L05ARP,BOOTP_DHCP

Lecture05ARP,BOOTP&DHCPITA-L05:ARP,BOOTP&DHCPprotocols2/35OutlineARPpacketARPdetailedconceptProxyARPGratuitousARPAutomaticassignmentofIPaddressesBOOTPmessagesDHCPmessagesARPpacketITA-L05:ARP,BOOTP&DHCPprotocols4/35OverviewofARP/RARPFunctionalities:AddressResolutionProtocol(ARP):higher-levelprotocoladdresses(suchasIPaddresses)tophysicalnetworkaddresses.ReverseAddressResolutionProtocol(RARP):physicalnetworkaddressestohigher-levelprotocoladdresses(suchasIPaddresses).RFCs:RFC826:ARPRFC903:RARPITA-L05:ARP,BOOTP&DHCPprotocols5/35ARPpacketforEthernet&IPv4Destinationaddress6ARPRequestorARPReply28Sourceaddress62CRC4Type0x8060Padding10EthernetheaderHardwaretypeHardwareaddresslengthProtocoladdresslengthOperationcodeTargethardwareaddressProtocoltypeSenderhardwareaddressSenderprotocoladdressTargetprotocoladdressSenderhardwareaddressTargethardwareaddressSenderprotocoladdress1：Ethernetaddresses6：IEEE802addresses0x0800：IPv4addresses1：ARPrequest2：ARPreply3：RARPrequest4：RARPreplyARPDetailedConceptITA-L05:ARP,BOOTP&DHCPprotocols7/35ProcessingofIPpacketsProcessingofIPpacketsbynetworkdevicedriversloopbackDriverIPInputPutonIPinputqueueARPdemultiplexEthernetFrameEthernetIPdestinationofpacket=localIPaddress?IPdestination=multicastorbroadcast?IPOutputPutonIPinputqueueNo:getMACaddresswithARPARPPacketIPdatagramNoYesYesEthernetDriverITA-L05:ARP,BOOTP&DHCPprotocols8/35AddressTranslationwithARPARPRequest:ArgonbroadcastsanARPrequesttoallstationsonthenetwork:“WhatisthehardwareaddressofRouter137?”Argon128.143.137.14400:a0:24:71:e4:44Router137128.143.137.100:e0:f9:23:a8:20ARPRequest:WhatistheMACaddressof128.143.137.1?ITA-L05:ARP,BOOTP&DHCPprotocols9/35AddressTranslationwithARPARPReply:Router137respondswithanARPReplywhichcontainsthehardwareaddressArgon128.143.137.14400:a0:24:71:e4:44Router137128.143.137.100:e0:f9:23:a8:20ARPReply:TheMACaddressof128.143.137.1is00:e0:f9:23:a8:20ITA-L05:ARP,BOOTP&DHCPprotocols10/35ExampleARPRequestfromArgon:Sourcehardwareaddress:00:a0:24:71:e4:44Sourceprotocoladdress:128.143.137.144Targethardwareaddress:00:00:00:00:00:00Targetprotocoladdress:128.143.137.1ARPReplyfromRouter137:Senderhardwareaddress:00:e0:f9:23:a8:20Senderprotocoladdress:128.143.137.1Targethardwareaddress:00:a0:24:71:e4:44Targetprotocoladdress:128.143.137.144ITA-L05:ARP,BOOTP&DHCPprotocols11/35ARPcacheWhyisARPcacherequired?SincesendinganARPrequest/replyforeachIPdatagramisinefficient,hostsmaintainacache(ARPCache)ofcurrententries.Theentriesexpireafter20minutes.ExampleofcontentsoftheARPcache:(128.143.71.37)at00:10:4B:C5:D1:15[ether]oneth0(128.143.71.36)at00:B0:D0:E1:17:D5[ether]oneth0(128.143.71.35)at00:B0:D0:DE:70:E6[ether]oneth0(128.143.136.90)at00:05:3C:06:27:35[ether]oneth1(128.143.71.34)at00:B0:D0:E1:17:DB[ether]oneth0(128.143.71.33)at00:B0:D0:E1:17:DF[ether]oneth0ITA-L05:ARP,BOOTP&DHCPprotocols12/35VulnerabilitiesofARPVulnerabilitiesofARP:SinceARPdoesnotauthenticaterequestsorreplies,ARPRequestsandRepliescanbeforged.ARPisstateless:ARPRepliescanbesentwithoutacorrespondingARPRequest.AccordingtotheARPprotocolspecification,anodereceivinganARPpacket(RequestorReply)mustupdateitslocalARPcachewiththeinformationinthesourcefields,ifthereceivingnodealreadyhasanentryfortheIPaddressofthesourceinitsARPcache.ITA-L05:ARP,BOOTP&DHCPprotocols13/35IntrudingusingARPTypicalexploitationofthesevulnerabilities:AforgedARPRequestorReplycanbeusedtoupdatetheARPcacheofaremotesystemwithaforgedentry(ARPPoisoning)ThiscanbeusedtoredirectIPtraffictootherhosts.ProxyARPITA-L05:ARP,BOOTP&DHCPprotocols15/35ARPandsubnetsTheARPprotocolremainsunchangedinthepresenceofsubnets.RememberthatEachIPdatagramfirstgoesthroughtheIProutingalgorithm.Thisalgorithmdeterminesthenexthopandselectsthehardwaredevicedriverthatshouldsendoutthepacket.Onlythen,theARPmoduleassociatedwiththatdevicedriverisconsulted.ITA-L05:ARP,BOOTP&DHCPprotocols16/35TransparentsubnettingReviewoftransparentsubnetting:DescribedinRFC925Itisanothermethodtoconstructlocalsubnets,withouttheneedforamodificationtotheIProutingalgorithmoflocalhosts,butwithmodificationstotheroutersthatinterconnectthesubnets.So,thissubnettingistransparenttolocalhosts.CanstandardARPworkwellinthepresenceoftransparentsubnetting?TheanswerisNO!ITA-L05:ARP,BOOTP&DHCPprotocols17/35ProxyARPTransparentsubnettingsupportedbyproxyARP:Normalhostsdonotknowaboutsubnetting,sotheyusethe“old”IProutingalgorithm.Theroutersbetweensubnetshaveto:UsethesubnetIProutingalgorithm.UseamodifiedARPmodule,whichcanreplyonbehalfofotherhosts.ITA-L05:ARP,BOOTP&DHCPprotocols18/35Principleofproxy-ARPITA-L05:ARP,BOOTP&DHCPprotocols19/35Exampleofproxy-ARP128.143.137.1/1600:e0:f9:23:a8:20128.143.71.1/24128.143.0.0/16Subnet128.143.71.0/24SubnetRouter137ARPRequest:WhatistheMACaddressof128.143.71.21?128.143.137.144/16128.143.171.21/2400:20:af:03:98:28ArgonNeonARPReply:TheMACaddressof128.143.71.21is00:e0:f9:23:a8:20GratuitousARPITA-L05:ARP,BOOTP&DHCPprotocols21/35GratuitousARPGratuitousARPRequests:AhostsendsanARPrequestforitsownIPaddress.Usages:Usefulfor