ARP

From Network Security Wiki


Basics

  • Address Resolution Protocol (ARP) maps an IPv4 address to the physical (MAC) address of a machine on the same local link.

ARP Header

Hardware type (Ethernet = 1)
Protocol type (IPv4 = 0x0800)
Hardware address length (Ethernet = 6)
Protocol address length (IPv4 = 4)
Operation (1 = request, 2 = reply)
Sender MAC
Sender IP
Target MAC
Target IP

For Ethernet/IPv4 the header is 28 bytes in total, and the Ethernet frame that carries it uses EtherType 0x0806. In a request the Target MAC is unknown and is normally sent as all zeros.

RARP

  • Rendered obsolete by BOOTP and DHCP.
  • Both support a much greater feature set than RARP.
  • RARP could only supply an IP address; it carried no gateway, DNS or other configuration.


Gratuitous ARP

  • The Sender IP Address and Target IP Address fields are both set to the sender's own IP address.
  • The destination MAC in the Ethernet frame is the broadcast address ff:ff:ff:ff:ff:ff.
  • No reply is expected; if one does arrive, another host is already using that IP address.
  • A gratuitous ARP reply is a reply for which no request has been made.
GARP can be useful for the following reasons:
  • It can help detect IP conflicts.
  • It assists in updating other machines' ARP tables.
  • It informs switches of the MAC address of the machine on a given switch port.
  • When a link comes up, the interface driver sends a gratuitous ARP so that the other local hosts update their ARP tables.
  • Frequent repeated GARPs from the same host may point to a flapping link caused by bad Ethernet hardware or cabling.
  • Because a GARP is unsolicited and unauthenticated, and most stacks accept it without checking, the same mechanism is what ARP cache poisoning relies on: any host on the segment can broadcast a claim for any IP address.
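The following is an added example, not code from the wiki: it builds and parses Ethernet/IPv4 ARP frames laid out exactly as in the header table above, classifies gratuitous ARP by the sender IP == target IP rule, and runs a passive IP-conflict check that reports when two different MACs announce the same IP. The MAC addresses and the 192.0.2.x addresses are constructed for the demo.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constants from the ARP header table (Ethernet/IPv4 only)
ETH_P_ARP = 0x0806        # EtherType that carries ARP
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


@dataclass
class ArpPacket:
    eth_dst: bytes
    eth_src: bytes
    op: int
    sender_mac: bytes
    sender_ip: str
    target_mac: bytes
    target_ip: str


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_dst: bytes, sender_mac: bytes, sender_ip: str,
                    target_mac: bytes, target_ip: str, op: int) -> bytes:
    """Ethernet II header followed by the 28-byte ARP body, fields in header-table order."""
    eth = struct.pack("!6s6sH", eth_dst, sender_mac, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                      sender_mac, ip_bytes(sender_ip), target_mac, ip_bytes(target_ip))
    return eth + arp


def build_gratuitous_arp(mac: bytes, ip: str, op: int = OP_REQUEST) -> bytes:
    """Gratuitous ARP: broadcast frame with sender IP == target IP == the host's own IP.
    Target MAC is zero in the request form and the sender's own MAC in the reply form."""
    return build_arp_frame(BROADCAST, mac, ip, ZERO_MAC if op == OP_REQUEST else mac, ip, op)


def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Parse an untagged Ethernet II frame carrying Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(eth_dst, eth_src, op, sha, ip_str(spa), tha, ip_str(tpa))


def classify(p: ArpPacket) -> str:
    """Gratuitous ARP is recognised by sender IP == target IP on a broadcast frame."""
    if p.sender_ip == p.target_ip and p.eth_dst == BROADCAST:
        return "gratuitous-request" if p.op == OP_REQUEST else "gratuitous-reply"
    return {OP_REQUEST: "request", OP_REPLY: "reply"}.get(p.op, f"op-{p.op}")


class ArpMonitor:
    """Passive IP-conflict detector: remember which MAC last announced each sender IP
    and report when a different MAC announces the same IP."""

    def __init__(self) -> None:
        self.claims = {}  # sender IP -> MAC bytes

    def observe(self, frame: bytes) -> Optional[str]:
        p = parse_arp_frame(frame)
        prev = self.claims.get(p.sender_ip)
        self.claims[p.sender_ip] = p.sender_mac
        if prev is not None and prev != p.sender_mac:
            return (f"IP conflict: {p.sender_ip} announced by {mac_str(prev)} "
                    f"and now by {mac_str(p.sender_mac)} ({classify(p)})")
        return None


if __name__ == "__main__":
    # Constructed demo: host A announces 192.0.2.10, then host B claims the same IP.
    mon = ArpMonitor()
    print(mon.observe(build_gratuitous_arp(mac_bytes("00:11:22:33:44:55"), "192.0.2.10")))
    print(mon.observe(build_gratuitous_arp(mac_bytes("66:77:88:99:aa:bb"), "192.0.2.10", OP_REPLY)))
```

The monitor keys on the ARP sender fields rather than the Ethernet source address, because that is what a receiving stack uses to update its cache; a real deployment would also want to compare the two, since a sender MAC that differs from the frame's source MAC is itself worth alerting on.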


Proxy ARP

  • ARP was designed to be used by devices that are directly connected on a local network.
  • ARP relies on broadcasts which are not propagated beyond a Router.
  • Therefore ARP cannot function between devices on different physical networks.
  • When such operation is required, a router can be configured as an ARP proxy: it answers ARP requests on behalf of a device on a different network, supplying its own MAC address so that traffic for that device is sent to the router.


Scenario


SRX Performing Static NAT


  • Here the SRX interface ge-0/0/0.0 has IP address 1.1.1.1/24.
  • The ISP router (not shown) needs to send a packet to the destination IP address 1.1.1.2, a static NAT address that the SRX translates but that is not configured on any of its interfaces.
  • The router sends an ARP request for the IP address 1.1.1.2.
  • If proxy ARP is not configured on the SRX, it does not reply to the ARP request, because 1.1.1.2 is not configured on interface ge-0/0/0.0.
  • The ARP request times out and the packet is dropped at the router.
  • If proxy ARP is configured on interface ge-0/0/0.0 for the IP 1.1.1.2, the SRX answers the router's ARP request for 1.1.1.2 with its own MAC address.
  • The router can then send the packet for destination IP 1.1.1.2 to the MAC address of the SRX.


Configuration

Identify the interface and the IP address for which proxy ARP is needed:

Address: 1.1.1.2
Interface: ge-0/0/0.0

The proxy ARP command on the SRX is:

set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.2/32
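The exchange described in the scenario, as an added Python simulation that is not Juniper code and not part of the wiki page: the router broadcasts a request, and the SRX side answers only when the target IP is configured on the interface or covered by a proxy-ARP entry. Proxy-ARP entries are modelled as prefixes such as 1.1.1.2/32 to match the command shown; the MAC addresses and the router address 1.1.1.254 are assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


@dataclass
class ArpMessage:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class Interface:
    """Model of an SRX interface: its own addresses plus proxy-ARP entries."""
    name: str
    mac: str
    addresses: List[str]                                # e.g. ["1.1.1.1/24"]
    proxy_arp: List[str] = field(default_factory=list)  # e.g. ["1.1.1.2/32"]

    def owns(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_interface(a).ip == addr for a in self.addresses)

    def proxies(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(p, strict=False) for p in self.proxy_arp)


def handle_arp_request(iface: Interface, req: ArpMessage) -> Optional[ArpMessage]:
    """SRX side. Reply with the interface MAC when the target IP is configured on the
    interface or covered by a proxy-ARP entry; otherwise stay silent."""
    if req.op != OP_REQUEST:
        return None
    if not (iface.owns(req.target_ip) or iface.proxies(req.target_ip)):
        return None                       # router's request times out, packet dropped
    return ArpMessage(OP_REPLY, iface.mac, req.target_ip, req.sender_mac, req.sender_ip)


def resolve(router_mac: str, router_ip: str, target_ip: str, iface: Interface) -> Optional[str]:
    """Router side: broadcast a request for target_ip and return the MAC learned, or None."""
    req = ArpMessage(OP_REQUEST, router_mac, router_ip, ZERO_MAC, target_ip)
    reply = handle_arp_request(iface, req)
    return reply.sender_mac if reply else None


if __name__ == "__main__":
    srx = Interface("ge-0/0/0.0", "00:11:22:aa:bb:cc", ["1.1.1.1/24"])
    print("1.1.1.2 without proxy-arp:", resolve("00:11:22:00:00:01", "1.1.1.254", "1.1.1.2", srx))
    # equivalent of: set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.2/32
    srx.proxy_arp.append("1.1.1.2/32")
    print("1.1.1.2 with proxy-arp:   ", resolve("00:11:22:00:00:01", "1.1.1.254", "1.1.1.2", srx))
```

Note that the reply's sender IP field carries the proxied address 1.1.1.2, not the interface's own 1.1.1.1; on the wire this is indistinguishable from the SRX impersonating a host at 1.1.1.2, which is exactly the point raised under Disadvantages.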


Disadvantages
  • Complexity.
  • If more than one router connects two physical networks using the same network ID, both may answer the same request and hosts end up with inconsistent ARP entries.
  • It introduces a security risk: the router deliberately "impersonates" other devices, and on the wire this is indistinguishable from ARP spoofing, so it cannot be distinguished from an attack by looking at the ARP traffic alone.

For these reasons, it may be better to redesign the network so that routing is done between physical networks separated by a router.

Inverse ARP

  • Used in Frame Relay to learn the IP address at the far end of a virtual circuit from its DLCI, the reverse of ARP's IP-to-hardware mapping.



Packet Captures

  1. Gratuitous ARP
  2. Gratuitous ARP HSRP
  3. RARP Request
  4. ARP Storm

