Proxy ARP

From Wikipedia, the free encyclopedia

Proxy ARP is a technique for using the ARP protocol to provide an ad hoc routing mechanism.

A multi-port networking device (e.g. a router) implementing Proxy ARP will respond to ARP requests on one interface as being responsible for addresses of device addresses on another interface. The device can then receive and forward packets addressed to the other devices.

[edit] Advantages

The advantage of Proxy ARP over other networking schemes is simplicity. A network can be extended using this technique without the knowledge of the upstream router. Definition of Proxy ARP can also be a process where a border device (a device connecting between two networks) answers ARP requests on behalf of a remote host.

For example, suppose a host, say A, wants to contact another host, say B, on another subnet. For this, host A will send an ARP request with IP address of B in its ARP packet. The multihomed router which is connected to both the subnets, answers to host A's request with its MAC address instead of host B's actual MAC address, thus proxying for host B. In the due course of time, when host A sends a packet to the router which is actually destined to host B, the router just forwards the packet to host B. The communication between host A and B is totally unaware of the router proxying for each other. The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as 'publishing'.

[edit] Uses

Below are some typical uses for proxy ARP:

Joining a broadcast LAN with serial links (e.g., dialup or VPN connections).

Assume a broadcast domain (e.g., a group of stations connected to the same hub) using a certain IPv4 address range (e.g., 192.168.0.0/24, where 192.168.0.1-192.168.0.127 are assigned to wired nodes). One or more of the stations is an access router accepting dialup or VPN connections. Provided the addresses given to dialup/VPN-connected nodes need to be of the same range (let's assume a dial-up node gets an address of 192.168.0.254 from an access server with LAN IP address of 192.168.0.1), Proxy ARP is used to create the 'presence' effect for the said node; the access server 'publishes' its MAC for 192.168.0.254, the address of the dial-up node.

Taking multiple addresses from a LAN

Assume a station (e.g., a server) with an interface (10.0.0.2) connected to a network (10.0.0.0/24). Certain applications may require multiple IP addresses on the server. Provided the addresses have to be from the 10.0.0.0/24 range, the way the problem is solved is through Proxy ARP. Additional addresses (say, 10.0.0.230-10.0.0.240) are aliased to the loopback interface of the server (or assigned to special interfaces, the latter typically being the case with VMware/UML/jails/vservers/other virtual server environments) and 'published' on the 10.0.0.2 interface (although many operating systems allow direct allocation of multiple addresses to one interface, thus eliminating the need for such tricks).

On a firewall

In this scenario a firewall can be configured with a single IP address. One simple example of a use for this would be placing a firewall in front of a single host or group of hosts on a subnet. Example- A network (10.0.0.0/8) has a server which should be protected (10.0.0.20) a proxy-arp firewall can be placed in front of the server. In this way the server is put behind a firewall without making any changes to the network at all.

[edit] Disadvantages

Disadvantage of Proxy ARP include scalability (ARP resolution is required for every device routed in this manner) and reliability (no fallback mechanism is present, and masquerading can be confusing in some environments). It should be noted that ARP manipulation techniques, however, are the basis for protocols providing redundancy on broadcast networks (e.g., Ethernet), most notably CARP and Virtual Router Redundancy Protocol.