Skip to main content

What is Address Resolution Protocol (ARP)?

ARP (Address Resolution Protocol) is a network layer communication protocol defined in RFC826. It's used to dynamically map an internet protocol (IP) to a hardware or MAC address. If a primary host wants to communicate with another destination host, it sends out a broadcast request to the entire network. The MAC address of the destination host, which matches the request, is returned to the primary host as a response to the request.

A host broadcasts a request for the MAC address associated with the IP address of the destination when it needs to deliver an IP datagram as an Ethernet frame to another host whose MAC address it ignores. When a request is received on the subnet, each host checks to see if the IP address in the request is tied to one of its network interfaces. If this is the case, the host with the matching IP address delivers a unicast response to the sender of the <IP address, MAC address> pair request. To reduce the number of requests sent across the network, each host keeps an ARP cache of <IP, MAC> pairings based on the responses it receives.

ARP is a stateless protocol, which means that a reply can be sent even if the corresponding request was never sent. When a host receives a response, it replaces the relevant record in the cache with the <IP, MAC> pair contained in the response. While a cache item should only be changed if the mapping is already in place, certain operating systems cache responses in any situation to improve efficiency.

What Does ARP Do?

When the subnet receives a packet from higher layers, it examines the destination machine's IP address. If the sender machine and the destination machine are on the same local network, the packet can be transmitted directly to the target machine; otherwise, the IP packet must be routed through a router. The subnet needs to know the destination machine's MAC address to send the packet straight to it. ARP is used by the TCP/IP suite's network layer to do this. ARP is found in the TCP/IP suite's Network layer's bottom half. A host is recognized in this tier by its 32-bit IP address. The TCP/IP suite's Medium Access Control (MAC) layer, on the other hand, uses a different addressing scheme. A 48-bit MAC address identifies an interface in the MAC layer. ARP is a protocol that allows hosts to dynamically map a machine's 32-bit IP address to its 48-bit MAC address (on the local network) in a memory area known as the ARP cache. If a host wants to locate the MAC address of a target node on the local network, it sends out an ARP request with its IP and MAC address in the SPA (source protocol address) and SHA (source hardware address) fields. The IP address of the target destination node is set in the TPA (target protocol address) parameter. If the THA (target hardware address) is set to a dummy value of 00:00:00:00:00:00, the target MAC address is unknown.

The IP-MAC address mapping of the sender (SPA and SHA) will be learned by nodes receiving the ARP request and added to their respective ARP caches. The TPA value in the ARP request will be checked by each receiving node to see if it matches its IP address. It will respond with an ARP reply message if this is the case.

The ARP protocol can send two types of ARP messages. ARP Request is one, and ARP Reply is the other;

ARP Request: When a host sends an ARP request, it includes its IP and MAC addresses, kind of ARP message, and destination IP address in the ARP Request frame. The ARP request is then sent out to all hosts on the same LAN as the transmitting host. The target MAC address field is left empty to be filled in by the host with the target IP address.

ARP Reply: When a host receives an ARP request with its IP as the target IP, it fills in the target MAC address field with its MAC address and the operation field with the ARP reply's opcode. This packet is sent straight to the asking machine; this is known as unicast. When the requesting machine receives an ARP reply, it changes its ARP cache with the requested MAC address.

What is Address Resolution Protocol Used for?

ARP (Address Resolution Protocol) is a connection-oriented protocol used by the internet protocol to link IP addresses to MAC addresses, which is saved in each client's ARP cache. To make this procedure easier, network engineers devised a set of rules known as protocols for computer message exchange. These protocols keep the network's linked devices connected and able to work quickly and without problems.

What is the Purpose of the Address Resolution Protocol?

Every packet in a subnet must be delivered to a local network interface. The subnet gateway receives those whose destination IP addresses are outside the local network (as indicated by the subnet mask). Packets that are meant for the internal subnet are delivered directly. The IP address must be mapped onto a MAC address, whether the target address is local or gateway. ARP resolution uses a simple broadcast request followed by a unicast answer to execute a distributed lookup. The request is sent to the local broadcast address by the querying host. Only a host assigned to the requested address shall respond with its local hardware address, according to the protocol.

How Does ARP Work?

The ARP is one of the most simple but crucial LAN communication methods. The ARP is used to determine a host's MAC address from its IP address. This is accomplished by broadcasting an ARP request packet throughout the network. In an ARP reply packet, the concerned host now responds with its MAC address (unicast). A host may broadcast its own MAC address in a special Gratuitous ARP packet under particular circumstances. Every host keeps an ARP cache, which stores any address mappings acquired from the network (dynamic entries) or defined by the administrator (static entries). The dynamic entries expire after a set amount of time, which differs between operating systems. When an entry reaches its expiration date, it is removed from the cache, and if the host wishes to interact with the same peer, another ARP request is sent. The static entries do not expire.

