T.Z.A.S.P. MANDAL S PRAGATI COLLEGE OF ARTS, COMMERCE AND SCIENCE T. Y. B. Sc. (I.T.

CERTIFICATE

THIS IS TO CERTIFY THAT MR. CHETAN C. KAKHANDKI HAS COMPLETED THE CASE STUDY OF INTERNET TECHNOLOGY SATISFACTORILY DURING THE ACADEMIC YEAR 2011-2012.

DATE: 3-MARCH-2012

PROFESSOR IN-CHARGE (B.Sc.IT)

T.Z.A.S.P. MANDAL S PRAGATI COLLEGE OF ARTS, COMMERCE AND SCIENCE

Internet Technology
A CASE STUDY REPORT ON

PRESENTATION ON: ARP

ABLY GUIDED BY MRS.VAISHALI GUJARE T.Y.B.Sc.IT

SUBMITTED BY MR. CHETAN C. KAKHANDKI ROLL NO. 31

INDEX
Sr.No 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. ARP Variants Of ARP Protocol Comparison between ARP & inARP Packet Structure The Problems Packet Generation Packet Reception ARP Request & ARP Reply Proxy ARP Vulnerabilities Of ARP TOPIC NAME Page No 4 5 6 7 10 11 13 14 15 16

Address Resolution Protocol (ARP)

In computer networking, the Address Resolution Protocol (ARP) is the method for finding a host's hardware address when only its network layer address is known. Due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to Ethernet MAC addresses. It is also used for IP over other LAN technologies, such as Token Ring, FDDI, or IEEE 802.11, and for IP over ATM. ARP is used in four cases of two hosts communicating: 1. When two hosts are on the same network and one desires to send a packet to the other 2. When two hosts are on different networks and must use a gateway/router to reach the other host 3. When a router needs to forward a packet for one host through another router 4. When a router needs to forward a packet from one host to the destination host on the same network The first case is used when two hosts are on the same physical network (that is, they can directly communicate without going through a router). The last three cases are the most used over the Internet as two computers on the internet are typically separated by more than 3 hops. Imagine computer A sends a packet to computer D and there are two routers, B & C, between them. Case 2 covers A sending to B; case 3 covers B sending to C; and case 4 covers C sending to D. Address Resolution Protocol is defined mainly by RFC 826. Within Ethernet ARP, there are four types of messages. ARP request: A request for the destination hardware address that is typically sent to all hosts. ARP reply: In response, this gives the host the hardware address of the

destination host. RARP request: Known as Reverse ARP request, this requests the IP address of a known MAC address. RARP reply: The response gives the IP address from a requested hardware address

Variants of the ARP protocol

1. ARP was not originally designed as an IP-only protocol although today it is primarily used to map IP addresses to MAC addresses. ARP can be used to resolve MAC addresses to many different Layer 3 protocols addresses. ARP has also been adapted to resolve other kinds of Layer 2 addresses; for example, ATMARP is used to resolve ATM NSAP addresses in the Classical IP over ATM protocol.

2.

3. ARP Mediation ARP Mediation refers to the process of resolving Layer 2 addresses when different resolution protocols are used on either circuit, for e.g. ATM on one end and Ethernet on the other.

Inverse ARP The Inverse Address Resolution Protocol, also known as Inverse ARP or InARP, is a protocol used for obtaining Layer 3 addresses (e.g. IP addresses) of other stations from Layer 2 addresses (e.g. the DLCI in Frame Relay networks). It is primarily used in Frame Relay and ATM networks, where Layer 2 addresses of virtual circuits are sometimes obtained from Layer 2 signaling, and the corresponding Layer 3 addresses must be available before these virtual circuits can be used.

Comparison between ARP and InARP ARP translates Layer 3 addresses to Layer 2 addresses, therefore InARP can be viewed as its inverse. In addition, InARP is actually implemented as an extension to ARP. The packet formats are the same, only the operation code and the filled fields differ. Reverse ARP (RARP), like InARP, also translates Layer 2 addresses to Layer 3 addresses. However, RARP is used to obtain the Layer 3 address of the requesting station itself, while in InARP the requesting station already knows its own Layer 2 and Layer 3 addresses, and it is querying the Layer 3 address of another station. RARP has since been abandoned in favor of BOOTP which was subsequently replaced by DHCP.

Packet structure The following is the packet structure used for ARP requests and replies. On Ethernet networks, these packets use an EtherType of 0x0806, and are sent to the broadcast MAC address of FF:FF:FF:FF:FF:FF. Note that the packet structure shown in the table has SHA, SPA, THA, & TPA as 32-bit words but this is just for convenience their actual lengths are determined by the hardware & protocol length fields.

