Is there any static ARP concept for static IP network?

hello,
I know that we can setup network with static IP if we dont want to set
it with dynamic ip's. But is there any utility or command to
store/giver static ARP concept?
If it is how to do it on RedHat linux 9? If i set that then still arp
resolution occur in network or not?

(E-Mail Removed) wrote:
> hello,
> I know that we can setup network with static IP if we dont want to set
> it with dynamic ip's. But is there any utility or command to
> store/giver static ARP concept?
> If it is how to do it on RedHat linux 9? If i set that then still arp
> resolution occur in network or not?
>

The IP address assignment method does not change the need
for ARP to resolve IP addresses to MAC addresses.

There is a possibility to force-feed the address resolutions
to the ARP handlers. See man arp.

Why would you need to avoid ARP?

--

Tauno Voipio
tauno voipio (at) iki fi

(E-Mail Removed) wrote:
> hello,
> I know that we can setup network with static IP if we dont want to
set
> it with dynamic ip's. But is there any utility or command to
> store/giver static ARP concept?

$ man arp
[q]
Arp manipulates the kernel's ARP cache in various ways. The primary
options are clearing an address mapping entry and ***manually setting
up
one.***
[eq] emphasis added

See the -s and the -f options.

Be careful and make _very_ sure you want to do this. It is sometimes
useful to take on the burden of manually setting/maintaining arp tables
for security reasons. Ie., helps guard against arp cache poisoning.

It is also an excellent way to break connectivity

> If it is how to do it on RedHat linux 9? If i set that then still arp
> resolution occur in network or not?

As with the other resolution mechanisms, local (static) entries are
checked first. If no entry exists, then resolution continues on the
network.

hth,
prg
email above disabled

Tauno Voipio wrote:
> (E-Mail Removed) wrote:
> > hello,
> > I know that we can setup network with static IP if we dont want to
set
> > it with dynamic ip's. But is there any utility or command to
> > store/giver static ARP concept?
> > If it is how to do it on RedHat linux 9? If i set that then still
arp
> > resolution occur in network or not?
> >
>
> The IP address assignment method does not change the need
> for ARP to resolve IP addresses to MAC addresses.
>
> There is a possibility to force-feed the address resolutions
> to the ARP handlers. See man arp.
>
> Why would you need to avoid ARP?
First i read that static ARP used to remove ARP poisoning
attack and second as i know already how to set static IPs in network. i
want to learn now how to set static arp.
In this case i think the major disadvantage is setting manual
IP-MAC listing if i have large network. Is there any disadvantage of
static ARP?
>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi

I think, the best way to deal with ARP flooding or ARP poisoning is to
put ur netmask(subnetting) to low as possible... i.e. 255.255.255.0 is
better than 255.255.0.0....as it reduces the arp broadcast range
considerably.... use the subnet to best suit your needs.

On Wed, 18 May 2005 10:09:32 -0700, linux.lover2004 wrote:
> Tauno Voipio wrote:
>> (E-Mail Removed) wrote:

>> > I know that we can setup network with static IP if we dont want to
> > set it with dynamic ip's. But is there any utility or command to
>> > store/giver static ARP concept?

(As others mensioned):

man arp
man ethers

>> > If it is how to do it on RedHat linux 9?

Use "nmap" to ping sweep your subnet, and:

arp |awk '/:/{print $3, $1}' >>/etc/ethers
chmod 600 /etc/ethers

Then in /etc/rc.d/rc.local stick like:

# Load the static ARP table
if [ -r /etc/ethers ]; then
if ! /sbin/arp -f ; then
echo "Error: /sbin/arp -f" >&2
fi
else
echo "Error: cannot read /etc/ethers" >&2
fi

>> > If i set that then still arp resolution occur in network or not?

Not if you do that an _all_ machines (including routers/switches.)

>> The IP address assignment method does not change the need
>> for ARP to resolve IP addresses to MAC addresses.

True. Only the resolution is done locally then.

>> There is a possibility to force-feed the address resolutions
>> to the ARP handlers. See man arp.
>>
>> Why would you need to avoid ARP?

> First i read that static ARP used to remove ARP poisoning attack

Yes. But it's a lot harder to maintain such a network. Unless it's not too
big of a network (and/or your good with scripting (and documenting.))

Probably though, where you read that, they where talking about the
arp-tables off a layer 2 switch. Rather then workstations/servers ...

> and second as i know already how to set static IPs in network. i
> want to learn now how to set static arp.

Make the subnets for all segments so that broadcast domains are like a
C-class network (i.e.: netmasks of 255.255.255.0) first.

This has the added benefid of being able to name them via
/etc/networks (or DNS) also.

> In this case i think the major disadvantage is setting manual IP-MAC
> listing if i have large network. Is there any disadvantage of static
> ARP?

Well: "setting manual IP-MAC listing" and "static ARP" are basically the
same thing worded differently ...

The only /advantage/ would be security AFAICT - Note though: someone,
with phisical access to the RJ45 jack, can still spoof thier own (laptop)
MAC/IP adresses to that of the known (mapped/allowed) NIC. Provideing them
with local root access whist being connected to your network.

Since some often used protocols (such as NFS) rely on client users to
_not_ have root locally, this can still be a problem.

Althogh, in such a setup you might have better luck traceing back to, and
pin-pointing, any cluprits if you log prepperly (should they try some
usernames unknown by your servers, scan about thier subnet, or whatever.)

HTH.

--
-Menno.

On Thu, 19 May 2005 07:42:30 +0000, Menno Duursma wrote:
> On Wed, 18 May 2005 10:09:32 -0700, linux.lover2004 wrote:

>> First i read that static ARP used to remove ARP poisoning attack
>
> Yes. But it's a lot harder to maintain such a network. Unless it's not too
> big of a network (and/or your good with scripting (and documenting.))

I'd just like to add you probably don't want to be messing around with
this when remotely connected, unless you have serial-console access ...
Or some periodic reset script (run from like "cron", "at", "watch", like.)

Netfilter allows one to "firewall" on MAC adress as well, the following is
like a server example, (use FORWARD on routers ofcource) ie:

# Load needed module
/sbin/modprobe ipt_mac

# Set default policy
/usr/sbin/iptables -P INPUT DROP

# Allow connections from Media Access Controllers we know about only
for MAC in `grep -v -e "^#" -e "^$" /etc/ethers |cut -d' ' -f1`; do
/usr/sbin/iptables -A INPUT -m mac --mac-source "$MAC" -j ACCEPT
done

--
-Menno.