ARP works by transmitting 'ARP request' packets. "Anyone who has IP address x?" an ARP request enquires. If that's the case, please return your MAC to me." Even on a switched network, these packets are broadcast to all machines on the LAN.

ARP request and ARP reply sample

Figure 1. ARP request and ARP reply sample

An example of ARP request and ARP reply in an ARP is as follows:

  1. Host IP1 wants to send a packet to IP3, but IP1 only knows the IP address of IP3.

  2. Host IP1 broadcasts ARP Request with IP address of IP3 as shown in Figure 1.

  3. All hosts on the local network receive the ARP Request which is broadcast.

  4. Host IP3 replies with its MAC address by unicast of ARP Reply as shown in Figure 1 and update its ARP cache with MAC of MAC3.

  5. Host IP1 adds the MAC address of MAC3 to its ARP cache.

  6. Now host IP1 can deliver packets directly to IP3.

What Are the Types of ARP?

There are four types of ARP:

  1. Reverse ARP

  2. Proxy ARP

  3. Gratuitous ARP

  4. Inverse ARP.

1. Reverse ARP

The operations of ARP and Reverse ARP (RARP) are distinct. ARP presupposes that every host understands how to map its hardware address to its protocol address(es). A small cache is used to store information about other hosts. There is no differentiation between clients and servers; all hosts have the same status. RARP, on the other hand, necessitates the maintenance of a database of mappings from hardware addresses to protocol addresses and the response to requests from client hosts by one or more server hosts.

Server hosts are required by RARP to maintain big databases. Maintaining such a database in the kernel of a host's operating system is undesirable, and in some situations impossible. As a result, most implementations will need to interface with a program outside of the kernel in some way.

It's crucial to have a simple solution with minimal influence on the existing host software. Designing a protocol that needed changes to every host's software, whether or not they wanted to participate, would be a mistake.

2. Proxy ARP

To make a small network of devices visible on another subnet, use proxy ARP with subnetting. This makes all machines on the local network (from now on known as network 0) appear to be connected to the main network.

Only packets from network 1 to network 0 are routed through the Proxy ARP. The usual IP routing functionality is used to get packets back in the other direction.

When hosts are on distinct physical networks and you don't want to utilize subnet masking, proxy ARP comes in handy. ARP broadcasts are not propagated across hosts on separate physical networks, therefore if the destination is on a different subnet, hosts will not receive a response to their ARP request. The hosts can communicate with each other transparently through the switch if the switch is configured to function as an ARP proxy. Proxy ARP allows hosts on a subnet to communicate with hosts on other subnets without the need for routing or a default gateway.

3. Gratuitous ARP

A message sent by a host seeking the MAC address for its IP address is known as a gratuitous ARP. It's sent by a host looking to see if there's another host on the LAN with the same IP address, or by a host declaring that its MAC address has changed, allowing other hosts to update their caches.

Gratuitous ARP is a unique ARP answer that does not respond to an ARP request. A reply without an ARP request is known as a gratuitous ARP reply. For a Gratuitous ARP, no response is expected. The following are the characteristics of a gratuitous ARP packet. Both the source and destination IP addresses are set to the IP address of the machine that is issuing the Gratuitous ARP packet.

Network devices create unnecessary ARP packets for a variety of reasons, some of which are given below. To find IPv4 addresses that are the same. When computers receive a response to a gratuitous ARP request, they can detect an IPv4 address conflict in the network. After an IPv4 or MAC address change, update the ARP table.

4. Inverse ARP (IARP)

Frame Relay station can use the Inverse Address Resolution Protocol (IARP) to find out the protocol address of a station that is connected to the virtual circuit. It's faster and more versatile than sending ARP messages to every VC(Virtual Circuit) for every address the system needs to resolve. Basic IARP works similarly to ARP, with the distinction that it does not broadcast requests. This is because the destination station's hardware address is already known. When an interface that supports IARP is turned on, it should start the IARP protocol and format IARP requests for each active PVC(Permanent Virtual Circuit) that supports IARP. TA requesting station does this by simply entering its source hardware, source protocol addresses, and the known target hardware address into a request. The target protocol address field is then zero-filled. Finally, the packet will be encapsulated for the specified network and sent straight to the target station.

What is the Functional Difference Between ARP, DHCP, and DNS?

The link-layer protocols, Dynamic Host Configuration Protocol (DHCP), and ARP are required for LAN operation. DHCP is a protocol that makes it easier to connect to a network. DHCP automates the assignment of TCP/IP stack setup parameters, such as the default gateway, subnet mask, and IP addresses, when a host connects to the network. The ARP protocol is used to resolve the MAC address of a networked device whose IP address is known.

