Address Resolution Protocol - Case Study

8/2/2019 Address Resolution Protocol - Case Study

1/16

T.Z.A.S.P. MANDALS

PRAGATI COLLEGE OF ARTS, COMMERCE AND SCIENCE

T. Y. B. Sc. (I.T.)

CERTIFICATE

THIS IS TO CERTIFY THAT MR. CHETAN C. KAKHANDKI HAS COMPLETED THE CASE STUDY

OF INTERNET TECHNOLOGY SATISFACTORILY DURING THE ACADEMICYEAR 2011-2012.

DATE: 3-MARCH-2012

PROFESSOR IN-CHARGE

(B.Sc.IT)


2/16

T.Z.A.S.P. MANDALS

PRAGATI COLLEGE OF ARTS, COMMERCE AND SCIENCE

Internet Technology

A CASE STUDY REPORT ON

PRESENTATION ON: ARP

ABLY GUIDED BY MRS.VAISHALI GUJARE

T.Y.B.Sc.IT

SUBMITTED BY

MR. CHETAN C. KAKHANDKI

ROLL NO. 31


3/16

INDEX

Sr.No TOPIC NAME Page No

1. ARP 4

2. Variants Of ARP Protocol 5

3. Comparison between ARP & inARP 6

4. Packet Structure 7

5. The Problems 10

6. Packet Generation 11

7. Packet Reception 13

8. ARP Request & ARP Reply 14

9. Proxy ARP 15

10. Vulnerabilities Of ARP 16


4/16

Address Resolution Protocol (ARP)

In computer networking, the Address Resolution Protocol (ARP) isthe method for finding a host's hardware address when only its

network layer address is known. Due to the overwhelming prevalence

of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to

Ethernet MAC addresses. It is also used for IP over other LAN

technologies, such as Token Ring, FDDI, or IEEE 802.11, and for IP over

ATM.

ARP is used in four cases of two hosts communicating:1. When two hosts are on the same network and one desires

to send a packet to the other

2. When two hosts are on different networks and must use agateway/router to reach the other host

3. When a router needs to forward a packet for one hostthrough another router

4. When a router needs to forward a packet from one host tothe destination host on the same network

The first case is used when two hosts are on the same physical network

(that is, they can directly communicate without going through a router).

The last three cases are the most used over the Internet as two

computers on the internet are typically separated by more than 3 hops.

Imagine computer A sends a packet to computer D and there are two

routers, B & C, between them. Case 2 covers A sending to B; case 3

covers B sending to C; and case 4 covers C sending to D.

Address Resolution Protocol is defined mainly by RFC 826. Within

Ethernet ARP, there are four types of messages. ARP request: A request

for the destination hardware address that is typically sent to all hosts.

ARP reply: In response, this gives the host the hardware address of the


5/16

destination host. RARP request: Known as Reverse ARP request, this

requests the IP address of a known MAC address. RARP reply: The

response gives the IP address from a requested hardware address

Variants of the ARP protocol

1. ARP was not originally designed as an IP-only protocolalthough today it is primarily used to map IP addresses to

MAC addresses.

2. ARP can be used to resolve MAC addresses to manydifferent Layer 3 protocols addresses. ARP has also been

adapted to resolve other kinds of Layer 2 addresses; for

example, ATMARP is used to resolve ATM NSAP addresses in

the Classical IP over ATM protocol.

3.ARP Mediation

ARP Mediation refers to the process of resolving Layer 2

addresses when different resolution protocols are used on either

circuit, for e.g. ATM on one end and Ethernet on the other.

Inverse ARP

The Inverse Address Resolution Protocol, also known as Inverse

ARP or InARP, is a protocol used for obtaining Layer 3 addresses (e.g. IP

addresses) of other stations from

Layer 2 addresses (e.g. the DLCI in Frame Relay networks). It is primarily

used in Frame Relay and ATM networks, where Layer 2 addresses ofvirtual circuits are sometimes obtained from Layer 2 signaling, and the

corresponding Layer 3 addresses must be available before these virtual

circuits can be used.


6/16

Comparison between ARP and InARP

ARP translates Layer 3 addresses to Layer 2 addresses, therefore

InARP can be viewed as its inverse. In addition, InARP is actually

implemented as an extension to ARP. The packet formats are the same,

only the operation code and the filled fields differ.

Reverse ARP (RARP), like InARP, also translates Layer 2 addresses

to Layer 3 addresses. However, RARP is used to obtain the Layer 3address of the requesting station itself, while in InARP the requesting

station already knows its own Layer 2 and Layer 3 addresses, and it is

querying the Layer 3 address of another station. RARP has since been

abandoned in favor of BOOTP which was subsequently replaced by

DHCP.


7/16

Packet structure

The following is the packet structure used for ARP requests and

replies. On Ethernet networks, these packets use an EtherType of

0x0806, and are sent to the broadcast MAC address of

FF:FF:FF:FF:FF:FF. Note that the packet structure shown in the table has

SHA, SPA, THA, & TPA as 32-bit words but this is just for convenience

their actual lengths are determined by the hardware & protocol length

fields.

