Thursday, August 14, 2008

ARP, RARP, Proxy ARP, Gratuitous ARP and IP Redirect

Well... after a while away from my computer (in fact, away from any computer) due to some medical issues I'm back! Don't worry, nothing bad, it was scheduled already, and I had the company of my wife, and guess who?! Yeah! Him! Mr. Jeff Doyle, not in person, but in his book version!

Books like TCP/IP Vol. 1 and 2 MUST be read from cover to cover! Always a good thing to learn!

Some of you may think ARP is too basic... Yeah, I think so too, but there were more than 10, 20 times that people who were supposed to know this asked me HOW it works... so here (with Mr. Doyle's help) you'll find ARP and some variations of it.

ARP

Address Resolution Protocol (ARP) is used to map a known IP address to an unknown data-link identifier (for example, a MAC address). The ARP Request will contain:

  • Source IPv4 Address;
  • Source data-link identifier address (MAC Address for example);
  • Destination IPv4 Address;
  • Destination data-link identifier (MAC Address in our example) will be set to 00:00:00:00:00:00.

Check this ARP Request capture:

Ethernet II, Src: 00:30:b8:83:cb:40, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:30:b8:83:cb:40 (00:30:b8:83:cb:40)
    Type: ARP (0x0806)
    Trailer: FFE000200020003035800000FFE000100030
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:30:b8:83:cb:40 (00:30:b8:83:cb:40)
    Sender IP address: 201.6.115.1 (201.6.115.1)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 201.6.115.254 (201.6.115.254)

By default, Cisco routers hold ARP entries for 4 hours. You can change this value on a per-interface basis with the command: arp timeout <value in seconds>. Example:

interface fastethernet 0/0
arp timeout 3600

RARP

RARP is the opposite of ARP: it maps an IPv4 address to a known MAC address. For example, old workstations (dumb terminals) could have their firmware programmed to send a RARP request as soon as they were powered up, and a RARP server would answer this RARP request with the workstation's IP address (airline companies used it A LOT in the past). Hmmm... looks like DHCP, right?! Yeah, it looks like it, but it ISN'T, OK?! ;)

RARP Request will contain:

  • Source and Destination data-link identifier (MAC Address in this example) will be the local host MAC Address;
  • Source and Destination IP Address will be set to 0.0.0.0.

Check this example capture of a RARP Traffic:

Ethernet II, Src: Marquett_12:dd:88, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: Marquett_12:dd:88 (00:00:a1:12:dd:88)
    Type: ARP (0x0806)
    Trailer: FFE000200020003035800000FFE000100030
Address Resolution Protocol (reverse request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reverse request (0x0003)
    Sender MAC address: Marquett_12:dd:88 (00:00:a1:12:dd:88)
    Sender IP address: 0.0.0.0 (0.0.0.0)
    Target MAC address: Marquett_12:dd:88 (00:00:a1:12:dd:88)
    Target IP address: 0.0.0.0 (0.0.0.0)


---> EXAMPLE TAKEN FROM Wireshark Wiki <---

Proxy ARP

A Proxy ARP-enabled router answers ARP requests intended for another machine. It does that by making the local host believe that the router is the "owner" of that IP address; the local host then forwards the traffic to the router, and the router is responsible for "routing" the packets to the real destination.

For example, Host A in Subnet A wants to send traffic to Host B in Subnet B. Host A and Host B are in the same subnet, but in different broadcast domains. Host A will send an ARP Request with Host B's IP address, and the router connected to both subnets will answer Host A's request using its own MAC address instead of Host B's MAC address.

Now when Host A wants to transmit traffic to Host B, it'll send it to the router's MAC address and the router will just forward the traffic to Host B. That's why it's called "Proxy ARP".

It's used on networks where the hosts are not configured with a default gateway.

Oh yeah... it's enabled by default in Cisco IOS, and you can disable it on a per-interface basis with the command: no ip proxy-arp

Gratuitous ARP

In some circumstances a host (router, switch, computer, etc.) might send an ARP Request with its own address as the target address... But, to its own address?! Why would a host do that!?

Well... there are some reasons... for example:

  • It's used to update other devices' ARP tables (when a device receives an ARP Request with an IP that is already in its cache, the cache will be updated with the new information);
  • HSRP routers that take over control will send Gratuitous ARP out on the network to update the cache tables of other devices;
  • To check for duplicate addresses (if the host receives a response, it'll know that somebody is using the same IP address).

You can check this Gratuitous ARP traffic captured with Wireshark (the best open-source sniffer out there):

Ethernet II, Src: 02:02:02:02:02:02, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 02:02:02:02:02:02 (02:02:02:02:02:02)
    Type: ARP (0x0806)
    Trailer: 000000000000000000000000000000000000
Address Resolution Protocol (request/gratuitous ARP)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 02:02:02:02:02:02 (02:02:02:02:02:02)
    Sender IP address: 192.168.1.1 (192.168.1.1)
    Target MAC address: ff:ff:ff:ff:ff:ff (Broadcast)
    Target IP address: 192.168.1.1 (192.168.1.1)


---> EXAMPLE TAKEN FROM Wireshark Wiki <---
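
An added example (not from the original post or from the Wireshark Wiki): a small Python decoder that classifies the three kinds of frame captured above by opcode and addresses, and reports when an IP address shows up with a new sender MAC, which is the cache update a Gratuitous ARP causes. The frames are rebuilt from the field values in the captures; the fourth frame, the helper names and accepting EtherType 0x8035 are assumptions of this example.

```python
import socket
import struct

# RFC 903 RARP normally uses EtherType 0x8035; the RARP capture above shows
# 0x0806, so this example accepts both (an assumption of the example).
ARP_TYPES = {0x0806, 0x8035}
OPCODES = {1: "request", 2: "reply", 3: "reverse request", 4: "reverse reply"}

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP or RARP."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet header + ARP body")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if etype not in ARP_TYPES or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    kind = OPCODES.get(op, f"unknown opcode {op}")
    if op == 1 and spa == tpa:
        kind = "gratuitous ARP"  # the sender asks for its own IP address
    return {"kind": kind,
            "sender_mac": sha.hex(":"), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": tha.hex(":"), "target_ip": socket.inet_ntoa(tpa)}

def binding_changes(frames):
    """Report each time an IP address appears with a different sender MAC."""
    seen, changes = {}, []
    for frame in frames:
        p = parse_arp(frame)
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip == "0.0.0.0":  # a RARP requester has no IP address yet
            continue
        if seen.get(ip, mac) != mac:
            changes.append((ip, seen[ip], mac, p["kind"]))
        seen[ip] = mac
    return changes

def build(op, sha, spa, tha, tpa):
    """Constructed test frame: broadcast Ethernet header plus ARP body."""
    h, a = bytes.fromhex, socket.inet_aton
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + h(sha) + a(spa) + h(tha) + a(tpa)
    return b"\xff" * 6 + h(sha) + struct.pack("!H", 0x0806) + body

# Field values copied from the three captures above; the last frame is constructed.
FRAMES = [
    build(1, "0030b883cb40", "201.6.115.1", "000000000000", "201.6.115.254"),
    build(3, "0000a112dd88", "0.0.0.0", "0000a112dd88", "0.0.0.0"),
    build(1, "020202020202", "192.168.1.1", "ffffffffffff", "192.168.1.1"),
    build(1, "020202020203", "192.168.1.1", "ffffffffffff", "192.168.1.1"),  # constructed
]
```

Calling binding_changes(FRAMES) returns one entry, for 192.168.1.1 moving from 02:02:02:02:02:02 to the constructed 02:02:02:02:02:03; on a real network an HSRP takeover produces the same kind of entry.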

IP Redirect

IP Redirect is used by routers to notify hosts of another router on the data link that should be used for a particular destination.

For example, Router A and Router B are connected to the same Ethernet segment, as is Host C. Host C has Router A set as its default gateway, so Host C will send its packets to Router A. Router A sees that the destination address of the packet is reachable via Router B, so Router A must forward the packets to Router B out the same interface on which it received them. Router A does that, and also sends an ICMP Redirect to Host C telling it to use Router B to reach this particular destination next time.

IP Redirect is enabled by default in IOS routers and can be disabled on a per-interface basis with the command: no ip redirects.

That's it! I'll lie down a while, my head is a little fuzzy right now!

2 comments:

IPexpert Training Advisors said...

Feel better man!

Caue said...

Hehehe, I'm already MUCH better! Just a couple more days and I'll be 110% recovered!

Thanks man! Appreciate!