Proxy ARP
Encyclopedia
Proxy ARP is a technique by which a device on a given network answers the ARP
queries for a network address
that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel
.
The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as 'publishing'. A Proxy ARP Simulation visualizes how a router responds to ARP request on behalf of the target host at different networks. See ARP cache updates at host, router, remote host.
Joining a broadcast LAN with serial
links (e.g., dialup
or VPN
connections).
Taking multiple addresses from a LAN
On a firewall
Mobile-IP
Transparent subnet gatewaying
For example, suppose a host, say A, wants to contact another host B, where B is on a different subnet/broadcast domain than A. For this, host A will send an ARP
request with a Destination IP address of B in its ARP packet. The multi-homed router which is connected to both the subnets, responds to host A's request with its MAC address instead of host B's actual MAC
address, thus proxying for host B. In the due course of time, when host A sends a packet to the router which is actually destined to host B, the router just forwards the packet to host B. The communication between host A and B is totally unaware of the router proxying for each other.
on broadcast networks (e.g., Ethernet
), most notably CARP
and Virtual Router Redundancy Protocol
.
Proxy ARP can create DoS attacks on networks if misconfigured. For example a misconfigured router with proxy ARP has the ability to receive packets destined for other hosts (as it gives its own MAC address in response to ARP requests for other hosts/routers), but may not have the ability to correctly forward these packets on to their final destination, thus blackholing the traffic.
Address Resolution Protocol
Address Resolution Protocol is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37...
queries for a network address
Network layer
The network layer is layer 3 of the seven-layer OSI model of computer networking.The network layer is responsible for packet forwarding including routing through intermediate routers, whereas the data link layer is responsible for media access control, flow control and error checking.The network...
that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel
Tunneling protocol
Computer networks use a tunneling protocol when one network protocol encapsulates a different payload protocol...
.
The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as 'publishing'. A Proxy ARP Simulation visualizes how a router responds to ARP request on behalf of the target host at different networks. See ARP cache updates at host, router, remote host.
Uses
Below are some typical uses for proxy ARP:Joining a broadcast LAN with serial
Serial communications
In telecommunication and computer science, serial communication is the process of sending data one bit at a time, sequentially, over a communication channel or computer bus. This is in contrast to parallel communication, where several bits are sent as a whole, on a link with several parallel channels...
links (e.g., dialup
Dial-up access
Dial-up Internet access is a form of Internet access that uses the facilities of the public switched telephone network to establish a dialled connection to an Internet service provider via telephone lines...
or VPN
Virtual private network
A virtual private network is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network....
connections).
- Assume an Ethernet broadcast domain (e.g., a group of stations connected to the same hub) using a certain IPv4 address range (e.g., 192.168.0.0/24, where 192.168.0.1 – 192.168.0.127 are assigned to wired nodes). One or more of the nodes is an access router accepting dialup or VPN connections. The access router gives the dial-up nodes IP addresses in the range 192.168.0.128 – 192.168.0.254; for this example, assume a dial-up node gets IP address 192.168.0.254.
- The access router uses Proxy ARP to make the dial-up node present in the subnet without being wired into the Ethernet: the access server 'publishes' its own MAC address for 192.168.0.254. Now, when another node wired into the Ethernet wants to talk to the dial-up node, it will ask on the network for the MAC address of 192.168.0.254 and find the access server's MAC address. It will therefore send its IP packets to the access server, and the access server will know to pass them on to the particular dial-up node. All dial-up nodes therefore appear to the wired Ethernet nodes as if they are wired into the same Ethernet subnet.
Taking multiple addresses from a LAN
- Assume a station (e.g., a server) with an interface (10.0.0.2) connected to a network (10.0.0.0/24). Certain applications may require multiple IP addresses on the server. Provided the addresses have to be from the 10.0.0.0/24 range, the way the problem is solved is through Proxy ARP. Additional addresses (say, 10.0.0.230-10.0.0.240) are aliasedAliasingIn signal processing and related disciplines, aliasing refers to an effect that causes different signals to become indistinguishable when sampled...
to the loopbackLoopbackLoopback describes ways of routing electronic signals, digital data streams, or flows of items from their originating facility back to the source without intentional processing or modification...
interface of the server (or assigned to special interfaces, the latter typically being the case with VMwareVMwareVMware, Inc. is a company providing virtualization software founded in 1998 and based in Palo Alto, California, USA. The company was acquired by EMC Corporation in 2004, and operates as a separate software subsidiary ....
