On Wed, 26 Nov 1997, Ed Sawicki wrote:
> I notice that some Unix hosts allow for the publishing
> of one or more hosts in their ARP tables using the "pub"
> parameter in a "arp -s" command. This allows the host
> to respond to ARP requests on behalf of other hosts.
>
> 1. Under what conditions is this useful?
>
> 2. What are the security implications of this?
>
> 3. Do firewalls deal with this issue at all?
>
I'm too lazy to check the switch setting, but I believe you are refering
to proxy ARP.
Proxy ARP has a number of practical uses. When implemented, it is often
found on a system which is acting as the router for a segment. It allows
the router to accept/forward traffic for/to systems on the serviced
segment without having to send an ARP to obtain a MAC/IP address pairing.
It can be used to supply connectivity to systems which do not speak ARP,
or to supply off-segment connectivity for systems which do not comprehend
a default gateway. Since IP is fairly standardized these days, one does
not often run into proxy ARP mcuh any more.
>From a security perspective, I have used static ARP entries at a router to
enforce the use of an assigned IP address / MAC address combination, and
to deny the use of unassigned addresses (Not foolproof, as spoofing could
still take place, but every little bit helps).This is not the same as
using proxy arp, but should illustrate how arp entries and security are
related. A compromised router w/ static entries added to its ARP table
would effectively deny service to a MAC address, or could be used to
re-direct traffic destined to a system to another system on the segment.
As for firewalls, ARP is used at the destination segment, to reconcile
the MAC address / IP address pairing; it doesn't have bearing off the
local segment, so a firewall should not enter into the question where ARP
is concerned.
My recent ARP abuse annecdote: I recently helped out an ISP who had a
customer who was experiencing strange problems; the customer was
dual-homed to two ISPs, (without BGP, mistake #1) and the "other" ISP
connection had been in place first, with proxy ARP turned on at the
router. The customer was running some NT systems (mistake #2?), and was
trying to set them up on the "new" addresses provided by the second ISP.
For some reason, they were putting these on the same segment as the
original addresses (which was mistake #3).
The interesting part, though, was that the NT system would come up with a
newly assigned IP address. The router w/ proxy arp would pick up the
IP/MAC address combination, and add it to its table. The NT system would
then send an ARP, querying its *OWN* IP address, to check to make sure that
the address was not already in use. The router w/ proxy arp enabled would
respond to the ARP broadcast (proxy), and the NT system would "think" another
system was using its address! :) After several hours of fooling around,
the customer had managed to "use up" all the new IP addresses, and had
more "used up" addresses than they had systems - they called the second
ISP to complain that they had been given "bad addresses", and wanted some
"good ones."
:0 ARGGGGH!
-r.w.
References:
|
|
