ARP when sent IP is wrong in every packet

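I ran into a question on my operating systems exam today. Given a process that "forges" the IP address in every packet it sends (gives a wrong IP address), does ARP work properly?

I maintain that it doesn't, since the packet wouldn't know where to return the "ack".

Would love to hear your opinions.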

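I think it would know where to return the ack, because the sender sent his MAC address, and that is what matters. But I think it won't work, because the receiver will change his ARP table based on the MAC & IP he got from the sender. (This is a trivial optimization.)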

I maintain that it doesn't, since the packet wouldn't know where to return the "ack".

It is returned to the sender's MAC address, not the IP address.

From RFC 826:

When an address resolution packet is received, the receiving Ethernet module gives the packet to the Address Resolution module which goes through an algorithm similar to the following. Negative conditionals indicate an end of processing and a discarding of the packet.

?Do I have the hardware type in ar$hrd?
Yes: (almost definitely)
  [optionally check the hardware length ar$hln]
  ?Do I speak the protocol in ar$pro?
  Yes:
    [optionally check the protocol length ar$pln]
    Merge_flag := false
    If the pair <protocol type, sender protocol address> is
        already in my translation table, update the sender
        hardware address field of the entry with the new
        information in the packet and set Merge_flag to true.
    ?Am I the target protocol address?
    Yes:
      If Merge_flag is false, add the triplet <protocol type,
          sender protocol address, sender hardware address> to
          the translation table.
      ?Is the opcode ares_op$REQUEST?  (NOW look at the opcode!!)
      Yes:
        Swap hardware and protocol fields, putting the local
            hardware and protocol addresses in the sender fields.
        Set the ar$op field to ares_op$REPLY
        Send the packet to the (new) target hardware address on
            the same hardware on which the request was received.

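What does this mean?

ARP is returned using MAC addressing, although the IP address can also be included in the Sender Protocol Address (SPA) field of the packet. This means that although the sender IP address (SPA) is spoofed, there is no mention in your question of the Sender Hardware Address (SHA) being spoofed.

This means that the sender receives the ARP reply and ARP will work (from the sending machine's point of view). However, since the ARP packet contains a spoofed SPA, the target machine (and possibly other devices on the network) will associate the sender as having that IP address, enabling a successful ARP poisoning attack: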

e.g. Linux ignores unsolicited replies, but on the other hand uses seen requests from other machines to update its cache.
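
The RFC 826 reception algorithm quoted above, as a small simulation (an added example, not part of the original answers). It shows that the reply is addressed to the sender hardware address while the receiver's table takes on the forged sender protocol address. The class names, the `changed` list used to notice rewritten entries, and all addresses are assumptions constructed for illustration.

```python
# Added example: RFC 826 packet reception as a simulation; all addresses are constructed.
from dataclasses import dataclass, replace

REQUEST, REPLY = 1, 2
ETHERNET, IPV4 = 1, 0x0800

@dataclass(frozen=True)
class ArpPacket:
    hrd: int
    pro: int
    op: int
    sha: str   # sender hardware address
    spa: str   # sender protocol address
    tha: str   # target hardware address
    tpa: str   # target protocol address

class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.table = {}      # (protocol type, protocol address) -> hardware address
        self.changed = []    # hypothetical defender hook: entries that were rewritten

    def receive(self, pkt):
        """Return (reply, destination MAC) or None, following the RFC 826 steps."""
        if pkt.hrd != ETHERNET or pkt.pro != IPV4:
            return None
        key = (pkt.pro, pkt.spa)
        merge = key in self.table
        if merge:
            if self.table[key] != pkt.sha:
                self.changed.append((pkt.spa, self.table[key], pkt.sha))
            self.table[key] = pkt.sha
        if pkt.tpa != self.ip:
            return None
        if not merge:
            self.table[key] = pkt.sha
        if pkt.op != REQUEST:
            return None
        # Swap fields: the reply goes to the sender's hardware address, not its IP.
        reply = replace(pkt, op=REPLY, sha=self.mac, spa=self.ip, tha=pkt.sha, tpa=pkt.spa)
        return reply, reply.tha

def forged_request_demo():
    target = Host("02:00:00:00:00:0b", "192.0.2.11")
    target.table[(IPV4, "192.0.2.1")] = "02:00:00:00:00:01"   # real owner of 192.0.2.1
    forged = ArpPacket(ETHERNET, IPV4, REQUEST, sha="02:00:00:00:00:0a",
                       spa="192.0.2.1", tha="00:00:00:00:00:00", tpa="192.0.2.11")
    reply, dst = target.receive(forged)
    return dst, target.table[(IPV4, "192.0.2.1")], target.changed
```

A non-empty `changed` list is the signal a monitor would alert on: an IP address that already had a mapping now points at a different hardware address.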