
Proxy ARP is a technique by which a proxy device (typically a router) on a given network answers the Address Resolution Protocol (ARP) queries for an IP address that is not on that network. The proxy knows where the traffic's destination is reachable and offers its own MAC address as the (ostensibly final) destination. The traffic directed to the proxy's MAC address is then typically routed by the proxy to the intended destination via another interface or via a tunnel. The act of responding with one's own MAC address to an ARP request for a different IP address, for proxying purposes, is sometimes referred to as ''publishing'' that address.


Uses

Below are some typical uses for proxy ARP.

Joining a broadcast LAN with serial links (e.g., dialup or VPN connections):
Assume an Ethernet broadcast domain (e.g., a group of stations connected to the same hub or switch (VLAN)) using a certain IPv4 address range (e.g., 192.168.0.0/24, where 192.168.0.1 – 192.168.0.127 are assigned to wired nodes). One or more of the nodes is an access router accepting dialup or VPN connections. The access router gives the dial-up nodes IP addresses in the range 192.168.0.128 – 192.168.0.254; for this example, assume a dial-up node gets IP address 192.168.0.254. The access router uses proxy ARP to make the dial-up node present in the subnet without being wired into the Ethernet: the access router 'publishes' its own MAC address for 192.168.0.254. Now, when another node wired into the Ethernet wants to talk to the dial-up node, it asks on the network for the MAC address of 192.168.0.254 and receives the access router's MAC address. It therefore sends its IP packets to the access router, which knows to pass them on to that particular dial-up node. All dial-up nodes therefore appear to the wired Ethernet nodes as if they were wired into the same Ethernet subnet.

Taking multiple addresses from a LAN:
Assume a station (e.g., a server) with an interface (10.0.0.2) connected to a network (10.0.0.0/24). Certain applications may require multiple IP addresses on the server. If the addresses must come from the 10.0.0.0/24 range, one way to solve the problem is proxy ARP: additional addresses (say, 10.0.0.230 – 10.0.0.240) are aliased to the loopback interface of the server (or assigned to special interfaces, the latter typically being the case with VMware, UML, jails, vservers and other virtual server environments) and 'published' on the 10.0.0.2 interface. Many operating systems allow direct assignment of multiple addresses to one interface, which removes the need for this workaround.

On a firewall:
In this scenario a firewall can be configured with a single IP address. One simple example is placing a firewall in front of a single host or a group of hosts on a subnetwork. Example: a network (10.0.0.0/8) has a server (10.0.0.20) that should be protected. A proxy ARP firewall can be placed in front of the server: it answers ARP requests for 10.0.0.20 with its own MAC address and forwards the filtered traffic on to the server. In this way the server is put behind a firewall without having to make any further changes to the network (no readdressing, no new subnet, no routing changes).

Mobile IP:
In Mobile IP the home agent uses proxy ARP to receive packets on behalf of a mobile node that is away from its home network, so that it can forward them to the mobile node's current care-of address.

Transparent subnet gatewaying:
A setup in which two physical segments share the same IP subnet and are connected by a router. This use is documented in RFC 1027.

Redundancy:
ARP manipulation techniques are the basis for protocols providing redundancy on broadcast networks (e.g., Ethernet), most notably the Common Address Redundancy Protocol (CARP) and the Virtual Router Redundancy Protocol (VRRP).
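How the access router in the dial-up scenario above, and a transparent subnet gateway following the RFC 1027 rule, decide which ARP requests to answer, as an added example in Python (not code from the article or from any operating system's ARP implementation). The interface names, MAC addresses and the 192.168.0.254/32 host route via ppp0 are assumptions chosen to match the example addresses above; the ARP packets are built and parsed in memory, nothing is sent on a real network.

```python
"""Proxy ARP responder logic as an added example (not code from the article
or from any OS implementation). Hypothetical setup: an access router with
wired interface eth0 (MAC 00:11:22:33:44:01) on 192.168.0.0/24 and a
point-to-point link ppp0 carrying a dial-up or VPN client at 192.168.0.254.
Only ARP packets are modelled; nothing is sent on a real network."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2
# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sha: str  # sender hardware (MAC) address
    spa: str  # sender protocol (IPv4) address
    tha: str  # target hardware address
    tpa: str  # target protocol address

    def pack(self) -> bytes:
        return ARP_HDR.pack(1, 0x0800, 6, 4, self.op,
                            mac_bytes(self.sha), ipaddress.IPv4Address(self.spa).packed,
                            mac_bytes(self.tha), ipaddress.IPv4Address(self.tpa).packed)

    @classmethod
    def unpack(cls, raw: bytes) -> "ArpPacket":
        htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack(raw[:ARP_HDR.size])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        return cls(op, mac_str(sha), str(ipaddress.IPv4Address(spa)),
                   mac_str(tha), str(ipaddress.IPv4Address(tpa)))


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


class ProxyArpRouter:
    def __init__(self, if_macs: Dict[str, str], routes: List[Route]):
        self.if_macs = if_macs
        # longest prefix wins, so the /32 host route beats the on-link /24
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, ip: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(ip)
        return next((r for r in self.routes if addr in r.prefix), None)

    def handle(self, in_dev: str, frame: bytes) -> Optional[bytes]:
        """Return the ARP reply to send on in_dev, or None to stay silent."""
        req = ArpPacket.unpack(frame)
        if req.op != ARP_REQUEST:
            return None
        route = self.lookup(req.tpa)
        # RFC 1027 rule: publish our MAC only when the target is reached through
        # a different interface. Answering for an address on the requester's own
        # segment, or for one we cannot forward to, would blackhole its traffic.
        # (Requests for the router's own addresses are ordinary ARP, not proxy.)
        if route is None or route.dev == in_dev:
            return None
        return ArpPacket(ARP_REPLY, sha=self.if_macs[in_dev], spa=req.tpa,
                         tha=req.sha, tpa=req.spa).pack()


def build_request(sha: str, spa: str, tpa: str) -> bytes:
    """Broadcast ARP request as a wired host would send it (tha is all zeros)."""
    return ArpPacket(ARP_REQUEST, sha, spa, "00:00:00:00:00:00", tpa).pack()


def example_router() -> ProxyArpRouter:
    return ProxyArpRouter(
        if_macs={"eth0": "00:11:22:33:44:01"},
        routes=[Route(ipaddress.IPv4Network("192.168.0.254/32"), "ppp0"),  # dial-up client
                Route(ipaddress.IPv4Network("192.168.0.0/24"), "eth0")],   # wired segment
    )


if __name__ == "__main__":
    router = example_router()
    # A wired host (hypothetical 192.168.0.10) asks for the dial-up client...
    reply = router.handle("eth0", build_request("00:11:22:33:44:10", "192.168.0.10", "192.168.0.254"))
    print(ArpPacket.unpack(reply))  # op=2, sha=router MAC, spa=192.168.0.254, addressed to .10
    # ...but asking for another wired host gets no answer from the proxy.
    print(router.handle("eth0", build_request("00:11:22:33:44:10", "192.168.0.10", "192.168.0.50")))
```

The decisive check is the comparison of the route's outgoing interface with the interface the request arrived on: an address reachable on the requester's own segment is never published, so wired hosts keep answering for themselves, and an address with no route at all is never published either. Linux applies the same test when the interface-wide proxy_arp setting is enabled.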


Disadvantages

Disadvantages of proxy ARP include scalability (the proxy must perform ARP resolution for every device reached in this way), reliability (there is no fallback mechanism if the proxy fails) and the confusion the masquerading can cause in some environments, since one MAC address answers for many IP addresses. A misconfigured proxy ARP router can create a denial of service: because it answers ARP requests for other hosts or routers with its own MAC address, it receives the packets destined for them, but if it is not able to forward those packets on to their final destination it blackholes the traffic. Proxy ARP can also hide device misconfigurations, such as a missing or incorrect default gateway: a host with no usable gateway will send ARP requests for off-link addresses directly, and a proxy that answers them keeps the host working until the proxy is removed.
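A check for the failure mode just described, as an added example in Python (not code from the article): it reads ARP replies written in the style of tcpdump -n output and reports which MACs answer for more than one address (publishers) and which addresses are answered by more than one MAC (a proxy competing with the host that really owns the address). The capture lines, MAC addresses and IP addresses are constructed for this example.

```python
"""Audit ARP replies seen on a segment for proxy-ARP style publishing
(added example, not from the article). The capture below is constructed in
the style of tcpdump -n output; every MAC and IP in it is hypothetical."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: the access router 00:11:22:33:44:01 publishes two
# dial-up addresses (legitimate), and also answers for 192.168.0.50, a host
# that is wired into the segment and answers for itself (misconfiguration).
SAMPLE_CAPTURE = """\
12:00:00.000001 ARP, Request who-has 192.168.0.254 tell 192.168.0.10, length 28
12:00:00.000002 ARP, Reply 192.168.0.254 is-at 00:11:22:33:44:01, length 28
12:00:00.000003 ARP, Reply 192.168.0.253 is-at 00:11:22:33:44:01, length 28
12:00:00.000004 ARP, Request who-has 192.168.0.50 tell 192.168.0.10, length 28
12:00:00.000005 ARP, Reply 192.168.0.50 is-at 00:11:22:33:44:50, length 28
12:00:00.000006 ARP, Reply 192.168.0.50 is-at 00:11:22:33:44:01, length 28
12:00:00.000007 ARP, Reply 192.168.0.10 is-at 00:11:22:33:44:10, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)


def parse_replies(capture: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs for every ARP reply line; requests are ignored."""
    replies = []
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append((m.group(1), m.group(2).lower()))
    return replies


def audit(replies: List[Tuple[str, str]], known_proxies: Set[str],
          publish_threshold: int = 2) -> Dict[str, List[str]]:
    """Group replies both ways and report publishers and address conflicts."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    findings = {"publishers": [], "unknown_publishers": [], "conflicts": []}
    # One MAC answering for several addresses is what publishing looks like;
    # if that MAC is not an inventoried proxy, someone else is claiming them.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) >= publish_threshold:
            findings["publishers"].append(mac)
            if mac not in known_proxies:
                findings["unknown_publishers"].append(mac)
    # One address answered by two MACs: the proxy is competing with the real
    # host, so requesters pick whichever reply arrives last and may be blackholed.
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            findings["conflicts"].append(ip)
    return findings


if __name__ == "__main__":
    result = audit(parse_replies(SAMPLE_CAPTURE), known_proxies={"00:11:22:33:44:01"})
    for key, values in result.items():
        print(f"{key}: {values}")
```

A proxy ARP router and a host spoofing ARP leave the same trace on the wire, one MAC claiming many addresses, so the inventory of proxies that are supposed to be publishing (known_proxies above) is what allows a conflict to be attributed to a misconfigured proxy rather than to an attacker.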


Implementations

* OpenBSD implements proxy ARP; published entries are created with arp(8) using the pub keyword.
* Linux implements proxy ARP, either for a whole interface (the net.ipv4.conf.<interface>.proxy_arp sysctl, which answers for any address routed out a different interface) or for individual addresses (ip neigh add proxy <address> dev <interface>).



Further reading

* RFC 925 – Multi-LAN Address Resolution
* RFC 1027 – Using ARP to Implement Transparent Subnet Gateways
* W. Richard Stevens. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley Professional; 1st edition (December 31, 1993). ISBN 0-201-63346-9