Making proxy ARP more secure

PeterUK
edited August 12 in Security Ideas

So this is a bit of both: how to use proxy ARP, and how to make it more secure, as the current way is needed for clients that have static IPs without a gateway set.

ARP for ports 15, 16 and 18 is sent out to port 17; this is where proxy ARP comes into play. So 192.168.255.55 wants a connection with 192.168.255.53: an ARP "who has 192.168.255.53, tell 192.168.255.55" is sent. This goes to the VPN300 ge5, and the VPN300 sends its own MAC for 192.168.255.53. Then the VPN300 asks "who has 192.168.255.53, tell 192.168.255.49", and 192.168.255.53 sends its MAC. Then 192.168.255.53 does a "who has 192.168.255.55, tell 192.168.255.53", to which the VPN300 ge5 sends its MAC.

The proxy ARP setup stops ARP spoofing for the gateway, so say 192.168.255.62 tries to spoof 192.168.255.55: it can't. But that's all, because ARP on the LAN that is not going to the gateway can still be spoofed. Here's how: 192.168.255.55 wants a connection with 192.168.255.53, so an ARP "who has 192.168.255.53, tell 192.168.255.55" is sent. This goes to the VPN300 ge5, and the VPN300 sends its MAC for 192.168.255.53. Then the VPN300 asks "who has 192.168.255.53, tell 192.168.255.49", and at this point 192.168.255.62 could send a lot of ARP "192.168.255.53 is at this MAC" before 192.168.255.53 says its MAC!

Now this is a small problem really, and the way proxy ARP works, like I said, is needed for clients that have no gateway set; if one was set, then proxy ARP could be made secure. Here's how: clients set with the gateway will ARP for the gateway 192.168.255.49, and at this point the VPN300 knows the MAC for the given client, so proxy ARP can use this list to NEVER ARP the clients and only send its own MAC, making the network more secure. So a simple check box to fix the problem would be nice.

https://us.v-cdn.net/6029482/uploads/editor/yp/g2ksjvxylem7.png


Edit:

Thinking about it, would IP Source Guard (DAI) stop this... ;)

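The exchange described in the post, replayed as an added simulation (this is not the poster's or Zyxel's code). It models the two segments (ports 15/16/18 on one side, port 17 on the other) with the gateway at 192.168.255.49 answering ARP for everything with its own MAC, then in the default mode re-ARPing for the real host on the far side; 192.168.255.62 answers that re-ARP before 192.168.255.53 does, and the gateway keeps the attacker's MAC. The `strict` mode implements the proposed check box: the gateway records each client's MAC when that client ARPs for the gateway and never ARPs for clients itself. The third run shows the limitation the post names, a client with no gateway set is never learned. The MAC addresses, the "first reply wins" cache rule and the host ordering that makes the attacker's reply land first are all constructed assumptions.

```python
"""Simulation of proxy ARP, the ARP-spoofing race on the far segment, and the
'learned table' hardening proposed in the post. Constructed example: MACs,
segment layout and the first-reply-wins cache rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Arp:
    op: str                      # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = BROADCAST  # used here as the frame destination: broadcast for requests


class Host:
    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.cache: Dict[str, str] = {}   # ip -> mac

    def handle(self, pkt: Arp, seg: "Segment") -> List[Arp]:
        """Answer requests for my IP; keep the first reply seen for an IP (assumed cache rule)."""
        if pkt.op == "request" and pkt.target_ip == self.ip:
            return [Arp("reply", self.ip, self.mac, pkt.sender_ip, pkt.sender_mac)]
        if pkt.op == "reply" and pkt.target_mac == self.mac:
            self.cache.setdefault(pkt.sender_ip, pkt.sender_mac)
        return []


class Spoofer(Host):
    """192.168.255.62: answers any request for the hijacked IP with its own MAC, several times."""
    def __init__(self, ip: str, mac: str, hijack_ip: str):
        super().__init__(ip, mac)
        self.hijack_ip = hijack_ip

    def handle(self, pkt: Arp, seg: "Segment") -> List[Arp]:
        if pkt.op == "request" and pkt.target_ip == self.hijack_ip:
            return [Arp("reply", self.hijack_ip, self.mac, pkt.sender_ip, pkt.sender_mac)] * 3
        return super().handle(pkt, seg)


class Segment:
    """One broadcast domain. Hosts receive in list order, so a host listed before the
    real owner of an IP gets its reply onto the wire first: that ordering is the race."""
    def __init__(self, hosts: List[Host]):
        self.hosts = hosts

    def send(self, pkt: Arp) -> None:
        for h in self.hosts:
            if h.mac == pkt.sender_mac:
                continue
            if pkt.target_mac in (BROADCAST, h.mac):
                for reply in h.handle(pkt, self):
                    self.send(reply)


class ProxyArp(Host):
    """The gateway (VPN300 ge5 in the post) sitting between the two segments.
    strict=False: answer with its own MAC, then ARP for the real host on the other side.
    strict=True:  answer with its own MAC and never ARP; only the table learned when a
                  client ARPed for the gateway is used (the post's proposed check box)."""
    def __init__(self, ip: str, mac: str, near: Segment, far: Segment, strict: bool):
        super().__init__(ip, mac)
        self.near, self.far, self.strict = near, far, strict
        self.learned: Dict[str, str] = {}   # ip -> mac of clients that ARPed for .49

    def handle(self, pkt: Arp, seg: Segment) -> List[Arp]:
        if pkt.op == "request" and pkt.target_ip == self.ip:
            self.learned.setdefault(pkt.sender_ip, pkt.sender_mac)   # client has a gateway set
            return super().handle(pkt, seg)
        if pkt.op == "request":                                      # proxy ARP for anyone else
            if not self.strict:
                other = self.far if seg is self.near else self.near
                other.send(Arp("request", self.ip, self.mac, pkt.target_ip))  # the race window
            return [Arp("reply", pkt.target_ip, self.mac, pkt.sender_ip, pkt.sender_mac)]
        return super().handle(pkt, seg)

    def where(self, ip: str) -> Optional[str]:
        """MAC the gateway will forward traffic for `ip` to."""
        return self.learned.get(ip) if self.strict else self.cache.get(ip)


def run(strict: bool, clients_have_gateway: bool = True) -> Dict[str, Optional[str]]:
    """Replay the exchange from the post and report where the gateway thinks .53 and .55 are."""
    a = Host("192.168.255.55", "00:aa:00:00:00:55")
    b = Host("192.168.255.53", "00:aa:00:00:00:53")
    evil = Spoofer("192.168.255.62", "00:bb:00:00:00:62", hijack_ip=b.ip)
    near, far = Segment([a]), Segment([evil, b])      # attacker listed before b on port 17
    gw = ProxyArp("192.168.255.49", "00:aa:00:00:00:49", near, far, strict)
    near.hosts.append(gw)
    far.hosts.append(gw)

    if clients_have_gateway:            # clients ARP for their gateway first; .49 records them
        near.send(Arp("request", a.ip, a.mac, gw.ip))
        far.send(Arp("request", b.ip, b.mac, gw.ip))

    near.send(Arp("request", a.ip, a.mac, b.ip))   # .55 asks for .53; .49 claims it
    far.send(Arp("request", b.ip, b.mac, a.ip))    # .53 asks for .55; .49 claims it
    return {b.ip: gw.where(b.ip), a.ip: gw.where(a.ip)}


if __name__ == "__main__":
    for strict, gwset in ((False, True), (True, True), (True, False)):
        print(f"strict={strict} clients_have_gateway={gwset}: {run(strict, gwset)}")
```

In the default mode the gateway ends up forwarding 192.168.255.53's traffic to the attacker's MAC; in strict mode it forwards to the MAC it learned when .53 ARPed for the gateway, and a client that never ARPs for the gateway is simply unresolvable, which is the trade-off the post describes. One caveat on the proposal itself: the learned table is only as trustworthy as the first "who has 192.168.255.49" seen from each IP, so it still needs a binding the attacker cannot forge, which is where the IP Source Guard / DAI idea in the edit comes in.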