Friday, October 16, 2015

Proxy ARP

This document explains the concept of proxy Address Resolution Protocol (ARP). Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway. Proxy ARP is defined in RFC 1027



How Does Proxy ARP Work?

This is an example of how proxy ARP works:

Network Diagram

5_01.gif
The Host A (172.16.10.100) on Subnet A needs to send packets to Host D (172.16.20.200) on Subnet B. As shown in the diagram, Host A has a /16 subnet mask. What this means is that Host A believes that it is directly connected to all of network 172.16.0.0. When Host A needs to communicate with any devices it believes are directly connected, it sends an ARP request to the destination. Therefore, when Host A needs to send a packet to Host D, Host A believes that Host D is directly connected, so it sends an ARP request to Host D.
In order to reach Host D (172.16.20.200), Host A needs the MAC address of Host D.
Therefore, Host A broadcasts an ARP request on Subnet A, as shown:
Sender's MAC Address Sender's IP Address Target MAC Address Target IP Address
00-00-0c-94-36-aa 172.16.10.100 00-00-00-00-00-00 172.16.20.200
In this ARP request, Host A (172.16.10.100) requests that Host D (172.16.20.200) send its MAC address. The ARP request packet is then encapsulated in an Ethernet frame with the MAC address of Host A as the source address and a broadcast (FFFF.FFFF.FFFF) as the destination address. Since the ARP request is a broadcast, it reaches all the nodes in the Subnet A, which includes the e0 interface of the router, but does not reach Host D. The broadcast does not reach Host D because routers, by default, do not forward broadcasts.
Since the router knows that the target address (172.16.20.200) is on another subnet and can reach Host D, it replies with its own MAC address to Host A.
Sender's MAC Address Sender's IP Address Target MAC Address Target IP Address
00-00-0c-94-36-ab 172.16.20.200 00-00-0c-94-36-aa 172.16.10.100
This is the Proxy ARP reply that the router sends to Host A. The proxy ARP reply packet is encapsulated in an Ethernet frame with MAC address of the router as the source address and the MAC address of Host A as the destination address. The ARP replies are always unicast to the original requester.
Upon receipt of this ARP reply, Host A updates its ARP table, as shown:
IP Address MAC Address
172.16.20.200 00-00-0c-94-36-ab
From now on, Host A forwards all the packets that it wants to reach 172.16.20.200 (Host D) to the MAC address 00-00-0c-94-36-ab (router). Since the router knows how to reach Host D, the router forwards the packet to Host D. The ARP cache on the hosts in Subnet A is populated with the MAC address of the router for all the hosts on Subnet B. Hence, all packets destined to Subnet B are sent to the router. The router forwards those packets to the hosts in Subnet B.
The ARP cache of Host A is shown in this table:
IP Address MAC Address
172.16.20.200 00-00-0c-94-36-ab
172.16.20.100 00-00-0c-94-36-ab
172.16.10.99 00-00-0c-94-36-ab
172.16.10.200 00-00-0c-94-36-bb
Note: Multiple IP addresses are mapped to a single MAC address, the MAC address of this router, which indicates that proxy ARP is in use.
The interface of the Cisco must be configured to accept and respond to proxy ARP. This is enabled by default. The no ip proxy-arp command must be configured on the interface of the router connected to the ISP router. Proxy ARP can be disabled on each interface individually with the interface configuration command no ip proxy-arp, as shown: 
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface ethernet 0
Router(config-if)# no ip proxy-arp
Router(config-if)# ^Z
Router#
In order to enable proxy ARP on an interface, issue the ip proxy-arp interface configuration command.
Note: When Host B (172.16.10.200/24) on Subnet A tries to send packets to destination Host D (172.16.20.200) on Subnet B, it looks into its IP routing table and routes the packet accordingly. Host B (172.16.10.200/24) does not ARP for Host D IP address 172.16.20.200 because it belongs to a different subnet than what is configured on Host B ethernet interface 172.16.20.200/24.

Advantages of Proxy ARP

The main advantage of proxy ARP is that it can be added to a single router on a network and does not disturb the routing tables of the other routers on the network.
Proxy ARP must be used on the network where IP hosts are not configured with a default gateway or do not have any routing intelligence.

Disadvantages of Proxy ARP

Hosts have no idea of the physical details of their network and assume it to be a flat network in which they can reach any destination simply by sending an ARP request. But using ARP for everything has disadvantages. These are some of the disadvantages:
  • It increases the amount of ARP traffic on your segment.
  • Hosts need larger ARP tables in order to handle IP-to-MAC address mappings.
  • Security can be undermined. A machine can claim to be another in order to intercept packets, an act called "spoofing."
  • It does not work for networks that do not use ARP for address resolution.
  • It does not generalize to all network topologies. For example, more than one router that connects two physical networks.
Posted by at No comments:

When Are ICMP Redirects Sent?

Internet Control Message Protocol (ICMP) is used to communicate to the original source, the errors encountered while routing the packets, and exercise control on the traffic. This document discusses ICMP redirects and when redirects happen in a network.



How ICMP Redirect Messages Work

ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination.
For example, the two routers R1 and R2 are connected to the same Ethernet segment as Host H. The default gateway for Host H is configured to use router R1. Host H sends a packet to router R1 to reach the destination on Remote Branch office Host 10.1.1.1. Router R1, after it consults its routing table, finds that the next-hop to reach Host 10.1.1.1 is router R2. Now router R1 must forward the packet out the same Ethernet interface on which it was received. Router R1 forwards the packet to router R2 and also sends an ICMP redirect message to Host H. This informs the host that the best route to reach Host 10.1.1.1 is by way of router R2. Host H then forwards all the subsequent packets destined for Host 10.1.1.1 to router R2.
43_01.gif
This debug message shows router R1, as in the network diagram, sending an ICMP redirect message to Host H (172.16.1.1).
R1#
debug ip icmp


ICMP packet debugging is on

*Mar 18 06:28:54: ICMP:redirect sent to 172.16.1.1 for dest 10.1.1.1, use gw 172.16.1.200

R1#
Router R1 (172.16.1.100) sends a redirect to Host H (172.16.1.1) to use router R2 (172.16.1.200) as the gateway to reach the destination 10.1.1.1.

When Are ICMP Redirects Sent?

Cisco routers send ICMP redirects when all of these conditions are met:
  • The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
  • The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.
  • The datagram is not source-routed.
  • The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)
Note: ICMP redirects are disabled by default if Hot Standby Router Protocol (HSRP) is configured on the interface. In Cisco IOS Software Release 12.1(3)T and later, ICMP Redirect is allowed to be enabled on interfaces configured with HSRP. For more information, refer to HSRP Support for ICMP Redirects section of Hot Standby Router Protocol Features and Functionality.
For example, if a router has two IP addresses on one of its interfaces:
  interface ethernet 0

  ip address 171.68.179.1 255.255.255.0

  ip address 171.68.254.1 255.255.255.0 secondary
If the router receives a packet that is sourced from a host in the subnet 171.68.179.0 and destined to a host in the subnet 171.68.254.0, the router does not send an ICMP redirect because only the first condition is met, not the second.
The original packet for which the router sends a redirect still gets routed to the correct destination.
Posted by at No comments:
Subscribe to: Posts (Atom)