ARP PACKET


8/16

y Hardware type (HTYPE): Each data link layer protocol is assigneda number used in this field. For example, Ethernet is 1.

y Protocol type (PTYPE): Each protocol is assigned a number used inthis field. For example, IPv4 is 0x0800.

y Hardware length (HLEN): Length in bytes of a hardware address.Ethernet addresses are 6 bytes long.

y Protocol length (PLEN): Length in bytes of a logical address. IPv4address are 4 bytes long.Operation specifies the operation thesender is performing:1 for request, and 2 for reply.

y Sender hardware addresses (SHA): Hardware address of thesender.

y Sender protocol address (SPA): Protocol address of the sendery Target hardware address (THA): Hardware address of the

intended receiver. This field is zero on request.

y Target protocol address (TPA): Protocol address of the intendedreceiver.

Request

+ Bits 0 - 7 8 - 15 16 - 31

0 Hardware type = 1 Protocol type = 0x0800

32 Hardware length = 6 Protocol length = 4 Operation = 164 SHA (first 32 bits) = 0x000958D8

96 SHA (last 16 bits) = 0x1122 SPA (first 16 bits) = 0x0A0A

128 SPA (last 16 bits) = 0x0A7B THA (first 16 bits) = 0x0000

160 THA (last 32 bits) = 0x00000000


9/16

192 TPA = 0x0A0A0A8C

If a host with IPv4 address of 10.10.10.123 and MAC address of

00:09:58:D8:11:22 wants to send a packet to another host at

10.10.10.140 but it does not know the MAC address then it must send

an ARP request to discover the address. The packet shown shows what

would be broadcast over the local network. If the host 10.10.10.140 is

running and available then it would receive the ARP request and send

the appropriate reply.

Reply

+ Bits 0 - 7 8 - 15 16 - 31

0 Hardware type = 1 Protocol type = 0x0800

32 Hardware length = 6 Protocol length = 4 Operation = 2

64 SHA (first 32 bits) = 0x000958D8

96 SHA (last 16 bits) = 0x33AA SPA (first 16 bits) = 0x0A0A

128 SPA (last 16 bits) = 0x0A8C THA (first 16 bits) = 0x0009

160 THA (last 32 bits) = 0x58D81122

192 TPA = 0x0A0A0A7B

Given the scenario laid out in the request section, if the host

10.10.10.140 has a MAC address of 00:09:58:D8:33:AA then it would

send the shown reply packet. Note that the sender and target address

blocks have been swapped (the sender of the reply is the target of the

request; the target of the reply is the sender of the request).

Furthermore the host 10.10.10.140 has filled in its MAC address in the

sender hardware address.

Any hosts on the same network as these two hosts would also see

the request (since it is a Broadcast) so they are able to cache

information about the source of the request. The ARP reply (if any) is

directed only to the originator of the request so information in the ARP

reply is not available to other hosts on the same network


10/16

The Problem:

The world is a jungle in general, and the networking game contributes

many animals. At nearly every layer of network architecture there are

several potential protocols that could be used. For example, at a high

level, there is TELNET and SUPDUP for remote login. Somewhere below

that there is a reliable byte stream protocol, which might be CHAOS

protocol, DOD TCP, Xerox BSP or DECnet. Even closer to the hardware

is the logical transport layer, which might be CHAOS, DOD Internet,

Xerox PUP, or DECnet. The 10Mbit Ethernet allows all of these

protocols (and more) to coexist on a single cable by means of a type

field in the Ethernet packet header. However, the 10Mbit Ethernet

requires 48.bit addresses on the physical cable, yet most protocol

addresses are not 48.bits long, nor do they necessarily have any

relationship to the 48.bit Ethernet address of the hardware. For

example, CHAOS addresses are 16.bits, DOD Internet addresses are

32.bits, and Xerox PUP addresses are 8.bits. A protocol is needed to

dynamically distribute the correspondences between a pair and a 48.bit Ethernet address.

Motivation:

Use of the 10Mbit Ethernet is increasing as more manufacturers

supply interfaces that conform to the specification published by DEC,

Intel and Xerox. With this increasing availability, more and more

software is being written for these interfaces. There are two

alternatives: (1) Every implementor invents his/her own method to do

some form of address resolution, or (2) every implementor uses astandard so that his/her code can be

distributed to other systems without need for modification. This

proposal attempts to set the standard.


11/16

Definitions:

Define the following for referring to the values put in the TYPE

field of the Ethernet packet header:

ether_type$XEROX_PUP,

ether_type$DOD_INTERNET,

ether_type$CHAOS,

and a new one:

ether_type$ADDRESS_RESOLUTION.

Also define the following values (to be discussed later):

ares_op$REQUEST (= 1, high byte transmitted first) and

ares_op$REPLY (= 2),

and

ares_hrd$Ethernet (= 1).

