Proxy ARP

This article is a part of a series on Address Resolution Protocol (ARP). Use the navigation boxes to view the rest of the articles.

 

Address Resolution Protocol

We’ve discussed the use cases and role of traditional ARP in the prior article of this series. In this article we will discuss Proxy ARP and its role and significance.

Proxy ARP occurs when one node is responding to an ARP request on behalf of another node.

Proxy ARP is not a malicious event, it occurs to enable connectivity between two hosts that wouldn’t otherwise be possible.

 

Original Use Case

The original thought process for Proxy ARP was to accommodate hosts with misconfigured subnet masks.

As we’ve discussed before, when a host is speaking to another host on the same IP network, the target for the ARP request is the other host’s IP address. If a host is speaking to another host on a different IP network, the target for the ARP request will be the Default Gateway’s IP address.

The item which tells a host whether another IP address is on the same network or a different network is the subnet mask. This topology will illustrate how it works:

arp-media-proxy-arp-topology

Host A is configured with the IP address 10.0.0.11 and a subnet mask of 255.255.255.0 (or /24 in CIDR). Host A will consider any IP address in the range of 10.0.0.010.0.0.255 on its local network.

Host B is configured with the IP address 10.0.0.22 and misconfigured with a subnet mask of 255.255.0.0 (or /16 in CIDR). Host B will consider any IP address in the range of 10.0.0.010.0.255.255 on its local network.

Presume both of these hosts are trying to speak to Host D, which exists on a different network and has the IP address 10.0.4.44.

When Host A tries to speak to 10.0.4.44, it would (correctly) consider Host D on a different network and would use traditional ARP to send the packet to the default gateway.

However, when Host B tries to speak to 10.0.4.44, it would (incorrectly) consider Host D on the same network and would instead try to ARP for Host D’s MAC address directly.

Host B’s ARP Request will be broadcast to the local network, but will never make it across the Router to Host D. Therefore, the ARP Request will go unanswered, and Host B will be unable to communicate with Host D.

Unless the Router itself responds to Host B’s ARP Request on behalf of Host D – which is the exact definition of a Proxy ARP.

Here is the process in action (Host A is not pictured):

Proxy ARP - Practical Networking .net

The ARP Response sent by the Router looks exactly like a normal ARP response. Host B will use the response to create an ARP mapping that states the IP 10.0.4.44 maps to the MAC address 0053.ffff.9999. All subsequent packets sent to Host D will use this MAC address in the L2 header.

So despite the misconfigured Subnet Mask, Host B will be able to speak to Host D, due to the Router’s heroic use of Proxy ARP.

 

That being said, it does impose additional work load on the Router. We used the specific example of Host D’s single IP address, but due to Host B’s misconfigured subnet mask there are roughly 65,000 IP addresses that Host B now considers on its local network. When in reality only about 250 could possibly exist on its local network.

So while Proxy ARP enabled connectivity in this example, it unfortunately does not scale indefinitely and should not be relied upon. The long term solution is to correct the misconfigured Subnet mask on Host B.

Moreover, this specific use case for Proxy ARP is based solely around enabling routing despite there being a misconfiguration. With Proxy ARP, Host B may never even realize it has an incorrect Subnet Mask.

There is another school of thought that instead would prefer Host B’s misconfiguration to cause the communication to fail in order for Host B to be notified that something is wrong. Thereby creating an opportunity for Host B to fix the root problem.

Many routers these days do not send Proxy ARPs by default for this very reason. Although most include a way to enable it if desired.

That said, there is a very important and legitimate use case for Proxy ARP — one which does not stem from a misconfiguration. We’ll take a look at it after exploring the Packet Structure for Proxy ARP next.

Proxy ARP Packet Structure

The ARP Request looks identical to the traditional ARP Request we looked at in the last article. In fact, it is a traditional ARP request, as the initiator of the ARP Request does not know whether the response will come in via proxy.

The Proxy ARP Response is slightly different, but has the same packet structure as the traditional ARP Response packet:

proxy-arp-packet-structure

Notice the response is sent Unicast, directly from the Router’s MAC address to Host B’s MAC address.

The Opcode still contains the value 2, indicating an ARP response.

The crux of the Proxy ARP is in the Sender MAC and Sender IP address fields.

Notice, the Sender MAC address is the Router’s MAC address, but the Sender’s IP address is Host D’s IP address. The Router is providing its own MAC address as the owner for another hosts IP address, hence responding to the ARP on behalf of Host D.

