
UNIX System Administration Handbook - Evi Nemeth [173]

two. The router can conclude that the sender’s routing tables are inaccurate or incomplete.

In this situation, the router can notify the sender of its problem with an ICMP redirect packet. In effect, a redirect says, “You should not be sending packets for host xxx to me; you should send them to host yyy instead.” The ICMP protocol allows redirects to be sent for both individual host addresses and entire networks. However, many implementations generate only host redirects.

Upon receiving a redirect, a naive sender updates its routing table so that future packets bound for that destination will take the more direct path. In the early days of multicasting, a few systems generated ICMP routing redirects in response to multicast packets. Modern systems do not have this problem.

The standard ICMP scenario contains no authentication step. Your router receives a redirect that claims to be from another, well-respected router and directs you to send traffic elsewhere. Should you listen? Paying attention to redirects actually creates something of a security problem. Redirects are generally ignored by Linux and BSD-based kernels and by Cisco routers. It’s not a good idea to let untrusted hosts modify your routing tables.

13.6 ARP: THE ADDRESS RESOLUTION PROTOCOL


Even though IP packets are usually thought of in terms of IP addresses, hardware addresses must be used to actually transport data across a network’s link layer.

ARP, the Address Resolution Protocol, discovers the hardware address associated with a particular IP address. It can be used on any kind of network that supports broadcasting but is most commonly described in terms of Ethernet.

If host A wants to send a packet to host B on the same Ethernet, it uses ARP to discover B’s hardware address. When B is not on the same network as A, host A uses ARP to find the hardware address of the next-hop router to which a packet destined for B should be sent. Since ARP uses broadcast packets, which cannot cross networks, it can only be used to find the hardware addresses of machines connected directly to the sending host’s local network.

Every machine maintains a table in memory called the ARP cache, which contains the results of recent ARP queries. Under normal circumstances, many of the addresses a host needs are discovered soon after booting, so ARP does not account for a lot of network traffic.

ARP functions by broadcasting a packet of the form, “Does anyone know the hardware address for 128.138.116.4?” The machine being searched for recognizes its own IP address and sends back a reply, “Yes, that’s the IP address assigned to one of my network interfaces, and the corresponding Ethernet address is 8:0:20:0:fb:6a.”

The original query includes the IP and Ethernet addresses of the requestor so that the machine being sought can reply without issuing an ARP query of its own. Thus, the two machines learn each other’s ARP mappings with only one exchange of packets. Other machines that overhear the requestor’s initial broadcast can record its address mapping, too. This passive inspection of ARP traffic is sometimes called snooping.
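The query/reply exchange just described, with a third host on the same Ethernet snooping on it, as an added example that is not from the book; it builds the two ARP packets itself rather than capturing them, and assumes a requestor address of 128.138.116.9 (the text only names the target, 128.138.116.4, and its reply address 8:0:20:0:fb:6a):

```python
import struct

# Ethernet/IPv4 ARP body (RFC 826): htype, ptype, hlen, plen, op,
# sender MAC, sender IP, target MAC, target IP; all in network byte order.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s):   # '8:0:20:0:fb:6a' -> 6 raw bytes (unpadded octets, as in the text)
    return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b):     # 6 raw bytes -> zero-padded 'aa:bb:cc:dd:ee:ff'
    return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))
def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode one ARP packet body; the Ethernet frame around it is omitted."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                       ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(pkt):
    """Decode an ARP body, rejecting anything that is not Ethernet/IPv4."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}

class ArpCache:
    """Learns from every ARP packet it sees, as a snooping host would."""
    def __init__(self):
        self.table, self.changes = {}, []   # ip -> mac; (ip, old, new) when a mapping moves
    def observe(self, pkt):
        a = parse_arp(pkt)
        # The sender fields of both requests and replies carry a usable mapping.
        old = self.table.get(a["sender_ip"])
        if old is not None and old != a["sender_mac"]:
            self.changes.append((a["sender_ip"], old, a["sender_mac"]))   # worth logging
        self.table[a["sender_ip"]] = a["sender_mac"]
        return a

def example_exchange():
    """The query/reply pair from the text, as seen by a third host that only listens."""
    # Constructed: requestor 128.138.116.9 is assumed; a request's target MAC is all zeros.
    req = build_arp(ARP_REQUEST, "0:50:da:12:4e:e5", "128.138.116.9", "0:0:0:0:0:0", "128.138.116.4")
    rep = build_arp(ARP_REPLY, "8:0:20:0:fb:6a", "128.138.116.4", "0:50:da:12:4e:e5", "128.138.116.9")
    bystander = ArpCache()
    for pkt in (req, rep):
        bystander.observe(pkt)
    return bystander.table   # both mappings learned from a single exchange
```

A mapping that changes from one sighting to the next (the `changes` list) is exactly what a host that trusts every ARP packet will silently accept, so it is the thing to log when watching ARP traffic.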

Most systems include a command called arp that examines and manipulates the kernel’s ARP cache. arp is typically used to add or delete an entry; it can also flush the table or show it. On most systems, arp -a displays the contents of the arp cache—with a different format on each system, of course ...

Here are examples of arp -a output from Solaris and Red Hat:

solaris% /usr/sbin/arp -a
Net to Media Table
Device   IP Address      Mask             Flags   Phys Addr
------   -----------     ---------------  -----   -----------------
hme0     titania         255.255.255.255          00:50:da:6b:b5:90
hme0     earth           255.255.255.255          00:50:da:12:4e:e5
hme0     pluto           255.255.255.255          00:50:da:12:4e:19

redhat% /sbin/arp -a
xor.com (192.108.21.1) at 08:00:20:77:5E:A0 [ether] on eth0
earth.xor.com (192.108.21.180) at 00:50:DA:12:4E:E5 [ether] on eth0
lollipop.xor.com (192.108.21.48) at 08:00:20:79:4F:49 [ether] on eth0

The arp command is generally useful only for debugging and
