Proxy ARP
Proxy ARP (Address Resolution Protocol) is a technique by which a network host answers ARP queries for a network address that is not configured on the receiving interface. Proxying ARP requests on behalf of another host effectively directs all LAN traffic destined for that host to the proxying host. The "captured" traffic is then typically routed to the destination host via another interface or via a tunnel.
Advantages
The advantage of Proxy ARP over other networking schemes is simplicity. A network can be extended using this technique without the knowledge of the upstream router. Proxy ARP can also refer to a process in which a border device (a device connecting two networks) answers ARP requests on behalf of a remote host.
For example, suppose a host A wants to contact another host B, where B is on a different subnet/broadcast domain than A. Host A sends an ARP request with B's address as the target IP address in its ARP packet. The multi-homed router which is connected to both subnets responds to host A's request with its own MAC address instead of host B's actual MAC address, thus proxying for host B. When host A later sends a packet to the router that is actually destined for host B, the router simply forwards the packet to host B. Hosts A and B are unaware that the router is proxying between them. The process in which a node responds with its own MAC address to an ARP request for a different IP address, for proxying purposes, is sometimes referred to as 'publishing'.
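The exchange described above, as an added simulation that is not part of the original article: a multi-homed router receives host A's ARP request on one interface and decides whether to answer with its own MAC. The router answers for addresses that lie behind one of its other interfaces, stays silent for addresses it has no route to (so it does not blackhole traffic) and for addresses on the requesting segment itself (the requester can reach those directly), and also supports explicitly 'publishing' a single address the way an access server does for a dial-up node. All interface names, addresses and MACs are constructed for the example.

```python
"""Simulation of a multi-homed router answering ARP on behalf of hosts on
another segment (constructed example; not a real ARP implementation).
Interfaces, addresses and MACs below are made up for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class ArpRequest:
    sender_ip: str
    sender_mac: str
    target_ip: str          # "who has target_ip? tell sender_ip"


@dataclass(frozen=True)
class ArpReply:
    ip: str
    mac: str                # "ip is-at mac"


@dataclass(frozen=True)
class Interface:
    name: str
    mac: str
    ip: str
    network: str            # e.g. "192.168.1.0/24"


class ProxyArpRouter:
    def __init__(self, interfaces, proxy_arp: bool = True):
        self.interfaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.proxy_arp = proxy_arp
        # Addresses explicitly 'published' per interface, the way an access
        # server publishes its MAC for a dial-up node's LAN-range address.
        self.published: Dict[str, Set[str]] = {i.name: set() for i in interfaces}

    def publish(self, ifname: str, ip: str) -> None:
        self.published[ifname].add(ip)

    def egress_for(self, target_ip: str) -> Optional[Interface]:
        """Interface whose subnet contains target_ip (the router's route), or None."""
        addr = ip_address(target_ip)
        for iface in self.interfaces.values():
            if addr in ip_network(iface.network, strict=False):
                return iface
        return None

    def handle_arp(self, ingress: str, req: ArpRequest) -> Optional[ArpReply]:
        """Decide whether to answer an ARP request received on interface `ingress`."""
        rx = self.interfaces[ingress]
        target = req.target_ip
        # Ordinary ARP: the request is for the receiving interface's own address.
        if target == rx.ip:
            return ArpReply(target, rx.mac)
        # Explicitly published address (e.g. a dial-up or VPN node behind us).
        if target in self.published[ingress]:
            return ArpReply(target, rx.mac)
        if not self.proxy_arp:
            return None
        egress = self.egress_for(target)
        # No route: stay silent rather than blackhole the traffic.
        # Target on the receiving segment itself: the requester can reach it
        # directly, and answering would shadow the real host.
        if egress is None or egress.name == ingress:
            return None
        # Proxy ARP proper: publish the receiving interface's MAC for a host
        # that lives behind one of our other interfaces.
        return ArpReply(target, rx.mac)

    def forward(self, ingress: str, dst_mac: str, dst_ip: str) -> Optional[str]:
        """Name of the interface a frame addressed to us would be routed out of."""
        if dst_mac != self.interfaces[ingress].mac:
            return None                      # not addressed to this router
        egress = self.egress_for(dst_ip)
        return egress.name if egress else None


def build_demo_router(proxy_arp: bool = True) -> ProxyArpRouter:
    """Router with eth0 on 192.168.1.0/24 and eth1 on 10.0.0.0/24 (constructed)."""
    return ProxyArpRouter([
        Interface("eth0", "02:00:00:00:00:01", "192.168.1.1", "192.168.1.0/24"),
        Interface("eth1", "02:00:00:00:00:02", "10.0.0.1", "10.0.0.0/24"),
    ], proxy_arp=proxy_arp)


def resolve_from_host_a(router: ProxyArpRouter, target_ip: str) -> Optional[str]:
    """Host A (192.168.1.10 on eth0's segment) ARPs for target_ip; returns the MAC learned."""
    req = ArpRequest("192.168.1.10", "02:00:00:00:00:aa", target_ip)
    reply = router.handle_arp("eth0", req)
    return reply.mac if reply else None


if __name__ == "__main__":
    r = build_demo_router()
    mac = resolve_from_host_a(r, "10.0.0.20")   # host B lives behind eth1
    print("A learns", mac, "for 10.0.0.20")
    print("a frame to that MAC is forwarded via", r.forward("eth0", mac, "10.0.0.20"))
```

Host A ends up with the router's eth0 MAC in its ARP cache for B's address, and the frame it then sends is routed out of eth1; neither host sees anything other than a normal ARP reply. Switching `proxy_arp` off, or asking for an address with no route, yields no reply at all.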
Uses
Below are some typical uses for proxy ARP:
;Joining a broadcast LAN with serial links (e.g., dialup or VPN connections): Assume a broadcast domain (e.g., a group of stations connected to the same hub) using a certain IPv4 address range (e.g., 192.168.0.0/24, where 192.168.0.1-192.168.0.127 are assigned to wired nodes). One or more of the stations is an access router accepting dialup or VPN connections. Provided the addresses given to dialup/VPN-connected nodes need to be from the same range (let's assume a dial-up node gets an address of 192.168.0.254 from an access server with LAN IP address 192.168.0.1), Proxy ARP is used to create the 'presence' effect for that node: the access server 'publishes' its MAC for 192.168.0.254, the address of the dial-up node.
;Taking multiple addresses from a LAN: Assume a station (e.g., a server) with an interface (10.0.0.2) connected to a network (10.0.0.0/24). Certain applications may require multiple IP addresses on the server. Provided the addresses have to be from the 10.0.0.0/24 range, the problem is solved through Proxy ARP. Additional addresses (say, 10.0.0.230-10.0.0.240) are aliased to the loopback interface of the server (or assigned to special interfaces, the latter typically being the case with VMware/UML/jails/vservers/other virtual server environments) and 'published' on the 10.0.0.2 interface (although many operating systems allow direct allocation of multiple addresses to one interface, thus eliminating the need for such tricks).
;On a firewall: In this scenario a firewall can be configured with a single IP address. One simple example of a use for this would be placing a firewall in front of a single host or group of hosts on a subnet. Example: a network (10.0.0.0/8) has a server which should be protected (10.0.0.20); a proxy-ARP firewall can be placed in front of the server. In this way the server is put behind a firewall without making any changes to the network at all.
;Mobile-IP: In the case of Mobile-IP, the Home Agent uses Proxy ARP in order to receive messages on behalf of the Mobile Node, so that it can forward the appropriate message to the mobile node's actual address (Care-of Address).
;Transparent subnet gatewaying: A setup that involves two physical segments sharing the same IP subnet and connected together via a router. This use is documented in RFC 1027.
Disadvantages
Disadvantages of Proxy ARP include scalability (ARP resolution is required for every device routed in this manner) and reliability (no fallback mechanism is present, and masquerading can be confusing in some environments). ARP manipulation techniques are, however, the basis for protocols providing redundancy on broadcast networks (e.g., Ethernet), most notably CARP and the Virtual Router Redundancy Protocol.
Proxy ARP can cause a denial of service on a network if misconfigured. For example, a misconfigured router with proxy ARP enabled receives packets destined for other hosts (as it gives its own MAC address in response to ARP requests for other hosts/routers), but may not be able to forward these packets correctly to their final destination, thus blackholing the traffic.
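The blackholing failure above is visible on the wire as one MAC address answering ARP for many IPs, and as a host's address suddenly being advertised with a different MAC. The following audit script is an added example, not part of the original article: it parses ARP reply lines (the sample log is constructed and loosely follows tcpdump's "ARP, Reply <ip> is-at <mac>" wording; the regex would need adjusting for other capture tools) and reports both conditions so an operator can confirm whether the publisher is an intended proxy ARP router or a misconfiguration.

```python
"""Audit of ARP replies seen on a segment to spot a host publishing its MAC
for many IPs, as a misconfigured proxy ARP router does (added example).
The log lines are constructed and loosely follow tcpdump's wording."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Matches the reply form "ARP, Reply <ip> is-at <mac>"; other lines are ignored.
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed capture: 02:00:00:00:00:01 starts answering for addresses that
# belong to other hosts, including 10.0.0.20, which first replied for itself.
SAMPLE_LOG = """\
12:00:01.000 ARP, Request who-has 10.0.0.20 tell 10.0.0.7, length 28
12:00:01.001 ARP, Reply 10.0.0.20 is-at 02:00:00:00:00:20, length 28
12:00:02.000 ARP, Reply 10.0.0.1 is-at 02:00:00:00:00:01, length 28
12:00:03.000 ARP, Reply 10.0.0.21 is-at 02:00:00:00:00:01, length 28
12:00:04.000 ARP, Reply 10.0.0.22 is-at 02:00:00:00:00:01, length 28
12:00:05.000 ARP, Reply 10.0.0.23 is-at 02:00:00:00:00:01, length 28
12:00:06.000 ARP, Reply 10.0.0.20 is-at 02:00:00:00:00:01, length 28
12:00:07.000 garbage line that should be ignored
"""


def parse_arp_replies(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from reply lines, in capture order."""
    pairs = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def macs_answering_for_many(pairs, threshold: int = 3) -> Dict[str, Set[str]]:
    """MACs that claim at least `threshold` distinct IPs: a proxy ARP publisher
    (intended or not) or a spoofer; either way worth a look."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in pairs:
        claims[mac].add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) >= threshold}


def ip_to_mac_changes(pairs) -> Dict[str, List[str]]:
    """IPs whose advertised MAC changed during the capture, with the MAC sequence.
    A real host's address being taken over by a proxy shows up here."""
    seen: Dict[str, List[str]] = {}
    for ip, mac in pairs:
        hist = seen.setdefault(ip, [])
        if not hist or hist[-1] != mac:
            hist.append(mac)
    return {ip: hist for ip, hist in seen.items() if len(hist) > 1}


def audit(text: str, threshold: int = 3) -> Dict[str, object]:
    """Run both checks over a capture and return the findings."""
    pairs = parse_arp_replies(text)
    return {
        "replies": len(pairs),
        "publishers": macs_answering_for_many(pairs, threshold),
        "changed": ip_to_mac_changes(pairs),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

On the sample capture the audit reports 02:00:00:00:00:01 as publishing five addresses and 10.0.0.20 as having moved from its own MAC to the publisher's. On a segment with a legitimate proxy ARP router the first finding is expected; the second is the one to investigate, since it means traffic for a host on the same segment is now being pulled toward the publisher.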
Further reading
* RFC 925 - Multi-LAN Address Resolution
* RFC 1027 - Using ARP to Implement Transparent Subnet Gateways
* W. Richard Stevens. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley Professional; 1st edition (December 31, 1993). ISBN 0-201-63346-9
* [http://www.osischool.com/protocol/arp/proxy/index.php ARP Proxy demo]
Wikimedia Foundation. 2010.