Arp

Introduction

Address Resolution Protocol (ARP) is a critical network protocol operating at the data link layer. It maps network layer IP addresses to link layer MAC addresses, enabling communication between devices in a local area network (LAN). ARP facilitates data delivery within Ethernet and other IEEE 802 networks by resolving device hardware addresses.

"Without ARP, IP packets could not reach their destination on a LAN since MAC addresses would remain unknown." -- W. Stallings

Definition and Purpose

What is ARP?

Protocol: Address Resolution Protocol. Layer: Data Link (Layer 2) interaction with Network Layer (Layer 3). Purpose: Resolve IPv4 addresses to MAC addresses for frame delivery.

Role in Network Communication

Enables IP packet transmission over Ethernet by finding destination MAC. Essential for intra-network traffic. Supports protocols like IPv4 where hardware addressing is necessary.

Scope of Operation

Limited to broadcast domain or subnet. ARP requests are broadcast; replies are unicast. Does not cross routers without proxy ARP.

Operation Mechanism

Triggering ARP

Initiated when a device wants to send an IP packet but lacks corresponding MAC address in ARP cache.

Request Process

Sender broadcasts ARP request packet containing target IP address. All hosts receive request but only target replies.

Reply Process

Target responds with ARP reply giving its MAC address. Sender updates ARP cache for future use.

Cache Utilization

Subsequent packets use cached MAC addresses, reducing network traffic and latency.

ARP Message Format

Packet Structure

Consists of fixed 28-byte header with fields specifying protocol and hardware types, lengths, operation code, and addresses.

Key Fields

Hardware Type (HTYPE): Ethernet = 1. Protocol Type (PTYPE): IPv4 = 0x0800. Hardware Size (HLEN): 6 bytes. Protocol Size (PLEN): 4 bytes. Operation: 1=request, 2=reply.

Address Fields

Sender Hardware Address (SHA), Sender Protocol Address (SPA), Target Hardware Address (THA), Target Protocol Address (TPA).

ARP Request and Reply

Request Message

Broadcast frame with target IP address unknown. MAC address field set to all zeroes. Destination MAC: Broadcast (FF:FF:FF:FF:FF:FF).

Reply Message

Unicast frame to sender. Contains target’s MAC address. Enables sender to update ARP cache.

Packet Flow

Sender broadcasts request → target receives and sends reply → sender updates mapping → communication proceeds.

// ARP Request Algorithmif (IP_to_MAC not in ARP_cache) { broadcast ARP_request(target_IP); wait for ARP_reply; if (reply received) { update ARP_cache(target_IP, target_MAC); } else { report unreachable; }} 

ARP Cache and Timers

Cache Purpose

Stores recent IP-to-MAC mappings. Reduces broadcast traffic. Improves performance.

Entry Timeout

Entries expire after fixed duration (commonly 2-10 minutes). Expiry triggers new ARP request.

Cache Management

Dynamic entries added/removed automatically. Static entries configured manually for persistent mappings.

Cache Poisoning Risk

Malicious updates can corrupt cache, leading to misrouting or man-in-the-middle attacks.

Types of ARP

Proxy ARP

Responds to ARP requests on behalf of another host. Enables communication across different subnets without routing.

Gratuitous ARP

Host broadcasts ARP request for its own IP to update neighbors’ cache or detect IP conflicts.

Inverse ARP (InARP)

Used in Frame Relay and ATM to resolve hardware address to known protocol address.

Reverse ARP (RARP)

Older protocol to obtain IP address from known MAC address. Superseded by DHCP.

Security Considerations

ARP Spoofing

Attackers send fake ARP replies to poison cache, intercept traffic, or cause denial of service.

Mitigation Techniques

Static ARP entries, packet filtering, dynamic ARP inspection (DAI), encryption of sensitive data.

Impact on Network

Potential for man-in-the-middle attacks, session hijacking, and data interception.

ARP in Different Networking Environments

Ethernet LANs

Standard ARP operates efficiently. Broadcast domain limited to switch or hub segment.

Wireless Networks

ARP functions similarly but may be affected by wireless broadcast limitations and security protocols.

Virtual LANs (VLANs)

ARP requests limited to VLAN broadcast domains. Inter-VLAN requires routing or proxy ARP.

IPv6 Networks

ARP replaced by Neighbor Discovery Protocol (NDP) for IPv6 address resolution.

Limitations and Issues

Broadcast Overhead

Request broadcast floods network. High device count increases ARP traffic.

Latency

Initial ARP request introduces delay before packet transmission.

Security Vulnerabilities

Cache poisoning, spoofing attacks exploit ARP weaknesses.

Non-scalability

Not suitable for very large or segmented networks without additional mechanisms.

Protocol Implementation

Operating System Support

Implemented in all major OSes (Windows, Linux, macOS). Managed by network stack.

API and Tools

Commands: arp, ip neigh, arp -a. Used for viewing and managing ARP cache.

Packet Capture and Analysis

Tools like Wireshark decode ARP packets for troubleshooting and monitoring.

// Sample ARP Cache Entry FormatIP Address MAC Address Type192.168.1.1 00:1A:2B:3C:4D:5E Dynamic192.168.1.254 00:1F:2E:3D:4C:5B Static 

Comparison with Other Protocols

ARP vs RARP

ARP resolves IP to MAC; RARP resolved MAC to IP (obsolete).

ARP vs NDP

ARP for IPv4; NDP for IPv6. NDP uses ICMPv6 messages and multicast instead of broadcast.

ARP vs DHCP

DHCP assigns IP addresses. ARP resolves addresses for communication after IP allocation.

References

• W. Stallings, Data and Computer Communications, 10th ed., Pearson, 2013, pp. 208-212.
• J. Postel, "RFC 826 - Ethernet Address Resolution Protocol," IETF, 1982, pp. 1-7.
• D. Comer, Internetworking with TCP/IP, Volume 1, 6th ed., Pearson, 2013, pp. 347-352.
• R. Perlman, Interconnections: Bridges, Routers, Switches, and Internetworking Protocols, 2nd ed., Addison-Wesley, 2000, pp. 93-98.
• G. Malkin, "RFC 1122 - Requirements for Internet Hosts - Communication Layers," IETF, 1989, pp. 85-90.