Proxy ARP
Proxy ARP is a technique by which a device on a given network (usually a router) answers Address Resolution
Protocol (ARP) queries for an IP address that is not on that network. The proxy knows where the traffic's
destination actually is and offers its own MAC address as the (ostensibly final) destination.[1] Traffic
sent to the proxy's MAC address is then routed by the proxy to the intended destination via another
interface or via a tunnel.
The act of responding with one's own MAC address to an ARP request for a different IP address, for proxying
purposes, is sometimes referred to as publishing.
Uses
Below are some typical uses for proxy ARP:
Joining a broadcast LAN with serial links (e.g., dialup or VPN connections).
Assume an Ethernet broadcast domain (e.g., a group of stations connected to the same
hub or switch (VLAN)) using a certain IPv4 address range (e.g., 192.168.0.0/24, where
192.168.0.1 – 192.168.0.127 are assigned to wired nodes). One or more of the nodes is an
access router accepting dialup or VPN connections. The access router gives the dial-up
nodes IP addresses in the range 192.168.0.128 – 192.168.0.254; for this example, assume
a dial-up node gets IP address 192.168.0.254.
The access router uses proxy ARP to make the dial-up node appear present in the subnet without
being wired into the Ethernet: the access router 'publishes' its own MAC address for
192.168.0.254. When another node wired into the Ethernet wants to talk to the dial-up node, it
asks on the network for the MAC address of 192.168.0.254 and receives the access router's MAC
address. It therefore sends its IP packets to the access router, which forwards them over the
serial link to that particular dial-up node. All dial-up nodes thus appear to the wired Ethernet
nodes as if they were attached to the same Ethernet subnet.
Taking multiple addresses from a LAN
Assume a station (e.g., a server) with an interface (10.0.0.2) connected to a network
(10.0.0.0/24). Certain applications may require multiple IP addresses on the server. If the
addresses must come from the 10.0.0.0/24 range, one way to solve the problem is proxy ARP.
Additional addresses (say, 10.0.0.230-10.0.0.240) are aliased to the loopback interface of the
server (or assigned to special interfaces, the latter typically being the case with
VMware/UML/jails/vservers/other virtual server environments) and 'published' on the 10.0.0.2
interface. Many operating systems allow several addresses to be assigned directly to one
interface, which eliminates the need for this workaround.
On a firewall
In this scenario a firewall can be inserted into an existing subnet with a single IP address and
without renumbering. One simple example is placing a firewall in front of a single host or a
group of hosts on a subnetwork. Example: a network (10.0.0.0/8) has a server (10.0.0.20) that
should be protected. A proxy ARP firewall can be placed in front of the server; it answers ARP
requests for 10.0.0.20 with its own MAC address and forwards the filtered traffic to the server.
In this way the server is put behind a firewall without any further changes to the network.
Mobile-IP
In Mobile IP, the Home Agent uses proxy ARP on the home network to receive packets on behalf
of a Mobile Node that is away from home, so that it can tunnel them to the node's current
location (its care-of address).
Transparent subnet gatewaying
A setup in which two physical segments share the same IP subnet and are connected by a router
that answers ARP requests on each segment for hosts located on the other. This use is
documented in RFC 1027.
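The dial-up, multiple-address and transparent-subnet-gateway cases above all reduce to the same decision: on receiving an ARP request, answer with one's own MAC address if the target is either explicitly published or reachable through a different interface than the one the request arrived on (the rule RFC 1027 describes). The following simulation is an added example and not code from the article or from any of the implementations it cites; it builds and parses ARP frames by hand (no raw sockets) and assumes the MAC addresses, interface names and routing table it constructs.

```python
"""Proxy ARP responder, simulated offline: frames are built and parsed by hand,
no raw sockets. MACs, interface names and the routing table are assumptions
for the example, not values from the article."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sha, spa, tha, tpa, dst=BROADCAST):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826 layout)."""
    eth = _mac(dst) + _mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sha) + ipaddress.IPv4Address(spa).packed
           + _mac(tha) + ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": _mac_str(frame[22:28]), "spa": str(ipaddress.IPv4Address(frame[28:32])),
            "tha": _mac_str(frame[32:38]), "tpa": str(ipaddress.IPv4Address(frame[38:42]))}


class ProxyArpRouter:
    """Publishes its own MAC for (a) explicitly published addresses, the style of
    OpenBSD's 'arp -s ... pub' and Linux's 'ip neigh add proxy', and (b) any target
    reachable through an interface other than the one the request arrived on, the
    RFC 1027 rule used by Linux's per-interface proxy_arp switch."""

    def __init__(self, iface_macs, routes, published=()):
        self.iface_macs = iface_macs          # {"eth0": "02:...", "ppp0": "02:..."}
        self.published = set(published)       # addresses published unconditionally
        # longest prefix first, so a /32 host route wins over the connected /24
        self.routes = sorted(((ipaddress.ip_network(p), dev) for p, dev in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.IPv4Address(ip)
        return next((dev for net, dev in self.routes if addr in net), None)

    def handle(self, frame, in_iface):
        """Return the reply frame to send on in_iface, or None to stay silent."""
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST:
            return None
        out_iface = self.lookup(req["tpa"])
        if req["tpa"] not in self.published and (out_iface is None or out_iface == in_iface):
            return None  # unroutable, or on this segment: let the real owner answer
        # Publish: answer with *our* MAC on the arriving interface as the target's address
        return build_arp(ARP_REPLY, self.iface_macs[in_iface], req["tpa"],
                         req["sha"], req["spa"], dst=req["sha"])


def dialup_scenario():
    """Wired node 192.168.0.10 resolves the dial-up node 192.168.0.254 (served via ppp0)
    and a wired neighbour 192.168.0.20; returns (parsed reply, reply for the neighbour)."""
    router = ProxyArpRouter(
        {"eth0": "02:00:00:00:00:01", "ppp0": "02:00:00:00:00:02"},
        [("192.168.0.0/24", "eth0"), ("192.168.0.254/32", "ppp0")])
    wired_mac = "02:00:00:00:00:aa"
    req_dialup = build_arp(ARP_REQUEST, wired_mac, "192.168.0.10",
                           "00:00:00:00:00:00", "192.168.0.254")
    req_wired = build_arp(ARP_REQUEST, wired_mac, "192.168.0.10",
                          "00:00:00:00:00:00", "192.168.0.20")
    return parse_arp(router.handle(req_dialup, "eth0")), router.handle(req_wired, "eth0")


if __name__ == "__main__":
    reply, silent = dialup_scenario()
    print("reply for 192.168.0.254:", reply)   # sender MAC is the router's eth0 MAC
    print("reply for 192.168.0.20:", silent)   # None: same segment, not published
```

The reply carries the requester's own addresses in the target fields and the router's MAC as the sender hardware address for 192.168.0.254, so the wired node caches the router as that address's owner. A request for a host on the same segment gets no reply, which is what keeps a route-based proxy from competing with the real owner; an explicitly published address (the 10.0.0.230-style case) is answered regardless of interface.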
Redundancy
ARP manipulation techniques (a shared virtual address announced with gratuitous ARP by whichever
node is currently master) are the basis for protocols providing redundancy on broadcast networks
(e.g., Ethernet), most notably Common Address Redundancy Protocol and Virtual Router Redundancy
Protocol.
Disadvantages
Disadvantages of proxy ARP include scalability, since ARP resolution by the proxy is required for every
device routed in this way; reliability, since no fallback mechanism is present; and confusion, since the
proxy's masquerading makes traffic harder to interpret in some environments.
Proxy ARP can cause denial of service on a network if misconfigured. For example, a misconfigured router
with proxy ARP enabled receives packets destined for other hosts (because it gives its own MAC address in
response to ARP requests for those hosts/routers) but may be unable to forward them to their final
destination, thus blackholing the traffic.
Proxy ARP can hide device misconfigurations, such as a missing or incorrect default gateway: a host with
no usable gateway still reaches remote networks because the proxy answers ARP for any address it asks about.
On the wire, a proxy ARP reply is indistinguishable from an ARP spoofing reply: in both cases one MAC
address answers for IP addresses it does not own. ARP monitoring tools therefore need to know which hosts
are legitimate publishers, or they will report the proxy as an attacker and an attacker as just another
proxy.
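Because a legitimate publisher and a spoofer produce the same replies, monitoring has to combine "one MAC answering for many IPs" with an allow-list of known proxies, and separately watch for an IP whose owner MAC changes. The following audit is an added example, not code from the article or from any monitoring tool; the reply records it runs over are constructed for the example (one router publishing two dial-up addresses, and a second MAC that starts answering for an existing host and for the gateway).

```python
"""Audit ARP replies seen on one segment for publishers and for IP-to-MAC changes.
Records are constructed for this example; in practice they come from a capture."""
from collections import defaultdict

# (timestamp, interface, sender MAC, sender IP) for each ARP reply observed
SAMPLE_REPLIES = [
    (1, "eth0", "02:00:00:00:00:01", "192.168.0.1"),    # access router, its own address
    (2, "eth0", "02:00:00:00:00:01", "192.168.0.254"),  # ... publishing a dial-up node
    (3, "eth0", "02:00:00:00:00:01", "192.168.0.253"),  # ... and another one
    (4, "eth0", "02:00:00:00:00:aa", "192.168.0.10"),
    (5, "eth0", "02:00:00:00:00:bb", "192.168.0.11"),
    (6, "eth0", "02:00:00:00:00:cc", "192.168.0.11"),   # a second MAC now claims .11
    (7, "eth0", "02:00:00:00:00:cc", "192.168.0.1"),    # ... and the gateway's address
]


def audit(replies, known_publishers=frozenset(), publish_threshold=2):
    """Return findings as tuples:
       ("flip", ip, old_mac, new_mac, ts)      an IP's owner MAC changed
       ("publisher", mac, ips)                 a MAC answering for >= threshold IPs
                                               that is not on the allow-list.
    A legitimate proxy looks exactly like a spoofer here; only the allow-list
    separates them, so keep it accurate."""
    ips_by_mac = defaultdict(set)
    mac_by_ip = {}
    findings = []
    for ts, iface, mac, ip in sorted(replies):
        ips_by_mac[mac].add(ip)
        previous = mac_by_ip.get(ip)
        if previous is not None and previous != mac:
            findings.append(("flip", ip, previous, mac, ts))
        mac_by_ip[ip] = mac
    for mac, ips in ips_by_mac.items():
        if len(ips) >= publish_threshold and mac not in known_publishers:
            findings.append(("publisher", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPLIES, known_publishers={"02:00:00:00:00:01"}):
        print(finding)
```

With the access router on the allow-list the audit reports only the two ownership flips and the unknown MAC that answers for two addresses; without the allow-list the router itself is reported as a publisher, which is the false positive (or the missed attacker) that the caveat above describes.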
Implementations
OpenBSD implements proxy ARP: a published entry for a host is created with arp -s hostname ether_addr pub.[2]
Linux implements proxy ARP in two forms: the per-interface sysctl net.ipv4.conf.<interface>.proxy_arp
(/proc/sys/net/ipv4/conf/<interface>/proxy_arp) makes the kernel answer for any address it can route
through another interface, and ip neigh add proxy <address> dev <interface> publishes a single address.[3]
References
1. Hal Stern (October 10, 2001). "ARP networking tricks" (https://www.itworld.com/article/2794563/data-center/arp-networking-tricks.html). ITworld. Archived (https://web.archive.org/web/20171107023310/https://www.itworld.com/article/2794563/data-center/arp-networking-tricks.html) from the original on November 7, 2017. Retrieved November 3, 2017.
2. "arp(8) man page" (https://man.openbsd.org/arp.8). Archived (https://web.archive.org/web/20190627231913/https://man.openbsd.org/arp.8) from the original on 2019-06-27. Retrieved 2019-08-09.
3. "Pseudo-bridges with Proxy-ARP" (https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.bridging.proxy-arp.html). Archived (https://web.archive.org/web/20221206214000/https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.bridging.proxy-arp.html) from the original on 2022-12-06. Retrieved 2022-12-06.
Further reading
Multi-LAN Address Resolution. RFC 925 (https://tools.ietf.org/html/rfc925).
Using ARP to Implement Transparent Subnet Gateways. RFC 1027 (https://tools.ietf.org/html/rfc1027).
W. Richard Stevens. The Protocols (TCP/IP Illustrated, Volume 1). Addison-Wesley Professional; 1st edition (December 31, 1993). ISBN 0-201-63346-9