Introduction
ProxyARPisavariantoftheARPprotocol.Forcomputerswithoutadefaultgatewaytocommunicatewithcomputersonothernetworks,thegatewaywillrespondtothesourcecomputerwithitsownMACaddressandtheIPaddressofthetargetcomputerwhenitreceivestheARPrequestfromthesourcecomputer.ProxyARPistouseahostasaresponsetoanotherhost'sARP.ItmakesitpossibletoaddanewRouterwithoutaffectingtheroutingtable,makingthesubnetmoretransparenttothehost.Atthesametime,italsobringshugerisks.InadditiontoARPspoofingandtheincreaseofARPinacertainnetworksegment,themostimportantthingisthatthenetworktopologycannotbesummarized.TheuseofproxyARPisgenerallyusedonanetworkthatisnotconfiguredwithadefaultgatewayandroutingstrategy.
proxyARP
Definition
ProxyARPistouseahost(usuallyrouter)asadesignateddevicetomakeanARPrequesttoanotherdeviceanswer.
Workingprocess
TheworkingprocessofproxyARPisasfollows:
AlthoughPC1andPC2belongtodifferentbroadcastdomains,theyareinthesamenetworksegment,soPC1AnARPrequestbroadcastpacketwillbesenttoPC2torequesttheMACaddressofPC2.Sincetherouterdoesnotforwardbroadcastpackets,theARPrequestcanonlyreachtherouter,notPC2.
WhentheARPproxyisenabledontherouter,therouterwillchecktheARPrequestandfindthattheIPaddress172.16.20.100belongstoanothernetworkitisconnectedto,sotherouterreplacestheMACaddressofPC2withitsowninterfaceMACaddress.AnARPreplywassenttoPC1.
AfterPC1receivestheARPresponse,itwillthinkthattheMACaddressofPC2is00-00-0c-94-36-ab,andwillnotperceivetheexistenceoftheARPproxy.
YoumayseethefollowingARPentriesintheARPtableofPC1:
C:\>arp-a
Interface:172.16.10.100--0x2
InternetAddressPhysicalAddressType
172.16.20.10000-00-0c-94-36-abdynamic
Inthenextdatacommunication,PC1sendsthedatatotherouterfirst,andtherouterforwardsittoPC2.
Advantages
Oneofthemainadvantagesistheabilitytoaddanewroutertothenetworkwithoutaffectingtheroutingtablesofotherrouters,sothatchangesinthesubnetaffectthehost.Itistransparent
ProxyARPshouldbeusedonanetworkwherethehostisnotconfiguredwithadefaultgatewayordoesnothaveanyroutingstrategy
Negativeimpact
⒈AddacertainnetworkARPtrafficonthesegment
⒉ThehostneedsalargerARPtabletohandlethemappingfromIPaddresstoMACaddress
⒊Securityissues,suchasARPspoofing
⒋willnotworkfornetworksthatdonotuseARPtoresolveaddresses
⒌cannotgeneralizeandpromotenetworktopology
ARPandproxyARP
ARPreportThetextissentbythehost.Whenthehostonlyknowstheotherparty'sIPaddressandwantstoknowtheotherparty'sMACaddress,itbroadcaststheARPrequesttoeachnodeinitsownnetworksegment.Whenahostresponds,themessagesentbackisunicast.
ProxyARPiswhenthehostknowsanIPaddressanditwantstoknowtheMACaddresscorrespondingtotheIPaddress,thehostbroadcastsanARPrequest,butiftherearesomehostsonthesamenetworksegmentonanotherphysicalnetwork(Forexample,twonetworksegmentsof192.168.1.0,withanetworksegmentof192.168.2.0inbetween),anintermediatedevice(router)isrequiredtoperformproxyARP.Becausetherouterdoesnotforwardbroadcastpacketsbydefault,whentherouterreceivesanARPrequest,itwillstarttheproxyARPserviceandwillsendbroadcastARPpackets.
FAQ
1)WhatisARPproxy?