Packet Generation:

As a packet is sent down through the network layers, routing

determines the protocol address of the next hop for the packet and on

which piece of hardware it expects to find the station with theimmediate target protocol address. In the case of the 10Mbit Ethernet,

address resolution is needed and some lower layer (probably the

hardware driver) must consult the Address Resolution module (perhaps

implemented in the Ethernet support module) to convert the pair to a 48.bit Ethernet address. The

Address Resolution module tries to find this pair in a table. If it finds

the pair, it gives the corresponding 48.bit Ethernet address back to the

caller(hardware driver) which then transmits the packet. If it does not, it

probably informs the caller that it is throwing the packet away (on the

assumption the packet will be retransmitted by a higher network layer),

and generates an Ethernet packet with a type field of

ether_type$ADDRESS_RESOLUTION. The Address Resolution module


12/16

then sets the ar$hrd field to ares_hrd$Ethernet, ar$pro to the protocol

type that is being resolved, ar$hln to 6 (the number of bytes in a 48.bit

Ethernet address), ar$pln to the length of an address in that protocol,

ar$op to ares_op$REQUEST, ar$sha with the 48.bit ethernet address of

itself, ar$spa with the protocol address of itself, and ar$tpa with the

protocol address of the machine that is trying to be accessed. It does

not set ar$tha to anything in particular, because it is this value that it is

trying to determine. It

could set ar$tha to the broadcast address for the hardware (all ones in

the case of the 10Mbit Ethernet) if that makes it convenient for some

aspect of the implementation. It then causes this packet to be

broadcast to all stations on the Ethernet cable originally determined by

the routing mechanism.


13/16

Packet Reception:

When an address resolution packet is received, the receiving Ethernet

module gives the packet to the Address Resolution module which goes

through an algorithm similar to the following. Negative conditionals

indicate an end of processing and a discarding of the packet.


14/16

ARP Request:

Argon broadcasts an ARP request to all stations on the network: What

is the hardware address of Router137?

ARP REQUEST

ARP Reply:

Router 137 responds with an ARP Reply which contains the hardware

address.

Argon

00:a0:24:71:e4:44

Router137

128.143.137.100:e0:f9:23:a8:20

ARP Reply:

The MAC address of 128.143.71.1

is 00:e0:f9:23:a8:20

Argon

128.143.137.14400:a0:24:71:e4:44

Router137

128.143.137.100:e0:f9:23:a8:20

ARP Request:

What is the MAC address

of 128.143.71.1?

(a) ARP Request.

(b) ARP Reply.

Argon

00:a0:24:71:e4:44

Router137

128.143.137.1

00:e0:f9:23:a8:20

ARP Reply:

The MAC address of 128.143.71.1

is 00:e0:f9:23:a8:20

Argon

128.143.137.144

00:a0:24:71:e4:44

Router137

128.143.137.1

00:e0:f9:23:a8:20

ARP Request:


of 128.143.71.1?

(a) ARP Request.

(b) ARP Reply.


15/16

Proxy ARP:

Host or router responds to ARP Request that arrives from one of its

connected networks for a host that is on another of its connected

networks.

Advantages of Proxy ARP

The main advantage of proxy ARP is that it can be added to a single

router on a network and does not disturb the routing tables of the

other routers on the network.

Proxy ARP must be used on the network where IP hosts are not

configured with a default gateway or do not have any routing

intelligence.

128.143.137.1/16

00:e0:f9:23:a8:20128.143.71.1/24

128.143.0.0/16Subnet

128.143.71.0/24Subnet

Router137

ARP Request:


of 128.143.71.21?

128.143.137.144/16128.143.171.21/24

00:20:af:03:98:28

Argon Neon

ARP Reply:

The MAC address of

128.143.71.21 is

00:e0:f9:23:a8:20


16/16

Disadvantages of Proxy ARP

y It increases the amount of ARP traffic on your segment.y Hosts need larger ARP tables in order to handle IP-to-MAC

address mappings.y Security can be undermined. A machine can claim to be another in

order to intercept packets, an act called "spoofing."

y It does not work for networks that do not use ARP for addressresolution.

y It does not generalize to all network topologies. For example,more than one router that connects two physical networks.

Vulnerabilities of ARP

1.Since ARP does not authenticate requests or replies, ARPRequests and replies can be forged

2.ARP is stateless: ARP Replies can be sent without a correspondingARP Request

3.According to the ARP protocol specification, a node receiving anARP packet (Request or Reply) must update its local ARP cache

with the information in the source fields, if the receiving node

already has an entry for the IP address of the source in its ARP

cache. (This applies for ARP Request packets and for ARP Reply

packets).

Typical exploitation of these vulnerabilities:

y A forged ARP Request or Reply can be used to update the ARPcache of a remote system with a forged entry (ARP Poisoning)

y This can be used to redirect IP traffic to other hosts.

Address Resolution Protocol - Case Study

Documents

Transcript of Address Resolution Protocol - Case Study