Address Resolution Protocol

From Wikipedia, the free encyclopedia
Associates addresses in the layers of a networked device implementation

The Address Resolution Protocol (ARP) is a communication protocol for discovering the link layer address, such as a MAC address, associated with an internet layer address, typically an IPv4 address. The protocol, part of the Internet protocol suite, was defined in 1982 by RFC 826, which is Internet Standard STD 37.

ARP enables a host to send, for example, an IPv4 packet to another node in the local network by providing a protocol to get the MAC address associated with an IP address. The host broadcasts a request containing the target node's IP address, and the node with that IP address replies with its MAC address.

ARP has been implemented with many combinations of network and data link layer technologies, such as IPv4, Chaosnet, DECnet and Xerox PARC Universal Packet (PUP) using IEEE 802 standards, FDDI, X.25, Frame Relay and Asynchronous Transfer Mode (ATM).

In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).

Operating scope


The Address Resolution Protocol is a request–response protocol. Its messages are directly encapsulated by a link layer protocol. It is communicated within the boundaries of a single subnetwork and is never routed.

Packet structure


The Address Resolution Protocol uses a simple message format containing one address resolution request or response. The packets are carried at the data link layer of the underlying network as raw payload. In the case of Ethernet, a 0x0806 EtherType value is used to identify ARP frames.

The size of the ARP message depends on the link layer and network layer address sizes. The message header specifies the types of network in use at each layer as well as the size of addresses of each. The message header is completed with the operation code for request (1) and reply (2). The payload of the packet consists of four addresses, the hardware and protocol address of the sender and receiver hosts.

The principal packet structure of ARP packets is shown in the following table which illustrates the case of IPv4 networks running on Ethernet. In this scenario, the packet has 48-bit fields for the sender hardware address (SHA) and target hardware address (THA), and 32-bit fields for the corresponding sender and target protocol addresses (SPA and TPA). The ARP packet size in this case is 28 bytes.

ARP packet for resolving an Internet Protocol version 4 address over Ethernet

Offset (octets)  Bits 0-7             Bits 8-15             Bits 16-23            Bits 24-31
0                Hardware Type (1)                          Protocol Type (0x0800)
4                Hardware Length (6)  Protocol Length (4)   Operation
8                Sender Hardware Address (octets 1-4)
12               Sender Hardware Address (octets 5-6)       Sender Protocol Address (octets 1-2)
16               Sender Protocol Address (octets 3-4)       Target Hardware Address (octets 1-2)
20               Target Hardware Address (octets 3-6)
24               Target Protocol Address (octets 1-4)
Hardware Type (HTYPE): 16 bits
This field specifies the network link protocol type.[1] In this example, a value of 1 indicates Ethernet.
Protocol Type (PTYPE): 16 bits
This field specifies the internetwork protocol for which the ARP request is intended. For IPv4, this has the value 0x0800. The permitted PTYPE values share a numbering space with those for EtherType.[1][2]
Hardware Length (HLEN): 8 bits
Length (in octets) of a hardware address. For Ethernet, the address length is 6.
Protocol Length (PLEN): 8 bits
Length (in octets) of internetwork addresses. The internetwork protocol is specified in PTYPE. In this example: IPv4 address length is 4.
Operation (OPER): 16 bits
Specifies the operation that the sender is performing: 1 for request, 2 for reply.
Sender Hardware Address (SHA): 48 bits
Media address of the sender. In an ARP request this field is used to indicate the address of the host sending the request. In an ARP reply this field is used to indicate the address of the host that the request was looking for.
Sender Protocol Address (SPA): 32 bits
Internetwork address of the sender.
Target Hardware Address (THA): 48 bits
Media address of the intended receiver. In an ARP request this field is ignored. In an ARP reply this field is used to indicate the address of the host that originated the ARP request.
Target Protocol Address (TPA): 32 bits
Internetwork address of the intended receiver.

ARP parameter values have been standardized and are maintained by the Internet Assigned Numbers Authority (IANA).[1]

The EtherType for ARP is 0x0806. This appears in the Ethernet frame header when the payload is an ARP packet and is not to be confused with PTYPE, which appears within this encapsulated ARP packet.

Layering


ARP's placement within the Internet protocol suite and the OSI model may be a matter of confusion or even of dispute. RFC 826 places it into the link layer and characterizes it as a tool to inquire about the "higher level layer", such as the Internet layer.[3] RFC 1122 also discusses ARP in its link layer section.[4] Richard Stevens places ARP in OSI's data link layer,[5] while newer editions associate it with the network layer or introduce an intermediate OSI layer 2.5.[6]

Example


Two computers, A and B, are connected to the same local area network with no intervening gateway or router. A has a packet to send to IP address 192.168.0.55, which happens to be the address of B.

Before sending the packet to B, A broadcasts an ARP request message – addressed with the broadcast MAC address FF:FF:FF:FF:FF:FF and requesting a response from the node with IP address 192.168.0.55. All nodes of the network receive the message, but only B replies since it has the requested IP address. B responds with an ARP response message containing its MAC address, which A receives. A sends the data packet on the link addressed with B's MAC address.

Typically, a network node maintains a lookup cache that associates IP and MAC addresses. In this example, if A had the lookup cached, then it would not need to broadcast the ARP request. Also, when B received the request, it could cache the lookup to A so that if B needs to send a packet to A later, it does not need to use ARP to look up its MAC address. Finally, when A receives the ARP response, it can cache the lookup for future messages addressed to the same IP address.[7]
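The packet layout from the table above and the A/B exchange just described, carried through in code. This is an added example written for this page, not code from the article or from any ARP implementation. It serializes the 28-byte IPv4-over-Ethernet ARP packet with the field order and sizes given in the table, wraps it in an Ethernet II header with EtherType 0x0806, parses it back, and then models both sides of the request/reply exchange. The MAC addresses are constructed documentation values; B's address 192.168.0.55 is the one used in the article's example, and A's address is an assumption.

```python
import struct

# Field values from the article's table; the MAC/IP addresses used in the
# exchange below are constructed for illustration.
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# HTYPE, PTYPE, HLEN, PLEN, OPER, SHA(6), SPA(4), THA(6), TPA(4) = 28 bytes, big-endian
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Serialize one IPv4-over-Ethernet ARP packet (28 bytes)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sha), ip_to_bytes(spa),
                       mac_to_bytes(tha), ip_to_bytes(tpa))


def build_frame(dst_mac, src_mac, arp_payload):
    """Ethernet II header (dst, src, EtherType 0x0806) followed by the ARP packet."""
    return (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_ARP) + arp_payload)


def parse_frame(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    # Only accept the combination the table describes; other HTYPE/PTYPE pairs
    # change the address sizes and would need a different unpack format.
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src), "op": op,
            "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}


def resolve_exchange(a_mac, a_ip, b_mac, b_ip):
    """Model the article's exchange: A broadcasts a request, B answers, A caches the result."""
    # A: request with its own SHA/SPA, THA ignored (zero), TPA = the address wanted
    request = build_frame(BROADCAST_MAC, a_mac,
                          build_arp(OP_REQUEST, a_mac, a_ip, ZERO_MAC, b_ip))
    req = parse_frame(request)
    # B: only the node holding the requested address replies
    if req is None or req["tpa"] != b_ip:
        return None
    # Reply goes unicast to the requester; SHA/SPA are now B's, THA/TPA the requester's
    reply = build_frame(req["sha"], b_mac,
                        build_arp(OP_REPLY, b_mac, b_ip, req["sha"], req["spa"]))
    rep = parse_frame(reply)
    # A: learn the mapping from the reply's sender fields
    cache = {rep["spa"]: rep["sha"]}
    return {"request_len": len(request), "arp_len": len(request) - 14,
            "reply_dst": rep["dst"], "reply_op": rep["op"], "cache": cache}


if __name__ == "__main__":
    print(resolve_exchange("00:00:5e:00:53:01", "192.168.0.10",
                           "00:00:5e:00:53:02", "192.168.0.55"))
```

The frame is 42 bytes on the wire (14-byte Ethernet header plus the 28-byte ARP packet the article quotes); real Ethernet pads it to the 60-byte minimum, which parse_frame tolerates because it only reads the first 42 bytes.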

ARP probe


An ARP probe in IPv4 is an ARP request constructed with the SHA of the probing host, an SPA of all 0s, a THA of all 0s, and a TPA set to the IPv4 address being probed for. If some host on the network regards the IPv4 address (in the TPA) as its own, it will reply to the probe (via the SHA of the probing host), thus informing the probing host of the address conflict. If instead there is no host which regards the IPv4 address as its own, then there will be no reply. When several such probes have been sent, with slight delays, and none receive replies, it can reasonably be expected that no conflict exists. As the original probe packet contains neither a valid SHA/SPA nor a valid THA/TPA pair, there is no risk of any host using the packet to update its cache with problematic data. Before beginning to use an IPv4 address (whether received from manual configuration, DHCP, or some other means), a host implementing this specification must test to see if the address is already in use, by broadcasting ARP probe packets.[8][9]

ARP announcements


ARP may also be used as a simple announcement protocol. This is useful for updating other hosts' mappings of a hardware address when the sender's IP address or MAC address changes. Such an announcement, also called a gratuitous ARP (GARP) message, is usually broadcast as an ARP request containing the SPA in the target field (TPA=SPA), with THA set to zero. An alternative way is to broadcast an ARP reply with the sender's SHA and SPA duplicated in the target fields (TPA=SPA, THA=SHA).

The ARP request and ARP reply announcements are both standards-based methods,[10]: §4.6 but the ARP request method is preferred.[11]: §3 Some devices may be configured for the use of either of these two types of announcements.[12]

An ARP announcement is not intended to solicit a reply; instead, it updates any cached entries in the ARP tables of other hosts that receive the packet. The operation code in the announcement may be either request or reply; the ARP standard specifies that the opcode is only processed after the ARP table has been updated from the address fields.[13][10]: §4.6 [14]: §4.4.1

Many operating systems issue an ARP announcement during startup. This helps to resolve problems that would otherwise occur if, for example, a network card was recently changed (changing the IP-address-to-MAC-address mapping) and other hosts still have the old mapping in their ARP caches.

ARP announcements are also used by some network interfaces to provide load balancing for incoming traffic. In a team of network cards, it is used to announce a different MAC address within the team that should receive incoming packets.

ARP announcements can be used in the Zeroconf protocol to allow automatic assignment of a link-local address to an interface where no other IP address configuration is available. The announcements are used to ensure an address chosen by a host is not in use by other hosts on the network link.[15]

This function is dangerous from a security standpoint: because hosts update their caches from announcements without any authentication, an attacker on the subnet can cause the other hosts to store in their ARP caches (ARP spoofing) an entry that associates the attacker's MAC address with, for instance, the IP address of the default gateway, and can thereby intercept all the traffic to external networks.
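The probe and announcement patterns described in the two sections above, together with the receive rule the article attributes to the ARP standard (cache updated from the address fields first, opcode acted on second), as an added example that is not part of the article. classify_arp names a message from its opcode and addresses using exactly the field patterns given above; ArpHost is a minimal receiver in the style of the RFC 826 merge rule. The host and MAC addresses are constructed documentation values, and the decision not to cache a 0.0.0.0 sender (a probe) is this example's own choice, made because such an entry could never be used.

```python
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
ZERO_IP = "0.0.0.0"


def classify_arp(op, sha, spa, tha, tpa):
    """Name an ARP message from its opcode and address fields.

    Patterns as the article gives them: a probe is a request with SPA and THA
    all zero; an announcement (gratuitous ARP) is a request with TPA == SPA and
    THA zero, or a reply with TPA == SPA and THA == SHA.
    """
    if op == OP_REQUEST:
        if spa == ZERO_IP and tha == ZERO_MAC:
            return "probe"
        if tpa == spa and tha == ZERO_MAC:
            return "announcement-request"
        return "request"
    if op == OP_REPLY:
        if tpa == spa and tha == sha:
            return "announcement-reply"
        return "reply"
    return "unknown"


class ArpHost:
    """Minimal ARP receiver: the cache is refreshed from SHA/SPA before the
    opcode is looked at, so announcements of either opcode update existing
    entries, while a probe (SPA 0.0.0.0) leaves the cache untouched."""

    def __init__(self, mac, ip):
        self.mac, self.ip, self.cache = mac, ip, {}

    def receive(self, op, sha, spa, tha, tpa):
        """Return (cache_action, response).

        cache_action is "merged", "added" or None; response is the reply
        (op, sha, spa, tha, tpa) this host sends back, or None.
        """
        cache_action = None
        if spa in self.cache:          # merge: refresh an entry we already hold
            self.cache[spa] = sha
            cache_action = "merged"
        if tpa != self.ip:             # not addressed to us: nothing further
            return cache_action, None
        if cache_action is None and spa != ZERO_IP:
            self.cache[spa] = sha      # we are the target: learn the sender
            cache_action = "added"
        if op == OP_REQUEST:
            # Answer with our own SHA/SPA, addressed to the requester's SHA. For a
            # probe this reply is the conflict signal the probing host waits for.
            return cache_action, (OP_REPLY, self.mac, self.ip, sha, spa)
        return cache_action, None


def demo():
    """Constructed scenario: B owns 192.168.0.55 and already knows A. A third host
    probes for .55 (conflict, answered, nothing cached); then A announces a new
    MAC for .10 and B's existing entry is refreshed without B replying."""
    b = ArpHost("00:00:5e:00:53:02", "192.168.0.55")
    b.cache["192.168.0.10"] = "00:00:5e:00:53:01"
    probe = (OP_REQUEST, "00:00:5e:00:53:03", ZERO_IP, ZERO_MAC, "192.168.0.55")
    probe_result = b.receive(*probe)
    announce = (OP_REQUEST, "00:00:5e:00:53:aa", "192.168.0.10", ZERO_MAC, "192.168.0.10")
    announce_result = b.receive(*announce)
    return {"probe_kind": classify_arp(*probe), "probe_result": probe_result,
            "announce_kind": classify_arp(*announce), "announce_result": announce_result,
            "cache": dict(b.cache)}


if __name__ == "__main__":
    print(demo())
```

Because the merge happens before the opcode check, a host that has never talked to the announcing address learns nothing from the announcement; only hosts holding a stale entry are corrected, which is exactly the effect the announcement is meant to have.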

ARP mediation


ARP mediation refers to the process of resolving layer-2 addresses through a virtual private wire service (VPWS) when different resolution protocols are used on the connected circuits, e.g., Ethernet on one end and Frame Relay on the other. In IPv4, each provider edge (PE) device discovers the IP address of the locally attached customer edge (CE) device and distributes that IP address to the corresponding remote PE device. Then each PE device responds to local ARP requests using the IP address of the remote CE device and the hardware address of the local PE device. In IPv6, each PE device discovers the IP address of both local and remote CE devices and then intercepts local Neighbor Discovery (ND) and Inverse Neighbor Discovery (IND) packets and forwards them to the remote PE device.[16]

Inverse ARP and Reverse ARP


Inverse Address Resolution Protocol (Inverse ARP or InARP) is used to obtain network layer addresses (for example, IP addresses) of other nodes from data link layer (Layer 2) addresses. Since ARP translates layer-3 addresses to layer-2 addresses, InARP may be described as its inverse. In addition, InARP is implemented as a protocol extension to ARP: it uses the same packet format as ARP, but different operation codes.

InARP is primarily used in Frame Relay (DLCI) and ATM networks, in which layer-2 addresses of virtual circuits are sometimes obtained from layer-2 signaling, and the corresponding layer-3 addresses must be available before those virtual circuits can be used.[17]

The Reverse Address Resolution Protocol (Reverse ARP or RARP), like InARP, translates layer-2 addresses to layer-3 addresses. However, in InARP the requesting station queries the layer-3 address of another node, whereas RARP is used to obtain the layer-3 address of the requesting station itself for address configuration purposes. RARP is obsolete; it was replaced by BOOTP, which was later superseded by the Dynamic Host Configuration Protocol (DHCP).[18]

ARP spoofing and proxy ARP

Main articles: ARP spoofing and Proxy ARP
A successful ARP spoofing attack allows an attacker to perform a man-in-the-middle attack.

Because ARP does not provide methods for authenticating ARP replies on a network, ARP replies can come from systems other than the one with the required Layer 2 address. An ARP proxy is a system that answers the ARP request on behalf of another system for which it will forward traffic, normally as a part of the network's design, such as for a dialup internet service. By contrast, in ARP spoofing the answering system, or spoofer, replies to a request for another system's address with the aim of intercepting data bound for that system. A malicious user may use ARP spoofing to perform a man-in-the-middle or denial-of-service attack on other users on the network. Various software exists to both detect and perform ARP spoofing attacks, though ARP itself does not provide any methods of protection from such attacks.[19]
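Since ARP itself offers no protection, the practical defence is passive monitoring of the kind the article's "detect" software does: watch the replies on the link and alert when an IP address changes its hardware address or when a reply arrives that answers no recent request. The following is an added example written for this page, not the article's code nor any particular tool's. It runs over a constructed sequence of observed ARP events (opcode and the four address fields with a timestamp; all addresses are documentation values) and flags a mapping change for a watched address such as the default gateway.

```python
OP_REQUEST, OP_REPLY = 1, 2
ZERO_IP = "0.0.0.0"

# Constructed sample of observed ARP traffic: (seconds, opcode, SHA, SPA, THA, TPA).
# The gateway 192.168.0.1 first answers from one MAC; later an unrequested
# reply claims the same IP from a different MAC, which then announces itself as .77.
SAMPLE_EVENTS = [
    (0.0, OP_REQUEST, "00:00:5e:00:53:01", "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1"),
    (0.1, OP_REPLY,   "00:00:5e:00:53:fe", "192.168.0.1",  "00:00:5e:00:53:01", "192.168.0.10"),
    (7.0, OP_REPLY,   "00:00:5e:00:53:66", "192.168.0.1",  "00:00:5e:00:53:01", "192.168.0.10"),
    (9.0, OP_REQUEST, "00:00:5e:00:53:66", "192.168.0.77", "00:00:00:00:00:00", "192.168.0.77"),
]


def inspect_arp_stream(events, watched_ips=(), window=5.0):
    """Passive ARP monitor over observed traffic.

    Returns (table, alerts): the IP -> MAC table learnt from sender fields and a
    list of (timestamp, kind, ip, old_mac, new_mac) alerts, where kind is
      "changed"            an IP's MAC differs from the one seen before
      "watched-changed"    the same, for an IP in watched_ips (e.g. the gateway)
      "unsolicited-reply"  a reply that answers no request seen within `window` s
    """
    table, alerts, pending = {}, [], {}
    for ts, op, sha, spa, tha, tpa in events:
        if op == OP_REQUEST:
            pending[tpa] = ts                      # someone asked for tpa at ts
        elif op == OP_REPLY and tpa != spa:        # TPA == SPA is an announcement, not an answer
            asked = pending.get(spa)
            if asked is None or ts - asked > window:
                alerts.append((ts, "unsolicited-reply", spa, table.get(spa), sha))
        if spa == ZERO_IP:                         # probe: no sender binding to learn
            continue
        old = table.get(spa)
        if old is not None and old != sha:
            kind = "watched-changed" if spa in watched_ips else "changed"
            alerts.append((ts, kind, spa, old, sha))
        table[spa] = sha
    return table, alerts


def demo():
    return inspect_arp_stream(SAMPLE_EVENTS, watched_ips={"192.168.0.1"})


if __name__ == "__main__":
    table, alerts = demo()
    for a in alerts:
        print(a)
```

A mapping change is not proof of an attack (a replaced network card produces the same alert, as the announcements section notes), so the monitor reports and lets an operator decide; the value of the unsolicited-reply check is that a legitimate host has no reason to send a non-announcement reply nobody asked for.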

Alternatives


Computers may maintain lists of known addresses, rather than using an active protocol. In this method, each computer maintains a database of the mapping of Layer 3 addresses (e.g., IP addresses) to Layer 2 addresses (e.g., Ethernet MAC addresses). This data is maintained primarily by interpreting ARP packets from the local network link. Thus, it is often called the ARP cache. Since at least the 1980s,[20] networked computers have a utility called arp for interrogating or manipulating this database.[21][22][23]

Historically, other methods were used to maintain the mapping between addresses, such as static configuration files,[24] or centrally maintained lists.

ARP stuffing


Embedded systems such as networked cameras[25] and networked power distribution devices,[26] which lack a user interface, can use so-called ARP stuffing to make an initial network connection, although this is a misnomer, as ARP is not involved.

ARP stuffing is accomplished as follows:

  1. The user's computer has an IP address stuffed manually into its address table (normally with the arp command, with the MAC address taken from a label on the device).
  2. The computer sends special packets to the device, typically a ping packet with a non-default size.
  3. The device then adopts this IP address.
  4. The user then communicates with it by telnet or web protocols to complete the configuration.

Such devices typically have a method to disable this process once the device is operating normally, as the capability can make it vulnerable to attack.

Standards documents

  • RFC 826 – "An Ethernet Address Resolution Protocol," Internet Standard 37.
  • RFC 903 – "A Reverse Address Resolution Protocol," Internet Standard 38.
  • RFC 2390 – "Inverse Address Resolution Protocol," Draft Standard.
  • RFC 5227 – "IPv4 Address Conflict Detection," Proposed Standard.

See also

  • Arping – Software utility for discovering and probing hosts on a computer network
  • Arptables – Network administrator's tool
  • Arpwatch – Computer networking software tool
  • Bonjour Sleep Proxy – Open source component of zero configuration networking
  • Cisco HDLC – Extension to the High-Level Data Link Control (HDLC) network protocol
  • Neighbor Discovery Protocol – Protocol in the Internet protocol suite used with IPv6

References

  1. "Address Resolution Protocol (ARP) Parameters". www.iana.org. Retrieved 2018-10-16.
  2. D. Eastlake 3rd; J. Abley; Y. Li (April 2024). IANA Considerations and IETF Protocol and Documentation Usage for IEEE 802 Parameters. Internet Engineering Task Force. doi:10.17487/RFC9542. ISSN 2070-1721. BCP 141. RFC 9542. Best Current Practice 141. Obsoletes RFC 7042.
  3. David C. Plummer (November 1982). An Ethernet Address Resolution Protocol. Network Working Group. doi:10.17487/RFC0826. STD 37. RFC 826. Internet Standard 37. sec. Network monitoring and debugging. Updated by RFC 5227 and 5494.
  4. R. Braden, ed. (October 1989). Requirements for Internet Hosts -- Communication Layers. Network Working Group. doi:10.17487/RFC1122. STD 3. RFC 1122. Internet Standard 3. Updated by RFC 1349, 4379, 5884, 6093, 6298, 6633, 6864, 8029 and 9293.
  5. W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, Addison Wesley, 1994, ISBN 0-201-63346-9.
  6. W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, Addison Wesley, 2011, ISBN 0-321-33631-3, page 14.
  7. Chappell, Laura A.; Tittel, Ed (2007). Guide to TCP/IP (Third ed.). Thomson Course Technology. pp. 115–116. ISBN 9781418837556.
  8. S. Cheshire (July 2008). IPv4 Address Conflict Detection. Network Working Group. doi:10.17487/RFC5227. RFC 5227. Proposed Standard. Updates RFC 826.
  9. Harmoush, Ed. "ARP Probe and ARP Announcement". Practical Networking. PracticalNetworking.net. Retrieved 3 August 2022.
  10. C. Perkins, ed. (November 2010). IP Mobility Support for IPv4, Revised. Internet Engineering Task Force. doi:10.17487/RFC5944. ISSN 2070-1721. RFC 5944. Proposed Standard. Obsoletes RFC 3344.
  11. S. Cheshire (July 2008). IPv4 Address Conflict Detection. Network Working Group. doi:10.17487/RFC5227. RFC 5227. Proposed Standard. Updates RFC 826. Section "Why Are ARP Announcements Performed Using ARP Request Packets and Not ARP Reply Packets?"
  12. "FAQ: The Firewall Does not Update the Address Resolution Protocol Table". Citrix. 2015-01-16. "[...] garpReply enabled [...] generates ARP packets that [...] are of OPCODE type REPLY, rather than REQUEST."
  13. "Gratuitous ARP in DHCP vs. IPv4 ACD Draft". Archived from the original on October 12, 2007.
  14. R. Droms (March 1997). Dynamic Host Configuration Protocol. IETF Network Working Group. doi:10.17487/RFC2131. RFC 2131. Draft Standard. Obsoletes RFC 1541. Updated by RFC 3396, 4361, 5494 and 6842.
  15. S. Cheshire; B. Aboba; E. Guttman (May 2005). Dynamic Configuration of IPv4 Link-Local Addresses. Network Working Group. doi:10.17487/RFC3927. RFC 3927. Proposed Standard.
  16. Shah, H.; et al. (June 2012). Address Resolution Protocol (ARP) Mediation for IP Interworking of Layer 2 VPNs. Internet Engineering Task Force. doi:10.17487/RFC6575. RFC 6575.
  17. T. Bradley; C. Brown; A. Malis (September 1998). Inverse Address Resolution Protocol. Network Working Group. doi:10.17487/RFC2390. RFC 2390. Draft Standard. Obsoletes RFC 1293.
  18. R. Finlayson; T. Mann; J. Mogul; M. Theimer (June 1984). A Reverse Address Resolution Protocol. Network Working Group. doi:10.17487/RFC0903. STD 38. RFC 903. Internet Standard 38.
  19. Steve Gibson (2005-12-11). "ARP Cache Poisoning". GRC.
  20. University of California, Berkeley. "BSD manual page for arp(8C) command". Retrieved 2011-09-28.
  21. Canonical. "Ubuntu manual page for arp(8) command". Archived from the original on 2012-03-16. Retrieved 2011-09-28.
  22. Apple Computer. "Mac OS X manual page for arp(8) command". Retrieved 2011-09-28.
  23. Microsoft. "Windows help for arp command". Retrieved 2011-09-28.
  24. Sun Microsystems. "SunOS manual page for ethers(5) file". Retrieved 2011-09-28.
  25. Axis Communication. "Axis P13 Network Camera Series Installation Guide" (PDF). Retrieved 2011-09-28.
  26. American Power Corporation. "Switched Rack Power Distribution Unit Installation and Quick Start Manual" (PDF). Archived from the original (PDF) on 2011-11-25. Retrieved 2011-09-28.

External links

Wikiversity has learning resources about Address Resolution Protocol
Retrieved from "https://en.wikipedia.org/w/index.php?title=Address_Resolution_Protocol&oldid=1334472397"