WhentherouterreceivestheARPRequest,ifitfindsthatthedestinationIPaddressofthequeryisinadifferentsubnet,therouterwillactasaproxyARPandrespondonitsbehalf,tellingthequeriertheMACaddressitneedstodo(usingtheItistheMACaddressoftheinterface)
2)WhyisthereanARPproxy?AnimportantfunctionoftherouteristolimittheLANbroadcastpacketstothenetworkandpreventspreading,otherwiseitwillcauseanetworkstorm.ARPRequestisabroadcastpacket.Iftheobjectitasksisinthesamelocalareanetwork,itwillanswerit.Butwhatifthequeryobjectisnotinthesamelocalareanetwork?Inordertosolvethisproblem,therouterprovidesaservice:proxyARP.
3)IsthereanywaytosolvetheaddressqueryacrosstheLAN?Ifthehostisconfiguredwithadefaultgateway,thequerytaskcanbehandedovertothedefaultgatewaywhentheobjecttoquerytheMACaddressisoutsidethelocalareanetwork.
4)UnderwhatcircumstanceswillARPproxybeused?HostsandroutersinthenetworkhaveARPcaches.Hostsareusuallyconfiguredwithadefaultgateway,andtheywillusethedefaultgatewaytoquerytheMACaddressoutsidetheLAN.WhentherouterneedstoquerytheMACaddressintheremotenetworksegment,therouterconnectedtoitwillactasaproxyARPwhenreceivingtheARPRequest.
Commonquestions
Verifysomequestions:
⒈WhenwilltheARPrequestbesent?
⒉ProxyARP(proxyarp)willautomaticallyWhichnetworksegmentstorespondtoARPrequests
⒊WhatkindofenvironmentdoesproxyARPapplyto
Thefollowingonebyone:
⒈Firstofall,ARPisintheEthernetenvironmentIwasalittledizzyatthebeginning.Iactuallyconfigureditonthes0portandthenwenttosharp.Iwasstillthinkingabouthownothingwouldcomeout.
Then,noteverypackagegoingoutoftheInternetwillGenerateanarprequest(theproblemofarpcacheisnotdiscussedhere,thedefaultcacheisempty),aninterfacewillonlysendarprequeststotheIPaddressinthesubnetconfiguredonthisinterface,andtheipaddressisnotconfiguredintheinterfaceIfyouwanttochecktheroutingtableandsendittoyoursubnet.
Forexample:opendebugarp,e0ipadd172.16.1.1255.255.255.128
Localping172.16.1.1-1.126willbeGenerateanarprequest(ifthereisnoarp-cache),
Butping172.16.1.128andabovewillnotwork
⒉ProxyARPonlyrespondstothoseinitsroutingtableThenetworksegmentthatcanbefound,insteadofrespondingtoallarprequestsfromthehostwithmyownmacasIthoughtbefore.
Forexample:PC--Route
PCEther:ipaddress172.16.12.2255.255.0.0
Router:
interfaceEthernet0/0:
ipaddress172.16.12.1255.255.255.0
interfaceLoopback0
ipaddress172.16.14.1255.255.255.0
Inthisway,whenyouping172.16.14.1onthepc,youcanseethatthepcgeneratesanarprequest,andtherouterusesitsownTheE0/0Macaddressrepliedtothisrequest,thatis,actingasanARPproxy.Ifweping172.16.15.1,thearppacketisalsosenttotherouter,buttherouterdoesnotrespondtothearppacket.
Applicableenvironment
WhatkindofenvironmentdoesproxyARPapplyto?
Totellthetruth,Ididn’tthinkaboutthisverywell.Somebookssay,ProxyARPplaysaroleinprovidinggateways.Infact,throughthefirstverificationabove,itisobviousthatthisstatementiscompletelyincorrect,becausethearprequestwillonlybegeneratedwhentheipofthisnetworksegmentisrequested,andtheproxyarpcanonlyTheproxyistheipofthe"samesubnet"forthehostthatgeneratedthisarprequest.Whatkindofgatewayisthis?
