There are two ways that a device can gather MAC addresses. One is to monitor the traffic on the local network segment: as frames are transmitted, the device populates its ARP table with the IP-to-MAC address pairs it observes. The other is to send an ARP request, as shown in the figure. Since the request is a broadcast, every node on the Ethernet LAN receives it and examines its contents. This distributed approach to address resolution, in which any node may answer and no answer is authenticated, is open to abuse by attackers.
Although hosts should populate their tables only with information they have requested, not all operating systems are programmed this way; some accept unsolicited replies, or gratuitous ARP, and update existing entries from them. This allows an attacker to populate the ARP tables of other hosts with bogus address pairs, a technique known as ARP spoofing or ARP cache poisoning, so that those hosts forward traffic based on erroneous information. The effect is that the valid network hosts send their traffic to the attacker, who copies the data and then relays it on to the correct destination. This is called a man-in-the-middle attack because the attacker sits between the source and the proper destination while remaining effectively invisible to both.
You can diagnose this type of attack by examining the ARP tables on the hosts and routers, looking for several IP addresses that map to the same MAC address, or for an entry such as the default gateway's changing to a MAC it did not have before. Bear in mind that duplicate MACs are not always malicious: a router performing proxy ARP, or an interface with secondary IP addresses, legitimately produces them, so keep a list of known exceptions before raising an alarm. Security tools apply the same heuristics to the wire, alerting on IP-to-MAC changes and on excessive ARP messages from a single station. While these tables are easy to access, overworked network administrators still have to look at them, so the evidence is often missed. ARP is absent from IPv6. Instead, network hosts use a set of ICMPv6 messages, called redirects, solicitations, and advertisements, in a process called Neighbor Discovery.
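The two checks described above, a table inspection for duplicate MACs and a wire-side watch for changing mappings and excessive ARP, as an added Python example that is not part of the original chapter. The `arp -a` listing and the sequence of ARP replies are constructed for the demonstration; the allowlist parameter and the rate threshold of ten replies per second are assumptions, not values the text gives.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real host).
# aa-bb-cc-dd-ee-01 appears for two IPs, the symptom the text says to look for.
SAMPLE_ARP_A = """\
Interface: 192.168.1.25 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_A_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(static|dynamic)\s*$")


def parse_arp_a(text):
    """Return (ip, mac, type) tuples from Windows arp -a output, MACs in lower-case colon form."""
    entries = []
    for line in text.splitlines():
        m = ARP_A_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace("-", ":"), kind))
    return entries


def is_group_mac(mac):
    """Broadcast and multicast MACs set the I/G bit; several IPs map to them legitimately."""
    return int(mac[:2], 16) & 1 == 1


def duplicate_macs(entries, allowlist=frozenset()):
    """Map each unicast MAC claimed by more than one IP to the sorted list of those IPs.
    allowlist (assumed parameter): MACs known to hold several IPs legitimately,
    e.g. a proxy-ARP router or an interface with secondary addresses."""
    by_mac = defaultdict(set)
    for ip, mac, _kind in entries:
        if not is_group_mac(mac) and mac not in allowlist:
            by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed sequence of ARP replies as (seconds, sender_ip, sender_mac), the view a
# sniffer on the segment would have. At t=1.0 the gateway IP is suddenly answered for
# by the .40 station's MAC, which then floods replies for 192.168.1.50.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:55"),
    (0.5, "192.168.1.40", "aa:bb:cc:dd:ee:01"),
    (1.0, "192.168.1.1", "aa:bb:cc:dd:ee:01"),
] + [(2.0 + i * 0.01, "192.168.1.50", "aa:bb:cc:dd:ee:01") for i in range(12)]


def watch_arp_replies(replies, rate_limit=10, window=1.0):
    """Alert when an IP's MAC changes (what arpwatch reports as a changed ethernet address) and
    when one MAC sends more than rate_limit replies inside `window` seconds (excessive ARP)."""
    alerts, known, recent = [], {}, defaultdict(list)
    for t, ip, mac in replies:
        prev = known.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ip} changed {prev} -> {mac} at t={t}")
        known[ip] = mac
        q = recent[mac]
        q.append(t)
        while t - q[0] > window:      # q always holds t itself, so this cannot empty it
            q.pop(0)
        if len(q) == rate_limit + 1:  # fire once, as the threshold is crossed
            alerts.append(f"{mac} sent more than {rate_limit} replies in {window}s at t={t}")
    return alerts


if __name__ == "__main__":
    print("duplicate MACs:", duplicate_macs(parse_arp_a(SAMPLE_ARP_A)))
    for a in watch_arp_replies(SAMPLE_REPLIES):
        print("ALERT:", a)
```

Run against a real `arp -a` capture, the duplicate check is only a lead: populate the allowlist with the gateway and any proxy-ARP device first, otherwise every NAT box on the segment looks like an attacker.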
Instead of requiring hosts to discover MAC addresses at the moment they are needed, IPv6 adopts a slightly different process. Neighbor solicitation and advertisement messages help discover information about the network before it is needed. These messages are multicast rather than broadcast: a solicitation for a particular address goes to that address's solicited-node multicast group, so only the hosts that joined the group process it, while unsolicited advertisements go to the all-nodes group. Examples of these packets are given in Chapter 6. ARP, a distributed approach to address resolution and discovery, is not without problems. Consider the traffic generated in a 100-node network in which each host must discover every other address on the network.
If nodes do not cache information learned from a neighbor's transmissions, every node has the potential to send 99 requests. Adding another 99 messages for the corresponding replies brings the total to 198 frames for that single requesting node.
It is unlikely that most of these frames will be generated at the same time, but there are times, for example at the beginning and end of the workday, when a large number of network hosts transmit concurrently. Complicating matters is the fact that ARP table entries age out for nodes that are not routinely participating in message exchanges, and refreshing those entries adds still more traffic.
Routers face the same problem. When a router receives a packet to be sent to a distant host, it must first determine the MAC address of the next-hop router. At the other end, the router receiving the IP packet may have to send an ARP request for the destination host, adding further delay to the message traffic.
As a result, it is not uncommon for the first packet of a transmission to be delayed or lost while addresses are being resolved. For this reason, routers aggressively populate their ARP tables with known hosts. IPv6 alleviates some of this, but it creates other traffic issues, as the discovery process uses several types of message, some of which are multicast.
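To make the contrast with ARP's broadcast concrete, the following added Python example (not from the original chapter) derives the solicited-node multicast group a neighbor solicitation is sent to and the Ethernet multicast MAC it maps to, then shows which of a set of hosts actually have to process the solicitation. The host addresses come from the 2001:db8::/32 documentation prefix and are constructed for the demonstration.

```python
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def solicited_node_multicast(addr):
    """Solicited-node group for a unicast address: ff02::1:ff00:0/104 plus its low 24 bits (RFC 4291)."""
    a = ipaddress.IPv6Address(addr)
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (int(a) & 0xFFFFFF))


def ipv6_multicast_to_mac(addr):
    """Ethernet destination for an IPv6 multicast address: 33:33 followed by its low 32 bits (RFC 2464)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    low32 = int(a) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def hosts_woken_by_solicitation(target, hosts):
    """Which of `hosts` must process a neighbor solicitation for `target`: those that joined the
    target's solicited-node group, i.e. share its low 24 bits. A broadcast ARP request, by
    contrast, is processed by every host on the segment."""
    group = solicited_node_multicast(target)
    return sorted(h for h in hosts if solicited_node_multicast(h) == group)


if __name__ == "__main__":
    # Constructed addresses from the documentation prefix, not from a real network.
    hosts = ["2001:db8::1", "2001:db8::2", "2001:db8::1234:5678:9abc", "2001:db8:0:1::5678:9abc"]
    target = "2001:db8::1234:5678:9abc"
    group = solicited_node_multicast(target)
    print(f"NS for {target} -> {group} -> {ipv6_multicast_to_mac(group)}")
    print("hosts that must process it:", hosts_woken_by_solicitation(target, hosts))
    print("unsolicited NA / RA -> all nodes", ALL_NODES, ipv6_multicast_to_mac(ALL_NODES))
```

The 33:33 MAC is also what an MLD-snooping switch keys on when deciding which ports receive the frame; without snooping it floods the frame exactly as it would a broadcast, which is the point the next paragraph makes.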
Switch behavior with multicast is similar to its behavior with broadcast: unless the switch performs MLD snooping, multicast frames are flooded throughout the Layer 2 domain. While routers, switches, and hosts have some ability to filter multicast traffic, IPv6 has increased the number of message types (redirects, router advertisements, router solicitations, neighbor advertisements, and neighbor solicitations), arguably increasing the overhead on the network.

In this chapter, we examined the problem of Layer 2 address resolution.
After examining the packets themselves and the addressing they use, you should now have a solid understanding of ARP. We have also examined several of the operations involved and the security threat represented by this distributed, unauthenticated approach. This chapter has taken you through the operation and structure of ARP, which is about all you will need to handle ARP on almost any network.
However, there are some operations or standards that you should familiarize yourself with, even though you are not likely to run into them very often.
Useful resources include:
- The base address resolution standard. While not very descriptive, current operation is based on this RFC.
- The RFC that approaches the issue of address resolution from the opposite direction.
- The RFC that allows a host to request a particular protocol address for a given hardware address.

Review questions:
1. Describe the Ethernet addressing used in the standard ARP request. Are the source and destination addresses unicast, broadcast, or multicast?
2. Describe the Ethernet addressing used in the standard ARP reply.
The ARP request uses a unicast address for the source and a broadcast address for the destination. The ARP reply uses a unicast address for the source and a unicast address for the destination.
Gratuitous ARP: this term refers to a node sending out an ARP request for its own IP address in order to determine whether another node is using the same address. The ARP table display also shows whether each entry is static or dynamic. Once a table has been poisoned, hosts make incorrect forwarding decisions.
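The addressing in the answers above, and the gratuitous ARP just defined, are easiest to see on the bytes themselves. The following Python builds and decodes Ethernet/IPv4 ARP frames in the RFC 826 field order; it is an added example, not code from the chapter, and sends nothing on the wire. The MAC and IP addresses in the demonstration are constructed.

```python
import struct

ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by the 28-byte Ethernet/IPv4 ARP body, fields in RFC 826 order.
    A request goes to the Ethernet broadcast address with an all-zero target MAC (the value being
    asked for); a reply goes unicast straight to the requester's MAC."""
    if opcode == ARP_REQUEST:
        eth_dst, target_mac = ETH_BROADCAST, ZERO_MAC
    elif opcode == ARP_REPLY:
        eth_dst = target_mac
    else:
        raise ValueError(f"unsupported ARP opcode {opcode}")
    eth_hdr = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    body += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    body += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth_hdr + body


def parse_arp_frame(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict; rejects non-ARP and undersized frames."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def classify_eth_addr(mac):
    """Unicast, multicast or broadcast, decided by the I/G bit of the first octet."""
    if mac == ETH_BROADCAST:
        return "broadcast"
    return "multicast" if int(mac[:2], 16) & 1 else "unicast"


def is_gratuitous(arp):
    """Gratuitous ARP: the sender asks about, or announces, its own IP address."""
    return arp["sender_ip"] == arp["target_ip"]


if __name__ == "__main__":
    # Constructed addresses for the demonstration; nothing is transmitted.
    req = build_arp_frame(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.25", ZERO_MAC, "192.168.1.1")
    rep = build_arp_frame(ARP_REPLY, "aa:bb:cc:dd:ee:ff", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.25")
    for frame in (req, rep):
        f = parse_arp_frame(frame)
        print(f["opcode"], "dst", f["eth_dst"], classify_eth_addr(f["eth_dst"]),
              "src", f["eth_src"], classify_eth_addr(f["eth_src"]),
              "gratuitous" if is_gratuitous(f) else "")
```

Note that nothing in the frame ties the sender MAC in the ARP body to the Ethernet source address, let alone to the IP it claims; that absence of any binding is what makes the poisoning described earlier possible.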
ARP transmissions are also sent in the clear, so anyone on the segment can read and forge them.

Materials: A Windows computer with a network connection and packet capture software.

1. In the Run box, type cmd and press Enter. A command window opens.
2. Display the IP address of your computer. The output shows your IP address and the address of the default gateway.
3. In the command window, type arp -a. This produces the output shown in the figure and gives an idea of the nodes on the network with which the computer has recently communicated.
4. With the packet capture running, go back to the command window and ping one of the nodes previously listed in the ARP table. Any ARP frames exchanged will be followed by the ICMP traffic. In pinging the default gateway, you may see the return ARP.
Suppose you want to access a website like Google. Behind the scenes the browser uses application layer services such as HTTP to establish the connection between the two systems. The network layer then adds the IP information, with the destination IP address obtained from DNS. This packet is handed down to layer 2, the data link layer.
At layer 2, communication happens over the MAC address, the hardware-assigned physical address of the network interface, not over the IP address. So how would the source computer know the MAC address associated with the destination IP address? This is where ARP comes into the picture. So, let's dive deep into ARP and start the blog.