/UMLUser-mode LinuxUser-mode Linux enables multiple virtual Linux systems to run as an application within a normal Linux system...
/jails/vserversLinux-VServerLinux-VServer is a virtual private server implementation that was created by adding operating system-level virtualization capabilities to the Linux kernel. It is developed and distributed as open source software.The project was started by Jacques Gélinas...
/other virtual server environments) and 'published' on the 10.0.0.2 interface (although many operating systems allow direct allocation of multiple addresses to one interface, thus eliminating the need for such tricks).
On a firewall
- In this scenario a firewall can be configured with a single IP address. One simple example of a use for this would be placing a firewall in front of a single host or group of hosts on a subnet. Example- A network (10.0.0.0/8) has a server which should be protected (10.0.0.20) a proxy-arp firewall can be placed in front of the server. In this way the server is put behind a firewall without making any changes to the network at all.
Mobile-IP
- In case of Mobile-IPMobile IPMobile IP is an Internet Engineering Task Force standard communications protocol that is designed to allow mobile device users to move from one network to another while maintaining a permanent IP address. Mobile IP for IPv4 is described in IETF RFC 5944, and extensions are defined in IETF RFC 4721...
the Home Agent uses Proxy ARP in order to receive messages on behalf of the Mobile Node, so that it can forward the appropriate message to the actual mobile node's address (Care-of address).
Transparent subnet gatewaying
- A setup that involves two physical segments sharing the same IP subnet and connected together via a router. This use is documented in RFC 1027.
Advantages
The advantage of Proxy ARP over other networking schemes is simplicity. A network can be extended using this technique without the knowledge of the upstream router.For example, suppose a host, say A, wants to contact another host B, where B is on a different subnet/broadcast domain than A. For this, host A will send an ARP
Address Resolution Protocol
Address Resolution Protocol is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37...
request with a Destination IP address of B in its ARP packet. The multi-homed router which is connected to both the subnets, responds to host A's request with its MAC address instead of host B's actual MAC
Media Access Control
The media access control data communication protocol sub-layer, also known as the medium access control, is a sublayer of the data link layer specified in the seven-layer OSI model , and in the four-layer TCP/IP model...
address, thus proxying for host B. In the due course of time, when host A sends a packet to the router which is actually destined to host B, the router just forwards the packet to host B. The communication between host A and B is totally unaware of the router proxying for each other.
Disadvantages
Disadvantage of Proxy ARP include scalability (ARP resolution is required for every device routed in this manner) and reliability (no fallback mechanism is present, and masquerading can be confusing in some environments). ARP manipulation techniques, however, are the basis for protocols providing redundancyRedundancy (engineering)
In engineering, redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the case of a backup or fail-safe....
on broadcast networks (e.g., Ethernet
Ethernet
Ethernet is a family of computer networking technologies for local area networks commercially introduced in 1980. Standardized in IEEE 802.3, Ethernet has largely replaced competing wired LAN technologies....
), most notably CARP
Common Address Redundancy Protocol
The Common Address Redundancy Protocol or CARP is a protocol which allows multiple hosts on the same local network to share a set of IP addresses. Its primary purpose is to provide failover redundancy, especially when used with firewalls and routers. In some configurations CARP can also provide...
and Virtual Router Redundancy Protocol
Virtual Router Redundancy Protocol
The Virtual Router Redundancy Protocol is a computer networking protocol that provides for automatic assignment of available Internet Protocol routers to participating hosts...
.
Proxy ARP can create DoS attacks on networks if misconfigured. For example a misconfigured router with proxy ARP has the ability to receive packets destined for other hosts (as it gives its own MAC address in response to ARP requests for other hosts/routers), but may not have the ability to correctly forward these packets on to their final destination, thus blackholing the traffic.
Further reading
- RFC 925 – Multi-LAN Address Resolution
- RFC 1027 – Using ARP to Implement Transparent Subnet Gateways
- W. Richard StevensW. Richard StevensWilliam Richard Stevens was one of the most famous and widely acclaimed authors of UNIX and TCP/IP books.-Biography:...
. The Protocols (TCP/IP Illustrated, Volume 1). Addison-Wesley Professional; 1st edition (December 31, 1993). ISBN 0-201-63346-9