When I send a UDP packet with wrong source MAC address but with right source IP address, assuming a reply is sent, will I get the reply because I have right source IP address, or I will not get the reply because I have wrong source MAC address?
Packet with wrong source MAC address
macprotocol-theoryudp
Related Solutions
The RFC doesn't address your second scenario. The reason for this is that Host C sending to Host A may not be on the same network as Host A. Host A having an ARP cache entry in that case doesn't make sense since Host A will never look for Host C in its ARP cache. Host A will always know Host C is not on its network, so it will always look for its own gateway's entry in its ARP cache when it wants to send to Host C.
There may be implementations that do what you what you describe, but it is not addressed by the standard, and it would seem to waste ARP cache memory.
When in doubt, the RFC which creates the protocol usually has the answer. RFC 826, An Ethernet Address Resolution Protocol has a description of what happens when a host receives an ARP request, including the rationale for why it is done the way it is. It says that you, "Swap hardware and protocol fields, putting the local hardware and protocol addresses in the sender fields." Some may interpret this to mean that you only change the sender fields, while other may think that swap means swap. This is how you get conflicting information and implementation of these protocols. Often a succeeding RFC will come out to explain which direction is the correct one. In this case, ARP is really a layer-2 communication, so the destination IP address isn't really the issue in a reply because the reply is back to the requesting layer MAC address, and it is not passed back up the stack to layer-3.
By the way, it doesn't matter if both devices are in the same subnet since a PC should never ARP for an IP address not in its subnet; it will send an ARP for the configured gateway IP address, instead of a destination IP address not in its subnet.
Packet Reception:
When an address resolution packet is received, the receiving Ethernet module gives the packet to the Address Resolution module which goes through an algorithm similar to the following. Negative conditionals indicate an end of processing and a discarding of the packet.
?Do I have the hardware type in ar$hrd? Yes: (almost definitely) [optionally check the hardware length ar$hln] ?Do I speak the protocol in ar$pro? Yes: [optionally check the protocol length ar$pln] Merge_flag := false If the pair <protocol type, sender protocol address> is already in my translation table, update the sender hardware address field of the entry with the new information in the packet and set Merge_flag to true. ?Am I the target protocol address? Yes: If Merge_flag is false, add the triplet <protocol type, sender protocol address, sender hardware address> to the translation table. ?Is the opcode ares_op$REQUEST? (NOW look at the opcode!!) Yes: Swap hardware and protocol fields, putting the local hardware and protocol addresses in the sender fields. Set the ar$op field to ares_op$REPLY Send the packet to the (new) target hardware address on the same hardware on which the request was received.Notice that the <protocol type, sender protocol address, sender hardware address> triplet is merged into the table before the opcode is looked at. This is on the assumption that communcation is bidirectional; if A has some reason to talk to B, then B will probably have some reason to talk to A. Notice also that if an entry already exists for the <protocol type, sender protocol address> pair, then the new hardware address supersedes the old one. Related Issues gives some motivation for this.
Generalization: The ar$hrd and ar$hln fields allow this protocol and packet format to be used for non-10Mbit Ethernets. For the 10Mbit Ethernet <ar$hrd, ar$hln> takes on the value <1, 6>. For other hardware networks, the ar$pro field may no longer correspond to the Ethernet type field, but it should be associated with the protocol whose address resolution is being sought.
Why is it done this way??
Periodic broadcasting is definitely not desired. Imagine 100 workstations on a single Ethernet, each broadcasting address resolution information once per 10 minutes (as one possible set of parameters). This is one packet every 6 seconds. This is almost reasonable, but what use is it? The workstations aren't generally going to be talking to each other (and therefore have 100 useless entries in a table); they will be mainly talking to a mainframe, file server or bridge, but only to a small number of other workstations (for interactive conversations, for example). The protocol described in this paper distributes information as it is needed, and only once (probably) per boot of a machine.
This format does not allow for more than one resolution to be done in the same packet. This is for simplicity. If things were multiplexed the packet format would be considerably harder to digest, and much of the information could be gratuitous. Think of a bridge that talks four protocols telling a workstation all four protocol addresses, three of which the workstation will probably never use.
