Static ARP configuration
Latest revision as of 13:15, 9 May 2012
Static ARP configuration refers to setting up a host with predefined (permanent) ARP entries that are not aged out and are not overwritten by ARP replies arriving from the network. Because ARP poisoning works precisely by injecting replies that overwrite the dynamic IP-to-MAC mapping for a gateway or server, pinning that mapping is a direct countermeasure, and it can be done at the operating system level without any support from the switch.
Reading your ARP Tables
On Linux, you can type the following:
root ~ # arp -n
and receive something like:
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   5c:da:d4:4d:85:b4   C                     ra0
10.42.43.10              ether   00:24:21:f5:fa:c4   C                     eth0
This example was taken on a router. Its IP addresses are:
root ~ # ifconfig|grep inet
          inet addr:10.42.43.1  Bcast:10.42.43.255  Mask:255.255.255.0
          inet6 addr: fe80::92e6:baff:fe76:243a/64 Scope:Link
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::226:82ff:fe20:6559/64 Scope:Link
The router holds 10.42.43.1 on eth0 (the 10.42.43.0/24 subnet, one of the private ranges reserved in RFC 1918) and 192.168.1.2 on ra0; 127.0.0.1 is only the loopback address and plays no part in the forwarding. It routes the 10.42.43.0/24 subnet's traffic out through the 192.168.1.1 gateway on ra0. You can see this by typing:
root ~ # route -n
Which will give you:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.42.43.0      0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 ra0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ra0
Returning to the earlier output of `arp -n`:
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   5c:da:d4:4d:85:b4   C                     ra0
10.42.43.10              ether   00:24:21:f5:fa:c4   C                     eth0
it shows the hardware (MAC) address of the gateway (192.168.1.1, reached via ra0) and of one client (10.42.43.10) on the 10.42.43.0/24 subnet. The C flag marks a complete, dynamically learned entry: it ages out and can be overwritten by a later ARP reply for that IP, which is exactly the behaviour ARP poisoning exploits. A static entry shows the M (permanent) flag instead.
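The following script, added here as a worked example and not part of the original page, turns a table like the one above into static entries and then checks a later table against a saved baseline. Both sample tables are constructed: the first copies the two entries shown above, the second has the gateway's MAC replaced by a made-up attacker MAC. `ip neigh replace ... nud permanent` is the iproute2 form of the classic `arp -s IP MAC`.

```shell
#!/bin/sh
# Added example (not from the original page): pin the entries of a dynamic ARP
# table as static ones and detect later changes to them. Runs on the constructed
# samples below; on a real host feed it `arp -n` instead.

# Constructed sample, laid out like the `arp -n` output shown on the page.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   5c:da:d4:4d:85:b4   C                     ra0
10.42.43.10              ether   00:24:21:f5:fa:c4   C                     eth0'

# Constructed sample of the same table after a spoofed reply for the gateway:
# same IP, a made-up attacker MAC, still flagged C (complete/dynamic).
SPOOFED_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   de:ad:be:ef:00:01   C                     ra0
10.42.43.10              ether   00:24:21:f5:fa:c4   C                     eth0'

# parse_arp: `arp -n` text on stdin -> "ip mac iface" per complete entry.
# Incomplete entries ("(incomplete)" instead of a MAC) are skipped: pinning an
# unknown MAC would only cut that host off.
parse_arp() {
    awk '$2 == "ether" && length($3) == 17 && $3 ~ /^[0-9a-f:]+$/ { print $1, $3, $NF }'
}

# static_arp_cmds: one `ip neigh replace ... nud permanent` per entry. A
# PERMANENT entry never expires and is not overwritten by ARP replies,
# solicited or not, so a spoofed reply for the gateway no longer redirects
# traffic.
static_arp_cmds() {
    parse_arp | while read -r ip mac iface; do
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$ip" "$mac" "$iface"
    done
}

# arp_diff BASELINE_FILE: compare the table on stdin with a saved parse_arp
# snapshot. Prints "CHANGED ip old new" when a MAC moved and "NEW ip mac" for
# an IP absent from the baseline; exit status 1 if anything differs, else 0.
arp_diff() {
    parse_arp | awk -v base="$1" '
        BEGIN { bad = 0; while ((getline line < base) > 0) { split(line, f, " "); old[f[1]] = f[2] } }
        !($1 in old)  { print "NEW", $1, $2; bad = 1; next }
        old[$1] != $2 { print "CHANGED", $1, old[$1], $2; bad = 1 }
        END { exit bad }'
}

# Stand-alone demonstration: emit the pin commands for the clean table, then
# compare the spoofed table against a baseline taken from the clean one.
printf '%s\n' "$SAMPLE_ARP" | static_arp_cmds
baseline=$(mktemp)
printf '%s\n' "$SAMPLE_ARP" | parse_arp > "$baseline"
printf '%s\n' "$SPOOFED_ARP" | arp_diff "$baseline" || echo "ARP table differs from baseline"
rm -f "$baseline"
```

On a real host, run `arp -n | static_arp_cmds | sh` as root and confirm with `ip neigh show`, which lists the entries as PERMANENT (`arp -n` shows flag M). Two caveats: pinning is one-sided, so the gateway and servers should pin their clients as well, otherwise the return path can still be poisoned; and static entries do not follow NIC replacements or DHCP lease changes, so pin fixed infrastructure addresses, keep the baseline file under change control, and reapply the commands at boot.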
Prevention
ProxyARP
Proxy ARP (Address Resolution Protocol) is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel.
The process by which a node responds with its own MAC address to an ARP request for a different IP address, for proxying purposes, is sometimes referred to as 'publishing'.
Uses
Below are some typical uses for proxy ARP:
- Joining a broadcast LAN with serial links (e.g., dialup or VPN connections).
- Assume an Ethernet broadcast domain (e.g., a group of stations connected to the same hub) using a certain IPv4 address range (e.g., 192.168.0.0/24, where 192.168.0.1 - 192.168.0.127 are assigned to wired nodes). One or more of the nodes is an access router accepting dialup or VPN connections. The access router gives the dial-up nodes IP addresses in the range 192.168.0.128 - 192.168.0.254; for this example, assume a dial-up node gets IP address 192.168.0.254.
- The access router uses Proxy ARP to make the dial-up node present in the subnet without being wired into the Ethernet: the access router 'publishes' its own MAC address for 192.168.0.254. Now, when another node wired into the Ethernet wants to talk to the dial-up node, it will ask on the network for the MAC address of 192.168.0.254 and find the access router's MAC address. It will therefore send its IP packets to the access router, which knows to pass them on to the particular dial-up node. All dial-up nodes therefore appear to the wired Ethernet nodes as if they were wired into the same Ethernet subnet.
- Taking multiple addresses from a LAN
- Assume a station (e.g., a server) with an interface (10.0.0.2) connected to a network (10.0.0.0/24). Certain applications may require multiple IP addresses on the server. Provided the addresses have to be from the 10.0.0.0/24 range, the problem can be solved through Proxy ARP. Additional addresses (say, 10.0.0.230-10.0.0.240) are aliased to the loopback interface of the server (or assigned to special interfaces, the latter typically being the case with VMware/UML/jails/vservers/other virtual server environments) and 'published' on the 10.0.0.2 interface. Many operating systems allow direct allocation of multiple addresses to one interface, which eliminates the need for such tricks.
- On a firewall
- In this scenario a firewall can be configured with a single IP address. One simple example is placing a firewall in front of a single host or group of hosts on a subnet. Example: a network (10.0.0.0/8) has a server (10.0.0.20) which should be protected; a proxy-ARP firewall can be placed in front of the server. In this way the server is put behind a firewall without making any changes to the network at all.
- Mobile-IP
- In case of Mobile-IP the Home Agent uses ProxyARP in order to receive messages on behalf of the Mobile Node, so that it can forward the appropriate message to the actual mobile node's address (Care Of Address).
- Transparent subnet gatewaying
- A setup that involves two physical segments sharing the same IP subnet and connected together via a router. This use is documented in RFC 1027.
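To make the serial-link case above concrete (the transparent subnet gateway case is configured the same way), here is an added example, not from the original page, of the per-address way to do it on a Linux access router with iproute2. The interface names eth0 (LAN) and ppp0 (serial/VPN link) are assumptions; the node address 192.168.0.254 is the one used in the text. The commands are printed rather than executed unless APPLY=1 is set, since they need root.

```shell
#!/bin/sh
# Added example (not from the original page): publish one remote node's address
# on a LAN via Proxy ARP on a Linux access router. Assumed names: LAN interface
# eth0, serial/VPN interface ppp0; 192.168.0.254 is the node from the text.
# Commands are printed, not executed, unless APPLY=1 (they need root).

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# publish_node IP LAN_IF LINK_IF
# 1. forwarding must be on, or the kernel will not answer proxy requests;
# 2. a host route sends IP's traffic out the serial link;
# 3. a per-address proxy entry makes the kernel answer ARP requests for IP on
#    LAN_IF with LAN_IF's own MAC. This is the scoped form of
#    `arp -s IP <lan-mac> pub`; it does not enable
#    net.ipv4.conf.LAN_IF.proxy_arp, which would answer for every address the
#    router has a route to.
publish_node() {
    ip="$1" lan="$2" link="$3"
    run sysctl -w net.ipv4.ip_forward=1
    run ip route replace "$ip/32" dev "$link"
    run ip neigh add proxy "$ip" dev "$lan"
}

# unpublish_node IP LAN_IF LINK_IF: reverse the above when the node disconnects;
# otherwise the router keeps answering for the address and blackholes it.
unpublish_node() {
    ip="$1" lan="$2" link="$3"
    run ip neigh del proxy "$ip" dev "$lan"
    run ip route del "$ip/32" dev "$link"
}

# Stand-alone run: dry-run the publish step for the node from the text.
publish_node 192.168.0.254 eth0 ppp0
```

Verify with `ip neigh show proxy` on the router and `arping 192.168.0.254` from a wired host, which should answer with the router's eth0 MAC. The blanket alternative, `sysctl -w net.ipv4.conf.eth0.proxy_arp=1`, makes the router answer for every address it has a route to and is the usual cause of the blackholing described under Disadvantages below.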
Advantages
The advantage of Proxy ARP over other networking schemes is simplicity. A network can be extended using this technique without the knowledge of the upstream router.
For example, suppose a host A wants to contact another host B, where B is on a different subnet/broadcast domain than A. Host A sends an ARP request carrying B's IP address as the target. The multi-homed router connected to both subnets answers A's request with its own MAC address instead of B's, thus proxying for B. When A later sends a packet addressed to B, the packet arrives at the router, which simply forwards it to B. Neither A nor B is aware that the router is proxying between them.
Disadvantages
Disadvantages of Proxy ARP include scalability (ARP resolution is required for every device routed in this manner) and reliability (no fallback mechanism is present, and masquerading can be confusing in some environments). ARP manipulation techniques, however, are the basis for protocols providing redundancy on broadcast networks (e.g., Ethernet), most notably CARP and Virtual Router Redundancy Protocol.
Proxy ARP can cause denial of service on a network if misconfigured. For example, a misconfigured router with proxy ARP will receive packets destined for other hosts (as it gives its own MAC address in response to ARP requests for those hosts/routers) but may not be able to forward them on to their final destination, thus blackholing the traffic. Note also that on the wire a proxy answering for addresses it does not own looks the same as a host performing ARP poisoning: a static ARP entry for a proxied address must therefore carry the proxy's MAC address, not the final host's, and any ARP monitoring must be told which proxies are legitimate.
Further reading
- RFC 925 - Multi-LAN Address Resolution
- RFC 1027 - Using ARP to Implement Transparent Subnet Gateways
- W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley Professional, 1st edition (December 31, 1993). ISBN 0-201-63346-9