Proxy ARP

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 24.87.161.50 (talk) at 22:32, 28 February 2008 (Uses: +Transparent subnet gatewaying). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Proxy ARP (Address Resolution Protocol) is a technique by which a network host answers ARP queries for a network address that is not configured on the interface receiving the query. Answering ARP requests on behalf of another host effectively directs all LAN traffic destined for that host to the proxying host. The "captured" traffic is then typically routed to the destination host via another interface or via a tunnel.

Advantages

The advantage of Proxy ARP over other networking schemes is simplicity. A network can be extended using this technique without the knowledge of the upstream router. Proxy ARP can also be described as a process in which a border device (a device connecting two networks) answers ARP requests on behalf of a remote host.

For example, suppose a host A wants to contact another host B on a different subnet. Host A sends an ARP request carrying the IP address of B. The multi-homed router connected to both subnets answers A's request with its own MAC address instead of B's actual MAC address, thus proxying for B. When host A later sends the router a packet that is actually destined for B, the router simply forwards the packet to B. Neither A nor B is aware that the router is proxying between them. The process by which a node responds with its own MAC address to an ARP request for a different IP address, for proxying purposes, is sometimes referred to as 'publishing'.

Uses

Below are some typical uses for proxy ARP:

  • Joining a broadcast LAN with serial links (e.g., dialup or VPN connections): Assume a broadcast domain (e.g., a group of stations connected to the same hub) using a certain IPv4 address range (e.g., 192.168.0.0/24, where 192.168.0.1-192.168.0.127 are assigned to wired nodes). One or more of the stations is an access router accepting dialup or VPN connections. Provided the addresses given to dialup/VPN-connected nodes need to be in the same range (assume a dial-up node gets the address 192.168.0.254 from an access server whose LAN IP address is 192.168.0.1), Proxy ARP is used to create the 'presence' effect for that node: the access server 'publishes' its MAC for 192.168.0.254, the address of the dial-up node.
  • Taking multiple addresses from a LAN: Assume a station (e.g., a server) with an interface (10.0.0.2) connected to a network (10.0.0.0/24). Certain applications may require multiple IP addresses on the server. Provided the addresses have to be from the 10.0.0.0/24 range, the problem is solved through Proxy ARP. Additional addresses (say, 10.0.0.230-10.0.0.240) are aliased to the loopback interface of the server (or assigned to special interfaces, the latter typically being the case with VMware/UML/jails/vservers/other virtual server environments) and 'published' on the 10.0.0.2 interface (although many operating systems allow direct allocation of multiple addresses to one interface, thus eliminating the need for such tricks).
  • On a firewall: In this scenario a firewall can be configured with a single IP address. One simple example is placing a firewall in front of a single host or group of hosts on a subnet. For example, a network (10.0.0.0/8) has a server (10.0.0.20) that should be protected; a proxy-ARP firewall can be placed in front of the server. In this way the server is put behind a firewall without making any changes to the network at all.
  • Mobile-IP: In Mobile-IP the Home Agent uses Proxy ARP in order to receive messages on behalf of the Mobile Node, so that it can forward the appropriate message to the mobile node's actual address (Care-of Address).
  • Transparent subnet gatewaying: A setup in which two physical segments share the same IP subnet and are connected together via a router. This use is documented in RFC 1027.
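As an added example (not code from the article or from RFC 1027), the following Python serialises RFC 826 ARP packets, applies the decision a multi-homed router makes in the host A/host B scenario above and in transparent subnet gatewaying (answer only for a target that is off the asking segment but reachable through another of its interfaces, and stay silent otherwise), and audits an ARP cache for MACs published for several IPs, which is how a defender notices proxy ARP or ARP spoofing on a segment. Interface names, MACs and addresses are constructed.

```python
import ipaddress
import struct

HW_ETHER, PROTO_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 Ethernet/IPv4 ARP body, 28 bytes

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, sha, spa, tha, tpa):
    """Serialise an ARP packet (sender/target hardware and protocol addresses)."""
    return struct.pack(ARP_FMT, HW_ETHER, PROTO_IPV4, 6, 4, op,
                       mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)

def parse_arp(pkt):
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    return {"op": op, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}

class ProxyArpRouter:
    """Multi-homed router; ifaces maps name -> (MAC, network attached there). Constructed model."""
    def __init__(self, ifaces):
        self.ifaces = {n: (mac, ipaddress.ip_network(net)) for n, (mac, net) in ifaces.items()}

    def handle(self, iface, pkt):
        """Return the proxy ARP reply bytes for a request heard on iface, or None."""
        req = parse_arp(pkt)
        if req["op"] != ARP_REQUEST:
            return None
        target = ipaddress.IPv4Address(req["tpa"])
        my_mac, local_net = self.ifaces[iface]
        if target in local_net:
            return None  # target is on the asking segment: let it answer itself
        reachable = any(target in net for n, (_, net) in self.ifaces.items() if n != iface)
        if not reachable:
            return None  # not behind this router: answering would be a bogus ARP reply
        # 'Publish' our MAC on the receiving interface for the remote address
        return build_arp(ARP_REPLY, my_mac, req["tpa"], req["sha"], req["spa"])

def published_addresses(arp_table):
    """Audit an ARP cache {ip: mac}: MACs answering for several IPs (proxy ARP or spoofing)."""
    by_mac = {}
    for ip, mac in arp_table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
```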

Disadvantages

Disadvantages of Proxy ARP include scalability (ARP resolution is required for every device routed in this manner) and reliability (no fallback mechanism is present, and masquerading can be confusing in some environments). ARP manipulation techniques are, however, the basis for protocols providing redundancy on broadcast networks (e.g., Ethernet), most notably CARP and the Virtual Router Redundancy Protocol.

Further reading

  • RFC 925, Multi-LAN Address Resolution
  • RFC 1027, Using ARP to Implement Transparent Subnet Gateways
  • W. Richard Stevens. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley Professional, 1st edition, December 31, 1993. ISBN 0-201-63346-9