Configuring ARP for use across Data Diodes

Address Resolution Protocol (ARP) is the protocol used to discover the hardware address, or Media Access Control (MAC) address, that corresponds to an IP address. Typically a sending station knows the destination IP address it wishes to send to but does not know the MAC address. Before communication between the two hosts can occur, an ARP request is sent to discover the destination MAC address. The ARP request names the destination IP address but is sent to the MAC broadcast address FF:FF:FF:FF:FF:FF. All devices on the subnet receive this broadcast, but only the host configured with that IP address responds. The response is a unicast message back to the sender containing the MAC address to use for subsequent communication.

Each host builds an ARP cache, a table of IP addresses and their corresponding MAC addresses. The sending device consults the cache whenever it needs a destination MAC address to build a frame. If no entry exists for the desired destination IP address, the lookup triggers an ARP request.

In a network that employs a data diode the link is unidirectional by design, so no return traffic is possible. Should a sending host need to use ARP to learn a MAC address, the broadcast could be sent but no response would ever be received, because the diode blocks it. ARP is therefore of no use in this scenario and another method of populating the ARP cache is required.


[Figure: Data Diode ARP setup]

The solution is to furnish the sending device's ARP cache with a static ARP entry. For Windows hosts this can be done in one of two ways.

1 - To add a transient ARP entry (the entry is lost on a power cycle)

From the command line:

Syntax   -   arp -s dest_ip_addr mac_addr

Example  -   arp -s 00-14-85-01-4A-57

2 - To add a permanent ARP entry

From the command line:

Syntax   -   netsh -c interface ipv4 add neighbors "Network Card Name" "IP Address" "MAC Address" store=persistent

Example  -   netsh -c interface ipv4 add neighbors "Local Area Connection" "" "00-14-85-01-4A-57" store=persistent

The command 'arp -a' displays the contents of the ARP cache. To verify that traffic is being forwarded through the diode to the desired destination, a simple ping test can be performed. These pings will clearly never get a response, but on the targeted device the following command can be issued:

netstat -s -p icmp

This displays ICMP statistics; the received-messages counter increments by one for each ping that arrives.
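The procedure above, scripted as an added example (not part of the original article): the sender-side function installs the persistent static entry and checks that the cache really holds it, and the receiver-side function reads the ICMPv4 received counter the article inspects with 'netstat -s -p icmp'. The adapter name and the 192.0.2.10 address are constructed placeholders; the MAC is the one from the article's example.

```powershell
# Added example, not from the original article. Run Set-DiodeNeighbor on the sending
# host and Get-IcmpReceivedCount on the host behind the diode. IP/adapter values are
# constructed placeholders (192.0.2.10 is a documentation address, not a real host).

function Set-DiodeNeighbor {
    param(
        [string]$InterfaceAlias,   # assumption: the adapter that faces the diode
        [string]$DestinationIp,    # receiver's IP address behind the diode
        [string]$DestinationMac    # receiver's MAC address, e.g. 00-14-85-01-4A-57
    )
    # A mistyped MAC silently blackholes traffic, because no ARP reply can ever
    # correct a static entry; validate before touching the cache.
    if ($DestinationMac -notmatch '^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$') {
        throw "Malformed MAC address: $DestinationMac"
    }
    # Drop any stale dynamic entry, then add the permanent one. PersistentStore
    # survives reboots, matching 'netsh ... add neighbors ... store=persistent'.
    Get-NetNeighbor -InterfaceAlias $InterfaceAlias -IPAddress $DestinationIp -ErrorAction SilentlyContinue |
        Remove-NetNeighbor -Confirm:$false
    New-NetNeighbor -InterfaceAlias $InterfaceAlias -IPAddress $DestinationIp `
        -LinkLayerAddress $DestinationMac -State Permanent -PolicyStore PersistentStore | Out-Null
    # Verify: the active cache must now show the entry as Permanent with the right MAC.
    $entry = Get-NetNeighbor -InterfaceAlias $InterfaceAlias -IPAddress $DestinationIp
    if ($entry.State -ne 'Permanent' -or $entry.LinkLayerAddress -ne $DestinationMac) {
        throw "Static entry not installed as expected: $($entry | Out-String)"
    }
    $entry
}

function Get-IcmpReceivedCount {
    # Parses the "Messages <received> <sent>" row of 'netstat -s -p icmp' on the receiver.
    $text = (netstat -s -p icmp) -join "`n"
    if ($text -notmatch '(?m)^\s*Messages\s+(\d+)\s+(\d+)') {
        throw 'Could not parse ICMP statistics'
    }
    [int]$Matches[1]
}

# Sender: install the entry, then send a fixed burst. The pings cannot be answered
# through a diode, so -Quiet only suppresses the inevitable timeout output.
Set-DiodeNeighbor -InterfaceAlias 'Local Area Connection' -DestinationIp '192.0.2.10' -DestinationMac '00-14-85-01-4A-57'
Test-Connection -ComputerName 192.0.2.10 -Count 4 -Quiet | Out-Null

# Receiver: sample the counter before and after the sender's burst; expect a rise of 4.
# $before = Get-IcmpReceivedCount; <sender runs its burst>; $after = Get-IcmpReceivedCount
# if (($after - $before) -ne 4) { Write-Warning 'Not every ping arrived through the diode' }
```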