ARP Changes in Server 2008/Vista:

Introduction:

ARP is used to perform Duplicate Address Detection by sending an ARP request in which the Target Protocol Address is set to the IP address for which duplication is being detected. In other words, to detect whether other nodes on the subnet are using the same network address, a node sends an ARP request for its own IP address. For example, when a node is assigned an IP address, let’s say 174.23.56.89, it sends an ARP request with the Target Protocol Address set to 174.23.56.89.

If a node sends an ARP request for its own IP address and no ARP reply frames are received, the IP address is unique on the subnet and is not a duplicate. If a node sends an ARP request for its own IP address and receives an ARP reply, the IP address is a duplicate.

So when you add an IP address using the AddIPAddress API, an ARP request is sent out to the subnet. Starting with Windows Vista and Server 2008, the Source Protocol Address in that request is set to 0.0.0.0, and this is by design. The reason for the change is that the previous version of the ARP request had both the source and destination addresses set, which resulted in receivers adding an entry for the conflicting IP address to their ARP caches with the MAC address of the node sending the request. To fix this, the source machine that sent the ARP request for duplicate address detection has to send an additional broadcast ARP request carrying the MAC address of the machine that replied to report the IP address conflict. To avoid this additional broadcast, the Source Protocol Address is always set to 0.0.0.0.

There are two key benefits to this design change in Vista:

a) The initial ARP request has only the Target Protocol Address set to the address for which uniqueness is being verified. The Source Protocol Address is set to 0.0.0.0. This new ARP request message does not update the ARP caches of neighbor nodes and therefore does not have to be corrected with an additional broadcast ARP request if a duplication is detected.

b) If ARP receives an ARP request with both the Source Protocol Address and Target Protocol Address set to an existing entry in the neighbor cache (as sent by previous versions of Windows), ARP does not update the entry with the offending node’s MAC address.

There is an additional complexity when the offending node runs Vista or Server 2008 and the defending node runs a pre-Vista OS, and vice versa. If the offending node is running Windows Server 2008 or Windows Vista, the following ARP exchanges will occur:

a) A broadcast ARP request sent by the offending node. [SPA set to 0.0.0.0]

b) A unicast ARP reply sent by the defending node. [A unicast reply indicates that there is a duplicate address]

If the offending node runs a previous version of Windows, the ARP exchange will occur as follows:

a) A broadcast ARP request sent by the offending node. [SPA and TPA are equal to the IP address]

b) A unicast ARP reply [previous version of Windows] or a broadcast ARP reply [Windows Server 2008 or Vista] sent by the defending node.

c) A broadcast ARP request sent by the offending node with the MAC address of the defending node.
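The two request styles described above can be told apart on the wire by comparing SPA and TPA. The following is an added example, not code from the original post: it parses a raw 28-byte Ethernet/IPv4 ARP payload and labels it. The function names, the labels and the sample MAC address are constructed for illustration.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload: htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP_FMT = "!HHBBH6s4s6s4s"          # 28 bytes in total
SAMPLE_MAC = "020000000001"         # constructed, locally administered MAC

def parse_arp(payload: bytes) -> dict:
    """Decode the fixed ARP fields; reject anything that is not Ethernet/IPv4."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"oper": oper, "sha": sha.hex("-"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex("-"), "tpa": socket.inet_ntoa(tpa)}

def classify(payload: bytes) -> str:
    """Label a message using the SPA/TPA patterns the article describes."""
    arp = parse_arp(payload)
    if arp["oper"] == 2:
        return "reply"
    if arp["oper"] != 1:
        return "other"
    if arp["spa"] == "0.0.0.0":
        return "dad-probe-vista"     # SPA zeroed: neighbors do not cache it
    if arp["spa"] == arp["tpa"]:
        return "dad-request-legacy"  # SPA == TPA: previous Windows versions
    return "request"

def build(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct a sample payload for testing the classifier offline."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha), socket.inet_aton(spa),
                       bytes.fromhex(tha), socket.inet_aton(tpa))

if __name__ == "__main__":
    zero = "000000000000"
    for spa, tpa in [("0.0.0.0", "192.168.0.1"),
                     ("192.168.0.1", "192.168.0.1"),
                     ("192.168.0.1", "192.168.0.3")]:
        print(spa, "->", tpa, classify(build(1, SAMPLE_MAC, spa, zero, tpa)))
```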

CASE STUDY:

Let’s study the above explanation with an example:

[Figure clip_image002: diagram of the subnet discussed below]

Let’s consider the above subnet, which has a set of machines with different OSs loaded. Let’s treat the Vista box [192.168.0.1] as the primary server; whenever it fails, we will assign its IP address to the BackUp PC. I have drawn a red line in the picture that identifies the BackUp PC.

Initially the primary Vista box holds the IP address 192.168.0.1 and has a physical machine address of EA-EB. If you look at the above diagram, the ARP caches of Server 2008 [192.168.0.2], Server 2003 A [192.168.0.3] and Windows XP [192.168.0.4] each have an entry for the primary Vista box’s IP address and its physical address. Note carefully that the ARP cache of Server 2003 B [192.168.0.5] is *empty*.

Now we will consider a scenario where the primary Vista box fails and we assign its IP address to the BackUp PC using the AddIPAddress API. We need to carefully consider the sequence of steps that will happen:

a) Let’s assume the BackUp PC is running Vista. When you add the IP address, an ARP broadcast request is first sent out to the subnet from the BackUp PC as follows:

SHA : FF-GH   SPA : 0.0.0.0  THA : 00.00.00.00.00 TPA: 192.168.0.1

  Where

SHA = Source Hardware Address.

SPA = Source protocol Address.

THA = Target Hardware Address.

TPA = Target Protocol Address

b) Here the BackUp PC will not get any ARP reply, since no duplicate address is in use and all boxes have unique IP addresses. The BackUp PC now loads successfully and comes up.

c) But if you look at the ARP caches on all the boxes, none of them will have been updated. The reason is that in step a) the SPA was 0.0.0.0, as it is starting with Vista, which prevents entries from being added to the ARP caches of the neighbors.

d) Now we are going to send an ARP request to Server 2003 A [192.168.0.3] using the SendARP API. The ARP request will be broadcast from the BackUp PC as follows:

SHA : FF-GH   SPA : 192.168.0.1  THA : 00.00.00.00.00 TPA: 192.168.0.3

e) The ARP broadcast sent from the BackUp PC will reach all the nodes in the subnet. The above diagram now changes as shown below:

[Figure clip_image004: the subnet after the ARP broadcast in step d)]

f) The ARP caches of Server 2003 A and Windows XP were updated, but those of Server 2003 B and Server 2008 were not. First we will look at why Server 2003 B was not updated. For Server 2003 B to be updated, it must *already* have an entry in its ARP cache, as Server 2003 A and XP do. If its ARP cache is empty, Server 2003 B will just silently discard the incoming ARP request sent by the SendARP API from the BackUp PC.

Server 2008 & Vista Behavior for Updating the ARP Cache:

Unlike previous versions of Windows, ARP in Windows Server 2008 and Windows Vista does not update a neighbor cache entry with a different MAC address when it receives an ARP request whose SPA field matches a neighbor cache entry’s IP address. If a node on a subnet changes its MAC address, the corresponding entry in the neighbor cache of its neighbors is not changed until there is a new exchange of broadcast ARP request and unicast ARP reply messages.

For example, to update the Server 2008 ARP cache, the BackUp PC must send an ARP request using the SendARP API as follows:

SHA : FF-GH   SPA : 192.168.0.1  THA : 00.00.00.00.00 TPA: 192.168.0.2

Then the ARP cache in Server 2008 will be updated with the BackUp PC’s MAC address.
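The case study can be replayed as a small model of the cache-update rules. This is an added example, not code from the original post or from Windows: the Node class and its rules are a simplification drawn from the steps above (in particular, a Vista/2008 node is assumed to accept an update only from a request addressed to itself), and the MAC labels EA-EB and FF-GH are the abbreviated ones used in the article.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    ip: str
    vista_or_later: bool
    cache: dict = field(default_factory=dict)   # IP address -> MAC label

    def on_arp_request(self, sha: str, spa: str, tpa: str) -> bool:
        """Apply the article's update rules; return True if the cache changed."""
        if spa == "0.0.0.0":
            return False                 # DAD probe: nothing to cache
        is_target = (tpa == self.ip)
        if self.vista_or_later:
            accept = is_target           # assumption: only a request sent to this node
        else:
            # Previous versions: also overwrite an entry that already exists.
            accept = is_target or spa in self.cache
        if accept and self.cache.get(spa) != sha:
            self.cache[spa] = sha
            return True
        return False

def broadcast(nodes, sha, spa, tpa):
    """Deliver one broadcast request to every node; list the caches that changed."""
    return [n.name for n in nodes if n.on_arp_request(sha, spa, tpa)]

def case_study():
    old = {"192.168.0.1": "EA-EB"}       # entry for the failed primary box
    nodes = [
        Node("Server 2008", "192.168.0.2", True, dict(old)),
        Node("Server 2003 A", "192.168.0.3", False, dict(old)),
        Node("Windows XP", "192.168.0.4", False, dict(old)),
        Node("Server 2003 B", "192.168.0.5", False, {}),
    ]
    step_a = broadcast(nodes, "FF-GH", "0.0.0.0", "192.168.0.1")      # DAD probe
    step_d = broadcast(nodes, "FF-GH", "192.168.0.1", "192.168.0.3")  # SendARP to 2003 A
    final = broadcast(nodes, "FF-GH", "192.168.0.1", "192.168.0.2")   # SendARP to 2008
    return step_a, step_d, final, nodes

if __name__ == "__main__":
    a, d, f, nodes = case_study()
    print("updated by step a):", a)
    print("updated by step d):", d)
    print("updated by request to Server 2008:", f)
    for n in nodes:
        print(n.name, n.cache)
```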

Balajee P

Windows SDK – Base Kernel/Networking.

References:

- Windows Server® 2008 TCP/IP Protocols and Services – Joseph Davies. [ https://www.microsoft.com/learning/en/us/book.aspx?ID=11630&locale=en-us ]