***************Thisauthorisobviouslywrong.Whenthehostisnotconfiguredwithadefaultroute,pingtheaddressofanon-localnetworksegmentwillsendthisnon-localaddresstothenetwork.WhentheARPrequestfortheaddressofthisnetworksegment,andthedeviceinterfacewithproxyARPenabledhastherouteofthenon-localnetworksegment,itwillreplyitsownMACtoARPtorealizetheARPproxyfunction.TheaccessinthisnetworksegmentisonlysimplebroadcastaddressinganddoesnotinvolveproxyARP.Whenthehostconfiguresthedefaultroute,theARPrequestdirectlyrequeststhegateway'sARPanddoesnotinvolveproxyARP,sotheso-calledproxyARPisequivalenttoThegatewaymakessense.TheproxyARPproblemwillnotoccuronthedeviceconfiguredwiththegateway**********************************
WhatistheuseofproxyARP?
Thefollowingpicturemaybemoreillustrative.
Seeit,payattentiontotheconfigurationofthenumberofsubnetsonthehost.Itseemstobeusedonlyinsuch"weird"occasions.Totheproxyarp,ACcommunication,AthinksthatCisinitsownsubnet,andsendsarpdirectly,routinge0receivesthisarprequest,andthenfindsthattherequestedipaddressisinthenetworksegmentdirectlyconnectedtoit(canbefoundintheroutingtable),inthisway,Irespondedtothearprequestwiththee0port,andcompletedtheproxyARP
instanceconfiguration
ProxyARP(proxyARP),alsocalledpromiscuousARP(promiscuousARP),ItisanIPnetworkaddressmultiplexingtechnology.Someusersinthecorporatenetworkwillusethistechnology.
TheprincipleofproxyARPisshowninFigure1:
Mainnetwork
.
RunARP
Hiddennetwork
.
Hiddenhost
Themainnetworkandthehiddennetworkinthefiguresharethesamenetworkaddress,whichmeansthatthemainnetworkandthehiddennetworkareinthesameaddresssegment.ProxyARPrequiresthattheARPprotocolisusedonthemainnetworktomaptheIPaddresstothephysicaladdress.WheneachhostonthemainnetworkcallsARPtoresolvethephysicaladdressofthehostonthenetwork,thegatewayGrespondsinsteadofthehost,andthegivenphysicaladdressisGitselfThephysicaladdressisansweredbyG.GatewayGneedstoknowallthehostsonthehiddennetworksothatalldatapacketsenteringthehiddennetworkaresenttogatewayGfirst,andgatewayGissendingthepacketstothehostthatshouldarrive.Similarly,gatewayGalsohascontroloverthehostnetwork.Hosttoperformappropriateoperationsonoutgoingdata.
ProxyARPtechnologyinvolvestwoaspectsofIPaddressandphysicaladdress.Ontheonehand,proxyARPneedstouseIPtofindthepath,becauseitneedstodeterminetheresponsetothoseARPrequests;ontheotherhand,proxyARPneedstoThegatewayGestablishesanIP-physicaladdressmappingtable,whichdirectlyparticipatesinphysicaltransmission.ItisanetworkaddressmultiplexingtechnologybecauseinproxyARPtechnology,aphysicaladdresscorrespondstoseveralIPaddresses,andthetwoarenotone-to-onecorrespondence.Thisisillegalintermsofprotocol,becauseitwillCausessecurityproblems.Ifacomputerclaimstobeanothercomputer,itanswersitsownphysicaladdresstoanARPrequestthatdoesnotbelongtoitself,andthenillegallyacceptspackets.Inordertoavoidthisinsecurefactor,someARPimplementationsintroducespecialCopingmechanism,oncetwoIPaddressesarefoundtobemappedtothesamephysicaladdress,animmediatewarningwillbeissuedtoremindtheadministratortotakemeasures.InproxyARPtechnology,itisnotallowedtogeneratewarnings,otherwisetoomanywarningmessageswillcauseunnecessarytrouble.AnimportantconceptinproxyARPtechnologyis"trust".Itsbasicideais:allmachinesparticipatinginARPmustcooperatewitheachotherandcannotbedeceived.Therefore,allARPresponsesarelegal.
