethernet: the access router 'publishes' its own MAC address for 192.168.0.254. Now, when another node wired into the Ethernet wants to talk to the dial-up node, it will ask on the network for the MAC address of 192.168.0.254 and find the access router's MAC address. It will therefore send its IP packets to the access router, and the access router will know to pass them on to the particular dial-up node. All dial-up nodes therefore appear to the wired Ethernet nodes as if they are wired into the same Ethernet subnet.
Taking multiple addresses from a LAN
Assume a station (e.g., a server) with an interface (10.0.0.2) connected to a network (10.0.0.0/24). Certain applications may require multiple IP addresses on the server. Provided the addresses have to be from the 10.0.0.0/24 range, the way the problem is solved is through proxy ARP. Additional addresses (say, 10.0.0.230-10.0.0.240) are aliased to the loopback interface of the server (or assigned to special interfaces, the latter typically being the case with VMware/UML/jails/vservers/other virtual server environments) and 'published' on the 10.0.0.2 interface (although many operating systems allow direct allocation of multiple addresses to one interface, thus eliminating the need for such workarounds).
On a firewall
In this scenario a firewall can be configured with a single IP address. One simple example of a use for this would be placing a firewall in front of a single host or group of hosts on a subnetwork. Example: A network (10.0.0.0/8) has a server (10.0.0.20) that should be protected. A proxy ARP firewall can be placed in front of the server. In this way the server is put behind a firewall without having to make any further changes to the network.
Mobile-IP
In case of Mobile-IP the Home Agent uses proxy ARP in order to receive messages on behalf of the Mobile Node so that it can forward the appropriate message to the actual mobile node's address (Care-of address).
Transparent subnet gatewaying
A setup that involves two physical segments sharing the same IP subnet and connected together via a router. This use is documented in RFC 1027.
Redundancy
ARP manipulation techniques are the basis for protocols providing redundancy on broadcast networks (e.g., Ethernet), most notably Common Address Redundancy Protocol and Virtual Router Redundancy Protocol.

Disadvantages

Disadvantage of proxy ARP include scalability as ARP resolution by a proxy is required for every device routed in this manner, and reliability as no fallback mechanism is present, and masquerading can be confusing in some environments.

Proxy ARP can create DoS attacks on networks if misconfigured. For example, a misconfigured router with proxy ARP has the ability to receive packets destined for other hosts (as it gives its own MAC address in response to ARP requests for other hosts/routers), but may not have the ability to correctly forward these packets on to their final destination, thus blackholing the traffic.

Proxy ARP can hide device misconfigurations, such as a missing or incorrect default gateway.

Implementations

Related Research Articles

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.

An Internet Protocol address is a numerical label such as 192.0.2.1 that is assigned to a device connected to a computer network that uses the Internet Protocol for communication. IP addresses serve two main functions: network interface identification, and location addressing.

Internetwork Packet Exchange (IPX) is the network layer protocol in the IPX/SPX protocol suite. IPX is derived from Xerox Network Systems' IDP. It also has the ability to act as a transport layer protocol.

<span class="mw-page-title-main">Internet Protocol version 4</span> Fourth version of the Internet Protocol

Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It is still used to route most Internet traffic today, even with the ongoing deployment of Internet Protocol version 6 (IPv6), its successor.

<span class="mw-page-title-main">Wake-on-LAN</span> Mechanism to wake up computers via a network

Wake-on-LAN is an Ethernet or Token Ring computer networking standard that allows a computer to be turned on or awakened from sleep mode by a network message.

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.

<span class="mw-page-title-main">Routing table</span> Data table stored in a router that lists the routes to network destinations

In computer networking, a routing table, or routing information base (RIB), is a data table stored in a router or a network host that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with those routes. The routing table contains information about the topology of the network immediately around it.

<span class="mw-page-title-main">Network address translation</span> Protocol facilitating connection of one IP address space to another

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

A virtual local area network (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer. In this context, virtual refers to a physical object recreated and altered by additional logic, within the local area network. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

A broadcast address is a network address used to transmit to all devices connected to a multiple-access communications network. A message sent to a broadcast address may be received by all network-attached hosts.

Internet Connection Sharing (ICS) is a Windows service that enables one Internet-connected computer to share its Internet connection with other computers on a local area network (LAN). The computer that shares its Internet connection serves as a gateway device, meaning that all traffic between other computers and the Internet go through this computer. ICS provides Dynamic Host Configuration Protocol (DHCP) and network address translation (NAT) services for the LAN computers.

A default gateway is the node in a computer network using the Internet protocol suite that serves as the forwarding host (router) to other networks when no other route specification matches the destination IP address of a packet.

anoNet is a decentralized friend-to-friend network built using VPNs and software BGP routers. anoNet works by making it difficult to learn the identities of others on the network allowing them to anonymously host IPv4 and IPv6 services. One of the primary goals of anoNet is to protect its participants' rights of speech and expression.

The Neighbor Discovery Protocol (NDP), or simply Neighbor Discovery (ND), is a protocol of the Internet protocol suite used with Internet Protocol Version 6 (IPv6). It operates at the internet layer of the Internet model, and is responsible for gathering various information required for network communication, including the configuration of local connections and the domain name servers and gateways.

A UDP Helper Address is a special router configuration used to forward broadcast network traffic from a client machine on one subnet to a server in another subnet.

<span class="mw-page-title-main">Computer network</span> Network that allows computers to share resources and communicate with each other

A computer network is a set of computers sharing resources located on or provided by network nodes. Computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are made up of telecommunication network technologies based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies.

In computer networking, a link-local address is a network address that is valid only for communications on a local link, i.e. within a subnetwork that a host is connected to. Link-local addresses are most often unicast network addresses assigned automatically through a process known as stateless address autoconfiguration (SLAAC) or link-local address autoconfiguration, also known as automatic private IP addressing (APIPA) or auto-IP. Link-local addresses are not all unicast; e.g. IPv6 addresses beginning with ff02:, and IPv4 addresses beginning with 224.0.0. are multicast addresses that are link-local.

<span class="mw-page-title-main">Private VLAN</span> Computer network security technique

Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given uplink. The restricted ports are called private ports. Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port connected to a router, firewall, server, provider network, or similar central resource.

IP routing is the application of routing methodologies to IP networks. This involves not only protocols and technologies but includes the policies of the worldwide organization and configuration of Internet infrastructure. In each IP network node, IP routing involves the determination of a suitable path for a network packet from a source to its destination in an IP network. The process uses static configuration rules or dynamically obtained from routing protocols to select specific packet forwarding methods to direct traffic to the next available intermediate network node one hop closer to the desired final destination, a total path potentially spanning multiple computer networks.

The link layer is the lowest layer in the TCP/IP model. It is also referred to as the network interface layer and mostly equivalent to the data link layer plus physical layer in OSI. This particular layer has several unique security vulnerabilities that can be exploited by a determined adversary.

References

  1. Hal Stern (October 10, 2001). "ARP networking tricks". ITworld. Archived from the original on November 7, 2017. Retrieved November 3, 2017.
  2. "arp(8) man page". Archived from the original on 2019-06-27. Retrieved 2019-08-09.
  3. "Pseudo-bridges with Proxy-ARP". Archived from the original on 2022-12-06. Retrieved 2022-12-06.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.