NETASQ Technical Support Training Session 7

ARP

© NETASQ 2007

Summary

• The ARP protocol and MAC addresses:
  – General concepts and usage
    • ARP, MAC addresses, Ethernet frame format
    • Usage: host-to-host, routing, host and service discovery, network equipment
  – The ARP cache, the arp command and its arguments
  – ARP spoofing, assigning a static MAC address to objects
  – NETASQ bridge features: FastRoute, loop protection
  – ARP proxy, PPTP links
  – High Availability
  – Console messages

NETASQ – CORPORATE PRESENTATION

General concepts: ARP

• The ARP protocol:
  – Address Resolution Protocol (defined in RFC 826)
    • was originally developed for Ethernet media, but was extended to radio / wireless media
    • establishes the link between layer 2 (Ethernet) and layer 3 (IP)
    • dynamically maintains the table associating hardware addresses (MAC) with logical addresses (IP)
    • is based on a simple request/reply dialogue


General concepts: MAC address

• The MAC address:
  – Overview
    • stands for Media Access Control address
    • is a 48-bit (6-byte) identifier, meant to be unique worldwide
    • is usually written a0:b1:c2:d3:e4:f5 or a0-b1-c2-d3-e4-f5
    • is burnt into the Ethernet hardware
    • the first 3 bytes (the OUI) identify the manufacturer or vendor; they are assigned by the IEEE so that they are unique worldwide (see Appendix 1 for the network cards used in NETASQ products)
    • may be overridden on some operating systems, depending on the network implementation (UNIX) or on the driver options (Windows); a MAC address is therefore not a reliable proof of identity


General concepts: MAC address

• MAC address use:
  – Used to define the source and destination hosts for hardware addressing on a local LAN
    • for direct host-to-host communication
    • for host-to-router transport
    • broadcasts for service discovery and use (NetBIOS, DHCP, ...)
    • used by network switches to limit flooding on Ethernet networks


General concepts: Ethernet frame format

• Destination MAC address (6 bytes)
• Source MAC address (6 bytes)
• Ethernet type (2 bytes; 0x0806 for ARP and 0x0800 for IP, as shown in the captures below)
• Payload (between 46 and 1500 bytes; a shorter payload such as a 28-byte ARP packet is padded up to 46 bytes, which is why ARP frames appear as 60 bytes on the wire)
• CRC checksum (4 bytes, the frame check sequence)


Usage: host-to-host communication

• Host-to-host communication:
  – This kind of communication occurs on a LAN and begins with an ARP request to resolve the MAC address of the destination host:
    • arp who-has dstIP_addr tell srcIP_addr
    • arp reply dstIP_addr is-at dstMAC_addr
  – Then the real communication begins with the required protocol (TCP, UDP, ICMP, ...)


Usage: host-to-host communication

• Host-to-host communication:
  – Here is a sample capture illustrating the steps involved in this kind of communication. Host 10.0.0.1 needs to connect to its neighbour 10.0.0.138 for a telnet session:

    F1000C9999999999>tcpdump -nei fxp0 arp or port 23
    tcpdump: listening on fxp0
    0:d:b4:0:c5:e0 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.0.0.138 tell 10.0.0.1
    0:90:d0:e2:a4:27 0:d:b4:0:c5:e0 0806 60: arp reply 10.0.0.138 is-at 0:90:d0:e2:a4:27
    0:d:b4:0:c5:e0 0:90:d0:e2:a4:27 0800 74: 10.0.0.1.1312 > 10.0.0.138.23: S 1566967899:1566967899(0) win 57344 (DF) [tos 0x10]


Usage: host-to-host communication

• Host-to-host communication:
  – The target host belongs to the same IP range as the source host, so they can communicate directly.
    • The source host first resolves the MAC address by sending an ARP request ("arp who-has") to the whole local network, i.e. to the Ethernet broadcast address ff:ff:ff:ff:ff:ff.
    • It gets an "arp reply" back, unicast to its own MAC address, with the answer in the ARP payload (the "is-at" field).
    • It then sends the TCP SYN connection request to the destination IP address, using as Ethernet destination the MAC address given in the ARP reply.
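The exchange above, as an added example that is not part of the original training material: it builds and parses the Ethernet/ARP frames of the telnet capture (14-byte Ethernet header followed by the 28-byte RFC 826 ARP body) and prints them in the `tcpdump -nei` layout used on this page. The padding choice (42 bytes for the locally generated request, 60 bytes for the reply padded by its sender) reproduces the frame sizes of the capture. The `address_probe` function goes beyond this slide and shows the self-addressed request a host sends to check that an address is free. Nothing here touches the network; every frame is constructed in memory.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IP = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
NULL_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    """'00:0d:b4:00:c5:e0' or '0:d:b4:0:c5:e0' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(raw):
    """Render like tcpdump -e on this page: no leading zeros (0:d:b4:0:c5:e0)."""
    return ":".join(f"{x:x}" for x in raw)


def ip_str(raw):
    return ".".join(str(x) for x in raw)


def build_arp(op, sha, spa, tha, tpa, pad=False):
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet).

    A request goes to the broadcast MAC, a reply is unicast to the requester.
    14 bytes of Ethernet header + 28 bytes of ARP = 42 bytes; pad=True appends the
    zero padding that makes a frame on the wire at least 60 bytes (+ 4 bytes FCS).
    """
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    frame = eth + arp
    return frame.ljust(60, b"\x00") if pad else frame


def parse_frame(frame):
    """Decode the Ethernet header and, for ethertype 0x0806, the ARP fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "type": etype, "len": len(frame)}
    if etype != ETHERTYPE_ARP:
        return info
    if len(frame) < 42:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    body = frame[22:42]
    info.update(op=op, sha=mac_str(body[0:6]), spa=ip_str(body[6:10]),
                tha=mac_str(body[10:16]), tpa=ip_str(body[16:20]))
    return info


def tcpdump_line(frame):
    """Render a frame the way `tcpdump -nei` prints it in the captures on this page."""
    p = parse_frame(frame)
    head = f"{p['src']} {p['dst']} {p['type']:04x} {p['len']}:"
    if p["type"] != ETHERTYPE_ARP:
        return head
    if p["op"] == ARP_REQUEST:
        return f"{head} arp who-has {p['tpa']} tell {p['spa']}"
    if p["op"] == ARP_REPLY:
        return f"{head} arp reply {p['spa']} is-at {p['sha']}"
    return f"{head} arp op={p['op']}"


def host_to_host_exchange():
    """The resolution step of the telnet capture: 10.0.0.1 asks for 10.0.0.138.

    The firewall's own outgoing request is captured before padding (42 bytes);
    the reply from 10.0.0.138 arrives already padded by its sender (60 bytes).
    """
    req = build_arp(ARP_REQUEST, "00:0d:b4:00:c5:e0", "10.0.0.1", NULL_MAC, "10.0.0.138")
    rep = build_arp(ARP_REPLY, "00:90:d0:e2:a4:27", "10.0.0.138", "00:0d:b4:00:c5:e0", "10.0.0.1", pad=True)
    return [tcpdump_line(req), tcpdump_line(rep)]


def address_probe(mac, ip):
    """Self-addressed request ('who-has ip tell ip') a host sends to check that an
    address it is about to use is free; any is-at reply would reveal a conflict."""
    return tcpdump_line(build_arp(ARP_REQUEST, mac, ip, NULL_MAC, ip, pad=True))


if __name__ == "__main__":
    for line in host_to_host_exchange():
        print(line)
    print(address_probe("00:02:b3:a8:6c:69", "192.168.60.155"))
```

Run as a script, it prints the two ARP lines of the capture above and a probe for 192.168.60.155; feed `parse_frame` a raw frame from any capture tool to check the same fields.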


Usage: routing

• Host-to-router transport:
  – Routing packets to a foreign IP range: the host
    • resolves the MAC address of its gateway,
    • then sends the packet to the destination IP address with the MAC address of the gateway as the Ethernet destination.

  Sample of a host sending an outgoing request (the gateway 192.168.60.254 is the IPS-Firewall's fxp1 interface, 0:d:b4:0:c5:e1). Note that the ICMP echo request is addressed to 194.206.126.253 at layer 3 but to the gateway's MAC address at layer 2:

    F1000C9999999999>tcpdump -nei fxp1 arp or host 192.168.60.155
    tcpdump: listening on fxp1
    0:2:b3:a8:6c:69 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.60.254 tell 192.168.60.155
    0:d:b4:0:c5:e1 0:2:b3:a8:6c:69 0806 60: arp reply 192.168.60.254 is-at 0:d:b4:0:c5:e1
    0:2:b3:a8:6c:69 0:d:b4:0:c5:e1 0800 74: 192.168.60.155 > 194.206.126.253: icmp: echo request
    0:d:b4:0:c5:e1 0:2:b3:a8:6c:69 0800 74: 194.206.126.253 > 192.168.60.155: icmp: echo reply


Usage: host discovery

• Host discovery / service use (Ethernet broadcasts)
  – Host discovery for NetBIOS (NetBIOS name service): the query goes to the IP broadcast address and therefore to the Ethernet broadcast MAC, without any ARP resolution:

    0:d:b4:0:c5:e0 ff:ff:ff:ff:ff:ff 0800 92: 10.0.0.1.137 > 10.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

  – Service discovery for IP address assignment by DHCP
    • A host that does not own any IP address yet reaches the local DHCP server with an Ethernet broadcast (IP source 0.0.0.0, destination 255.255.255.255, destination MAC ff:ff:ff:ff:ff:ff). ARP only comes into play afterwards, when the client probes the address it has been offered.


Usage: service discovery (DHCP)

• Service discovery and use (Ethernet broadcasts)
  – DHCP discovery and use. Sample of a DHCP dialogue:

    F500XC105830500901>tcpdump -tnei fxp1 arp or port 67 or port 68
    tcpdump: listening on fxp1
    0:2:b3:a8:6c:69 ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: xid:0x65089bde [|bootp]
    0:d:b4:0:c5:e1 0:2:b3:a8:6c:69 0800 342: 192.168.60.254.67 > 192.168.60.155.68: xid:0x65089bde Y:192.168.60.155 S:192.168.60.254 [|bootp] [tos 0x10]
    0:2:b3:a8:6c:69 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.60.155 tell 192.168.60.155
    0:2:b3:a8:6c:69 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.60.155 tell 192.168.60.155
    0:2:b3:a8:6c:69 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.60.155 tell 192.168.60.155

  • The DHCP client sends its DHCP discover to the whole network as an Ethernet broadcast (destination MAC ff:ff:ff:ff:ff:ff, ethertype 0800), from IP source 0.0.0.0 since it has no address yet.
  • It receives a DHCP offer, unicast to its MAC address, delivering an IP address (Y:192.168.60.155) and its default gateway.
  • To avoid IP conflicts, the client then checks whether this address is already in use on the network by sending "arp who-has" requests for it with itself as sender (the self-addressed probes above); any "is-at" reply would reveal a conflict.


Usage: switches

• Network equipment keeps track of MAC addresses
  Switches keep a table associating each MAC address with the physical port it has been seen on, and forward a unicast frame only to that port. This limits the flooding that would otherwise occur on an Ethernet network; a frame whose destination MAC is unknown, or a broadcast, is still sent to all ports.


The ARP cache

• By default, entries are temporary.
• A temporary entry only lasts 600 seconds (sysctl net.link.ether.inet.max_age); after that the address has to be resolved again.
• A permanent entry has no timer.
• Permanent entries can't be overwritten by network traffic (i.e., by "is-at" replies).
• An entry associates an interface and an IP address with a MAC address.


Usual ARP commands

• Displaying the content of the ARP cache
    arp -a

• Clearing the ARP cache
    UNIX:  arp -d -a
    Win32: arp -d *

• Adding a static entry
    arp -s hostname ether_addr

• Attributes of static entries
    arp -s hostname ether_addr permanent
    arp -s hostname ether_addr temp
    arp -s hostname ether_addr pub


ARP on your IPS-Firewall

• Displaying the content of the ARP cache with arp -a

    F200XA004370400501>arp -a
    ? (10.0.0.6) at (incomplete) on sis0 [ethernet]
    ? (10.1.15.2) at 00:15:f2:89:3a:36 on sis0 [ethernet]
    dummy (10.1.15.155) at 00:02:b6:33:e5:ef on sis0 permanent published [ethernet]
    ? (10.1.42.2) at 00:03:47:08:6d:09 on sis0 [ethernet]

  • A question mark (?) shows an IP address that is not part of the object base (there is no object name to display).
  • (incomplete) shows an unresolved MAC address: a who-has was sent and no reply has been received yet.
  • The interface shown is only meaningful outside bridges; inside a bridge, use sfctl -s host to find the physical interface a host is seen on.


ARP on your IPS-Firewall

• Deleting all entries
    arp -d -a

• Deleting a specific entry
    arp -d hostname


ARP on your IPS-Firewall

• Adding a static entry
    arp -s hostname ether_addr

• Adding a temporary entry (it ages out like a learnt one)
    arp -s hostname ether_addr temp

• Adding a published entry (the IPS-Firewall answers who-has requests for hostname with ether_addr: this is the basis of ARP proxy)
    arp -s hostname ether_addr pub

• Adding a permanent and published entry
    arp -s hostname ether_addr permanent pub


ARP spoofing

• Providing a wrong MAC address for an IP address.
• Done with forged "is-at" replies.
• Some platforms let their ARP cache be poisoned by unsolicited replies (replies to requests they never sent).
• The IPS-Firewall's ARP cache can be protected by giving static MAC addresses to host objects, which makes their entries permanent and therefore immune to "is-at" replies.


Objects: static MAC address and DHCP

• Associating a static MAC address with a host created in the objects
  • automatically adds a "permanent" entry in the ARP cache for the corresponding host (protects against ARP spoofing)
  • makes this object available for the static IP delivery feature of the DHCP service (to only deliver IP addresses to "known" hosts, and to always assign the same IP address to the same host, so that each host on the network is easily identified without having to set up its IP address locally)
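An added model, not NETASQ code, of the cache behaviour described on the preceding slides: temporary entries that expire after net.link.ether.inet.max_age, permanent entries that "is-at" replies cannot overwrite, published entries the host answers for, and the difference between a stack that accepts unsolicited replies and one that only takes replies it asked for. The 600-second max_age and the MAC and IP addresses come from this page; the class name, the `accept_unsolicited` switch and the return strings are assumptions made for the demonstration and do not describe the IPS-Firewall kernel.

```python
import time

MAX_AGE = 600  # seconds; the value this page quotes for sysctl net.link.ether.inet.max_age


class ArpCache:
    """Model of a host ARP cache with the entry types the arp command creates.

    Temporary entries age out after max_age; permanent ones have no timer and are
    never overwritten by is-at replies; published ones are answered for (ARP proxy).
    accept_unsolicited=True models the platforms the page says can be poisoned by
    replies nobody asked for; False models a stack that only takes solicited replies.
    """

    def __init__(self, own_ips, accept_unsolicited=True, max_age=MAX_AGE, clock=time.monotonic):
        self.own_ips = set(own_ips)
        self.accept_unsolicited = accept_unsolicited
        self.max_age = max_age
        self.clock = clock
        self.table = {}       # ip -> {"mac", "iface", "permanent", "published", "expires"}
        self.pending = set()  # IPs for which we have an outstanding who-has of our own

    def add_static(self, ip, mac, iface, permanent=True, published=False):
        """arp -s ip mac [temp|permanent] [pub]."""
        self.table[ip] = {"mac": mac, "iface": iface, "permanent": permanent, "published": published,
                          "expires": None if permanent else self.clock() + self.max_age}

    def lookup(self, ip):
        """MAC for ip, or None; a temporary entry past its timer is dropped on the way."""
        e = self.table.get(ip)
        if e is None:
            return None
        if e["expires"] is not None and e["expires"] <= self.clock():
            del self.table[ip]
            return None
        return e["mac"]

    def send_request(self, ip):
        """We emit 'arp who-has ip tell <us>': remember it so the reply counts as solicited."""
        self.pending.add(ip)

    def on_reply(self, spa, sha, iface):
        """Process 'arp reply spa is-at sha' received on iface; return what the cache did."""
        e = self.table.get(spa)
        if e is not None and e["permanent"]:
            return "ignored: permanent entry"          # the static MAC of the object wins
        if spa not in self.pending and not self.accept_unsolicited:
            return "ignored: unsolicited reply"
        self.pending.discard(spa)
        self.table[spa] = {"mac": sha, "iface": iface, "permanent": False, "published": False,
                           "expires": self.clock() + self.max_age}
        if e is None:
            return "learned"
        return "refreshed" if e["mac"] == sha else "overwritten"

    def answers_for(self, tpa):
        """Does this host reply to 'who-has tpa'? Yes for its own addresses and for
        published entries, which is how the ARP proxy works."""
        if tpa in self.own_ips:
            return True
        e = self.table.get(tpa)
        return e is not None and e["published"]

    def show(self):
        """Lines in the style of arp -a (names are not resolved here, hence the '?')."""
        out = []
        for ip, e in self.table.items():
            attrs = ("permanent " if e["permanent"] else "") + ("published " if e["published"] else "")
            out.append(f"? ({ip}) at {e['mac']} on {e['iface']} {attrs}[ethernet]")
        return out


def poisoning_demo():
    """Attacker 00:02:b3:a8:6c:69 sends an unsolicited 'is-at' for the gateway 192.168.60.254."""
    gw, gw_mac, attacker = "192.168.60.254", "00:0d:b4:00:c5:e1", "00:02:b3:a8:6c:69"
    results = {}
    naive = ArpCache(own_ips=["192.168.60.155"], accept_unsolicited=True)
    naive.send_request(gw)
    naive.on_reply(gw, gw_mac, "fxp1")                # legitimate reply, learned dynamically
    results["naive"] = (naive.on_reply(gw, attacker, "fxp1"), naive.lookup(gw))
    protected = ArpCache(own_ips=["192.168.60.155"], accept_unsolicited=True)
    protected.add_static(gw, gw_mac, "fxp1", permanent=True)   # static MAC on the host object
    results["permanent"] = (protected.on_reply(gw, attacker, "fxp1"), protected.lookup(gw))
    strict = ArpCache(own_ips=["192.168.60.155"], accept_unsolicited=False)
    results["strict"] = (strict.on_reply(gw, attacker, "fxp1"), strict.lookup(gw))
    return results


def ageing_demo():
    """Fake clock: the learned entry is gone after max_age, the permanent one is not."""
    now = [0.0]
    cache = ArpCache(own_ips=[], clock=lambda: now[0])
    cache.send_request("10.0.0.138")
    cache.on_reply("10.0.0.138", "00:90:d0:e2:a4:27", "fxp0")
    cache.add_static("10.1.15.155", "00:02:b6:33:e5:ef", "sis0", permanent=True, published=True)
    now[0] = MAX_AGE + 1
    return cache.lookup("10.0.0.138"), cache.lookup("10.1.15.155"), cache.answers_for("10.1.15.155")


if __name__ == "__main__":
    print(poisoning_demo())
    print(ageing_demo())
```

The naive cache ends up pointing the gateway at the attacker, the permanent entry rejects the forged reply, and the strict stack never learns from it. Real stacks differ in detail from this model; the point it makes is the one of the slides: only a permanent entry is safe against forged "is-at" replies whatever the platform's policy on unsolicited ones.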


Bridge: keep initial routing (FastRoute)

• Only relevant in bridges.
• Parameter FastRoute in ~/ConfigFiles/network.
• When FastRoute=1, the IPS-Firewall's routing policy is not enforced: the frame keeps the destination MAC address chosen by the sending host.
• When FastRoute=0 (default), the destination MAC address is overwritten according to the IPS-Firewall's routing policy.


Bridge: protecting against loops

• Only relevant in bridges.
• Triggered when a MAC address switches from one interface to another more than 10 times.
• Packet reception on the interface is then disabled (muted) during a short period of time.
• Parameter LoopAddrIgnore (~/ConfigFiles/network) lists the MAC addresses that must not trigger interface muting, e.g.
    LoopAddrIgnore=00-00-00-00-fe-00,00-00-00-00-fe-01,01-00-5e-0a-78-01,01-00-5e-0a-78-05
• Logs are shown only on the console, in dmesg and in the ASQ verbose output:

    ASQ: loop (10) shost=00:00:00:00:fe:00 dhost=01:00:5e:0a:78:01 new=fxp1 old=fxp0 (ignore)
    ASQ: loop (11) shost=00:00:00:00:fe:00 dhost=01:00:5e:0a:78:05 new=fxp0 old=fxp1 (muted)
    ASQ: loop (12) shost=00:00:00:00:fe:00 dhost=01:00:5e:0a:78:01 new=fxp1 old=fxp0 (muted)


Bridge: protecting against loops

Example with the Check Point High Availability protocol (UDP port 8116, sent to the multicast MAC addresses 1:0:5e:a:78:1 and 1:0:5e:a:78:5):
• Each cluster member sends its HA packets on each of its interfaces.
• Seen through the bridge, the same source MAC (0:0:0:0:fe:0 or 0:0:0:0:fe:1) keeps moving from one interface to the other and triggers interface muting.

    0:0:0:0:fe:1 1:0:5e:a:78:1 0800 78: 0.0.0.0.8116 > 10.0.0.0.8116: udp 36
    0:0:0:0:fe:0 1:0:5e:a:78:5 0800 66: 0.0.0.0.8116 > 10.0.0.0.8116: udp 24
    0:0:0:0:fe:1 1:0:5e:a:78:1 0800 78: 0.0.0.0.8116 > 10.0.0.0.8116: udp 36
    0:0:0:0:fe:0 1:0:5e:a:78:1 0800 78: 0.0.0.0.8116 > 10.0.0.0.8116: udp 36
    0:0:0:0:fe:0 1:0:5e:a:78:5 0800 76: 0.0.0.0.8116 > 10.0.0.0.8116: udp 34
    0:0:0:0:fe:1 1:0:5e:a:78:1 0800 78: 0.0.0.0.8116 > 10.0.0.0.8116: udp 36
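An added simulation, not the ASQ implementation, of the loop protection described on these two slides: it counts how many times a source MAC moves between bridge interfaces, logs from the tenth change on in the format shown above, and mutes the receiving interface once the count exceeds 10 unless the address is listed in LoopAddrIgnore. Two things are assumptions drawn from the sample log rather than facts stated on the page: change number 10 is logged as "(ignore)" and change 11 is the first to mute, and the mute lasts 1 second. The traffic is constructed to look like the Check Point HA capture (one source MAC alternating between fxp0 and fxp1).

```python
from collections import defaultdict

LOOP_THRESHOLD = 10   # the page: a MAC switching interface more than 10 times
MUTE_SECONDS = 1.0    # "a short period of time"; the real value is not on the page (assumption)


def normalize(mac):
    """Accept 0:0:0:0:fe:0, 00-00-00-00-fe-00 or 00:00:00:00:fe:00 -> 00:00:00:00:fe:00."""
    return ":".join(p.zfill(2) for p in mac.strip().lower().replace("-", ":").split(":"))


def parse_loop_addr_ignore(value):
    """Parse 'LoopAddrIgnore=a,b,c' (or just 'a,b,c') from ~/ConfigFiles/network into a set."""
    macs = value.partition("=")[2] if "=" in value else value
    return {normalize(m) for m in macs.split(",") if m.strip()}


class LoopGuard:
    """Per-bridge loop protection: count interface changes per source MAC, log from the
    threshold on, and mute the receiving interface once the threshold is exceeded."""

    def __init__(self, ignore, clock):
        self.ignore = ignore
        self.clock = clock
        self.seen_on = {}               # source MAC -> interface it was last seen on
        self.flips = defaultdict(int)   # source MAC -> number of interface changes
        self.muted_until = {}           # interface -> time until which reception is disabled
        self.log = []

    def receive(self, iface, shost, dhost):
        """A frame from shost to dhost arrived on iface. Returns True if it is accepted."""
        now = self.clock()
        if self.muted_until.get(iface, 0.0) > now:
            return False                                   # interface muted: drop silently
        shost, dhost = normalize(shost), normalize(dhost)
        old = self.seen_on.get(shost)
        self.seen_on[shost] = iface
        if old is None or old == iface:
            return True
        self.flips[shost] += 1
        n = self.flips[shost]
        if n < LOOP_THRESHOLD:
            return True
        if shost in self.ignore or n == LOOP_THRESHOLD:
            status = "ignore"     # listed address, or exactly 10 changes: not yet "more than 10"
        else:
            status = "muted"
            self.muted_until[iface] = now + MUTE_SECONDS
        self.log.append(f"ASQ: loop ({n}) shost={shost} dhost={dhost} new={iface} old={old} ({status})")
        return status != "muted"


def run_flaps(shost, ignore_line, arrivals=13, dhost="1:0:5e:a:78:1"):
    """Deliver `arrivals` frames from shost alternately on fxp0 and fxp1, 100 ms apart
    (constructed traffic shaped like the Check Point HA capture on the page)."""
    now = [0.0]
    guard = LoopGuard(parse_loop_addr_ignore(ignore_line), clock=lambda: now[0])
    accepted = []
    for i in range(arrivals):
        accepted.append(guard.receive("fxp0" if i % 2 == 0 else "fxp1", shost, dhost))
        now[0] += 0.1
    return guard.log, accepted


if __name__ == "__main__":
    log, accepted = run_flaps("0:0:0:0:fe:0", "LoopAddrIgnore=00-00-00-00-fe-01")
    print("\n".join(log))
    print(accepted)
```

With 00-00-00-00-fe-01 in the ignore list, the flapping 0:0:0:0:fe:0 gets muted from its 11th interface change and its later frames are dropped, whereas the same run with 0:0:0:0:fe:1 as source only produces "(ignore)" lines and every frame is accepted. Listing a cluster's MAC addresses in LoopAddrIgnore therefore trades loop protection for availability of that cluster's traffic; it should be done only for addresses known to flap legitimately.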


ARP proxy

• Associates IP addresses with the MAC address of one of the IPS-Firewall's interfaces.
• Based on published static ARP entries.
• The IPS-Firewall replies to "who-has" requests even if they do not match one of the IP addresses of its interfaces.


ARP proxy

• Used by NAT (either rdr, map or bimap). With the rule below, the translated address server.com gets a published entry on the interface whose network it belongs to, so that the IPS-Firewall answers ARP requests for it and receives the traffic to translate:

    rdr out from any to server.com port http -> webserver port http
    F200XA004370400501>arp -a
    server.com (66.102.9.99) at 00:02:b6:33:e5:ef on sis0 permanent published [ethernet]

• Publication is only done when needed and possible, i.e. when the address to publish is not already one of the IPS-Firewall's own addresses but belongs to the network of one of its interfaces. Translating the interface address itself requires no published entry, since the IPS-Firewall already answers for it:

    rdr out from any to Firewall_out port http -> webserver port http
    F200XA004370400501>arp -a
    F200XA004370400501>


Point-to-Point Tunneling Protocol

• The PPTP interface is bridged with the local one:

    F200XA106530400601>ifinfo
    interface list:
    dynbdg0 172.16.15.63/255.255.255.0
        dmz (sis3)
        PPTP0 (ng8)
    bridge 10.1.15.63/255.0.0.0
        out (sis0)
        in (protected,sis1)


Point-to-Point Tunneling Protocol

• The IP address assigned from the PPTP pool is published on the local interface: 172.16.15.10, the address of the PPTP client behind ng8, is answered for on sis3 with sis3's own MAC address through a "proxy only" entry, so that hosts on the dmz reach the client through the IPS-Firewall.

    F200XA106530400601>ifconfig ng8
    ng8: flags=88d1 mtu 1496
            inet 172.16.15.63 --> 172.16.15.10 netmask 0xffffffff
    F200XA106530400601>ifconfig sis3
    sis3: flags=8843 mtu 1500
            options=40
            inet 172.16.15.63 netmask 0xffffff00 broadcast 172.16.15.255
            ether 00:80:b6:02:45:29
    F200XA106530400601>arp -a
    ? (10.0.0.12) at 00:0d:b4:00:e8:58 on sis0 [ethernet]
    ? (10.0.0.124) at 00:e0:18:bd:7f:8e on sis0 [ethernet]
    ? (172.16.15.10) at 00:80:b6:02:45:29 on sis3 permanent published (proxy only) [ethernet]
    ? (10.1.42.1) at 00:02:b3:32:b0:0c on sis0 [ethernet]


High availability

• The MAC addresses of each interface are kept in sync between the members through ~/ConfigFiles/network.
• MAC address synchronization is only done on HA synchronization (not on initialization).
• Synchronization is only done if the corresponding MACAddress parameter is missing from ~/ConfigFiles/network.
• The MACAddress parameter is ignored for HA links (both main and backup links): the native MAC addresses are always used there.
• If the option is activated, gratuitous ARP packets are sent periodically (every 10 seconds by default), so that the neighbours' ARP caches keep pointing at the active member.


Console messages

    arp: $MAC is using my IP address $IP!

ARP has discovered another host on the local network ($MAC) that responds to mapping requests for the IPS-Firewall's own IP address ($IP) with a different MAC address. This generally indicates that two hosts are attempting to use the same IP address, or that an ARP spoofing attempt is targeting the IPS-Firewall's address.


Console messages

    arp: $IP moved from $MAC to $NEW-MAC

ARP had a cached value for the MAC address ($MAC) of the referenced host ($IP), but received a reply indicating that the host is at a new address ($NEW-MAC). This can happen normally when host hardware addresses change, or when a mobile node arrives on or leaves the local subnet. It can also indicate a problem with proxy ARP, or an ARP spoofing attempt against a non-permanent entry.


Console messages

    arp: $IP is on $IF but got reply from $MAC on $WRONG-IF

ARP had a cached value for the referenced host ($IP) on interface $IF, but received a reply indicating that the host is seen on another interface ($WRONG-IF). This is usually due to loops in the Ethernet infrastructure (physical cabling).
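An added example, not from the page or from the NETASQ kernel: the three checks behind these console messages, replayed over `tcpdump -nei` lines of the form shown earlier on this page. The monitor is told which interface each line was captured on (tcpdump does not print it) and which addresses are its own; it learns sender mappings from replies and only raises "is using my IP" for requests. The capture below is constructed from addresses that appear in this page's traces and is not a real trace.

```python
import re

# tcpdump -nei line: "<src> <dst> 0806 <len>: arp reply <ip> is-at <mac>"
#                 or "<src> <dst> 0806 <len>: arp who-has <ip> tell <ip>"
ARP_LINE = re.compile(
    r"^(?P<src>[0-9a-f:]+) (?P<dst>[0-9a-f:]+) 0806 \d+: arp "
    r"(?:reply (?P<rip>[\d.]+) is-at (?P<rmac>[0-9a-f:]+)|who-has (?P<tip>[\d.]+) tell (?P<sip>[\d.]+))"
)


def normalize(mac):
    """tcpdump prints 0:d:b4:0:c5:e0; the console messages use 00:0d:b4:00:c5:e0."""
    return ":".join(p.zfill(2) for p in mac.lower().split(":"))


class ArpMonitor:
    """Replays the three checks behind the arp: console messages on this page over
    capture lines, given the interface each line was captured on."""

    def __init__(self, own):
        # own: {ip: (mac, iface)} for the monitored host's interfaces
        self.own = {ip: (normalize(mac), iface) for ip, (mac, iface) in own.items()}
        self.cache = {}      # ip -> (mac, iface)
        self.messages = []

    def feed(self, iface, line):
        """Return the console message this line would trigger, or None."""
        m = ARP_LINE.match(line.strip())
        if m is None:
            return None
        if m["rip"] is not None:                       # reply: the sender is the answering host
            ip, mac, is_reply = m["rip"], normalize(m["rmac"]), True
        else:                                          # request: sender fields still advertise a mapping
            ip, mac, is_reply = m["sip"], normalize(m["src"]), False
        msg = self._check(ip, mac, iface, is_reply)
        if msg:
            self.messages.append(msg)
        return msg

    def _check(self, ip, mac, iface, is_reply):
        if ip in self.own:
            # someone else answers (or asks) for one of our own addresses
            return None if mac == self.own[ip][0] else f"arp: {mac} is using my IP address {ip}!"
        if not is_reply:
            return None
        old = self.cache.get(ip)
        if old is None:
            self.cache[ip] = (mac, iface)
            return None
        old_mac, old_iface = old
        if old_iface != iface:
            # the entry is not moved: the page attributes this case to a cabling loop
            return f"arp: {ip} is on {old_iface} but got reply from {mac} on {iface}"
        self.cache[ip] = (mac, iface)
        if old_mac != mac:
            return f"arp: {ip} moved from {old_mac} to {mac}"
        return None


# Constructed capture reusing addresses from this page's own traces (not a real trace).
SAMPLE = [
    ("fxp0", "0:d:b4:0:c5:e0 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.0.0.138 tell 10.0.0.1"),
    ("fxp0", "0:90:d0:e2:a4:27 0:d:b4:0:c5:e0 0806 60: arp reply 10.0.0.138 is-at 0:90:d0:e2:a4:27"),
    ("fxp0", "0:2:b3:32:b0:c 0:d:b4:0:c5:e0 0806 60: arp reply 10.0.0.138 is-at 0:2:b3:32:b0:c"),
    ("fxp1", "0:90:d0:e2:a4:27 0:d:b4:0:c5:e0 0806 60: arp reply 10.0.0.138 is-at 0:90:d0:e2:a4:27"),
    ("fxp0", "0:e0:18:bd:7f:8e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.0.0.1 tell 10.0.0.1"),
]


def replay(sample=SAMPLE):
    """Run the monitor as host 10.0.0.1 (MAC 00:0d:b4:00:c5:e0 on fxp0) over the sample."""
    mon = ArpMonitor({"10.0.0.1": ("00:0d:b4:00:c5:e0", "fxp0")})
    for iface, line in sample:
        mon.feed(iface, line)
    return mon.messages


if __name__ == "__main__":
    for msg in replay():
        print(msg)
```

Run over a real `tcpdump -nei <if> arp` capture, one interface at a time, the same class gives an offline view of what the console would have reported; a burst of "moved from" lines for a gateway address, all towards the same new MAC, is the signature of the spoofing described earlier.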


APPENDICES


Appendix 1: NETASQ products MAC Id

• NETASQ products are based on several network chips. The driver name (as seen in interface names such as fxp0 or sis0), the OUI of the cards and the vendor:

    Driver                OUI               Vendor
    em (gigabit)          00:e0:ed:_:_:_    Silicom
                          00:30:48:_:_:_    Intel
    fxp (fast ethernet)   00:80:b6:_:_:_    Tekelec
                          00:0d:b4:_:_:_    NETASQ
    sis (fast ethernet)   00:02:b6:_:_:_    Acrosser
