Lec11_Address Resolution.pptx
LEC11: ADDRESS RESOLUTION

MAC and IP: Destination on Same Network

There are two primary addresses assigned to a device on an Ethernet LAN:
- Layer 2 physical address (the MAC address): used for NIC-to-NIC communications on the same Ethernet network.
- Layer 3 logical address (the IP address): used to send the packet from the source device to the destination device. The destination IP address may be on the same IP network as the source, or it may be on a remote network.

Layer 2 addresses are used to deliver frames from one NIC to another NIC on the same network. If a destination IP address is on the same network, the destination MAC address will be that of the destination device.

MAC and IP: Destination on Remote Network

When the destination IP address is on a remote network, the destination MAC address is that of the default gateway (that is, the router interface). Routers examine the destination IPv4 address to determine the best path for forwarding the IPv4 packet. When a router receives the Ethernet frame, it de-encapsulates the Layer 2 information. Using the destination IPv4 address, it determines the next-hop device and then encapsulates the IPv4 packet in a new data link frame for the outgoing interface.

How are the IP addresses of the IP packets in a data flow associated with the MAC addresses on each link along the path to the destination?
- ARP (Address Resolution Protocol) is used by IPv4 to associate the IPv4 address of a device with the MAC address of the device NIC.
- ICMPv6 (Internet Control Message Protocol for IPv6) is used by IPv6 to associate the IPv6 address of a device with the MAC address of the device NIC.

ARP: ARP Overview

If your network is using the IPv4 communications protocol, Address Resolution Protocol (ARP) is what you need in order to map IPv4 addresses to MAC addresses. Every IP device on an Ethernet network has a unique Ethernet MAC address.
When a device sends an Ethernet Layer 2 frame, it contains these two addresses:
- Destination MAC address: the Ethernet MAC address of the destination device on the same local network segment. If the destination host is on another network, the destination address in the frame is the address of the default gateway (that is, the router).
- Source MAC address: the MAC address of the Ethernet NIC on the source host.

To send a packet to another host on the same local IPv4 network, a host must know the IPv4 address and the MAC address of the destination device. Destination IPv4 addresses are either known or resolved by device name. However, MAC addresses must be discovered.

ARP: ARP Overview

A device uses ARP to determine the destination MAC address of a local device when it knows its IPv4 address. ARP provides two basic functions:
- Resolving IPv4 addresses to MAC addresses
- Maintaining an ARP table of IPv4-to-MAC address mappings

When a packet is sent to the data link layer to be encapsulated into an Ethernet frame, the device refers to a table in its memory to find the MAC address that is mapped to the IPv4 address. This table, which is stored temporarily in RAM, is called the ARP table or the ARP cache.

ARP: ARP Functions

To send a frame, a device will search its ARP table for a destination IPv4 address and a corresponding MAC address.
- If the packet's destination IPv4 address is on the same network, the device will search the ARP table for the destination IPv4 address.
- If the destination IPv4 address is on a different network, the device will search the ARP table for the IPv4 address of the default gateway.
- If the device locates the IPv4 address, its corresponding MAC address is used as the destination MAC address in the frame.
- If no ARP table entry is found, the device sends an ARP request.

Each entry, or row, of the ARP table binds an IPv4 address with a MAC address. We call the relationship between the two values a map.
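The lookup sequence just described (same network or default gateway, cache hit or ARP request), as an added example that is not part of the lecture. The cache layout, the hypothetical resolve_next_hop helper and the 45-second timeout are assumptions; the addresses come from the arp -a output shown later in this lecture, except 203.0.113.5, which is constructed.

```python
import ipaddress
import time

# Hypothetical ARP-resolution helper (added example, not from the lecture).
# The cache maps an IPv4 address to (MAC address, time the entry was learned).
ARP_TIMEOUT_SECONDS = 45  # assumed value; the lecture gives 15-45 s for newer Windows

def lookup(cache, ip, now, timeout=ARP_TIMEOUT_SECONDS):
    """Return the cached MAC for ip, dropping the entry if its timer has expired."""
    entry = cache.get(ip)
    if entry is None:
        return None
    mac, learned_at = entry
    if now - learned_at > timeout:
        del cache[ip]          # expired entry: behave as if it was never there
        return None
    return mac

def resolve_next_hop(src_ip, prefixlen, dst_ip, gateway_ip, cache, now):
    """Decide which MAC goes in the destination field of the outgoing frame.

    Returns ("frame", mac) when the cache already holds the answer, or
    ("arp_request", ip) naming the IPv4 address that must be resolved first.
    """
    local_net = ipaddress.ip_network(f"{src_ip}/{prefixlen}", strict=False)
    # Same network: resolve the destination itself; remote: resolve the default gateway.
    target = dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway_ip
    mac = lookup(cache, target, now)
    if mac is None:
        return ("arp_request", target)
    return ("frame", mac)

if __name__ == "__main__":
    # Constructed cache: gateway learned 10 s ago, LAN host learned 60 s ago (stale).
    now = time.time()
    cache = {
        "192.168.1.1":   ("c8-d7-19-cc-a0-86", now - 10),
        "192.168.1.101": ("08-3e-0c-f5-f7-77", now - 60),
    }
    print(resolve_next_hop("192.168.1.124", 24, "203.0.113.5", "192.168.1.1", cache, now))
    print(resolve_next_hop("192.168.1.124", 24, "192.168.1.101", "192.168.1.1", cache, now))
```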
The map simply enables you to locate an IPv4 address in the table and discover the corresponding MAC address. The ARP table temporarily saves (caches) the mapping for the devices on the LAN.

ARP: Removing Entries from an ARP Table

Entries in the ARP table are not permanent and are removed when an ARP cache timer expires after a specified period of time. The duration of the ARP cache timer differs depending on the operating system (for example, newer Windows operating systems store ARP table entries for 15 to 45 seconds). ARP table entries can also be removed manually by the administrator.

ARP: ARP Tables on Networking Devices

The show ip arp command displays the ARP table on a Cisco router. The arp -a command displays the ARP table on a Windows 10 PC.

    R1# show ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type  Interface
    Internet  192.168.10.1             -  a0e0.af0d.e140  ARPA  GigabitEthernet0/0/0

    C:\Users\PC> arp -a

    Interface: 192.168.1.124 --- 0x10
      Internet Address      Physical Address      Type
      192.168.1.1           c8-d7-19-cc-a0-86     dynamic
      192.168.1.101         08-3e-0c-f5-f7-77     dynamic

ARP: ARP Issues – ARP Broadcasting and ARP Spoofing

ARP requests are received and processed by every device on the local network. Excessive ARP broadcasts can cause some reduction in performance.

ARP replies can be spoofed by a threat actor to perform an ARP poisoning attack. This is a technique used by a threat actor to reply to an ARP request for an IPv4 address belonging to another device, such as the default gateway. The threat actor sends an ARP reply with its own MAC address. The receiver of the ARP reply adds the wrong MAC address to its ARP table and sends its packets to the threat actor. Enterprise-level switches include mitigation techniques such as dynamic ARP inspection (DAI) to protect against ARP attacks.
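How a DAI-style check keeps a forged reply out of the ARP cache, as an added example; this is not the lecture's code and not Cisco's DAI implementation. The ArpReply class, the inspect function, the port names and the binding table are assumptions; the two bindings reuse the hosts from the arp -a output above, and 00-11-22-33-44-55 is a constructed MAC.

```python
from dataclasses import dataclass

# Hypothetical dynamic-ARP-inspection style check (added example; not the
# lecture's code and not Cisco's DAI implementation). Each ARP reply seen on an
# untrusted switch port is compared with a trusted IPv4-to-MAC binding table
# (in real deployments typically built from DHCP snooping) before it is allowed
# to reach any host's ARP cache.

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # IPv4 address the reply claims to answer for
    sender_mac: str   # MAC the reply wants bound to that address
    port: str         # switch port on which the reply arrived

def normalize_mac(mac):
    """Accept Windows (c8-d7-19-cc-a0-86), Cisco (c8d7.19cc.a086) and colon forms."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def inspect(replies, bindings, trusted_ports=frozenset()):
    """Split replies into (accepted, dropped); each dropped item carries a reason."""
    accepted, dropped = [], []
    for r in replies:
        if r.port in trusted_ports:     # uplink/router ports are not inspected
            accepted.append(r)
            continue
        expected = bindings.get(r.sender_ip)
        if expected is None:
            dropped.append((r, "no binding for sender IP"))
        elif normalize_mac(expected) != normalize_mac(r.sender_mac):
            dropped.append((r, f"MAC mismatch: expected {normalize_mac(expected)}"))
        else:
            accepted.append(r)
    return accepted, dropped

if __name__ == "__main__":
    # Constructed binding table (the two hosts from the arp -a output) and three
    # constructed replies; 00-11-22-33-44-55 is a made-up MAC.
    bindings = {"192.168.1.1": "c8-d7-19-cc-a0-86", "192.168.1.101": "08-3e-0c-f5-f7-77"}
    replies = [
        ArpReply("192.168.1.1", "c8d7.19cc.a086", "Gi0/1"),       # real gateway on trusted uplink
        ArpReply("192.168.1.1", "00-11-22-33-44-55", "Gi0/5"),    # gateway IP claimed with wrong MAC
        ArpReply("192.168.1.101", "08:3e:0c:f5:f7:77", "Gi0/3"),  # matches the binding table
    ]
    accepted, dropped = inspect(replies, bindings, trusted_ports={"Gi0/1"})
    for reply, reason in dropped:
        print(f"dropped on {reply.port}: {reply.sender_ip} -> {reply.sender_mac} ({reason})")
```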
IPv6 Neighbor Discovery: IPv6 Neighbor Discovery Messages

If your network is using the IPv6 communications protocol, the Neighbor Discovery (ND) protocol is what matches IPv6 addresses to MAC addresses. The IPv6 ND protocol provides address resolution, router discovery, and redirection services for IPv6 using ICMPv6 (Internet Control Message Protocol for IPv6). ICMPv6 ND uses five ICMPv6 messages to perform these services: Neighbor Solicitation messages, Neighbor Advertisement messages, Router Solicitation messages, Router Advertisement messages, and Redirect messages.
- ICMPv6 Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages are used for device-to-device messaging such as address resolution. Devices include both host computers and routers.
- ICMPv6 Router Solicitation (RS) and Router Advertisement (RA) messages are used for messaging between devices and routers for router discovery.
- ICMPv6 Redirect messages are used by routers for better next-hop selection.

IPv6 Neighbor Discovery: IPv6 Neighbor Discovery – Address Resolution

IPv6 devices use IPv6 ND to determine the MAC address of a device that has a known IPv6 address. ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages are used for MAC address resolution. This is similar to the ARP requests and ARP replies used by ARP for IPv4. ICMPv6 Neighbor Solicitation messages are sent using special Ethernet and IPv6 multicast addresses. For example, say that PC1 wants to ping PC2 at IPv6 address 2001:db8:acad::11. To determine the MAC address for the known IPv6 address, PC1 sends an ICMPv6 Neighbor Solicitation message.

THANKS! Best Regards!
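The "special Ethernet and IPv6 multicast addresses" the NS is sent to, derived for the PC1/PC2 example as an added illustration that is not part of the lecture. The function names are assumptions; the derivation follows the solicited-node multicast rule (ff02::1:ff00:0/104 plus the low 24 bits of the target) and the IPv6 multicast MAC rule (33:33 plus the low 32 bits of the multicast address).

```python
import ipaddress

# Added example (not from the lecture): derive the addresses an IPv6 Neighbor
# Solicitation is sent to when a host resolves a known IPv6 address. Only the
# NICs subscribed to that solicited-node group have to process the frame, which
# is why ND avoids the LAN-wide broadcast that ARP requests rely on.

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node_multicast(target):
    """Solicited-node multicast address for target: prefix + target's low 24 bits."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)

def ipv6_multicast_mac(mcast):
    """Ethernet destination for an IPv6 multicast address: 33:33 + its low 32 bits."""
    low32 = int(ipaddress.IPv6Address(mcast)) & 0xFFFFFFFF
    octets = [0x33, 0x33] + [(low32 >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return ":".join(f"{o:02x}" for o in octets)

def neighbor_solicitation_targets(target):
    """Return (IPv6 destination, Ethernet destination) for an NS resolving target."""
    mcast = solicited_node_multicast(target)
    return str(mcast), ipv6_multicast_mac(mcast)

def must_answer(ns_target, my_addresses):
    """A receiver answers only if the NS target is one of its own addresses.

    Several addresses can share one solicited-node group (same low 24 bits),
    so membership in the group alone is not enough to send a Neighbor Advertisement.
    """
    return ipaddress.IPv6Address(ns_target) in {ipaddress.IPv6Address(a) for a in my_addresses}

if __name__ == "__main__":
    # PC1 resolving PC2 at 2001:db8:acad::11, as in the lecture's example
    print(neighbor_solicitation_targets("2001:db8:acad::11"))
```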