Proxy ARP
{{short description|Technique by which a proxy device answers ARP queries for an IP address that is not on its network}}
'''Proxy ARP''' is a technique by which a [[proxy server]] on a given network answers the [[Address Resolution Protocol]] (ARP) queries for an [[IP address]] that is not on that network. The proxy is aware of the location of the traffic's destination and offers its own [[MAC address]] as the (ostensibly final) destination.<ref>{{cite web |url=https://www.itworld.com/article/2794563/data-center/arp-networking-tricks.html |title=ARP networking tricks |date=October 10, 2001 |author=Hal Stern |publisher=ITworld |access-date=November 3, 2017 |archive-date=November 7, 2017 |archive-url=https://web.archive.org/web/20171107023310/https://www.itworld.com/article/2794563/data-center/arp-networking-tricks.html |url-status=live }}</ref> The traffic directed to the proxy address is then typically routed by the proxy to the intended destination via another interface or via a [[Tunneling protocol|tunnel]].

The process, which results in the proxy server responding with its own MAC address to an ARP request for a different IP address for proxying purposes, is sometimes referred to as ''publishing''.

==Uses==
Below are some typical uses for proxy ARP:

;Joining a broadcast LAN with [[serial communications|serial]] links (e.g., [[dial-up access|dialup]] or [[virtual private network|VPN]] connections).
:Assume an Ethernet broadcast domain (e.g., a group of stations connected to the same hub or switch (VLAN)) using a certain IPv4 address range (e.g., 192.168.0.0/24, where 192.168.0.1 – 192.168.0.127 are assigned to wired nodes). One or more of the nodes is an [[router (computing)|access router]] accepting dialup or VPN connections. The access router gives the dial-up nodes IP addresses in the range 192.168.0.128 – 192.168.0.254; for this example, assume a dial-up node gets IP address 192.168.0.254.
:The access router uses proxy ARP to make the dial-up node present in the subnet without being wired into the Ethernet: the access router 'publishes' its own MAC address for 192.168.0.254. Now, when another node wired into the Ethernet wants to talk to the dial-up node, it will ask on the network for the MAC address of 192.168.0.254 and find the access router's MAC address. It will therefore send its IP packets to the access router, and the access router will know to pass them on to the particular dial-up node. All dial-up nodes therefore appear to the wired Ethernet nodes as if they are wired into the same Ethernet subnet.
;Taking multiple addresses from a LAN
:Assume a station (e.g., a server) with an interface (10.0.0.2) connected to a network (10.0.0.0/24). Certain applications may require multiple IP addresses on the server. If the addresses have to be from the 10.0.0.0/24 range, the problem is solved through proxy ARP. Additional addresses (say, 10.0.0.230–10.0.0.240) are [[IP aliasing|aliased]] to the [[loopback]] interface of the server (or assigned to special interfaces, the latter typically being the case with [[VMware]]/[[User-mode Linux|UML]]/[[Operating-system-level virtualization|jails]]/[[Linux-VServer|vservers]]/other virtual server environments) and 'published' on the 10.0.0.2 interface (although many operating systems allow direct allocation of multiple addresses to one interface, thus eliminating the need for such workarounds).
;On a firewall
:In this scenario a firewall can be configured with a single IP address. One simple example of a use for this would be placing a firewall in front of a single host or group of hosts on a subnetwork. Example: A network (10.0.0.0/8) has a server (10.0.0.20) that should be protected. A proxy ARP firewall can be placed in front of the server. In this way the server is put behind a firewall without having to make any further changes to the network.
;Mobile-IP
:In the case of [[Mobile IP|Mobile-IP]], the Home Agent uses proxy ARP in order to receive messages on behalf of the Mobile Node so that it can forward the appropriate message to the actual mobile node's address ([[Care-of address]]).
;Transparent subnet gatewaying
:A setup that involves two physical segments sharing the same IP subnet and connected together via a [[router (computing)|router]]. This use is documented in RFC 1027.
;Redundancy
:ARP manipulation techniques are the basis for protocols providing [[redundancy (engineering)|redundancy]] on broadcast networks (e.g., [[Ethernet]]), most notably [[Common Address Redundancy Protocol]] and [[Virtual Router Redundancy Protocol]].

==Disadvantages==
Disadvantages of proxy ARP include scalability, as ARP resolution by a proxy is required for every device routed in this manner; reliability, as no fallback mechanism is present; and masquerading, which can be confusing in some environments.

Proxy ARP can create DoS attacks on networks if misconfigured. For example, a misconfigured router with proxy ARP has the ability to receive packets destined for other hosts (as it gives its own MAC address in response to ARP requests for other hosts/routers), but may not have the ability to correctly forward these packets on to their final destination, thus blackholing the traffic.

Proxy ARP can hide device misconfigurations, such as a missing or incorrect [[default gateway]].
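
The effects described above are visible in a host's neighbour table: a publishing device shows up as one MAC address resolving many IP addresses, and a host with a wrong mask or missing default gateway holds ARP entries for addresses outside its own subnet. The following check is an added example, not part of the original article; the sample table, MAC addresses and function names are constructed for illustration, and it assumes the line format printed by Linux <code>ip -4 neigh show</code>.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -4 neigh show` output from a wired host at
# 192.168.0.10/24; the MAC addresses are made up for illustration.
SAMPLE_NEIGH = """\
192.168.0.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.0.20 dev eth0 lladdr 02:00:00:00:00:14 STALE
192.168.0.200 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.0.254 dev eth0 lladdr 02:00:00:00:00:01 STALE
192.168.0.77 dev eth0 FAILED
10.9.8.7 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
"""

def parse_neigh(text):
    """Yield (ip, mac) for entries that actually resolved to a MAC."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or "lladdr" not in fields:
            continue  # FAILED / INCOMPLETE entries carry no MAC
        mac = fields[fields.index("lladdr") + 1].lower()
        yield ipaddress.ip_address(fields[0]), mac

def find_proxy_arp(text, local_net, min_ips=2):
    """Return (shared, off_link).

    shared:   {mac: [ips]} for MACs answering for at least min_ips
              addresses, the footprint of a device 'publishing' its MAC.
    off_link: IPs outside local_net that still got an ARP answer, i.e.
              this host ARPed for a remote address (wrong mask or missing
              default gateway) and a proxy replied.
    """
    net = ipaddress.ip_network(local_net)
    by_mac = defaultdict(list)
    off_link = []
    for ip, mac in parse_neigh(text):
        by_mac[mac].append(str(ip))
        if ip not in net:
            off_link.append(str(ip))
    shared = {m: ips for m, ips in by_mac.items() if len(ips) >= min_ips}
    return shared, off_link

if __name__ == "__main__":
    shared, off_link = find_proxy_arp(SAMPLE_NEIGH, "192.168.0.0/24")
    for mac, ips in shared.items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    for ip in off_link:
        print(f"off-link address resolved via ARP: {ip}")
```

A shared MAC is also what IP aliasing and redundancy protocols such as CARP or VRRP look like, so each hit should be compared against the devices that are expected to publish addresses.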
== Implementations ==
* [[OpenBSD]] implements proxy ARP.<ref>{{cite web| url = https://man.openbsd.org/arp.8| title = arp(8) man page| access-date = 2019-08-09| archive-date = 2019-06-27| archive-url = https://web.archive.org/web/20190627231913/https://man.openbsd.org/arp.8| url-status = live}}</ref>
* [[Linux]] implements proxy ARP.<ref>{{cite web| url = https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.bridging.proxy-arp.html| title = Pseudo-bridges with Proxy-ARP| access-date = 2022-12-06| archive-date = 2022-12-06| archive-url = https://web.archive.org/web/20221206214000/https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.bridging.proxy-arp.html| url-status = live}}</ref>

==References==
{{Reflist}}

==Further reading==
* {{cite IETF |RFC=925 |title=Multi-LAN Address Resolution}}
* {{cite IETF |RFC=1027 |title=Using ARP to Implement Transparent Subnet Gateways}}
* [[W. Richard Stevens]]. The Protocols (TCP/IP Illustrated, Volume 1). Addison-Wesley Professional; 1st edition (December 31, 1993). {{ISBN|0-201-63346-9}}

[[Category:Internet protocols]]
[[Category:Internet Standards]]

[[de:Address Resolution Protocol#Proxy ARP]]