Understanding IP Proxy ARP

17. August 2014

One of the somewhat confusing protocols in Layer 2 networking is Proxy ARP. Most of you probably already know how ARP works. In this post I will explain the principles behind Proxy ARP and take a short look at its benefits and drawbacks.

ARP Basics

The Address Resolution Protocol is responsible for finding the MAC address of a host whose IP address is known. ARP is carried directly on Ethernet and has the EtherType value 0x0806. The following image shows the typical ARP header when querying for an IPv4 target address.

Figure: The ARP header for an IPv4 request

The image shows the ARP header for an IPv4 request, where the sender and target protocol addresses have exactly 4 octets each. The following list explains the different header fields.

  • Hardware Type is the Layer 2 protocol, i.e. the address family of the hardware addresses that are already known. In general this is Ethernet (value: 1)
  • Protocol Type is the Layer 3 protocol whose address is being resolved with this ARP request. Typically this is IPv4 (value: 0x0800)
  • Hardware Length and Protocol Length are the lengths of the Layer 2 and Layer 3 addresses in octets (values: Ethernet: 6 octets, IPv4: 4 octets)
  • Sender Hardware Address is the L2 address of the host sending the request
  • Sender Protocol (IP) Address is the L3 address of the host sending the request
  • Target Hardware Address is typically set to “FF:FF:FF:FF:FF:FF”, indicating a broadcast destination
  • Target Protocol (IP) Address is the L3 address being resolved. It is known to the host sending the request and is set in the header

The ARP request is broadcast into the Layer 2 domain. Each host receiving such a request looks at the target IP address and answers only if that address belongs to it. The host then constructs an ARP reply containing both its MAC and IP address and sends it as a unicast frame directly to the requester's MAC address. If the requested IP address does not belong to the host, the request is ignored.

Proxy ARP

So what does Proxy ARP do? It uses exactly the same packet structure as normal ARP. Proxy ARP allows a router to respond on behalf of clients residing on another subnet of the router. It answers with its own MAC address, which results in the traffic being sent to the router. Consider the following scenario, where you have a /27 subnet which is, however, not routed to your appliance. The outside interface of the router or firewall has one IP address out of that subnet, and the inside hosts are NATed to this IP.

Figure: Proxy ARP Setup

In this case, a host on the inside should be NATed to another IP from the outside subnet. The direction from the inside to the outside is no problem, as the host has a static default route pointing to the firewall or router. In the opposite direction, however, the upstream router needs to know where to find the 1.1.1.7 address. It sends out an ARP request, querying for the MAC address of 1.1.1.7. As no device (including the Router/FW device) has an interface configured with this IP, no one will respond to the ARP request.

However, with Proxy ARP enabled, the FW will respond to the query with its own MAC address, even though it does not have an interface configured with that address. Thus, the router sends the packets destined to 1.1.1.7 to the FW device, which in turn applies the NAT rules and forwards them to the actual host. There is one catch, however:

The FW will only reply to such an ARP request if it has a valid route to the requested destination. On a Cisco ASA firewall there is another gotcha: Proxy ARP is enabled by default for static NAT and identity NAT. I will explain this further in another article to follow.
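The following is an added example, not part of the original post: it decodes the ARP header fields described above from a constructed request and models the reply decision of a Proxy-ARP-enabled firewall for the 1.1.1.7 scenario. The firewall MAC, interface addresses and routing table are hypothetical values built for the example.

```python
import struct
import ipaddress
from typing import Optional

# Constructed ARP request payload (28 bytes, Ethernet header omitted): htype=1, ptype=0x0800,
# hlen=6, plen=4, op=1; sender 00:11:22:33:44:55 / 1.1.1.1 asks who has 1.1.1.7.
ARP_REQUEST = bytes.fromhex("0001080006040001" "001122334455" "01010101" "000000000000" "01010107")

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(payload: bytes) -> dict:
    """Decode the header fields described in the post (Ethernet/IPv4 only)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}

# Hypothetical firewall state for the scenario above: the outside interface holds 1.1.1.2/27
# and 1.1.1.7 is a static NAT address reachable via the inside interface (constructed table).
FW_MAC = "aa:bb:cc:dd:ee:ff"
IFACE_IPS = {"outside": ipaddress.ip_address("1.1.1.2")}
ROUTES = {ipaddress.ip_network("1.1.1.7/32"): "inside",
          ipaddress.ip_network("1.1.1.0/27"): "outside"}

def route_lookup(dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match; returns the exit interface or None when no route exists."""
    matches = [n for n in ROUTES if dst in n]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None

def build_reply(payload: bytes, in_iface: str, proxy_arp: bool = True) -> Optional[dict]:
    """Reply the FW sends for a request received on in_iface, or None if it stays silent."""
    req = parse_arp(payload)
    if req["op"] != 1:
        return None
    target = ipaddress.ip_address(req["target_ip"])
    if target != IFACE_IPS.get(in_iface):        # not our own address: Proxy ARP territory
        exit_iface = route_lookup(target)
        # Answer only when Proxy ARP is enabled, a route exists, and the route leaves via a
        # different interface than the one the request arrived on.
        if not proxy_arp or exit_iface is None or exit_iface == in_iface:
            return None
    return {"op": 2, "sender_mac": FW_MAC, "sender_ip": req["target_ip"],
            "target_mac": req["sender_mac"], "target_ip": req["sender_ip"]}
```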

One thought on “Understanding IP Proxy ARP”

  1. Areeb

    Great article. Is there a way to bridge two networks and have one side’s LAN clients broadcast ARP through the tunnel without proxy_arp? So far I cannot find a way, and I see how messy proxy_arp is from tcpdump!

    Cheers