This format allows the packet buffer to be reused if a reply is generated; a reply has the same length as a request, and several of the fields are the same.
The value of the hardware field (ar$hrd) is taken from a list for this purpose. Currently the only defined value is for the 10Mbit Ethernet (ares_hrd$Ethernet = 1). There has been talk of using this protocol for Packet Radio Networks as well, and this will require another value as will other future hardware mediums that wish to use this protocol.
For the 10Mbit Ethernet, the value in the protocol field (ar$pro) is taken from the set ether_type$. This is a natural reuse of the assigned protocol types. Combining this with the opcode (ar$op) would effectively halve the number of protocols that can be resolved under this protocol and would make a monitor/debugger more complex (see Network Monitoring and Debugging below). It is hoped that we will never see 32768 protocols, but Murphy made some laws which don't allow us to make this assumption.
In theory, the length fields (ar$hln and ar$pln) are redundant, since the length of a protocol address should be determined by the hardware type (found in ar$hrd) and the protocol type (found in ar$pro). It is included for optional consistency checking, and for network monitoring and debugging (see below).
The opcode is to determine if this is a request (which may cause a reply) or a reply to a previous request. 16 bits for this is overkill, but a flag (field) is needed.
The sender hardware address and sender protocol address are absolutely necessary. It is these fields that get put in a translation table.
The target protocol address is necessary in the request form of the packet so that a machine can determine whether or not to enter the sender information in a table or to send a reply. It is not necessarily needed in the reply form if one assumes a reply is only provoked by a request. It is included for completeness, network monitoring, and to simplify the suggested processing algorithm described above (which does not look at the opcode until AFTER putting the sender information in a table).
The target hardware address is included for completeness and network monitoring. It has no meaning in the request form, since it is this number that the machine is requesting. Its meaning in the reply form is the address of the machine making the request. In some implementations (which do not get to look at the 14.byte ethernet header, for example) this may save some register shuffling or stack space by sending this field to the hardware driver as the hardware destination address of the packet.
There are no padding bytes between addresses. The packet data should be viewed as a byte stream in which only 3 byte pairs are defined to be words (ar$hrd, ar$pro and ar$op) which are sent most significant byte first (Ethernet/PDP-10 byte style).
Best Answer
Consider the following network, with correct addressing, masks and the obvious routes.
Case 1: Local
A sends packet to X with correct IP source address but incorrect source MAC address
Result: frame arrives at switch, which updates its CAM table, then frame arrives at X, which updates its ARP table, hands UDP packet upstairs in its stack, which generates a reply. Reply to A's IP address will get wrapped in the wrong ether address for the poisoned ARP cache. The switch will normally send the reply towards the original sender, but potentially if the incorrect ethernet address is that of another host J, that host will receive the frame and do whatever it likes with it. If no host actually has that ether address, J might still be able to snoop the frame, depending on the details of the switches. What happens next depends on the upper protocol, whether A notices it hasn't had a reply and starts resending, etc.
Case 2: Remote
B sends packet to X with correct IP source address but incorrect source MAC address
B sends frame through the switch, which updates its CAM table, to R, which might conceivably reject it. More likely it updates its ARP cache for B, and forwards the packet to X.
X receives and formulates reply, which will be directed to R because B is not local. R receives the packet, see it's for a local network, and wraps in ether with the poisoned ether address from its cache. Just like the local case, depending on the details of the switch, K could be the destination, or able to snoop the frame.
Notes
I've described the ordinary situation with common operating systems, switches, and routers; these are designed to minimise the management required, at the cost of being open to certain kinds of problem.
You'll see that in the local and remote cases, the thing that goes wrong is that an ARP cache is updated with incorrect information, and switches' CAM tables. The usual reason for this kind of frame with incorrect ether source address is an intended ARP cache poisoning attack, and very occasionally innocent misconfiguration of something.
Many operating systems therefore allow settings to lock ARP cache entries, to prevent J and K stealing the mail of their neighbours A and B. Routers and switches also have facilities for preventing such things.