One of the somewhat confusing protocols in Layer 2 networking is Proxy ARP. Probably most of you already know how ARP works. In this post I will explain the principles behind Proxy ARP, and have a short look at the benefits and drawbacks.
The Address Resolution Protocol is responsible to find the MAC adress of a host with a known IP address. ARP is based directly on Ethernet and has a protocol type value of 0x0806. The following image shows the typical ARP header, when querying for an IPv4 target address.
The image shows the ARP header for an IPv4 request, as the sender and target protocol address has exactly 4 octects. The following list explains the different header fields.
- Hardware Type is the Layer 2 protocol. Typically the Layer 2 address is known. In general, this is Ethernet (value: 1)
- Protocol Type is the Layer 3 protocol, which is requested using this ARP request. Typically this is IPv4 (value: 0x0800)
- Hardware and Protocol Length is the length of the Layer 2 and 3 addresses in octets (values: Ethernet: 6 octets, IPv4: 4 octets)
- Sender Hardware address is the L2 address of the host sending the request
- Sender IP (Protocol) address is the L3 address of the host sending the request
- Target Hardware address is typically set to “FF:FF:FF:FF:FF:FF”, indicating a broadcast destination
- Target IP (Protocol) address is the Protocol address. This is typically known to the host which sends the request, and is set in the header
The ARP request is broadcasted into the Layer 2 domain. Each host receiving such a request, looks up the target IP address and answers if this address belongs to the host. It then constructs an ARP reply, which is sent directly to the source MAC address, including both the MAC and IP address of the target host. If the requested IP address does not belong to the host, the message is ignored.
So what does Proxy-ARP? It uses exactly the same packet structure as normal ARP. Proxy-ARP allows a router to respond in behalf of clients residing on another subnet of the router. It then answers with its own MAC address, which results in the traffic to be sent to the router. Consider the following scenario, where you have a /27 subnet, which is however not routed to your appliance. The outside interface of the router or firewall has one IP address out of the subnet, and the inside hosts are NATed to this IP.
In this case, a host on the inside should be NATed to another IP from the outside subnet. The direction from the inside to the outside is no problem, as the host has a static default route pointing to the firewall or router. At the opposite direction, however, the router needs to know where to find the 220.127.116.11 address. It sends out an ARP request, querying for the MAC address of 18.104.22.168. As no device (including the Router/FW device) has the interface with this IP configured, noone will respond to the ARP request.
However, with Proxy ARP enabled, the FW will respond to the query with its own MAC address, even if it does not have the interface configured. Thus, the router sends the packets destined to 22.214.171.124 to the FW device, which in turn applies the NAT rules and forwards it to the actual host. There is one clue, whatsoever:
The FW will only reply to the Proxy ARP request, if it has a valid route to this destination. In case of a Cisco ASA or a firewall device, there is another gotcha: Proxy ARP is auto-enabled by default in case of static NAT and identity based NAT. I will further explain this in another article to follow.