Finally, the Target MAC and Target IP address fields, as expected, contain the information correlating to Host B, which is the intended recipient of this ARP Response.

You can download the packet capture of the Proxy ARP conversation above here. It can be studied using Wireshark.

 

Proxy ARP in Network Address Translation

Earlier we discussed Proxy ARP and its use case for routing for misconfigured hosts. Of course, that use case all but disappears if every host is configured properly.

However, there is a very legitimate and necessary use case for Proxy ARP, and that has to do with Network Address Translation, or NAT.

We will use this topology to describe it:

arp-media-proxy-arp-nat-topology

Our Firewall has the IP address 72.3.4.2 in the 72.3.4.0/24 network. Our Firewall is also configured with a Static NAT that translates the IP address 72.3.4.55 to 10.3.4.55. These IP addresses belong to Host Y, with the IP address 10.3.4.55. Host X is simply some host on the other side of the Internet, using the IP 66.7.8.9.

If Host X sends a packet to Host Y, that packet will have a Source IP of 66.7.8.9 and a Destination IP of 72.3.4.55. Routing will take that packet across the internet until it finally arrives at Router C.

Router C now needs to deliver a packet that is destined to a network it is directly attached to (72.3.4.0/24). Router C initiates an ARP Request to determine the MAC address which owns the IP address 72.3.4.55.

But the device which owns that IP address is Host Y, which is not in the same network as Router C. So Host Y would be unable to respond to this query.

The Firewall, however, having been configured to translate packets from 72.3.4.55 to 10.3.4.55, knows it must receive the packets destined to 72.3.4.55 so that it can translate them and deliver them to Host Y.

Therefore, the Firewall will use Proxy ARP to respond to Router C’s ARP Request for the 72.3.4.55 IP address on behalf of Host Y.

The entire process is illustrated in this animation:

proxy-arp-nat

If not for the Firewall participating in Proxy ARP, the Network Address Translation would fail, since packets sent from Router C would never arrive to the Firewall.

Hence, for Network Address Translation to work properly, the translation device must use Proxy ARP to properly receive packets to be translated.

As demonstrated, any NAT deployment will require the use of Proxy ARP to properly receive packets which must be translated.

There are ways around requiring Proxy ARP on a NAT device, but they involves using Static Routes on the upstream Router to manually instruct the Router to send packets which must be translated to the Firewall’s interface. While viable, this solution does not scale.

 

Series Navigation

Traditional ARP >>Gratuitous ARP >>

Tags:
0 0 votes
Article Rating
Subscribe
Notify of
47 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments

Thank you so much for sharing this! Excellent explanation! =)

Well said,

The nat section is a great info

I have a question if you

Will the firwall then check the nat table and if entry found . It will replay with proxy arp ?

Hi,

Thanks for such detail articles. Finding them very useful. I have a question in this particular topic. Do you have a seperate firewall device or the firewall on the Host Y?
1. If Firewall on Host Y, then do we need the address translation, its as good Host Y owning the 72.x ip as well and any communication to 72.x IP will reach to it with direct routing and traditional arp.
2. If Firewall is external to it, does it have a different IP? And along with responding its own IP its also proxy responding to Host Y IP? (means the .1 and .2 interfaces on firewall have different IPs but are transparent to outside world?

Can you please elaborate. Thanks.

Hi ed,

Actually with static NAT on a CISCO router, the proxy ARP is not needed. As soon as the static NAT command is entered, the router create a static ARP entry with his own mac-address.
For the (Inside Global) 72.3.4.55 10.3.4.55 (Inside local).

I guess the behavior is the same with real FW.

But thank you for the serie on ARP, i’ve learned some new things and other things are more clear now.

Thank you for sharing this very good explantion! Very helpfull infos!

First, love the blog! Really helpful in starting my CCENT studying.

1. Just to clarify, if host Y were to respond to host X, would the source IP be 10.3.4.55? Would the firewall then change the L3 header with NAT translation?

your explanation is very clear and useful

Thank you very much.

Thanks A LOT for helping beginners like me… Quick and Clear way of explanation is where You stand high…

Excellent explanation.. Thank you very much.

Proxy Arp will not take place for the Private IP of Y but for the Interface IP of the FW which will be configured on the external interface

Hey Ed,
Thanks for the wonderful articles.
They are really helpful i read types of Arp and its pretty sorted.
going through Vlan sections now

However i have few doubts.

when the packet at C asks for an Mac address for host 72.3.4.55 — what is host 72.3.4.55 here.
firewall? / some devices missing from the diagram?