Thistechnologyiswidelyusedinrouters.SetproxyARPontheLANportofthecentralLANrouter.Somedial-upuserscanusethecentralLANsegmenttocommunicatewiththecenter.IftherouteralsosupportsdynamicIPaddresspools,Thentheentirenetworkconfigurationisquitesimple.TheBDCOM3000seriesroutersproducedbyShanghaiBORDADataCommunicationCo.,Ltd.supportthisusage.Typicalapplicationsareasfollows:
Inthisnetwork,therouterisusedasadial-upaccessserver,andthemainconfigurationworkisconcentratedonthecentralrouter.OnBDC0M3161,proxyARPtechnologyisusedontheE0port,andadynamicIPaddresspoolisconfiguredontherouter,sothattheremotedial-upcomputeronlyneedstoconfigurethephonenumberinthedial-upnetworktocommunicatewiththecenter.BDCOM3161isequivalenttocisco's2511.Ithas16asynchronousportsand3synchronousports.Thehighestrate(synchronous)ofeachportis2M.These3portsalsosupportasynchronous(synchronous/asynchronousconfigurationontherouterportasrequired).Ifallareusedasasynchronous,19asynchronousportscanbeprovided.ThisisusedinabankinQinghaiProvince.Therouterconfigurationisasfollows:
nodenameBDCOM3161Settheroutername
ippooladdremoteip192.168.1.10016SettheIPaddresspool,thenameisremoteip,startingfrom192.168.1.100,thereare16addressesavailableFordistribution
e0entertheEthernetport
arpproxy-arpenabletoturnontheARPproxy
ipadd192.168.1.254255.255.255.0SettheEthernetIPaddress
quitExitE0port
A0enterA0port
encapsulatepppEncapsulateA0portintoPPPprotocol
ipadd192.168.1.254255.255.255.0SettheIPaddress(thisIPaddressisthesameastheE0portaddress)
linedialChangethisporttoadial-upline
idletime300Settheon-hooktime(whenthereisnobusinesstrafficfor300secondsWhentherouterhangsuptheMODEM)
pppauthpapPAPauthenticationonthisport
Assignanaddresstotheremotecomputer
quitExitA0port
a1
encapsulateppp
ipadd192.168.1.254255.255.255.0
linedial
idletime300
pppauthpap
pppipcppoolremoteipSpecifythisporttousetheaddresspoolremoteiptoassignaddressestoremotecomputers
quit
a2
encapsulateppp
ipadd192.168.1.254255.255.255.0
linedial
idletime300
pppauthpap
pppipcppoolremoteip
quit
a3
encapsulateppp
ipadd192.168.1.254255.255.255.0
p>linedial
idletime300
pppauthpap
pppipcppoolremoteip
quit
……
a15
encapsulateppp
ipadd192.168.1.254255.255.255.0
linedial
idletime300
pppauthpap
pppipcppoolremoteip
quit
useraddbdcomabcdaddsuseraccount(bdcom)andpassword(abcd)forPAPauthentication
useraddbdcom1dcbaSameasabove.ThisaccountcanbebasedonNeedtoaddmultiple
icmpredirectdisabletoprohibittheredirectioninformationofinternetcontrolmessageprotocolfromremotedial-upcomputer,onlyneedtoconfigurethephonenumberofdial-upnetwork,gettheaccountnumberandpasswordfromtheadministrator,andtheIPaddressbytherouterItcanbeassignedautomatically.
Exampleconfiguration:
AsshowninFigure1,theswitchisconnectedtotwoPCs(AandB).Initially,theyareallinavlan1,respectivelyConfiguretheIPaddresses172.16.1.2/16and172.16.2.2/16,andthegatewayisnotconfigured.Atthistime,youcanpingtheotherparty.
AddAtovlan1,vlanifwithIP:172.16.1.1/24
AddBtovlan2,vlanifwithIP:172.16.2.1/24
ThisWhenApingBisunabletoping.
Thereasonisguessed:neitherthegatewaynortheproxyARPisconfigured,sothepingfails
WhenIconfiguretheproxyARPonthetwoports,IfindthatthePingisstilldifferentatthistime.
Atthistime,IcheckedA'sARPtableandfoundthattheMACaddressof172.16.2.2inthetablewasB'saddress.
Atthistime,theMACaddressencapsulatedinthepacketsentbyAisB.Whenvlanifreceivestheframe,itwilldiscardthepacket
ClearA'sARPtable(arp-d),atthistime,pingBagainandfindthatPingcanbedone.TheMACaddressof172.16.2.2recordedinAisalreadytheMACaddressofvlanif1.