Transcript ARP

CSEE W4140
Networking Laboratory
Lecture 2: ARP
Jong Yul Kim
02.01.2010
Lab schedule
Tue 10 am
Tue 4:10 pm
Wed 6:10 pm
Varun
Kyung Wha
Aylin
Enlin
Fan
Dan
Sumeet
Edward
Alfredo
Sean
Xiaotian
Shashank
Mike
Jack
Monal
Marouane
Yufei
Tarun
Hung-Sheng
Hao
Zicong
Shafee
Xu
Cheng-Han
Chung-Ying
Chao
Xiao
Mandar
Zhi An
Abhishek
Xin
Akash
Lab access
 You should have access by now.
 Please try the CRF door today and let me
know if it doesn’t work.
 Lab door code
Any question?
 About the homework
 About the lab
Hubs
 In the lab, PCs are connected to a hub
 Hubs are simple repeaters
Hub
Bus Topology
 Connecting PCs to hubs leads to a bus topology
(logically)
 Frame sent from one PC is sent to all PCs that
share the bus
 But only the PC that matches destination MAC
address will process that frame
[Figure: PCs with MAC addresses 00:00:00:00:00, 11:11:11:11:11:11 and 22:22:22:22:22:22 attached to a shared Ethernet]
Ethernet Encapsulation
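[Figure: Ethernet frame layout, field sizes in bytes. Addresses shown: 00:00:00:00:00:00 and 11:11:11:11:11:11. One label reads "802.3 MAC".]
destination address (6) | source address (6) | type (2) | data (46-1500) | CRC (4)
type 0800 (2) | IP datagram (38-1492)
type 0806 (2) | ARP request/reply (28) | PAD (10)
type 0835 (2) | RARP request/reply (28) | PAD (10)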
What is ARP?
 What does it stand for?
 Address Resolution Protocol
 What does it do?
 Finds the MAC address of the owner of
an IP address
IP address (32 bit) → ARP → Ethernet MAC address (48 bit)
 Why do we need to find the MAC
address?
ARP Demo
 http://www.osischool.com/protocol/arp/basic/index.php
 Request is broadcast at layer 2
 Reply is unicast at layer 2
 ARP is plug-and-play.
Administrators love plug-and-play.
ARP Players
 ARP module
 Processes ARP packets
 ARP cache
 Stores <MAC addr, IP addr> in memory
 Deletes entry after timeout
(Typically 20 minutes)
 ARP protocol
 Specifies the behavior of senders and receivers
 Defines the format of ARP packet
 Implemented in ARP module
ARP Packet Format
Ethernet II frame (sizes in bytes):
Ethernet II header: Destination address (6) | Source address (6) | Type 0x8060 (2)
followed by: ARP Request or ARP Reply (28) | Padding (10) | CRC (4)
ARP Request or ARP Reply (28 bytes):
Hardware type (2 bytes) | Protocol type (2 bytes)
Hardware address length (1 byte) | Protocol address length (1 byte) | Operation code (2 bytes)
Source hardware address (sha)*
Source protocol address (spa)*
Target hardware address (tha)*
Target protocol address (tpa)*
* Note: The length of the address fields is determined by the corresponding address length fields
Transmitting within a LAN
(Flow diagram for Linux)
Figure 26-5 from “Understanding Linux Network Internals” (O’Reilly)
ARP Reception Algorithm in Ethernet and IP networks
1. Do I have Ethernet? No: discard. Yes: continue.
2. Do I speak IP? No: discard. Yes: continue.
3. Set merge_flag = false.
4. Is the sender IP address already in my table? Yes: update the table with sender MAC addr and set merge_flag = true. No: continue.
5. Am I the target IP address? No: discard. Yes: continue.
6. Merge_flag = false? Yes: add sender’s <IP addr, MAC addr> to table. No: continue.
7. Is this a Request? No: discard. Yes: swap MAC/IP addr fields, put local IP/MAC addr in sender field, set Opcode to Reply, and send packet to new target MAC addr.
8. end
Reverse ARP (RFC 903)
 Used before DHCP was invented
 How would a host without an IP
address request it reusing the ARP
packet format?
 How would a server reply?
IPv4 Address Conflict Detection
(RFC5227)
 ARP can be modified slightly to detect
IPv4 address conflicts
 Two types
 Precaution before setting my IP address
 ARP Probe
 Detection while using my IP address
 ARP Announcement
Modified ARP Reception Algorithm in Ethernet and IP networks
1. Do I speak Ethernet / IP? No: discard. Yes: continue.
2. Set merge_flag = false.
3. Is the sender IP address mine? Yes: CONFLICT! (Stop using or defend.) No: continue.
4. Is the sender IP address already in my table? Yes: update the table with sender MAC addr and set merge_flag = true. No: continue.
5. Am I the target IP address? No: discard. Yes: continue.
6. Merge_flag = false? Yes: add sender’s <IP addr, MAC addr> to table. No: continue.
7. Is this a Request? No: discard. Yes: swap MAC/IP addr fields, put local IP/MAC addr in sender field, set Opcode to Reply, and send packet to new target MAC addr.
8. end
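The modified reception algorithm as runnable Python. This is an added example, not part of the lecture; the class and field names are hypothetical. Two details go beyond the flowchart and are marked in comments: a frame carrying our own MAC is not treated as a conflict, and the all-zero sender of an ARP probe is never cached.

```python
from typing import NamedTuple, Optional

REQUEST, REPLY = 1, 2  # ARP operation codes

class Arp(NamedTuple):
    op: int
    sha: str  # sender hardware (MAC) address
    spa: str  # sender protocol (IP) address
    tha: str  # target hardware address
    tpa: str  # target protocol address

class ArpModule:
    """Hypothetical host-side ARP module following the modified flowchart."""

    def __init__(self, my_ip: str, my_mac: str):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.cache = {}      # ARP cache: IP -> MAC
        self.conflicts = []  # packets that claimed our IP address

    def receive(self, pkt: Arp) -> Optional[Arp]:
        """Process one Ethernet/IP ARP packet; return the reply to send, if any."""
        merge_flag = False
        # Sender IP is mine -> CONFLICT (assumption: our own frames are ignored).
        if pkt.spa == self.my_ip and pkt.sha != self.my_mac:
            self.conflicts.append(pkt)
            return None
        if pkt.spa in self.cache:          # known sender: refresh the entry
            self.cache[pkt.spa] = pkt.sha
            merge_flag = True
        if pkt.tpa != self.my_ip:          # not the target: discard
            return None
        # Assumption beyond the flowchart: never cache a probe's 0.0.0.0 sender.
        if not merge_flag and pkt.spa != "0.0.0.0":
            self.cache[pkt.spa] = pkt.sha
        if pkt.op != REQUEST:
            return None
        # Swap the address fields and put the local IP/MAC in the sender fields.
        return Arp(REPLY, self.my_mac, self.my_ip, pkt.sha, pkt.spa)

if __name__ == "__main__":
    # Constructed sample: host 192.0.2.5 receives a request from 192.0.2.7.
    host = ArpModule("192.0.2.5", "02:00:00:00:00:05")
    print(host.receive(Arp(REQUEST, "02:00:00:00:00:07", "192.0.2.7",
                           "00:00:00:00:00:00", "192.0.2.5")))
    print(host.cache)
```

The cache update for a known sender runs before the target check and without matching the packet to any request the host sent, which is the behaviour the ARP Spoofing slide depends on.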
ARP Probes
 “Is anyone using this address? If not, I’d
like to use it.”
 Sent when there is any change in
connectivity
 Should not send periodically
 Don’t use address if:
 you see an ARP request or reply with the address you probed for in the sender IP address field
 you see another ARP probe looking for the same
IP address
ARP Probes
 ARP Request packet
 Sender IP → all zero (avoid polluting ARP caches)
 Sender HW → filled with my own
 Target IP → Address I’m trying to probe
 Target HW → ignored. (recommended: all zero)
 Broadcast
ARP Announcements
 “I’m using this address.”
 Sent when probe was successful
(No other hosts using the address)
 Purpose: update stale cache entries
in other hosts
ARP Announcements
 ARP Request packet
 Sender IP → Address I’m currently using
 Sender HW → filled with my own
 Target IP → Address I’m currently using
 Target HW → ignored. (recommended: all zero)
 Broadcast
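The ARP Packet Format slide and the probe and announcement field lists above, as an added Python example that is not part of the lecture. It builds the Ethernet II header plus the 28-byte ARP body for Ethernet/IPv4, parses it back using the two address length fields, and names the packet by the rules on these slides. Function names and sample addresses are constructed; the EtherType used is 0806, as on the Ethernet Encapsulation slide.

```python
import socket
import struct

ETH_P_ARP = 0x0806                      # EtherType for ARP
BROADCAST = b"\xff" * 6

def build_arp_request(sha: bytes, spa: str, tpa: str) -> bytes:
    """Broadcast Ethernet II header + ARP Request for Ethernet/IPv4.
    Padding and CRC are left to the driver/NIC."""
    eth = BROADCAST + sha + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IP), lengths 6 and 4, opcode 1
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sha + socket.inet_aton(spa) + b"\x00" * 6 + socket.inet_aton(tpa)
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Parse an ARP frame, sizing sha/spa/tha/tpa from the length fields."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if len(frame) < 22 + 2 * (hlen + plen):
        raise ValueError("truncated ARP body")
    out, pos = {"htype": htype, "ptype": ptype, "op": op}, 22
    for name, size in (("sha", hlen), ("spa", plen), ("tha", hlen), ("tpa", plen)):
        out[name] = frame[pos:pos + size]
        pos += size
    return out

def classify(frame: bytes) -> str:
    """Name the packet the way the slides do."""
    p = parse_arp(frame)
    if p["op"] != 1:
        return "reply" if p["op"] == 2 else "other"
    if not any(p["spa"]):
        return "probe"                  # sender IP all zero
    return "announcement" if p["spa"] == p["tpa"] else "request"

if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")  # constructed, locally administered MAC
    for spa, tpa in (("0.0.0.0", "192.0.2.10"), ("192.0.2.10", "192.0.2.10"),
                     ("192.0.2.10", "192.0.2.1")):
        print(spa, tpa, classify(build_arp_request(mac, spa, tpa)))
```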
Ongoing Conflict Detection
 If ARP request or reply has my IP address
inside sender IP address field, there is an
ongoing conflict.
 Options:
 Cease using your IP address
 Defend your address
(awesome.. but what are the consequences?)
 Ignoring is worse than ceasing. Why?
ARP Spoofing
 Malicious host sends unsolicited ARP
replies to take over another host’s IP
address
 To do what?
 Passive sniffing
 Modifying packets
 Denial-of-service attack
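One way to spot the unsolicited replies described above from a passive capture, as an added Python example that is not part of the lecture. It raises an alert when a reply arrives with no recent request for that IP address, and when an IP address moves to a different MAC address. The record layout, the 2-second window and the sample capture are assumptions constructed for the example.

```python
from typing import NamedTuple

class Obs(NamedTuple):
    ts: float  # capture time in seconds
    op: int    # 1 = request, 2 = reply
    sha: str   # sender MAC address
    spa: str   # sender IP address
    tpa: str   # target IP address

def detect(observations, window=2.0):
    """Return (ts, kind, detail) alerts for a time-ordered ARP capture."""
    bindings = {}  # IP -> last MAC seen claiming it
    asked = {}     # target IP -> time of the latest request for it
    alerts = []
    for o in observations:
        if o.op == 1:
            asked[o.tpa] = o.ts
        elif o.ts - asked.get(o.spa, float("-inf")) > window:
            alerts.append((o.ts, "unsolicited-reply", f"{o.spa} is-at {o.sha}"))
        if o.spa == "0.0.0.0":
            continue                       # ARP probe: carries no binding
        old = bindings.get(o.spa)
        if old is not None and old != o.sha:
            alerts.append((o.ts, "binding-change", f"{o.spa}: {old} -> {o.sha}"))
        bindings[o.spa] = o.sha
    return alerts

# Constructed sample capture (documentation addresses, locally administered MACs).
SAMPLE = [
    Obs(0.0, 1, "02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),   # who-has .1
    Obs(0.1, 2, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),   # solicited reply
    Obs(30.0, 2, "02:00:00:00:00:66", "192.0.2.1", "192.0.2.10"),  # nobody asked
    Obs(31.0, 2, "02:00:00:00:00:66", "192.0.2.1", "192.0.2.10"),  # repeated
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A binding change also occurs for legitimate reasons, such as a replaced network card or an address handed to a new host, so these alerts are triage signals rather than proof of spoofing.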
Proxy ARP
 Host or router responds to ARP
Request that arrives from one of its
connected networks for a host that is
on another of its connected networks.
[Figure: Argon (128.143.137.144/16) and Router137 (128.143.137.1/16, 00:e0:f9:23:a8:20) are on the 128.143.0.0/16 subnet; Router137 (128.143.71.1/24) and Neon (128.143.71.21/24, 00:20:af:03:98:28) are on the 128.143.71.0/24 subnet.]
ARP Request: What is the MAC address of 128.143.71.21?
ARP Reply: The MAC address of 128.143.71.21 is 00:e0:f9:23:a8:20
Additional Questions
 Why not broadcast ARP replies?
 When does it make sense to broadcast ARP
replies?
(Hint: detection of address conflict)
 Why do we even have MAC addresses?
(This is more related to Ethernet than ARP)
Other topics
 ARPING
 Software tool to ‘ping’ another host using
ARP
 Inverse ARP (InARP)
 Layer 2 → layer 3: “What IP address are you using?”
 Used in frame relay and ATM networks
Main Points of Lab 2
 Network tools
 tcpdump
 wireshark
 netstat
 ifconfig
 ARP and netmasks
 Security of network applications
Homework
 Prelab 3 due on Friday (02.05.2010)
 Lab report 1 due this week
 Lab report 2 due by next week
 Read Textbook Introduction
 Pages 25 ~ 34 (tcpdump, wireshark) – lab 2
 pages 34 ~ 43 (Cisco IOS) – lab 3
ARP in the network stack
Figure from TCP/IP Tutorial and Technical Overview
Processing of IP packets by network drivers
[Figure: flowchart with IP Input, IP Output, a loopback driver and an Ethernet driver. Decisions on output: "IP destination = multicast or broadcast?" (Yes: put on IP input queue) and "IP destination of packet = local IP address?" (Yes: put on IP input queue; No: get MAC address with ARP). A received Ethernet frame is demultiplexed into ARP packets for ARP and IP datagrams.]