Provided by: arpon_3.0-ng+dfsg1-5build2_amd64

NAME

       ArpON - ARP handler inspection

IMPORTANT NOTICE

       Since ArpON 3.0-ng (next generation), ArpON has been rewritten from scratch; therefore all
       the old versions of ArpON (lower than 3.0-ng) are deprecated. Please upgrade all
       installations of ArpON and carefully read the documentation specified below and this man
       page of ArpON.

SYNOPSIS

       arpon [OPTIONS] [SARPI | DARPI | HARPI]

DESCRIPTION

       ArpON (ARP handler inspection) is a host-based solution that makes the ARP standardized
       protocol secure in order to avoid the Man In The Middle (MITM) attack through ARP
       spoofing, ARP cache poisoning or ARP poison routing.

       This is possible using three kinds of anti ARP spoofing techniques:

       1) SARPI (Static ARP Inspection) for the statically configured networks without DHCP;
       2) DARPI (Dynamic ARP Inspection) for the dynamically configured networks with DHCP;
       3) HARPI (Hybrid ARP Inspection) for the statically and  dynamically  configured  networks
       with DHCP.

       The goal of ArpON is therefore to provide a secure and efficient network daemon that
       provides the SARPI, DARPI and HARPI anti ARP spoofing techniques, thus making the ARP
       standardized protocol secure from any foreign intrusion.

       ArpON sets policies in the ARP cache for all the static and/or dynamic entries matching
       the specified network interface (or matching each of several specified network interfaces,
       if several daemons of ArpON are run concurrently for different network interfaces), by
       running the SARPI, DARPI or HARPI anti ARP spoofing technique.

       ArpON has to be run with root privileges. ArpON has to be configured using command-line
       options and a configuration file. ArpON reloads the configuration of the specified
       network interface and rereads its configuration file when it receives a hangup signal
       (SIGHUP), by executing itself with the name and options it was started with. ArpON exits
       correctly when it receives an interrupt signal (SIGINT) or a termination signal (SIGTERM).

IMPORTANT NOTE

       The ArpON daemon sets two fundamental kernel network parameters via the  sysctl  interface
       on the specified network interface:

       1)  The  arp_ignore kernel parameter of the specified network interface is always set to 8
       by ArpON. This is done to disable, in the specified network  interface  of  the  Operating
       System,  the sending of the ARP replies in response to received ARP requests for all local
       addresses (the ARP replies on the specified network  interface,  will  be  sent  by  ArpON
       instead of the Operating System).

       2)  The  arp_accept kernel parameter of the specified network interface is always set to 0
       by ArpON. This is done to disable, in the specified network  interface  of  the  Operating
       System,  the  creating of the new IP entries in the ARP cache triggered by the unsolicited
       and gratuitous ARP requests and replies (the IP entries in the ARP cache on the  specified
       network  interface,  will  be  created or updated by ArpON as static or dynamic IP entries
       instead of the Operating System).

       The ArpON daemon restores the values it previously read from the arp_ignore and arp_accept
       kernel parameters of the specified network interface when it receives an interrupt signal
       (SIGINT) or a termination signal (SIGTERM). Remember to restore the values of the
       arp_ignore and arp_accept kernel parameters of the specified network interface (the
       default values are 0 for both) if you have terminated the ArpON daemon with other
       signals, e.g. the kill signal (SIGKILL).
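
       The recovery step described above, as an added example that is not part of ArpON or its
       documentation: it detects an interface left at arp_ignore=8 with no arpon daemon attached
       (for instance after SIGKILL) and writes back the defaults this man page names.
       SYSCTL_ROOT and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not ArpON code. SYSCTL_ROOT is an assumed override used for
# offline testing; on a live host it is /proc/sys and writing needs root.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print "<arp_ignore> <arp_accept>" for an interface; fail if it has no sysctl dir.
arp_params() {
    d="$SYSCTL_ROOT/net/ipv4/conf/$1"
    [ -r "$d/arp_ignore" ] && [ -r "$d/arp_accept" ] || return 1
    echo "$(cat "$d/arp_ignore") $(cat "$d/arp_accept")"
}

# Heuristic: is an arpon process running with "-i <iface>" / "--interface <iface>"?
# The pid file cannot answer this, since it only records the daemon started last.
arpon_running_on() {
    for pid in $(pgrep -x arpon 2>/dev/null); do
        tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline" |
            grep -qF -e " -i $1 " -e " --interface $1 " && return 0
    done
    return 1
}

# Returns 0 if the interface is clean or was restored, 1 on error,
# 2 if a daemon still owns the interface (values left untouched).
restore_arp_params() {
    iface="$1"
    vals=$(arp_params "$iface") || { echo "$iface: no sysctl entry" >&2; return 1; }
    if arpon_running_on "$iface"; then
        echo "$iface: arpon running, leaving arp_ignore/arp_accept at $vals"
        return 2
    fi
    # arp_accept=0 is also the default, so arp_ignore=8 is the only visible trace.
    case "$vals" in
        "8 "*) ;;
        *) echo "$iface: nothing to restore ($vals)"; return 0 ;;
    esac
    dir="$SYSCTL_ROOT/net/ipv4/conf/$iface"
    # 0/0 are the defaults named in the man page; use your own baseline if it differs.
    echo 0 > "$dir/arp_ignore" && echo 0 > "$dir/arp_accept" || return 1
    echo "$iface: restored arp_ignore=0 arp_accept=0 (was $vals)"
}

if [ $# -gt 0 ]; then restore_arp_params "$1"; fi
```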

OPTIONS SUMMARY

       The available options are:

       GENERAL OPTIONS

       -d (--daemon)
              Daemonize the ArpON.

       -i (--interface) <interface>
              Use the specified network interface.

       SARPI 'STATIC ARP INSPECTION' OPTION

       SARPI  anti ARP spoofing technique manages and sets the policies in the ARP cache only for
       all the static entries matching the specified network interface, in order to avoid the Man
       In  The  Middle  (MITM) attack through the ARP spoofing, ARP cache poisoning or ARP poison
       routing. Therefore SARPI is an optimal choice  in  those  statically  configured  networks
       without DHCP. SARPI sets these policies:

       1)  CLEAN:  SARPI  cleans  from  the ARP cache only all the entries matching the specified
       network interface, that are present or not present in the configuration file;
       2) UPDATE: SARPI updates in the ARP  cache  only  all  the  static  entries  matching  the
       specified network interface, that are present in the configuration file;
       3)  REFRESH:  SARPI  refreshes in the ARP cache only a static entry matching the specified
       network interface, that is present in the configuration file;
       4) ALLOW: SARPI sets up in the ARP cache only  a  dynamic  entry  matching  the  specified
       network interface, that is not present in the configuration file.

       Therefore  SARPI  requires  a  specified  network  interface  and the specification in the
       configuration file of the ARP cache only for all the static entries matching the specified
       network interface.

       -S (--sarpi)
              Run SARPI anti ARP spoofing technique.

       DARPI 'DYNAMIC ARP INSPECTION' OPTION

       DARPI  anti ARP spoofing technique manages and sets the policies in the ARP cache only for
       all the dynamic entries matching the specified network interface, in order  to  avoid  the
       Man  In  The  Middle  (MITM)  attack  through the ARP spoofing, ARP cache poisoning or ARP
       poison routing. Therefore DARPI is an  optimal  choice  in  those  dynamically  configured
       networks with DHCP. DARPI sets these policies:

       1)  CLEAN:  DARPI  cleans  from  the ARP cache only all the entries matching the specified
       network interface;
       2) ALLOW: DARPI sets up in the ARP cache only  a  dynamic  entry  matching  the  specified
       network interface;
       3)  DENY:  DARPI  cleans up from the ARP cache only a dynamic entry matching the specified
       network interface.

       Therefore DARPI requires a specified network interface and it doesn't require any
       specification in the configuration file of the ARP cache only for all the dynamic entries
       matching the specified network interface.

       -D (--darpi)
              Run DARPI anti ARP spoofing technique.

       HARPI 'HYBRID ARP INSPECTION' OPTION

       HARPI anti ARP spoofing technique manages and sets the policies in the ARP cache for  both
       all  the  static and dynamic entries matching the specified network interface, in order to
       avoid the Man In The Middle (MITM) attack through the ARP spoofing, ARP cache poisoning or
       ARP  poison  routing.  Therefore  HARPI  is  an  optimal  choice  in  those statically and
       dynamically configured networks with DHCP. HARPI sets and combines these policies  of  the
       SARPI and DARPI:

       1)  CLEAN:  HARPI  cleans  from  the ARP cache only all the entries matching the specified
       network interface, that are present or not present in the configuration file;
       2) UPDATE: HARPI updates in the ARP  cache  only  all  the  static  entries  matching  the
       specified network interface, that are present in the configuration file;
       3)  REFRESH:  HARPI  refreshes in the ARP cache only a static entry matching the specified
       network interface, that is present in the configuration file;
       4) ALLOW: HARPI sets up in the ARP cache only  a  dynamic  entry  matching  the  specified
       network interface, that is not present in the configuration file;
       5)  DENY:  HARPI  cleans up from the ARP cache only a dynamic entry matching the specified
       network interface, that is not present in the configuration file.

       Therefore HARPI requires a specified network interface and the specification in the
       configuration file of the ARP cache only for all the static entries matching the specified
       network interface; instead it doesn't require any specification in the configuration file
       of the ARP cache only for all the dynamic entries matching the specified network
       interface.

       -H (--harpi)
              Run HARPI anti ARP spoofing technique.

       STANDARD OPTIONS

       -v (--version)
              Print the version and exit.

       -h (--help)
              Print the help screen and exit.

FILES

       The available files are:

       /etc/arpon.conf
              The configuration file contains the configuration data of ArpON and it is used when
              running the SARPI or HARPI anti ARP spoofing technique, for the specification in the
              ARP cache only for all the static entries matching the specified network interface
              (or matching each of several specified network interfaces, if several daemons of
              ArpON are run concurrently for different network interfaces). This file should be
              writable by root only but it is recommended (though not necessary) that it be
              world-readable.

       /var/log/arpon.log
              The log file contains the log data of ArpON. If there are several daemons of  ArpON
              running  concurrently  for different network interfaces, this contains the log data
              of all the daemons of ArpON. This file should be readable only by  root,  and  need
              not be readable by anyone else.

       /var/run/arpon.pid
              The  pid  file  contains  the  process ID of ArpON. If there are several daemons of
              ArpON running concurrently for different  network  interfaces,  this  contains  the
              process  ID  of the one started last. The content of this file is not sensitive; it
              can be world-readable.
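
       An added example, not part of ArpON: a pre-start check of the configuration file that
       SARPI and HARPI trust for their static entries, covering both its contents and the
       root-only write permission asked for above. The line format is inferred from the sample
       configuration under EXAMPLES; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not ArpON code. The "<IPv4> <MAC>" line format and "#" comments
# are inferred from the sample /etc/arpon.conf shown in this man page.

# Print one finding per malformed or conflicting entry; exit status 1 if any.
check_arpon_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    NF != 2 { printf "line %d: expected <IPv4> <MAC>\n", NR; bad++; next }
    {
        n = split($1, o, "."); ok = (n == 4)
        for (i = 1; i <= n && ok; i++)
            ok = (o[i] ~ /^[0-9]+$/ && o[i] + 0 <= 255)
        if (!ok) { printf "line %d: bad IPv4 address %s\n", NR, $1; bad++; next }

        mac = tolower($2); n = split(mac, h, ":"); ok = (n == 6)
        for (i = 1; i <= n && ok; i++) ok = (h[i] ~ /^[0-9a-f][0-9a-f]$/)
        if (!ok) { printf "line %d: bad MAC address %s\n", NR, $2; bad++; next }

        # The same IP pinned to two different MACs makes the static entry ambiguous.
        if (($1 in seen) && seen[$1] != mac) {
            printf "line %d: %s already pinned to %s\n", NR, $1, seen[$1]; bad++
        }
        seen[$1] = mac
    }
    END { exit (bad > 0) }' "$1"
}

# Report ownership/mode problems: the file should be writable by root only,
# otherwise another local user could change which MAC an IP is pinned to.
check_arpon_conf_perms() {
    ls -lnd -- "$1" | awk -v f="$1" '{
        if ($3 != 0) { printf "%s: owner uid %s is not root\n", f, $3; bad++ }
        if (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") {
            printf "%s: writable by group or others (%s)\n", f, $1; bad++
        }
        exit (bad > 0)
    }'
}

if [ $# -gt 0 ]; then check_arpon_conf "$1"; check_arpon_conf_perms "$1"; fi
```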

EXAMPLES

       These examples show how to use all three kinds of anti ARP spoofing techniques.

       On the same host, we have three network interfaces with different subnet classes and we
       want to set the ARP cache for all the static and dynamic entries matching the eth0, wlan0
       and eth1 network interfaces. This scenario requires running three daemons of ArpON
       concurrently:

       SARPI 'STATIC ARP INSPECTION' EXAMPLE

       The  eth0  network  interface has the 192.168.1.2/24 IP address. We have only three static
       entries of the ARP cache:

       1) 192.168.1.1 at 58:ac:78:10:b9:77;
       2) 192.168.1.3 at d4:be:d9:fe:8b:45;
       3) 192.168.1.4 at 90:94:e4:bb:1c:10.

       and we have no dynamic entries of the ARP cache. This is the ideal case where we  have  to
       use  the SARPI anti ARP spoofing technique, therefore specify in the configuration file of
       the ARP cache only all the static entries matching the eth0 network interface:

              $ sudo nano /etc/arpon.conf

       Therefore:

              #
              # ArpON configuration file.
              #
              # See the arpon(8) man page for details.
              #

              #
              # Static entries matching the eth0 network interface:
              #
              # First static entry:
              192.168.1.1     58:ac:78:10:b9:77
              # Second static entry:
              192.168.1.3     d4:be:d9:fe:8b:45
              # Third static entry:
              192.168.1.4     90:94:e4:bb:1c:10

       Daemonize the ArpON and run  SARPI  anti  ARP  spoofing  technique  on  the  eth0  network
       interface:

              $ sudo arpon -d -i eth0 -S

       Read the log file:

              $ sudo tail -f /var/log/arpon.log

       Read the pid file:

              $ cat /var/run/arpon.pid

       DARPI 'DYNAMIC ARP INSPECTION' EXAMPLE

       The wlan0 network interface has the 172.16.1.2/24 IP address. We have no static entries of
       the ARP cache, and we have only dynamic entries of the ARP cache. This is the  ideal  case
       where  we have to use the DARPI anti ARP spoofing technique, therefore daemonize the ArpON
       and run DARPI anti ARP spoofing technique on the wlan0 network interface:

              $ sudo arpon -d -i wlan0 -D

       Read the log file:

              $ sudo tail -f /var/log/arpon.log

       Read the pid file:

              $ cat /var/run/arpon.pid

       HARPI 'HYBRID ARP INSPECTION' EXAMPLE

       The eth1 network interface has the 10.0.1.2/16 IP address. We have only two static entries
       of the ARP cache:

       1) 10.0.1.1 at 58:ac:78:88:1a:bb;
       2) 10.0.10.1 at 90:94:e4:7e:f4:59.

       and  we  have  the  rest of entries as dynamic entries of the ARP cache. This is the ideal
       case where we have to use the HARPI anti ARP spoofing technique, therefore specify in  the
       configuration  file of the ARP cache only all the static entries matching the eth1 network
       interface:

              $ sudo nano /etc/arpon.conf

       Therefore:

              #
              # ArpON configuration file.
              #
              # See the arpon(8) man page for details.
              #

              #
              # Static entries matching the eth0 network interface:
              #
              # First static entry:
              192.168.1.1     58:ac:78:10:b9:77
              # Second static entry:
              192.168.1.3     d4:be:d9:fe:8b:45
              # Third static entry:
              192.168.1.4     90:94:e4:bb:1c:10

              #
              # Static entries matching the eth1 network interface:
              #
              # First static entry:
              10.0.1.1        58:ac:78:88:1a:bb
              # Second static entry:
              10.0.10.1       90:94:e4:7e:f4:59

       Daemonize the ArpON and run  HARPI  anti  ARP  spoofing  technique  on  the  eth1  network
       interface:

              $ sudo arpon -d -i eth1 -H

       Read the log file:

              $ sudo tail -f /var/log/arpon.log

       Read the pid file:

              $ cat /var/run/arpon.pid

DOCUMENTATION

       Please see also the documentation file:

              /usr/share/doc/arpon/index.html

       It contains the retrieving tutorial; the building tutorial; the installation tutorial; the
       user tutorial with many examples and scenarios; the development tutorial with the Activity
       diagrams of the SARPI, DARPI and HARPI anti ARP spoofing technique and with modular source
       code well commented; the bug report tutorial that takes you step-by-step  through  all  of
       the features of ArpON.

DEVELOPMENT AND BUGS

       Please send questions, desirable enhancements, patches, source code contributions,
       problems, bugs, etc. to the author or via the Bug tracking system, as specified in the
       documentation file specified above and in the official website:

              http://arpon.sourceforge.net

AUTHOR

       ArpON was written by Andrea Di Pasquale aka "spikey" <spikey.it@gmail.com>.

       Copyright (C) 2008-2016 Andrea Di Pasquale <spikey.it@gmail.com>
       All rights reserved.

       Redistribution  and  use  in  source  and  binary forms, with or without modification, are
       permitted provided that the following conditions are met:

       1. Redistributions of source code must retain the above copyright  notice,  this  list  of
       conditions and the following disclaimer.

       2.  Redistributions in binary form must reproduce the above copyright notice, this list of
       conditions and the following  disclaimer  in  the  documentation  and/or  other  materials
       provided with the distribution.

       THIS  SOFTWARE  IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
       INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
       PARTICULAR  PURPOSE  ARE  DISCLAIMED.   IN  NO  EVENT SHALL THE AUTHOR OR HIS RELATIVES BE
       LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  DAMAGES
       (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF MIND,
       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER  CAUSED  AND  ON  ANY  THEORY  OF
       LIABILITY,  WHETHER  IN  CONTRACT,  STRICT  LIABILITY,  OR  TORT  (INCLUDING NEGLIGENCE OR
       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,  EVEN  IF  ADVISED  OF  THE
       POSSIBILITY OF SUCH DAMAGE.

NOTES

       The  ArpON daemon is completely compatible with the ARP standardized protocol as described
       in these official RFC documents:

       1. RFC 826:
              http://tools.ietf.org/html/rfc826

       2. RFC 2131:
              http://tools.ietf.org/html/rfc2131

       3. RFC 3927:
              http://tools.ietf.org/html/rfc3927

       4. RFC 5227:
              http://tools.ietf.org/html/rfc5227

       The ArpON daemon sets  the  arp_ignore  and  the  arp_accept  fundamental  kernel  network
       parameters via the sysctl interface as described in this official kernel document:

       1. IP sysctl:
              http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt