Friday, September 4, 2009

What is Arp-Proxy (Proxy Arp), where it is used and why?

What does the word Proxy mean?
We all are very much familiar with this word in our life. Somewhere, someday we need to stand in for someone for their work, accompany  someone as the original person is not available or assign someone to do something's on our behalf, may be mark our attendance in class when we would be late or we bunk the class.
Similarly in this computer world when we ask a resource to perform a specific function on someone's behalf  it is called a proxy. We also have heard the word "Proxy" in context of internet surfing a lot but what is it ??????????????

After all I am DUMB.  

So Let us start

Objective: What is proxy arp or arp proxy, where and why it is used?
I would walk you through some scenarios. Please be patient and follow closely.     
Scenario: We have 3 machines each with following IP addresses and MAC (Media access Control) addresses.
  • PC 1 -----------, --------Mac Address = Mac1
  • PC 2 -----------, --------Mac Address = Mac2
  • PC 3 -----------     , --------Mac Address = Mac3
       Scenario 1:  The PC number 1, 2 and 3 connected to the same switch.
       Scenario 2: The PC number 1, 2 and 3 connected to a router.
Explanation: What is going on behind the scene????????????

When Machines start to communicate with each other over TCP/IP and on Ethernet, this is a generic process they follow irrespective of the operating system installed. To explain let assume PC1 is trying to Ping with PC2 and PC3.
PC1 when starts to ping PC2 first thing it does is try to check whether the destination IP is local to it or remote. What I mean is it does an operation called ANDing where it tries to calculate the network ID of the destination by comparing it to its own subnet mask value and then comparing to its network ID.
If it is a match the destination is termed as LOCAL. If the network ID's do not match then the destination is termed REMOTE. The system follows different actions for different types of destinations.

WHEN Destination is LOCAL:

  1. The PC1 searches its ARP table to find the MAC address of the PC with IP address. In our case it tries to find MAC address corresponding to

  2. When an entry is found, the frames are marked for the MAC and sent on the wire.

  3. Else PC1 does a broadcast on network shouting IP what is your MAC address. In the packet it also sends its IP and MAC.

  4. PC2 listens to and accepts the packet as it is for him and updates its ARP table, also called its MAC table with IP of PC1 corresponding to MAC 1 and sends a unicast reply back to the PC1 on MAC1.

  5. PC1 accepts the reply updates its MAC with entry of PC2. Thereafter communications happen and we see ping replies on the screen of PC1

  1. When the destination is marked as remote, the PC1 parses its routing table to find if it has a route to the destination.
  2. The route preference is as follows:

    1. Specific route.
    2. Network route.
    3. Default route.

  3. If there is a match, then the processing continues, else we receive Destination Host Unreachable message on our scenes.
  4. When there is a match of route, the PC tried to find the MAC of next hop (gateway) by the above mentioned LOCAL process and sends the frames across.
  5. Important: PC 2 has to follow the same steps to return the packet and also hope that devices (routers) in the path know the routes to destination or original source.


What is Proxy ARP?

Imagine Scenario 2 where all three PC's are behind different interfaces of the router. Now when the PC1 tries to ping PC3 on a different Network ID, it pings fine due to presence of default route on PC1 and PC3.
But now as we try to ping PC2 from PC1 it does not ping ??????????
Did you guess it, why it fails….


when PC1 tries to ping PC2 it tends to resolve the MAC of PC2 by doing ARP broadcast as the destination is on same subnet (LOCAL).
Router would block request to pass through, therefore it would not get reply of MAC finding request of PC1 which can be considered to be on a different physical subnet.
To make this work, a machine each can be setup in both the subnets such that when we do not get an answer of MAC requests and there is a request time out, this device provides its MAC back to source. Hence a proxy is done for ARP.
PC1 requested MAC of PC2 but as it is not available, the router with proxy arp enable replies back with its MAC to PC1 stating it is MAC of PC2.
Dumb PC1 sends packets to discovered MAC which bridges the packets to destination network. This is how proxy arp is formed or works.

Where is this proxy arp used?
This was used primarily in bridges which connected different physical subnets to make a big network.
Used in some firewalls in website publishing scenarios.
Used by attackers to do MITM attacks…..
......many more........

Keywords: dummy, dummy2dummies, Arp-proxy, Proxy-ARP