Address Resolution Protocol - Case Study
8/2/2019 Address Resolution Protocol - Case Study
1/16
T.Z.A.S.P. MANDALS
PRAGATI COLLEGE OF ARTS, COMMERCE AND SCIENCE
T. Y. B. Sc. (I.T.)
CERTIFICATE
THIS IS TO CERTIFY THAT MR. CHETAN C. KAKHANDKI HAS COMPLETED THE CASE STUDY
OF INTERNET TECHNOLOGY SATISFACTORILY DURING THE ACADEMIC YEAR 2011-2012.
DATE: 3-MARCH-2012
PROFESSOR IN-CHARGE
(B.Sc.IT)
T.Z.A.S.P. MANDALS
PRAGATI COLLEGE OF ARTS, COMMERCE AND SCIENCE
Internet Technology
A CASE STUDY REPORT ON
PRESENTATION ON: ARP
ABLY GUIDED BY MRS.VAISHALI GUJARE
T.Y.B.Sc.IT
SUBMITTED BY
MR. CHETAN C. KAKHANDKI
ROLL NO. 31
INDEX
Sr.No TOPIC NAME Page No
1. ARP 4
2. Variants Of ARP Protocol 5
3. Comparison between ARP & inARP 6
4. Packet Structure 7
5. The Problems 10
6. Packet Generation 11
7. Packet Reception 13
8. ARP Request & ARP Reply 14
9. Proxy ARP 15
10. Vulnerabilities Of ARP 16
Address Resolution Protocol (ARP)
In computer networking, the Address Resolution Protocol (ARP) is the method for finding a host's hardware address when only its network layer address is known. Due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to Ethernet MAC addresses. It is also used for IP over other LAN technologies, such as Token Ring, FDDI, or IEEE 802.11, and for IP over ATM.
ARP is used in four cases of two hosts communicating:
1. When two hosts are on the same network and one desires to send a packet to the other
2. When two hosts are on different networks and must use a gateway/router to reach the other host
3. When a router needs to forward a packet for one host through another router
4. When a router needs to forward a packet from one host to the destination host on the same network
The first case is used when two hosts are on the same physical network
(that is, they can directly communicate without going through a router).
The last three cases are the most used over the Internet as two
computers on the internet are typically separated by more than 3 hops.
Imagine computer A sends a packet to computer D and there are two
routers, B & C, between them. Case 2 covers A sending to B; case 3
covers B sending to C; and case 4 covers C sending to D.
Address Resolution Protocol is defined mainly by RFC 826. Within Ethernet ARP, there are four types of messages:
ARP request: A request for the destination hardware address that is typically sent to all hosts.
ARP reply: In response, this gives the host the hardware address of the destination host.
RARP request: Known as Reverse ARP request, this requests the IP address of a known MAC address.
RARP reply: The response gives the IP address from a requested hardware address.
Variants of the ARP protocol
1. ARP was not originally designed as an IP-only protocol, although today it is primarily used to map IP addresses to MAC addresses.
2. ARP can be used to resolve MAC addresses to many different Layer 3 protocol addresses. ARP has also been adapted to resolve other kinds of Layer 2 addresses; for example, ATMARP is used to resolve ATM NSAP addresses in the Classical IP over ATM protocol.
3. ARP Mediation
ARP Mediation refers to the process of resolving Layer 2 addresses when different resolution protocols are used on either circuit, e.g. ATM on one end and Ethernet on the other.
Inverse ARP
The Inverse Address Resolution Protocol, also known as Inverse ARP or InARP, is a protocol used for obtaining Layer 3 addresses (e.g. IP addresses) of other stations from Layer 2 addresses (e.g. the DLCI in Frame Relay networks). It is primarily used in Frame Relay and ATM networks, where Layer 2 addresses of virtual circuits are sometimes obtained from Layer 2 signaling, and the corresponding Layer 3 addresses must be available before these virtual circuits can be used.
Comparison between ARP and InARP
ARP translates Layer 3 addresses to Layer 2 addresses, therefore
InARP can be viewed as its inverse. In addition, InARP is actually
implemented as an extension to ARP. The packet formats are the same,
only the operation code and the filled fields differ.
Reverse ARP (RARP), like InARP, also translates Layer 2 addresses to Layer 3 addresses. However, RARP is used to obtain the Layer 3 address of the requesting station itself, while in InARP the requesting station already knows its own Layer 2 and Layer 3 addresses, and it is querying the Layer 3 address of another station. RARP has since been abandoned in favor of BOOTP, which was subsequently replaced by DHCP.
Packet structure
The following is the packet structure used for ARP requests and replies. On Ethernet networks, these packets use an EtherType of 0x0806, and are sent to the broadcast MAC address of FF:FF:FF:FF:FF:FF. Note that the packet structure shown in the table has SHA, SPA, THA, and TPA as 32-bit words, but this is just for convenience; their actual lengths are determined by the hardware and protocol length fields.
ARP PACKET
- Hardware type (HTYPE): Each data link layer protocol is assigned a number used in this field. For example, Ethernet is 1.
- Protocol type (PTYPE): Each protocol is assigned a number used in this field. For example, IPv4 is 0x0800.
- Hardware length (HLEN): Length in bytes of a hardware address. Ethernet addresses are 6 bytes long.
- Protocol length (PLEN): Length in bytes of a logical address. IPv4 addresses are 4 bytes long.
- Operation: Specifies the operation the sender is performing: 1 for request, and 2 for reply.
- Sender hardware address (SHA): Hardware address of the sender.
- Sender protocol address (SPA): Protocol address of the sender.
- Target hardware address (THA): Hardware address of the intended receiver. This field is zero on request.
- Target protocol address (TPA): Protocol address of the intended receiver.
Request

Bit offset | Bits 0 - 7          | Bits 8 - 15         | Bits 16 - 31
0          | Hardware type = 1                         | Protocol type = 0x0800
32         | Hardware length = 6 | Protocol length = 4 | Operation = 1
64         | SHA (first 32 bits) = 0x000958D8
96         | SHA (last 16 bits) = 0x1122               | SPA (first 16 bits) = 0x0A0A
128        | SPA (last 16 bits) = 0x0A7B               | THA (first 16 bits) = 0x0000
160        | THA (last 32 bits) = 0x00000000
192        | TPA = 0x0A0A0A8C
If a host with IPv4 address 10.10.10.123 and MAC address 00:09:58:D8:11:22 wants to send a packet to another host at 10.10.10.140 but does not know its MAC address, then it must send an ARP request to discover the address. The packet shown is what would be broadcast over the local network. If the host 10.10.10.140 is running and available, then it would receive the ARP request and send the appropriate reply.
Reply

Bit offset | Bits 0 - 7          | Bits 8 - 15         | Bits 16 - 31
0          | Hardware type = 1                         | Protocol type = 0x0800
32         | Hardware length = 6 | Protocol length = 4 | Operation = 2
64         | SHA (first 32 bits) = 0x000958D8
96         | SHA (last 16 bits) = 0x33AA               | SPA (first 16 bits) = 0x0A0A
128        | SPA (last 16 bits) = 0x0A8C               | THA (first 16 bits) = 0x0009
160        | THA (last 32 bits) = 0x58D81122
192        | TPA = 0x0A0A0A7B
Given the scenario laid out in the request section, if the host
10.10.10.140 has a MAC address of 00:09:58:D8:33:AA then it would
send the shown reply packet. Note that the sender and target address
blocks have been swapped (the sender of the reply is the target of the
request; the target of the reply is the sender of the request).
Furthermore the host 10.10.10.140 has filled in its MAC address in the
sender hardware address.
Any hosts on the same network as these two hosts would also see the request (since it is a broadcast), so they are able to cache information about the source of the request. The ARP reply (if any) is directed only to the originator of the request, so information in the ARP reply is not available to other hosts on the same network.
The Problem:
The world is a jungle in general, and the networking game contributes many animals. At nearly every layer of network architecture there are several potential protocols that could be used. For example, at a high level, there is TELNET and SUPDUP for remote login. Somewhere below that there is a reliable byte stream protocol, which might be CHAOS protocol, DOD TCP, Xerox BSP or DECnet. Even closer to the hardware is the logical transport layer, which might be CHAOS, DOD Internet, Xerox PUP, or DECnet. The 10Mbit Ethernet allows all of these protocols (and more) to coexist on a single cable by means of a type field in the Ethernet packet header. However, the 10Mbit Ethernet requires 48-bit addresses on the physical cable, yet most protocol addresses are not 48 bits long, nor do they necessarily have any relationship to the 48-bit Ethernet address of the hardware. For example, CHAOS addresses are 16 bits, DOD Internet addresses are 32 bits, and Xerox PUP addresses are 8 bits. A protocol is needed to dynamically distribute the correspondences between a <protocol, address> pair and a 48-bit Ethernet address.
Motivation:
Use of the 10Mbit Ethernet is increasing as more manufacturers supply interfaces that conform to the specification published by DEC, Intel and Xerox. With this increasing availability, more and more software is being written for these interfaces. There are two alternatives: (1) every implementor invents his/her own method to do some form of address resolution, or (2) every implementor uses a standard so that his/her code can be distributed to other systems without need for modification. This proposal attempts to set the standard.
Definitions:
Define the following for referring to the values put in the TYPE
field of the Ethernet packet header:
ether_type$XEROX_PUP,
ether_type$DOD_INTERNET,
ether_type$CHAOS,
and a new one:
ether_type$ADDRESS_RESOLUTION.
Also define the following values (to be discussed later):
ares_op$REQUEST (= 1, high byte transmitted first) and
ares_op$REPLY (= 2),
and
ares_hrd$Ethernet (= 1).
Packet Generation:
As a packet is sent down through the network layers, routing determines the protocol address of the next hop for the packet and on which piece of hardware it expects to find the station with the immediate target protocol address. In the case of the 10Mbit Ethernet, address resolution is needed and some lower layer (probably the hardware driver) must consult the Address Resolution module (perhaps implemented in the Ethernet support module) to convert the <protocol type, target protocol address> pair to a 48-bit Ethernet address. The Address Resolution module tries to find this pair in a table. If it finds the pair, it gives the corresponding 48-bit Ethernet address back to the caller (the hardware driver), which then transmits the packet. If it does not, it probably informs the caller that it is throwing the packet away (on the assumption the packet will be retransmitted by a higher network layer), and generates an Ethernet packet with a type field of ether_type$ADDRESS_RESOLUTION. The Address Resolution module
then sets the ar$hrd field to ares_hrd$Ethernet, ar$pro to the protocol type that is being resolved, ar$hln to 6 (the number of bytes in a 48-bit Ethernet address), ar$pln to the length of an address in that protocol, ar$op to ares_op$REQUEST, ar$sha with the 48-bit Ethernet address of itself, ar$spa with the protocol address of itself, and ar$tpa with the protocol address of the machine that is trying to be accessed. It does not set ar$tha to anything in particular, because it is this value that it is trying to determine. It could set ar$tha to the broadcast address for the hardware (all ones in the case of the 10Mbit Ethernet) if that makes it convenient for some aspect of the implementation. It then causes this packet to be broadcast to all stations on the Ethernet cable originally determined by the routing mechanism.
Packet Reception:
When an address resolution packet is received, the receiving Ethernet
module gives the packet to the Address Resolution module which goes
through an algorithm similar to the following. Negative conditionals
indicate an end of processing and a discarding of the packet.
ARP Request:
Argon broadcasts an ARP request to all stations on the network: What is the hardware address of Router137?
ARP Reply:
Router137 responds with an ARP Reply which contains the hardware address.
[Figure: (a) ARP Request and (b) ARP Reply between Argon (128.143.137.144, 00:a0:24:71:e4:44) and Router137 (128.143.137.1, 00:e0:f9:23:a8:20). (a) ARP Request: "What is the MAC address of 128.143.71.1?" (b) ARP Reply: "The MAC address of 128.143.71.1 is 00:e0:f9:23:a8:20".]
Proxy ARP:
A host or router responds to an ARP Request that arrives from one of its connected networks for a host that is on another of its connected networks.
Advantages of Proxy ARP
The main advantage of proxy ARP is that it can be added to a single router on a network and does not disturb the routing tables of the other routers on the network.
Proxy ARP must be used on networks where IP hosts are not configured with a default gateway or do not have any routing intelligence.
[Figure: Proxy ARP. Router137 (00:e0:f9:23:a8:20) has interface 128.143.137.1/16 on subnet 128.143.0.0/16 and interface 128.143.71.1/24 on subnet 128.143.71.0/24. Argon (128.143.137.144/16) is on the /16 subnet; Neon (128.143.71.21/24, 00:20:af:03:98:28) is on the /24 subnet. ARP Request from Argon: "What is the MAC address of 128.143.71.21?" ARP Reply from Router137: "The MAC address of 128.143.71.21 is 00:e0:f9:23:a8:20".]
Disadvantages of Proxy ARP
- It increases the amount of ARP traffic on your segment.
- Hosts need larger ARP tables in order to handle IP-to-MAC address mappings.
- Security can be undermined. A machine can claim to be another in order to intercept packets, an act called "spoofing."
- It does not work for networks that do not use ARP for address resolution.
- It does not generalize to all network topologies. For example, more than one router that connects two physical networks.
Vulnerabilities of ARP
1. Since ARP does not authenticate requests or replies, ARP Requests and Replies can be forged.
2. ARP is stateless: ARP Replies can be sent without a corresponding ARP Request.
3. According to the ARP protocol specification, a node receiving an ARP packet (Request or Reply) must update its local ARP cache with the information in the source fields, if the receiving node already has an entry for the IP address of the source in its ARP cache. (This applies for ARP Request packets and for ARP Reply packets.)
Typical exploitation of these vulnerabilities:
- A forged ARP Request or Reply can be used to update the ARP cache of a remote system with a forged entry (ARP Poisoning).
- This can be used to redirect IP traffic to other hosts.
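A passive check for the two weaknesses just listed (a reply nobody asked for, and a sender IP whose MAC changes), run over a constructed trace built from the Argon/Router137 example earlier in the report; this is an added Python example, not part of the case study. It assumes ARP packets are already decoded into dicts with op/sha/spa/tha/tpa keys, and that the monitor actually sees the segment's ARP traffic, which on a switched LAN means a mirror port, since the report notes that replies are unicast to the requester.

```python
OP_REQUEST, OP_REPLY = 1, 2

class ArpMonitor:
    """Watches decoded ARP packets on one segment and keeps its own IP-to-MAC
    table, learned from the sender fields the same way a host's cache is.
    It reports the two conditions the page lists: a reply that no request
    asked for (ARP is stateless) and a sender IP whose MAC changes (a forged
    entry landing in caches, i.e. ARP poisoning)."""

    def __init__(self):
        self.table = {}       # sender IP -> MAC most recently claimed for it
        self.pending = set()  # (requester IP, target IP) of unanswered requests
        self.alerts = []

    def observe(self, pkt):
        op, sha, spa, tpa = pkt["op"], pkt["sha"], pkt["spa"], pkt["tpa"]
        if op == OP_REQUEST:
            self.pending.add((spa, tpa))
        elif op == OP_REPLY:
            # A reply to X about Y should match an earlier request in which X asked for Y.
            # Gratuitous announcements also land here and need an allow-list in practice.
            if (tpa, spa) in self.pending:
                self.pending.discard((tpa, spa))
            else:
                self.alerts.append(("unsolicited-reply", spa, sha, tpa))
        known = self.table.get(spa)
        if known is not None and known != sha:
            self.alerts.append(("mac-change", spa, known, sha))
        self.table[spa] = sha  # record the newest claim so flapping stays visible
        return self.alerts

def run_demo():
    """Constructed trace: Argon resolves Router137 normally, then a third
    station answers for Router137's IP with a made-up MAC (02:... is a locally
    administered address chosen for this example)."""
    argon = ("128.143.137.144", "00:a0:24:71:e4:44")
    router = ("128.143.137.1", "00:e0:f9:23:a8:20")
    trace = [
        {"op": OP_REQUEST, "sha": argon[1], "spa": argon[0],
         "tha": "00:00:00:00:00:00", "tpa": router[0]},
        {"op": OP_REPLY, "sha": router[1], "spa": router[0],
         "tha": argon[1], "tpa": argon[0]},
        {"op": OP_REPLY, "sha": "02:00:00:00:00:01", "spa": router[0],
         "tha": argon[1], "tpa": argon[0]},
    ]
    mon = ArpMonitor()
    for pkt in trace:
        mon.observe(pkt)
    return mon.alerts
```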