Arp Advanced Settings Summary - D-Link DFL-260E User Manual

3.4.5. ARP Advanced Settings
Summary
It is possible for a host on a connected network to send an ARP reply to NetDefendOS even though
a corresponding ARP request was not issued. This is known as an unsolicited ARP reply.
According to the ARP specification, the recipient should accept these types of ARP replies.
However, because this could be a malicious attempt to hijack a connection, NetDefendOS will by
default drop and log unsolicited ARP replies.
This behavior can be changed by modifying the advanced setting Unsolicited ARP Replies.
ARP Requests
The ARP specification states that a host should update its ARP Cache with data from ARP requests
received from other hosts. However, as this procedure can facilitate hijacking of local connections,
NetDefendOS will normally not allow this.
To make the behavior compliant with the RFC 826 specification, the administrator can modify the
setting ARP Requests. Even if this is set to Drop (meaning that the packet is discarded without
being stored), NetDefendOS will reply to it provided that other rules approve the request.
Changes to the ARP Cache
A received ARP reply or ARP request can possibly alter an existing entry in the ARP cache.
Allowing this to take place may allow hijacking of local connections. However, not allowing this
may cause problems if, for example, a network adapter is replaced since NetDefendOS will not
accept the new address until the previous ARP cache entry has timed out.
The advanced setting Static ARP Changes can modify this behavior. The default behavior is that
NetDefendOS will allow changes to take place, but all such changes will be logged.
A similar issue occurs when information in ARP replies or ARP requests could collide with static
entries in the ARP cache. This should not be allowed to happen and changing the setting Static
ARP Changes allows the administrator to specify whether or not such situations are logged.
Sender IP 0.0.0.0
NetDefendOS can be configured for handling ARP queries that have a sender IP of 0.0.0.0. Such
sender IPs are never valid as responses, but network units that have not yet learned of their IP
address sometimes ask ARP questions with an "unspecified" sender IP. Normally, these ARP replies
are dropped and logged, but the behavior can be changed by modifying the setting ARP Query No
Sender.
Matching Ethernet Addresses
By default, NetDefendOS will require that the sender address at Ethernet level should comply with
the Ethernet address reported in the ARP data. If this is not the case, the reply will be dropped and
logged. The behavior can be changed by modifying the setting ARP Match Ethernet Sender.

3.4.5. ARP Advanced Settings Summary

The following advanced settings are available with ARP:
ARP Match Ethernet Sender
Determines if NetDefendOS will require the sender address at Ethernet level to comply with the
hardware address reported in the ARP data.
Default: DropLog
117
Chapter 3. Fundamentals