Analysis of ARP protocol security A.H. Muna @abdimuna1 07.09.2013 Wednesday, December 4, 13
Jun 28, 2015
Contents:
• What is ARP?
• Logical Address
• Physical Address
• ARP structure
• Mapping
• ARP cache table
• ARP at work
• Problems with ARP
• mARP
ARP
• ARP (Address Resolution Protocol) is a network protocol designed to translate IP addresses (network-layer addresses) into MAC addresses (link-layer addresses) in TCP/IP networks, i.e. to map IP addresses to Ethernet addresses.
Logical Address
• Unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.
• e.g. 172.16.254.1
Physical Address
• A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment.
• MAC addresses are most often assigned by the manufacturer of a network interface controller (NIC) and are stored in its hardware, such as the card's read-only memory or some other firmware mechanism
• It may also be known as an Ethernet hardware address (EHA), hardware address or physical address.
• This 48-bit address space contains potentially 2^48 or 281,474,976,710,656 possible MAC addresses.
ARP structure
• The root of the ARP data structures is the struct neigh_table, defined in include/net/neighbour.h. Collectively, the struct neigh_table and the structures to which it points are the internal realization of the ARP cache. Each network layer protocol that uses ARP has an associated neigh_table.
ARP neighbor table
IPv4 neighbor table
The neighbor table for the IPv4 ARP protocol is statically declared as follows:
The entry_size field is set to 4 more than it "needs to be" because of the way struct neighbour, which is shown on the next page, is defined. Its last field, primary_key[0], is declared as an array of 0 bytes. The extra 4 bytes of the entry_size ensure that when the structure is dynamically allocated, space for the actual size of its primary_key[0] will be included.
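The sizing rule described above, as an added C example (user-space code written for illustration, not the kernel's code and not from the original slides): a struct ends in a zero-size key, and the allocation adds room for a 4-byte IPv4 key. The names cache_entry, entry_alloc and entry_match are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a cache element whose last field is a
 * variable-length key (the slide's primary_key[0]). */
struct cache_entry {
    struct cache_entry *next;
    uint8_t ha[6];              /* resolved hardware (MAC) address */
    uint8_t key_len;            /* bytes actually stored in primary_key */
    uint8_t primary_key[];      /* contributes no bytes to sizeof */
};

#define IPV4_KEY_LEN 4
/* entry_size = fixed part + room for the key, as on the slide. */
#define ENTRY_SIZE (sizeof(struct cache_entry) + IPV4_KEY_LEN)

/* Allocate one element of entry_size bytes; refuse keys that would not
 * fit, since copying them would write past the end of the allocation. */
struct cache_entry *entry_alloc(size_t entry_size, const void *key, size_t key_len)
{
    if (entry_size < sizeof(struct cache_entry) ||
        key_len > entry_size - sizeof(struct cache_entry) || key_len > 255)
        return NULL;
    struct cache_entry *e = calloc(1, entry_size);
    if (e == NULL)
        return NULL;
    e->key_len = (uint8_t)key_len;
    memcpy(e->primary_key, key, key_len);
    return e;
}

/* Compare a lookup key against the stored one. */
int entry_match(const struct cache_entry *e, const void *key, size_t key_len)
{
    return e->key_len == key_len && memcmp(e->primary_key, key, key_len) == 0;
}
```

Passing sizeof(struct cache_entry) as entry_size, without the extra 4 bytes, makes entry_alloc refuse an IPv4 key instead of overflowing the allocation.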
The parms section defines some operational timeout triggers. In a standard x86 Linux system the clock ticks once every 10 msec and HZ is equal to 100, the number of ticks per second.

    #ifndef HZ
    #define HZ 100
    #endif

Thus HZ can be considered to mean seconds here.
This structure defines the contents of a single ARP cache element.
Functions of the structure elements:
Hardware cache
Hardware header cache elements contain the hardware header needed for the first hop made by an outgoing packet.
Functions of the structure elements:
The arp_init()
Defined in net/ipv4/arp.c, called by inet_init().
Responsibilities include:
• Setting up the ARP cache.
• Registering the ARP packet type with the kernel.
• Creating a proc entry, /proc/net/arp.
Registering the ARP packet type
After setting up the ARP cache, arp_init() must register the ARP packet type with the link layer. This is done via a call to dev_add_pack().

    dev_add_pack(&arp_packet_type);

The arp_packet_type is statically declared as
Creating /proc/net/arp entry
After registering the ARP packet type, arp_init() creates a proc entry that displays the contents of the ARP cache via arp_get_info(). arp_get_info() displays entries in hash_buckets and phash_buckets.
In the following table, the last three entries are proxies:
ARP structures summary
ARP employed
• When two hosts are on the same network and one wants to send a packet to the other, or when they are on different networks and the sender must use a gateway/router
• When a router needs to forward a packet for a host, either through another router or to the destination host on the same network
[Animation frames: A talks to B1 ("hello"), then B2, then B3]
ARP Message format
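    #define ETH_HW_ADDR_LEN 6          /* bytes in an Ethernet (MAC) address */
    #define IP_ADDR_LEN     4          /* bytes in an IPv4 address */
    #define ARP_FRAME_TYPE  0x0806     /* EtherType for ARP */
    #define ETHER_HW_TYPE   1          /* ARP hardware type: Ethernet */
    #define IP_PROTO_TYPE   0x0800     /* ARP protocol type: IPv4 */
    #define OP_ARP_REQUEST  2          /* RFC 826 opcodes: 1 = request, 2 = reply */

    #define DEFAULT_DEVICE "eth0"
    #define WIFI_DEVICE "en1"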
ARP problems
1. No authentication
2. Mobile computer
3. DoS attack
4. MiTM attack
5. In some LANs, like LocalTalk, the physical address changes every time the computer is turned on.
1. No authentication
• ARP provides no way to verify that the responding device is really who it says it is.
• Stateless protocol.
• Updating ARP cache table.
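The check that ARP itself lacks, as an added C example (not from the original slides): it validates the fixed fields of an Ethernet/IPv4 ARP message, as laid out on the message format slide, and reports a sender IP that reappears with a different MAC instead of silently updating the table. The monitor, the verdict names and both sample packets are constructed for illustration; opcodes follow RFC 826 (1 = request, 2 = reply).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HW_ADDR_LEN 6
#define IP_ADDR_LEN     4
#define ARP_PKT_LEN     28   /* Ethernet/IPv4 ARP payload, no Ethernet header */
#define TABLE_MAX       64

enum verdict { ARP_INVALID = -1, ARP_NEW, ARP_SAME, ARP_CHANGED, ARP_FULL };
struct binding { uint8_t ip[IP_ADDR_LEN], mac[ETH_HW_ADDR_LEN]; };
struct monitor { struct binding tab[TABLE_MAX]; int used; };

/* Constructed samples: two replies (opcode 2) that both claim 172.16.254.1. */
const uint8_t SAMPLE_FIRST[ARP_PKT_LEN] = {
    0, 1, 8, 0, 6, 4, 0, 2, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 172, 16, 254, 1,
    0x02, 0, 0, 0, 0, 0x07, 172, 16, 254, 7 };
const uint8_t SAMPLE_SECOND[ARP_PKT_LEN] = {
    0, 1, 8, 0, 6, 4, 0, 2, 0x02, 0, 0, 0, 0, 0x99, 172, 16, 254, 1,
    0x02, 0, 0, 0, 0, 0x07, 172, 16, 254, 7 };

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Validate the fixed ARP header, then compare the sender's IP/MAC pair
 * with the first pair recorded for that IP. ARP itself would simply
 * overwrite its cache; the monitor keeps the old pair and reports. */
enum verdict monitor_observe(struct monitor *m, const uint8_t *pkt, size_t len)
{
    if (len < ARP_PKT_LEN || be16(pkt) != 1 || be16(pkt + 2) != 0x0800 ||
        pkt[4] != ETH_HW_ADDR_LEN || pkt[5] != IP_ADDR_LEN)
        return ARP_INVALID;               /* not Ethernet/IPv4 ARP */
    unsigned op = be16(pkt + 6);
    if (op != 1 && op != 2)               /* 1 = request, 2 = reply */
        return ARP_INVALID;
    const uint8_t *sha = pkt + 8;         /* sender hardware address */
    const uint8_t *spa = pkt + 14;        /* sender protocol address */
    for (int i = 0; i < m->used; i++)
        if (memcmp(m->tab[i].ip, spa, IP_ADDR_LEN) == 0)
            return memcmp(m->tab[i].mac, sha, ETH_HW_ADDR_LEN) == 0
                       ? ARP_SAME : ARP_CHANGED;
    if (m->used == TABLE_MAX)
        return ARP_FULL;                  /* bounded table: no silent growth */
    memcpy(m->tab[m->used].ip, spa, IP_ADDR_LEN);
    memcpy(m->tab[m->used].mac, sha, ETH_HW_ADDR_LEN);
    m->used++;
    return ARP_NEW;
}
```

An ARP_CHANGED verdict for a gateway or server address is the event worth alerting on; a legitimate change, such as a replaced network card, produces the same verdict and has to be confirmed out of band.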
2. Mobile computer
In mobile computing, where network devices change their physical location (offices), static ARP is painful: you have to register the hardware address each time a new device is introduced.
3. DoS attack
ARP is susceptible to denial-of-service attacks. A hacker can easily associate an operationally significant IP address with a false MAC address.
4. MiTM attack
Proposed solutions
What I am going to do overall!
To be continued ...!
Thank you!
mARP
Proposing a modified ARP