ARP PACKET

y Hardware type (HTYPE): Each data link layer protocol is assigned a number used in this field. For example, Ethernet is 1. y Protocol type (PTYPE): Each protocol is assigned a number used in this field. For example, IPv4 is 0x0800. y Hardware length (HLEN): Length in bytes of a hardware address. Ethernet addresses are 6 bytes long. y Protocol length (PLEN): Length in bytes of a logical address. IPv4 address are 4 bytes long.Operation specifies the operation the sender is performing:1 for request, and 2 for reply. y Sender hardware addresses (SHA): Hardware address of the sender. y Sender protocol address (SPA): Protocol address of the sender y Target hardware address (THA): Hardware address of the intended receiver. This field is zero on request. y Target protocol address (TPA): Protocol address of the intended receiver. Request + Bits 0 - 7 8 - 15 16 - 31 0 Hardware type = 1 Protocol type = 0x0800 32 Hardware length = 6 Protocol length = 4 Operation = 1 64 SHA (first 32 bits) = 0x000958D8 96 SHA (last 16 bits) = 0x1122 SPA (first 16 bits) = 0x0A0A 128 SPA (last 16 bits) = 0x0A7B THA (first 16 bits) = 0x0000 160 THA (last 32 bits) = 0x00000000

192 TPA = 0x0A0A0A8C If a host with IPv4 address of 10.10.10.123 and MAC address of 00:09:58:D8:11:22 wants to send a packet to another host at 10.10.10.140 but it does not know the MAC address then it must send an ARP request to discover the address. The packet shown shows what would be broadcast over the local network. If the host 10.10.10.140 is running and available then it would receive the ARP request and send the appropriate reply. Reply + 0 32 64 96 128 160 192 Bits 0 - 7 8 - 15 16 - 31 Hardware type = 1 Protocol type = 0x0800 Hardware length = 6 Protocol length = 4 Operation = 2 SHA (first 32 bits) = 0x000958D8 SHA (last 16 bits) = 0x33AA SPA (first 16 bits) = 0x0A0A SPA (last 16 bits) = 0x0A8C THA (first 16 bits) = 0x0009 THA (last 32 bits) = 0x58D81122 TPA = 0x0A0A0A7B

Given the scenario laid out in the request section, if the host 10.10.10.140 has a MAC address of 00:09:58:D8:33:AA then it would send the shown reply packet. Note that the sender and target address blocks have been swapped (the sender of the reply is the target of the request; the target of the reply is the sender of the request). Furthermore the host 10.10.10.140 has filled in its MAC address in the sender hardware address. Any hosts on the same network as these two hosts would also see the request (since it is a Broadcast) so they are able to cache information about the source of the request. The ARP reply (if any) is directed only to the originator of the request so information in the ARP reply is not available to other hosts on the same network

The Problem: The world is a jungle in general, and the networking game contributes many animals. At nearly every layer of network architecture there are several potential protocols that could be used. For example, at a high level, there is TELNET and SUPDUP for remote login. Somewhere below that there is a reliable byte stream protocol, which might be CHAOS protocol, DOD TCP, Xerox BSP or DECnet. Even closer to the hardware is the logical transport layer, which might be CHAOS, DOD Internet, Xerox PUP, or DECnet. The 10Mbit Ethernet allows all of these protocols (and more) to coexist on a single cable by means of a type field in the Ethernet packet header. However, the 10Mbit Ethernet requires 48.bit addresses on the physical cable, yet most protocol addresses are not 48.bits long, nor do they necessarily have any relationship to the 48.bit Ethernet address of the hardware. For example, CHAOS addresses are 16.bits, DOD Internet addresses are 32.bits, and Xerox PUP addresses are 8.bits. A protocol is needed to dynamically distribute the correspondences between a <protocol, address> pair and a 48.bit Ethernet address. Motivation: Use of the 10Mbit Ethernet is increasing as more manufacturers supply interfaces that conform to the specification published by DEC, Intel and Xerox. With this increasing availability, more and more software is being written for these interfaces. There are two alternatives: (1) Every implementor invents his/her own method to do some form of address resolution, or (2) every implementor uses a standard so that his/her code can be distributed to other systems without need for modification. This proposal attempts to set the standard.

