Proxy ARP (Address Resolution Protocol) is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface or via a tunnel.
The process which results in the node responding with its own MAC address to an ARP request for a different IP address for proxying purposes is sometimes referred to as 'publishing'.A Proxy ARP Simulation visualizes how a router responds to ARP request on behalf of the target host at different networks. See ARP cache updates at host, router, remote host.
Below are some typical uses for proxy ARP:
The advantage of Proxy ARP over other networking schemes is simplicity. A network can be extended using this technique without the knowledge of the upstream router.
For example, suppose a host, say A, wants to contact another host B, where B is on a different subnet/broadcast domain than A. For this, host A will send an ARP request with a Destination IP address of B in its ARP packet. The multi-homed router which is connected to both the subnets, responds to host A's request with its MAC address instead of host B's actual MAC address, thus proxying for host B. In the due course of time, when host A sends a packet to the router which is actually destined to host B, the router just forwards the packet to host B. The communication between host A and B is totally unaware of the router proxying for each other.
Disadvantage of Proxy ARP include scalability (ARP resolution is required for every device routed in this manner) and reliability (no fallback mechanism is present, and masquerading can be confusing in some environments). ARP manipulation techniques, however, are the basis for protocols providing redundancy on broadcast networks (e.g., Ethernet), most notably CARP and Virtual Router Redundancy Protocol.
Proxy ARP can create DoS attacks on networks if misconfigured. For example a misconfigured router with proxy ARP has the ability to receive packets destined for other hosts (as it gives its own MAC address in response to ARP requests for other hosts/routers), but may not have the ability to correctly forward these packets on to their final destination, thus blackholing the traffic.
Full article ▸