Because provider edge router C is asking for the mac address of the customer edge device(firewall doing Natting)
then why do we need to enable proxy?

wont the layer 3 header be changed at customer edge device (firewall in your case)

confused ??? please assist ?

ED,
In the routing table of C,
the next hop for the network 72.3.4.0/24 will be 72.23.4.2 or what?
generally wont it arp for 72.3.4.2 to reach 172.3.4.0 network// or since its a 1-1 mapping
it’ll arp 72.23.4.55 instead of 72.3.4.2 just because its static
is that what you mean?

Your articles are really helpful, because you do what most writers cannot achieve: You explain it in an understandable way.

But one thing in this part of the series is funny: Do you really want to state, that Proxy ARP is intended as a means to prevent missconfigured computers from not working??

😉

Yes, and as afnaan says, there are doubts. When you state that “the device which owns that IP address [72.3.4.55] is Host Y” this is not correct in my opinion. IP address of Host Y is 10.3.4.55. In your example 72.3.4.55 is the second IP address of the firewalls interface (beside 72.3.4.2). There is no need to do Proxy ARP (but to do NAT).

Thanks Ed, that makes sense.

Hi I love your blog, it’s very informative:

Just a question.

Why Host Y has two IP addressess 72.3.4.55 and 10.3.4.55.

Is the IP address 72.3.4.55 belongs to Host Y or belong to Firewall.

Please Explain

Thanks Ed for this wonderful article on Proxy Arp.

Loved it…thanks much for sharing !! Cheers !!

thanks so much this is so helpfull and easy learned

Hi
Thanks for the detailed explaination.
I have a question say there is one more device Z with IP 10.3.4.56 and same public address 72.3.4.55 is configured as NAT for device Z. In this case when HOST X sends arp request with dest IP as 72.3.4.55 what will the returned mac address .. is it Host Y mac or Host Z mac???

Regards,
Rakshith.

Hi and thanks for the explanation.
One question though, I have a similiar situation in my network and I always disable proxy arp on interfaces, however NAT seems to bypass it. How come?

Really lots of hard work done to make it simplest.
In fact i am beginner, but still I could understand.

Internal/External Routing Protocols would also work in place of a static route.

Good Article

Hi, is this a Cisco-specific setup?

For my understanding, it makes no sense to do Proxy-ARP and DNAT at the same time?

In one case, there are two public addresses on the 72.3.4.0/24 facing interface of the firewall (72.3.4.2 and 72.3.4.55). In this case I can make a simple DNAT pointing to 10.3.4.55.

In the other case, the 72.3.4.55 is bound on Host-Y. In this case, Proxy-ARP on both Interfaces of the Firewall is required.

But why do you suggest Proxy-ARP and DNAT at the same time? Is this Cisco-specific?

Regards

Is there a scenario where proxy arp would cause a firewall to respond for an external address where there is no NAT rule defined and create a potential IP conflict with other devices attached to router c?
To use your NAT illustration; traffic from 66.7.8.0/24, destined for a server host at 72.3.4.54/24 and connected to router c (it appears you have only a single address nat-ed and it is .55, not other addresses in 72.3.4.0/24 like .54, thus leaving them open for use by hosts like this fictitious server on .54).

Can you describe the conditions needed to cause this conflict situation, why this would be desirable behavior and how to work around it (perhaps intentionally create a nat for the 72.3.4.54/24 and set it to no-proxy-arp, thus removing this one address from arp response to router c and allowing the traffic to flow to the actual server host at 72.3.4.54/24?)?
Thank you for the help.

As BryanB’s colleague, to clarify, the scenario would be 2 firewalls attached to router C on the same 72.3.4.0/24 subnet with their own private networks behind them maintaining separate, non-conflicting IP’s and NAT tables. Would both firewalls respond to an ARP request if only one of them had a matching NAT table entry simply because they are on the same 72.3.4.0/24 subnet?

If so, how could that be avoided? The end goal is to have multiple tenants using the same public subnet without interference.

Thank you Ed, particularly for giving BOTH answers; the technical one that explained that there would not normally be a proxy-arp response for an address that has no NAT defined behind it (this helps us with flexibility in how we use our addresses going forward), and then the ideal answer to limit risk in a multitenant situation (this will help us create a plan to limit risk in the future… from a tenant misconfigured NAT as just one example).
Much appreciated.

Thank you. This is a lot. It would have taken me through many books and websites to figure out incompletely. You make it easy as always.

I’m currently studying for Google and Amazon Security Engineering interviews. This tutorial series is straight gold, thank you.