DNS is a repository of data that converts domain names into IP addresses. The IP address is used by the TCP/IP suite to route packets, but the hostname is more human-readable. A hierarchical namespace is utilized as the DN space since DNs must be globally unique; this is constructed in the form of a tree structure, with the root at the top. Although the root label is an empty string, each node in the tree has a label, which is a string of characters. DN, on the other hand, is a series of labels separated by dots that run from the node to the root.

DHCP stands for 'Dynamic Host Configuration Protocol,' and it is a method of getting TCP/IP networking settings from a central server for networked computers. DHCP allows computers to request manual or dynamic IP addresses for hosts when they connect to the network. The DHCP service assigns IP addresses, subnet masks, gateways, and other IP networking characteristics automatically. IP addresses are not assigned to hosts permanently; instead, they are leased for a set period. A machine should seek a lease renewal from the DHCP server shortly before the lease expires. Otherwise, the IP address will be blocked. The address is returned to the range for reuse if the host is switched off or disconnected from the network. The DHCP server does not ensure that the IP address will be assigned to the client; nevertheless, the server will normally hold the address until the client has properly requested it.

To forward the DHCP discover broadcast packet from a rebooted client's machine, a DHCP relay agent is required. The relay agent sends it as a unicast transmission to the DHCP server (which may be on another network). The IP address of the DHCP server is normally kept by the relay agent. As a result, the relay agent's job is to pass packets between servers and clients. This allows the DHCP server to handle subnets where no server is available, eliminating the requirement for a server per subnet. A DHCP server uses the idea of leasing to keep track of the term of IP address assignment.

DNS servers are a collection of computers that share the DN space. The domain, which is a subtree of the DN space and is also known as the zone, is used to divide DN space. The name of the domain corresponds to the name of the subtree's top node.

DNS was created as a client-server system. A responder receives the DN from the browser and delivers a mapped request query to the DNS server in the client-side application of DNS.

In simple words, a web server is identified by its IP address by a web browser. By sending a DNS query that includes the DN, the browser obtains the server's IP address from a DNS server. The DNS server responds with the server IP, and the browser program responds with an HTTPS request using this server IP as the destination IP. HTTPS encrypts HTTP communication between clients and servers for added security. By spoofing these DNS signals and replacing the server IP with the attacker's IP, attackers can take advantage of the insecure DNS communication. As the destination server, the web browser delivers an HTTPS message to the attacker's IP address. The attack is undetectable if the attacker uses a website to respond to the client's request. DNS spoofing or phishing are terms used to describe such attacks.

What is the Importance of ARP in Networking?

The MAC address of the target machine is required by the host device to transfer a message from one machine to another in the same or different network(s). As a result, if the destination's MAC address is not found in the source's ARP cache, a mapping between the IP address and the MAC address must be formed. ARP is used for this purpose.

As a result, ARP is a critical component of the network layer and a stateless protocol. Users must determine how many hosts they can have in their subnet because they do not want to end up with a subnet that is either too small to handle all of the IP addresses they require or too large and inefficient.

What is ARP Spoofing Attack?

An attacker could use ARP spoofing to intercept data packets on a LAN, manipulate the flow, or stop it entirely. The attack is frequently used as a springboard for other types of attacks, such as denial of service, man-in-the-middle, and session hijacking. The attack is limited to local network segments and can only be employed on networks that use the ARP. The MAC address refers to the network card.

In principle, the MAC address is a globally unique and immutable address stored on the network card. The network protocol requires MAC addresses so that a computer may study the ARP request, check if it is currently assigned the appropriate IP, and respond with an ARP reply providing its MAC address. Operating systems store a cache of ARP replies to reduce the number of ARP packets broadcast. When a host receives an ARP reply, it will update the IP-MAC association in its ARP cache.

During transmission between the nodes, ARP is polluted. In this case, the attacker can change the data as well as disrupt the data transition. To get an ARP Response, the computer does not need to send out an ARP Request. As a result, if a faked answer were to occur, the computer's cache would be updated as usual.

ARP is a stateless protocol. Even if they did not send an explicit ARP request for it, hosts will cache any ARP answers delivered to them. On most operating systems, even if a previous unexpired dynamic ARP entry exists in the ARP cache, it will be overwritten by a newer ARP reply packet. Because they lack a way to verify their peers, all hosts simply store the ARP responses they get. This is the underlying issue that leads to ARP spoofing.

Arp Spoofing Attack

Figure 2. Arp Spoofing Attack

The process of fabricating ARP packets to imitate another host on the network is known as ARP spoofing. In the most basic kind of ARP spoofing, the attacker sends the target fake ARP answers regularly. The duration between spoofed responses is substantially less than the ARP cache entry timeout period for the victim host's operating system. The target host should never make an ARP request for the host whose address the attacker is spoofing as a result of this.