* Difference between arp proxy and dnat?
@ 2004-10-05 12:35 mlist
  0 siblings, 0 replies; 5+ messages in thread
From: mlist @ 2004-10-05 12:35 UTC (permalink / raw)
  To: netfilter

Hi

Reading emails in this mailing list and with some Google searches, I
understood that to provide public access to servers in a DMZ there are
several ways.

1) use of subnetting
2) use of dnat with rules like this:
(iptables -t nat -A PREROUTING --destination w.x.y.z -j DNAT --to
${My_NEW_ADDR})
3) use of proxy arp

I always used DNAT when possible, but in one of our offices there is a
Checkpoint Firewall (that I would like to replace with iptables) that uses
proxy ARP.... because I think Checkpoint can only use proxy ARP.
Moreover, the ASTARO documentation explains that it can use proxy
ARP, but it doesn't explain when to use it.

What I never understood is the difference between DNAT and proxy ARP.
Unfortunately I'm not a network guru, so can someone answer my stupid
questions (AS SIMPLY AS POSSIBLE)?

a) What is the difference between them?
b) Are there situations in which I could be forced to use one of them?
c) Which is best?
d) Why do many well-known firewalls suggest using proxy ARP?


Thanks in advance

Marco
Italy


* RE: Difference between arp proxy and dnat?
@ 2004-10-05 16:25 Daniel Chemko
  2004-10-05 16:52 ` John A. Sullivan III
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel Chemko @ 2004-10-05 16:25 UTC (permalink / raw)
  To: mlist, netfilter


> a) What is the difference between them?

With NAT, you change the packet as it's travelling through the firewall,
so if I want to hit 24.83.292.111 the packet would turn into something
like destination 192.168.3.665. Because of this 'destination address
change' it may break the odd badly designed protocol like FTP. In order
to counter this negative side-effect, netfilter developers have written
modules for 'fixing' these protocols to work in NAT environments.

With ProxyARP, you have two network segments, let's say A and B. They
have the exact same subnet, but now there's a firewall between them. If
hosts from A want to talk to B, the firewall has to -transparently-
service the request to the host in B. This is done by ProxyARP. ProxyARP
basically says, if I know machine C1 is in subnet B, then let people in
A know that the firewall is C1. If C2 is in the A network, then the
firewall must let the B subnet think that the firewall is C2.

In order to properly use ProxyARP in this configuration, you should also
be using ebtables and the Linux bridging software. 

Below is a pretty terse description of how this all works.

             |----[br0]----|
             |             |
[A Net] - [eth0][Firewall][eth1] - [B Net]
 |-254     |-100           |-101    |-1
 |-253                              |-2
                                    |-3

254 -> MAC:FFFF who has 3
MAC:eth0 -> MAC: 254 (I do)
254 -> MAC:eth0 (payload)
101 -> MAC:FFFF who has 3
MAC:3 -> MAC:eth1 (I do)
MAC:eth1 -> MAC:3 (payload)
MAC:3 -> MAC:FFFF who has 254
MAC:eth1 -> MAC:3 (I do)
MAC:3 -> MAC:eth1 (payload)
MAC:eth0 -> MAC:254 (payload)

Once the ARP entries are cached, this path becomes a lot less chatty.


> b) Are there situation in which I could be forced to use one of them?

NAT can be used any time that you are using software that doesn't break
with NAT software. There isn't really a reason not to use it unless the
protocols you're using don't work with it.

ProxyARP is more difficult to set up / wrap your head around, and I find
it less clear-cut to use. You will be forced to use it when you want
public IP assigned computers to have internet access. Generally bridged
solutions are never 'required' unless you have customers that care about
it. Also, it could be a hassle moving the IPs of all those computers to
private IPs if you try moving to NAT.


> c) What is the best?

I prefer NAT, but both have meaningful purposes though.


> d) Why lot of famous firewall suggest to use arp proxy?

Because you are basically guaranteed that a protocol will work, it means
less support costs for them :-) If you have patience, it can be a good
solution. 



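The segment-splitting setup Daniel draws above can be built on Linux with the kernel's own proxy_arp sysctl and host routes, without a bridge or any NAT. The script below is an added example and is not code from the thread; the 192.168.1.0/24 network, the interface names eth0/eth1, the firewall addresses .100/.101 and the list of B-side hosts .1/.2/.3 are assumptions chosen to match the diagram. By default it only prints the commands (DRY=1); run it as root with DRY=0 to apply them. The `would_proxy` function models the rule the kernel applies once proxy_arp is on: an ARP request heard on an interface is answered only when the route to the requested address leaves through a different interface, which is exactly why .254 on segment A gets eth0's MAC for .3 but not for .253.

```shell
#!/bin/sh
# Added example: split one /24 across two firewall legs with Linux proxy ARP.
# All addresses, interface names and host lists below are assumptions.
# DRY=1 (default) prints the commands; DRY=0 executes them (needs root).
set -u
DRY="${DRY:-1}"
NET=192.168.1                      # the shared /24 (assumed)
A_IF=eth0; A_ADDR=$NET.100         # firewall leg on segment A, owns the whole /24
B_IF=eth1; B_ADDR=$NET.101         # firewall leg on segment B
B_HOSTS="$NET.1 $NET.2 $NET.3"     # hosts that live behind eth1 (assumed)

run() { if [ "$DRY" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

split_segment() {
  run sysctl -w net.ipv4.ip_forward=1
  # proxy_arp=1: answer an ARP request arriving on this interface when the
  # route to the requested address leaves through a *different* interface.
  run sysctl -w net.ipv4.conf.$A_IF.proxy_arp=1
  run sysctl -w net.ipv4.conf.$B_IF.proxy_arp=1
  run ip addr add $A_ADDR/24 dev $A_IF     # connected route for the /24 -> eth0
  run ip addr add $B_ADDR/32 dev $B_IF     # no connected route on eth1 ...
  for h in $B_HOSTS; do                    # ... only host routes for the B hosts
    run ip route add $h/32 dev $B_IF
  done
}

# route_dev ADDR: the interface the routing table built above uses for ADDR.
route_dev() {
  for h in $B_HOSTS; do
    if [ "$1" = "$h" ]; then echo "$B_IF"; return 0; fi
  done
  echo "$A_IF"                             # everything else in the /24 is on A
}

# would_proxy IFACE ADDR: does the firewall answer "who has ADDR" heard on
# IFACE? Mirrors the kernel rule: reply only if the route leaves elsewhere.
would_proxy() { [ "$(route_dev "$2")" != "$1" ]; }

if [ "${1:-}" = apply ]; then split_segment; fi
```

Hosts on both segments keep their /24 mask and ARP for everything directly; the firewall answers only for addresses it routes out the other leg, so A-to-A and B-to-B traffic never touches it. Every B host needs its own host route, so this does not combine well with DHCP on segment B. One caveat worth remembering before turning proxy_arp on an Internet-facing box: with the sysctl set, an interface answers ARP for any address whose route leaves through another interface, including the whole Internet via the default route, whereas a single `ip neigh add proxy` entry publishes exactly one address.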

* RE: Difference between arp proxy and dnat?
  2004-10-05 16:25 Difference between arp proxy and dnat? Daniel Chemko
@ 2004-10-05 16:52 ` John A. Sullivan III
  2004-10-06 21:21   ` R: " mlist
  0 siblings, 1 reply; 5+ messages in thread
From: John A. Sullivan III @ 2004-10-05 16:52 UTC (permalink / raw)
  To: Daniel Chemko, mlist, netfilter

On Tue, 2004-10-05 at 12:25, Daniel Chemko wrote:
> > a) What is the difference between them?
> 
<snip>
Daniel gave a very good technical explanation.  There is a little more
that can be explained when it comes to application.  There is also some
confusion about terminology; I'll address that in question d below.

In my experience, proxy arp as understood by Linux (as opposed to how it
is understood by Checkpoint and some router literature), is much less
common than DNAT.  It is used when both sides of the proxy ARP device
are on the same network.

I'm trying to recall why I have used proxy arp in the past (it has been
quite a while).  The idea of using it to control access with ebtables
is, I think, a rather unique innovation.  If I do recall correctly, we
used it to divide very large broadcast domains.  In other words, as
switches became popular and we started pulling out core routers and
flattening networks, we introduced very large networks.  I do recall
sites that used a full class B to create one huge 65535 node network. 
That means that all broadcast traffic from a station, e.g., ARP
requests, DHCP discoveries, NetBIOS broadcasts, is processed by every
other station.  The broadcast storms could become intolerable.

I believe, in such situations, we broke the network into separate
broadcast domains by not allowing broadcasts from one segment to another
even though they were the same network.  To allow address resolution
between the segments, we had to have the segmenting device proxy the ARP
response.

I think we may have used it on some complex sites where different
devices on the same media had different subnet masks.  Since the devices
with the smaller subnet masks would ARP when the stations with the
larger subnet masks would route, we had to find a way to match the two
for address resolution.  I think we used proxy ARP in such situations
but I'm a bit rusty on that one.

As you can tell, these are pretty out of the ordinary.
> 
> > b) Are there situation in which I could be forced to use one of them?
> 
<snip>
> 
> You will be forced to use it when you want
> public IP assigned computers to have internet access. <snip>
Unless I misunderstand you, I'm not sure why that would require proxy
ARP unless they were on the same subnet as the public interface of the
gateway.  Even if they are non-RFC1918 addresses, I would still DNAT. 
In fact, even if they were on the same subnet as the gateway public
interface, I would generally use RFC1918 addresses and NAT unless
someone really, really objected - perhaps that is exactly what you are
saying, Daniel, just with slightly different words.
> 
<snip>
> > d) Why lot of famous firewall suggest to use arp proxy?
> 
> Because you are basically guaranteed that a protocol will work, it means
> less support costs for them :-) If you have patience, it can be a good
> solution. 
I think this is more of a semantic issue.  Some literature uses the term
proxy ARP to simply mean that the public interface must respond to ARP
requests for addresses that are not ultimately used by the gateway
itself.  In other words, if the gateway is 1.1.1.1 and you have a device
at 10.1.1.2 on your DMZ that you want to DNAT to 1.1.1.2, then, in
Checkpoint and other literature terminology, you must tell the gateway
to "proxy ARP" for 1.1.1.2.

In Linux terminology, we would say that we are binding a second address
to the interface
ip address add 1.1.1.2/24 dev eth0 brd +
and that this is not true "proxy ARP".

Hope that clarifies rather than confuses! - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 




* R: Difference between arp proxy and dnat?
  2004-10-05 16:52 ` John A. Sullivan III
@ 2004-10-06 21:21   ` mlist
  0 siblings, 0 replies; 5+ messages in thread
From: mlist @ 2004-10-06 21:21 UTC (permalink / raw)
  To: 'John A. Sullivan III', 'Daniel Chemko',
	netfilter

Hi Daniel and John.

First of all, I thank you for this good explanation because I think it will be
very useful not only for me.
Unfortunately I still have some things not completely clear about proxy ARP
and DNAT. Because I'm not a network guru like you, I kindly ask you to
follow my reasoning and explain what is wrong in my understanding.

1) Currently I have Checkpoint FireWall-1 (4.1) running on NT.
My firewall is like this:

                         internet
                             |
                             |
                         (2.2.2.9)
192.168.0.x(dmz)---------checkpoint
     |         |             |
  public     public          |
 web srv     ftp srv        lan
192.168.0.5  192.168.0.7   172.16.100.x

I have 16 public IPs and, to provide public access to my servers
(192.168.0.x) in the DMZ, I use the Checkpoint proxy ARP feature (explained through a
step by step guide for dummies like me in this document:
http://www.giac.org/practical/GSEC/Eugene_Ng_GSEC.pdf)
Supposing I would map 2.2.2.10 to 192.168.0.5 I must:
a) modify c:\winnt\fw1\4.1\state\local.arp adding an entry like this:
IP ADDRESS		MAC ADDRESS OF EXT INTERFACE
2.2.2.10		08-00-20-76-ea-77
this will allow any packets destined for 2.2.2.10 to be "routed" to our
firewall. The router sees that the firewall's MAC address is listening for
packets with ip address of both 2.2.2.10 and 2.2.2.9
b) reinstall the policy
c) Once the ip addresses have successfully been routed to the firewall,
a final change must be made on the firewall itself. A static route
will need to be added to pass the request onto an internal ip
address. In our example, the static route will be:
route add 2.2.2.10 mask 255.255.255.255 192.168.0.5 -p

2) I have other offices with structures like this in which there is an
iptables firewall, and I always use DNAT, adding the public IPs to the external
interface and adding rules like this:
iptables -t nat -A PREROUTING -d 2.2.2.10/24 -j DNAT --to-destination
192.168.0.5

John said:
Some literature uses the term proxy ARP......
In Linux terminology, we would say that we are binding a second address to
the interface ip address add 1.1.1.2/24 dev eth0 brd + and that this is not
true "proxy ARP".

Now....and finally....^_^
Are the following statements correct? If not, PLEASE CORRECT them with a
brief explanation.
a) Proxy ARP is a technique used by most firewall producers and its
functionality is similar to that explained above (Checkpoint)
b) To map a public IP address to a private IP address, with LINUX you can use
DNAT or PROXY ARP, while other commercial products generally offer only
proxy ARP (except those based on Linux, like Astaro Security Linux).
Technically speaking DNAT and PROXY ARP aren't the same, but, in order to
provide mapping (public to private), the result is the same.
c) With Linux you can use both, but, technically speaking, the LINUX PROXY ARP
IMPLEMENTATION is not equal to that of other producers and, as John
explained, this is not true "proxy ARP"

One final question for John:
John... in your answer you said that proxy ARP is used when both sides of the
proxy ARP device are on the same network. Daniel explained instead that you
can use proxy ARP, for example, if you have software that doesn't work with
NAT; thus I suppose that the sides of the proxy ARP device can be on different
networks.
Do you agree with Daniel? So... is point "b" of my
statements correct?

I apologize for the length of this email, but I dream of definitively
understanding this concept that, in the last year, I never understood even though I
read tons of documents.

Thanks
Marco
Italy




* RE: Difference between arp proxy and dnat?
@ 2004-10-06 22:58 Daniel Chemko
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel Chemko @ 2004-10-06 22:58 UTC (permalink / raw)
  To: mlist, John A. Sullivan III, netfilter

> 1) Actually I have Checkpoint firewall one (4.1) running on NT.
> My firewall is like this:
<snip>

I can't say much about the Checkpoint way of doing things, but it seems
'somewhat' right. Are you trying to add to the Checkpoint firewall, or
are you going to replace the Checkpoint with Linux?

> 2) I have others office with structures like this in which there is an
> iptables firewall and I always use DNAT adding public ip to external
> interfaces and adding rules like this:
> iptables -t nat -A PREROUTING -d 2.2.2.10/24 -j DNAT --to-destination
> 192.168.0.5

# Lose the /24, since that means all traffic for 2.2.2.0 -> 2.2.2.255
is redirected to host 192.168.0.5, which is probably wrong. Ex.
iptables -t nat -A PREROUTING -d 2.2.2.7 -j DNAT --to-destination 192.168.0.7
iptables -t nat -A PREROUTING -d 2.2.2.10 -j DNAT --to-destination 192.168.0.5

> Now....and finally....^_^
> Are corrected the following affirmations? If not PLEASE CORRECT them
> with a brief explanation
> a) Proxy arp is a technique used by most firewall producers and its
> functionality is similar to that explained above (Checkpoint)

Think of ProxyARP as an ad banner. It tells people who you are. If you
don't want adoring fans to mob you, you tell people to talk to your
talent agent. You are a machine hiding behind the firewall. The talent
agent is the firewall. It manages the relationship between you and those
that want to talk to you.

When you bind to an address by using 'ip addr add ${MYADDR} dev ${MYIF}'
or 'ifconfig ${MYIF} ${MYADDR} up' you are telling everyone in ${MYIF}'s
subnet that you are ${MYADDR}. ProxyARP does the exact same thing, but
instead of 'being' that interface, it just pretends to be ${MYADDR}.
Internally, Netfilter will look at the inbound packets and throw them
away because you haven't really 'bound' that address to your interface,
you're just pretending.

The trick is, when you hit the IN->PREROUTING->nat stage of reading the
packet, you match a rule that says that destination ${MYADDR} really has
to go to xyz. Because the destination address is now 'valid' it doesn't
get dropped. When you 'bind' the IP address to the interface, everything
applies, but when a packet arrives that hasn't been DNAT'ed away, it
will be routed to the INPUT chain.

Commercial products typically use ProxyARP because the local networking
stacks on these devices never need to handle packets for that connection
locally. Plus binding to an interface carries a very small cpu/memory
penalty vs. ProxyARP.


Ex. Same firewall, one using IPs bound to the interface, one using
ProxyARP instead

iptables -t nat -A PREROUTING --destination ${MYADDR1} -p tcp --dport 80 -j DNAT --to ${MY_INSIDE_SERVER}
iptables -t nat -A PREROUTING --destination ${MYADDR2} -p tcp -j DNAT --to ${MY_INSIDE_SERVER}

IP Addresses Bound to Interface

Inbound connection to MYADDR1:80 will get DNAT to MY_INSIDE_SERVER:80
Inbound connection to MYADDR1:21 will get routed to the INPUT chain of
the firewall
Inbound connection to MYADDR2:80 will get DNAT to MY_INSIDE_SERVER:80
Inbound connection to MYADDR2:21 will get DNAT to MY_INSIDE_SERVER:21

IP Addresses ProxyARP'ed to Interface

Inbound connection to MYADDR1:80 will get DNAT to MY_INSIDE_SERVER:80
Inbound connection to MYADDR1:21 will get dropped on the floor by
Linux's anti-spoofing code
Inbound connection to MYADDR2:80 will get DNAT to MY_INSIDE_SERVER:80
Inbound connection to MYADDR2:21 will get DNAT to MY_INSIDE_SERVER:21



> b) To map public ip address to private ip address, with LINUX you can
> use DNAT or PROXY ARP while others commercial products, generally
> offers only proxy arp (except those based on linux, like Astaro
> security linux). Technically speaking DNAT and PROXY arp aren't the
> same, but, in order to provide mapping (public to private) the result
> is the same.

ProxyARP doesn't map anything to anything. ProxyARP tells the world that
I'm address ${MYADDR}. DNAT receives packets destined for ${MYADDR} and
forwards them to server ${MY_INTERNAL_SERVER}.

ProxyARP is on the same level as binding an IP address to a network
interface.


> c) With Linux you can use both, but, technically speaking, LINUX PROXY
> IMPLEMENTATION is not equal to that of others producers and, as john
> explained, this is not true "proxy ARP"

ProxyARP is a very primitive concept and everyone does it more or less
the same way. The difference is in the 'terminology' of the technology.
If I want to capture a subnet 2.2.2.0/24 from the internet and bring it
inside, I could set up proxy ARP entries for them all, or I could bind all the
IP addresses to the network interface. With either approach, you have to use
DNAT in conjunction. I prefer binding because it's an easy way of doing
it. At times you ARE forced to use ProxyARP over binding to the
interface, but that is only when you are using network bridging. If you
haven't done this before, I'd advise not trying to learn it until you get
the rest of this.


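The Linux counterpart of Marco's Checkpoint recipe (local.arp entry plus static route) and of the two variants Daniel contrasts above, as an added example that is not code from the thread. It publishes one public address by binding it to the external interface (John's `ip address add ... dev eth0`) and another with a single proxy-ARP entry (`ip neigh add proxy`), and in both cases the actual mapping is a /32 DNAT rule plus a FORWARD rule for the translated packet. The interface name eth0, the public block 2.2.2.0/24 with 2.2.2.9 already on the firewall, and the two servers 192.168.0.5 (web, port 80 only) and 192.168.0.7 (FTP host, all ports) are assumptions taken from the examples in the thread. `dnat_dest_ok` is the check Daniel asks for: it refuses a destination written as a network such as `2.2.2.10/24`, which would match every address in the block. DRY=1 (default) prints the commands; DRY=0 applies them as root.

```shell
#!/bin/sh
# Added example: publish a public address (bound or proxy-ARP'ed) and DNAT it.
# Interface names and addresses are assumptions; DRY=1 (default) only prints.
set -u
DRY="${DRY:-1}"
EXT="${EXT:-eth0}"     # external interface; 2.2.2.9/24 is assumed to be on it
run() { if [ "$DRY" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# dnat_dest_ok ADDR: a DNAT match must name one host. "-d 2.2.2.10/24" is the
# whole 2.2.2.0/24, so every public address would land on the same server.
dnat_dest_ok() {
  case "$1" in
    */32) return 0 ;;
    */*)  echo "refusing -d $1: use a single host (no mask or /32)" >&2; return 1 ;;
    *)    return 0 ;;
  esac
}

# publish_bound PUBLIC: method 1, the address becomes a real local address;
# packets for it that no DNAT rule claims are delivered to INPUT.
publish_bound() { run ip addr add "$1/24" dev "$EXT"; }

# publish_proxy PUBLIC: method 2, answer ARP for PUBLIC without owning it
# (one proxy entry, not the interface-wide proxy_arp sysctl); packets for it
# are never local, so only the routing table and FORWARD see them.
publish_proxy() { run ip neigh add proxy "$1" dev "$EXT"; }

# dnat_map PUBLIC PRIVATE [PROTO PORT]: the mapping plus the FORWARD rule that
# lets the translated packet through. nat/PREROUTING rewrites the destination
# first, so the FORWARD rule matches on the private address.
dnat_map() {
  dnat_dest_ok "$1" || return 1
  if [ $# -ge 4 ]; then
    run iptables -t nat -A PREROUTING -i "$EXT" -d "$1" -p "$3" --dport "$4" \
        -j DNAT --to-destination "$2"
    run iptables -A FORWARD -i "$EXT" -d "$2" -p "$3" --dport "$4" \
        -m conntrack --ctstate NEW -j ACCEPT
  else
    run iptables -t nat -A PREROUTING -i "$EXT" -d "$1" -j DNAT --to-destination "$2"
    run iptables -A FORWARD -i "$EXT" -d "$2" -m conntrack --ctstate NEW -j ACCEPT
  fi
}

base_policy() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP          # anything not explicitly mapped stops here
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

setup() {
  base_policy
  publish_bound 2.2.2.10; dnat_map 2.2.2.10 192.168.0.5 tcp 80   # web, port 80 only
  publish_proxy 2.2.2.7;  dnat_map 2.2.2.7  192.168.0.7          # ftp host, all ports
}

if [ "${1:-}" = apply ]; then setup; fi
```

With the bound method, 2.2.2.10:21 is not translated and reaches the firewall's own INPUT chain, so the INPUT policy has to be as strict as FORWARD; with the proxy method the address is never local, and the FORWARD DROP default is what guarantees an unmapped port goes nowhere. `ip neigh show proxy` lists the published proxy entries, `ip addr show dev eth0` the bound ones, and `iptables -t nat -L PREROUTING -n` the mappings. Mapping an FTP server this way still needs the FTP connection-tracking and NAT helper, the 'fixing' modules Daniel mentions in his first reply, for active-mode data connections to follow the translated control connection.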