Definitions: Define the following for referring to the values put in the TYPE field of the Ethernet packet header: ether_type$XEROX_PUP, ether_type$DOD_INTERNET, ether_type$CHAOS, and a new one: ether_type$ADDRESS_RESOLUTION. Also define the following values (to be discussed later): ares_op$REQUEST (= 1, high byte transmitted first) and ares_op$REPLY (= 2), and ares_hrd$Ethernet (= 1). Packet Generation: As a packet is sent down through the network layers, routing determines the protocol address of the next hop for the packet and on which piece of hardware it expects to find the station with the immediate target protocol address. In the case of the 10Mbit Ethernet, address resolution is needed and some lower layer (probably the hardware driver) must consult the Address Resolution module (perhaps implemented in the Ethernet support module) to convert the <protocol type, target protocol address> pair to a 48.bit Ethernet address. The Address Resolution module tries to find this pair in a table. If it finds the pair, it gives the corresponding 48.bit Ethernet address back to the caller (hardware driver) which then transmits the packet. If it does not, it probably informs the caller that it is throwing the packet away (on the assumption the packet will be retransmitted by a higher network layer), and generates an Ethernet packet with a type field of ether_type$ADDRESS_RESOLUTION. The Address Resolution module

then sets the ar$hrd field to ares_hrd$Ethernet, ar$pro to the protocol type that is being resolved, ar$hln to 6 (the number of bytes in a 48.bit Ethernet address), ar$pln to the length of an address in that protocol, ar$op to ares_op$REQUEST, ar$sha with the 48.bit ethernet address of itself, ar$spa with the protocol address of itself, and ar$tpa with the protocol address of the machine that is trying to be accessed. It does not set ar$tha to anything in particular, because it is this value that it is trying to determine. It could set ar$tha to the broadcast address for the hardware (all ones in the case of the 10Mbit Ethernet) if that makes it convenient for some aspect of the implementation. It then causes this packet to be broadcast to all stations on the Ethernet cable originally determined by the routing mechanism.

Packet Reception: When an address resolution packet is received, the receiving Ethernet module gives the packet to the Address Resolution module which goes through an algorithm similar to the following. Negative conditionals indicate an end of processing and a discarding of the packet.

ARP Request: Argon broadcasts an ARP request to all stations on the network: What is the hardware address of Router137?
Argon 128.143.137.144 00:a0:24:71:e4:44
ARP Request: W hat is the MAC address of 128.143.71.1?

Router137 128.143.137.1 00:e0:f9:23:a8:20

ARP REQUEST
(a) ARP Request. Argon 00:a0:24:71:e4:44
ARP Reply: The MAC address of 128.143.71.1 is 00:e0:f9:23:a8:20

Router137 128.143.137.1 00:e0:f9:23:a8:20

(b) ARP Reply.

ARP Reply: Router 137 responds with an ARP Reply which contains the hardware address.
Argon 128.143.137.144 00:a0:24:71:e4:44
ARP Request: W hat is the MAC address of 128.143.71.1?

Router137 128.143.137.1 00:e0:f9:23:a8:20

(a) ARP Request. Argon 00:a0:24:71:e4:44

ARP Reply: The MAC address of 128.143.71.1 is 00:e0:f9:23:a8:20

Router137 128.143.137.1 00:e0:f9:23:a8:20

(b) ARP Reply.

Proxy ARP: Host or router responds to ARP Request that arrives from one of its connected networks for a host that is on another of its connected networks.

Argon Router137 128.143.137.144/16 128.143.137.1/16 00:e0:f9:23:a8:20 128.143.71.1/24 128.143.171.21/24 00:20:af:03:98:28

Neon

128.143.0.0/16 Subnet

128.143.71.0/24 Subnet

ARP Request: What is the MAC address of 128.143.71.21? ARP Reply: The MAC address of 128.143.71.21 is 00:e0:f9:23:a8:20

Advantages of Proxy ARP The main advantage of proxy ARP is that it can be added to a single router on a network and does not disturb the routing tables of the other routers on the network. Proxy ARP must be used on the network where IP hosts are not configured with a default gateway or do not have any routing intelligence.

Disadvantages of Proxy ARP

y y

It increases the amount of ARP traffic on your segment. Hosts need larger ARP tables in order to handle IP-to-MAC address mappings. Security can be undermined. A machine can claim to be another in order to intercept packets, an act called "spoofing." It does not work for networks that do not use ARP for address resolution. It does not generalize to all network topologies. For example, more than one router that connects two physical networks.

Vulnerabilities of ARP 1. Since ARP does not authenticate requests or replies, ARP Requests and replies can be forged 2. ARP is stateless: ARP Replies can be sent without a corresponding ARP Request 3. According to the ARP protocol specification, a node receiving an ARP packet (Request or Reply) must update its local ARP cache with the information in the source fields, if the receiving node already has an entry for the IP address of the source in its ARP cache. (This applies for ARP Request packets and for ARP Reply packets). Typical exploitation of these vulnerabilities: y A forged ARP Request or Reply can be used to update the ARP cache of a remote system with a forged entry (ARP Poisoning) y This can be used to redirect IP traffic to other hosts.