📡 Address Resolution Protocol (ARP)

Complete Study Guide for Computer Networks & Communication Engineering Students

1. Introduction to ARP

Definition: ARP (Address Resolution Protocol) is a Layer 2 (Data Link Layer) communication protocol used to map a network layer address (IP address) to a data link layer address (MAC address) within a local area network [^2^].

The Address Mapping Problem

In computer networks, devices are identified at different layers using different addressing schemes:

When a device wants to communicate with another device on the same local network, it knows the destination IP address but needs the destination MAC address to construct the Ethernet frame. This is where ARP becomes essential [^57^].

Key Point: ARP operates exclusively within a single broadcast domain (LAN). It does not traverse routers, as routers operate at Layer 3 and use IP addresses for routing between networks [^2^].

Why Dynamic Mapping?

Static mapping (maintaining a fixed table of IP-to-MAC mappings) has limitations because:

ARP provides dynamic mapping, allowing devices to discover addresses on-demand [^57^].

2. ARP Operation & Interactive Simulator

How ARP Works

The ARP resolution process involves four main steps [^56^][^59^]:

  1. Cache Check: The sender checks its ARP cache for an existing IP-to-MAC mapping
  2. ARP Request: If not found, the sender broadcasts an ARP request asking "Who has this IP address?"
  3. ARP Response: The target device recognizes its IP and responds with a unicast ARP reply containing its MAC address
  4. Cache Update: The sender updates its ARP cache and proceeds with communication

Example Scenario (Interactive ARP Operation Simulator)

  • Host A: IP 192.168.1.10, MAC AA:BB:CC:11:22:33
  • Host B: IP 192.168.1.20, MAC DD:EE:FF:44:55:66
  • Connected through: LAN Switch
  • ARP Request: "Who has 192.168.1.20?"
  • ARP Reply: "I am 192.168.1.20"

Step-by-Step Breakdown

3. ARP Packet Format

ARP packets are encapsulated directly in Ethernet frames (EtherType 0x0806). The packet structure is consistent across different hardware types [^57^]:

ARP Packet Structure (28 bytes)

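+---------------+---------+-------------------------------------------------+
| Field         | Size    | Description                                     |
+---------------+---------+-------------------------------------------------+
| Hardware Type | 2 bytes | Type of physical network (1 = Ethernet)         |
| Protocol Type | 2 bytes | Type of logical address (0x0800 = IPv4)         |
| HLEN          | 1 byte  | Length of hardware address (6 for Ethernet MAC) |
| PLEN          | 1 byte  | Length of protocol address (4 for IPv4)         |
| Operation     | 2 bytes | 1 = ARP Request, 2 = ARP Reply                  |
| Sender HA     | 6 bytes | MAC address of sender                           |
| Sender IP     | 4 bytes | IP address of sender                            |
| Target HA     | 6 bytes | MAC address of target (empty in request)        |
| Target IP     | 4 bytes | IP address of target                            |
+---------------+---------+-------------------------------------------------+

Note: In an ARP Request, the Target Hardware Address field is typically set to 00:00:00:00:00:00 or ignored, as this is the information being requested.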

Ethernet Frame Encapsulation

+-------------------+-------------------+-------------------+-------------------+
|  Destination MAC  |    Source MAC     |    EtherType      |    ARP Packet     |
|   (6 bytes)       |    (6 bytes)      |   (0x0806)        |    (28 bytes)     |
+-------------------+-------------------+-------------------+-------------------+

For ARP Request:
- Destination MAC: FF:FF:FF:FF:FF:FF (Broadcast)
- Source MAC: Sender's MAC address

For ARP Reply:
- Destination MAC: Requester's MAC address (Unicast)
- Source MAC: Responder's MAC address
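
The field layout and encapsulation above, as an added example (not part of the original guide): a builder and parser for the 42-byte Ethernet + ARP frame. It reuses the Host A and Host B addresses from section 2; the function names and the src_mismatch flag (Ethernet source differing from the ARP sender MAC) are assumptions of this sketch.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Ethernet header (14 bytes) followed by the 28-byte ARP packet."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # HTYPE, PTYPE, HLEN, PLEN, OPER
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp

def parse_arp_frame(frame):
    """Decode an Ethernet/IPv4 ARP frame; raise ValueError if it is malformed."""
    if len(frame) < 14 + 28:
        raise ValueError("too short for Ethernet header + ARP packet")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("EtherType is not 0x0806")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if op not in (1, 2):
        raise ValueError("operation is neither request (1) nor reply (2)")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    pkt = {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "op": "request" if op == 1 else "reply",
        "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }
    pkt["gratuitous"] = pkt["sender_ip"] == pkt["target_ip"]    # Sender IP = Target IP
    pkt["src_mismatch"] = pkt["eth_src"] != pkt["sender_mac"]   # extra sanity flag (assumption)
    return pkt

# Constructed sample: Host A (192.168.1.10) asks for Host B (192.168.1.20).
REQUEST = build_arp_frame(BROADCAST, "aa:bb:cc:11:22:33", 1,
                          "aa:bb:cc:11:22:33", "192.168.1.10",
                          "00:00:00:00:00:00", "192.168.1.20")

if __name__ == "__main__":
    print(len(REQUEST), parse_arp_frame(REQUEST))
```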

4. Types of ARP

Proxy ARP

A router enabled with Proxy ARP responds to ARP requests on behalf of hosts on different networks [^54^][^56^].

Use Case: When a host believes it is on the same network as the destination (due to misconfigured subnet mask), but actually needs to route through a gateway.

Operation:

  1. Host A sends ARP request for Host B (on different subnet)
  2. Router intercepts the request
  3. Router responds with its own MAC address
  4. Host A sends traffic to router, which forwards to Host B

Security Note: Proxy ARP can be exploited for man-in-the-middle attacks if not properly secured.

Gratuitous ARP

An ARP reply that is broadcast without being triggered by an ARP request [^54^].

Purposes:
  • Update ARP caches of other devices when a MAC address changes
  • Detect IP address conflicts (if a reply is received, the IP is already in use)
  • Announce presence after a network interface comes up
  • Update MAC address tables in switches

Characteristics:

  • Sender IP = Target IP (both set to the host's IP)
  • Broadcast to all devices (FF:FF:FF:FF:FF:FF)
  • No response expected (unless IP conflict detected)

Reverse ARP (RARP)

RARP performs the opposite function of ARP: it maps a MAC address to an IP address [^54^].

Deprecated: RARP has been largely replaced by BOOTP and DHCP, which provide more robust configuration capabilities.

Operation:

  1. Diskless workstation boots up with only MAC address known
  2. Workstation broadcasts RARP request with its MAC address
  3. RARP server (must be on same network) looks up MAC-to-IP mapping
  4. Server responds with IP address

Limitations:

  • Requires RARP server on every network segment
  • No subnet mask or default gateway information provided
  • Does not support dynamic allocation

Inverse ARP (InARP)

Used in Frame Relay and ATM networks to discover the IP address associated with a known virtual circuit identifier [^54^].

Context: InARP is used when a device knows the Data Link Connection Identifier (DLCI) of a remote router but does not know its IP address.

Difference from RARP:

  • RARP: MAC → IP mapping
  • InARP: DLCI (Data Link identifier) → IP mapping

InARP allows Frame Relay stations to discover the protocol addresses of other stations connected to the same network.

Comparison Summary

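+----------------+----------------------------+-----------------------+--------------------------------------+
| Type           | Direction                  | Trigger               | Primary Use                          |
+----------------+----------------------------+-----------------------+--------------------------------------+
| Standard ARP   | IP → MAC                   | Cache miss            | Local network communication          |
| Proxy ARP      | IP → MAC (Router responds) | Cross-network request | Subnet routing transparency          |
| Gratuitous ARP | Announcement               | Self-triggered        | Cache updates, IP conflict detection |
| Reverse ARP    | MAC → IP                   | Boot-up               | Diskless workstation configuration   |
| Inverse ARP    | DLCI → IP                  | Virtual circuit setup | Frame Relay/ATM address resolution   |
+----------------+----------------------------+-----------------------+--------------------------------------+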

5. ARP Cache Management

The ARP cache (or ARP table) stores recent IP-to-MAC address mappings to reduce network broadcast traffic [^2^][^56^].

Cache Entry Types

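+---------+--------------------------+--------------------------+--------------------------------------------+
| Type    | Source                   | Lifetime                 | Characteristics                            |
+---------+--------------------------+--------------------------+--------------------------------------------+
| Dynamic | Learned from ARP replies | Typically 2-20 minutes   | Aged out automatically; most common        |
| Static  | Manually configured      | Permanent (until reboot) | Security risk if not managed; bypasses ARP |
+---------+--------------------------+--------------------------+--------------------------------------------+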

Cache Timeout Mechanisms

Important: ARP cache size is typically small. When full, oldest entries are removed to make space for new mappings [^56^].

Sample ARP Cache Table

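+------------------+-------------------+---------+-----------+-----------+
| Internet Address | Physical Address  | Type    | Interface | Age (min) |
+------------------+-------------------+---------+-----------+-----------+
| 192.168.1.1      | 00:50:56:c0:00:08 | dynamic | eth0      | 4         |
| 192.168.1.5      | 00:0c:29:3e:5a:7b | dynamic | eth0      | 12        |
| 192.168.1.10     | 00:1a:2b:3c:4d:5e | static  | eth0      | permanent |
+------------------+-------------------+---------+-----------+-----------+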

6. ARP Security: Spoofing & Mitigation

🚨 ARP Cache Poisoning (ARP Spoofing)

ARP was designed for efficiency, not security. It lacks authentication mechanisms, making it vulnerable to spoofing attacks [^53^][^6^].

Attack Mechanism:

  1. Attacker sends forged ARP responses to network devices
  2. Falsely claims attacker's MAC is associated with victim's IP (or gateway IP)
  3. Victim updates ARP cache with malicious mapping
  4. Traffic is redirected through attacker's machine (Man-in-the-Middle)

Attack Scenarios [^55^]:

  • Unsolicited Response: Attacker sends ARP reply without any request
  • Multiple Responses: Attacker wins race condition against legitimate response
  • Broadcast Poisoning: Gratuitous ARP to poison entire network

🛡️ Mitigation Techniques

1. Static ARP Entries

Manually configure critical IP-to-MAC mappings (gateway, servers) to prevent spoofing [^53^]:

arp -s 192.168.1.1 00:11:22:33:44:55

2. Dynamic ARP Inspection (DAI)

Switch security feature that validates ARP packets [^53^][^58^]:

  • Intercepts ARP packets on untrusted ports
  • Validates IP-MAC bindings against DHCP snooping database
  • Drops invalid ARP packets

3. DHCP Snooping

Builds trusted binding database for DAI validation:

  • Trusts only specific DHCP server ports
  • Tracks IP-MAC-Port mappings
  • Prevents rogue DHCP servers
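
A simplified model of the DAI check described above, as an added example (not vendor code and not part of the original guide): each ARP packet arriving on an untrusted port is compared with a DHCP snooping binding of IP, MAC and port. The port names, the binding table and the sample packets are constructed for illustration.

```python
from collections import Counter

# Constructed DHCP snooping bindings: IP -> (MAC, switch port). Port names are illustrative.
BINDINGS = {
    "192.168.1.10": ("aa:bb:cc:11:22:33", "Gi0/1"),
    "192.168.1.20": ("dd:ee:ff:44:55:66", "Gi0/2"),
}
TRUSTED_PORTS = {"Gi0/24"}  # assumed uplink toward the router / DHCP server

def inspect_arp(port, sender_ip, sender_mac):
    """Return (action, reason) for one ARP packet received on `port`."""
    if port in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    binding = BINDINGS.get(sender_ip)
    if binding is None:
        return "drop", "no binding for sender IP"
    mac, bound_port = binding
    if sender_mac.lower() != mac:
        return "drop", "sender MAC does not match binding"
    if port != bound_port:
        return "drop", "binding was learned on another port"
    return "forward", "matches binding"

def inspect_all(packets):
    """Apply inspect_arp to (port, sender_ip, sender_mac) tuples; count drops per port."""
    results = [(p, *inspect_arp(*p)) for p in packets]
    drops = Counter(p[0] for p, action, _ in results if action == "drop")
    return results, drops

# Constructed ARP packets as (ingress port, ARP sender IP, ARP sender MAC).
PACKETS = [
    ("Gi0/1", "192.168.1.10", "aa:bb:cc:11:22:33"),   # Host A, legitimate
    ("Gi0/24", "192.168.1.1", "00:50:56:c0:00:08"),   # gateway behind the trusted uplink
    ("Gi0/3", "192.168.1.1", "02:00:00:00:00:99"),    # gateway IP claimed on an access port
    ("Gi0/3", "192.168.1.20", "02:00:00:00:00:99"),   # Host B's IP with a different MAC
    ("Gi0/3", "192.168.1.20", "dd:ee:ff:44:55:66"),   # correct pair, wrong port
]

if __name__ == "__main__":
    results, drops = inspect_all(PACKETS)
    for pkt, action, reason in results:
        print(action.upper(), pkt, "-", reason)
    print("drops per port:", dict(drops))
```

A statically addressed device such as the gateway has no DHCP binding, so in this model it is only accepted because it sits behind a trusted port.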

4. ARP Spoofing Detection Tools

  • arpwatch: Monitors ARP traffic and logs changes
  • ArpON: Portable handler for ARP security
  • XArp: Advanced ARP spoofing detection
  • Wireshark: Packet analysis for ARP anomalies
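
The kind of change monitoring these tools perform, sketched as an added example (not the code of arpwatch or any listed tool, and not part of the original guide): it flags replies that answer no recent request and IP addresses whose claimed MAC changes. It assumes the monitor sees all ARP traffic on the segment (for example from a mirror port); the event tuples and the 2-second window are constructed for illustration.

```python
def monitor(events, request_window=2.0):
    """Return alerts for ARP events given as (time_s, op, sender_ip, sender_mac, target_ip)."""
    last_mac = {}   # IP -> MAC most recently claimed for it
    pending = {}    # IP being resolved -> time of the latest request for it
    alerts = []
    for ts, op, sender_ip, sender_mac, target_ip in events:
        if op == "request":
            pending[target_ip] = ts
        else:
            asked = pending.pop(sender_ip, None)
            if asked is None or ts - asked > request_window:
                # Legitimate gratuitous ARP lands here too: a lead to review, not proof.
                alerts.append((ts, "unsolicited-reply", sender_ip, sender_mac))
        previous = last_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append((ts, "mac-changed", sender_ip, f"{previous} -> {sender_mac}"))
        last_mac[sender_ip] = sender_mac
    return alerts

# Constructed capture: a normal resolution of the gateway, a later reply nobody
# asked for that rebinds the gateway IP, then a normal resolution of Host A.
EVENTS = [
    (0.0, "request", "192.168.1.10", "aa:bb:cc:11:22:33", "192.168.1.1"),
    (0.1, "reply", "192.168.1.1", "00:50:56:c0:00:08", "192.168.1.10"),
    (30.0, "reply", "192.168.1.1", "02:00:00:00:00:99", "192.168.1.10"),
    (31.0, "request", "192.168.1.20", "dd:ee:ff:44:55:66", "192.168.1.10"),
    (31.1, "reply", "192.168.1.10", "aa:bb:cc:11:22:33", "192.168.1.20"),
]

if __name__ == "__main__":
    for alert in monitor(EVENTS):
        print(alert)
```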

5. Network Segmentation

Divide network into smaller VLANs to limit broadcast domain and attack scope [^53^].

6. Encryption

Use VPNs and encryption protocols (HTTPS, SSH) to protect data even if ARP is compromised [^53^].

Best Practice: Combine DAI with IP Source Guard and DHCP snooping for comprehensive Layer 2 security.

7. Practical ARP Commands

Windows Commands

arp -a           Display all ARP cache entries
arp -d           Delete all ARP cache entries
arp -s ip mac    Add static ARP entry (requires elevation)
arp -d ip        Delete specific ARP entry

Linux/Unix Commands

arp -a                    Show all entries in BSD style
arp -n                    Show entries without DNS resolution
ip neigh                  Modern Linux command (iproute2) to show neighbor table
ip neigh flush all        Clear all ARP cache entries
arping -I eth0 -c 3 ip    Send ARP request to specific IP

Cisco IOS Commands

show arp           Display ARP cache [^5^]
show ip arp        Display IP ARP entries only
clear arp-cache    Clear dynamic ARP entries
arp ip mac arpa    Configure static ARP entry

Exam Tip: Remember that show arp displays all ARP entries including other protocols (AppleTalk, etc.), while show ip arp filters for IP only [^5^].

8. Knowledge Check Quiz

Q1: At which OSI layer does ARP operate?

A) Network Layer (Layer 3)
B) Data Link Layer (Layer 2)
C) Transport Layer (Layer 4)
D) Physical Layer (Layer 1)

Q2: What is the destination MAC address in an ARP Request?

A) The target host's MAC address
B) FF:FF:FF:FF:FF:FF (Broadcast)
C) 00:00:00:00:00:00
D) The gateway's MAC address

Q3: Which type of ARP is used to detect IP address conflicts?

A) Proxy ARP
B) Reverse ARP
C) Gratuitous ARP
D) Inverse ARP

Q4: What is the primary vulnerability of the ARP protocol?

A) It uses weak encryption
B) It lacks authentication mechanisms
C) It broadcasts passwords in plaintext
D) It requires manual configuration

Q5: Which switch feature validates ARP packets against DHCP bindings?

A) Port Security
B) Dynamic ARP Inspection (DAI)
C) VLAN Trunking
D) Spanning Tree Protocol

Summary

ARP is a fundamental protocol enabling communication within local area networks by resolving IP addresses to MAC addresses. Key takeaways for communication engineering students:

Further Study: Explore how IPv6 replaces ARP with the Neighbor Discovery Protocol (NDP), which provides similar functionality with improved security through ICMPv6.