Bridging Layer 3 (Network) and Layer 2 (Data Link) in TCP/IP Networks
In TCP/IP networking, devices communicate using two different addressing schemes:
| Layer | Address Type | Length | Example | Characteristics |
|---|---|---|---|---|
| Layer 3 (Network) | IP Address | 32 bits (IPv4) | 192.168.1.1 | Logical, dynamic, routable |
| Layer 2 (Data Link) | MAC Address | 48 bits | 00:1A:2B:3C:4D:5E | Physical, fixed, local |
When a device wants to communicate with another device on the same local network, it knows the destination IP address (from higher-layer protocols), but Ethernet frames require the destination MAC address to deliver the packet. ARP resolves this mismatch by providing dynamic mapping between these address types. [^6^]
ARP operates at the boundary between Layer 2 (Data Link Layer) and Layer 3 (Network Layer) of the OSI model. It is often described as a Layer 2.5 protocol because it facilitates communication between these layers. [^3^]
ARP was originally specified in RFC 826 (1982) by David Plummer. It remains the fundamental protocol for IPv4 address resolution on Ethernet networks. [^8^]
The ARP resolution process involves two main phases: the ARP Request (broadcast) and the ARP Reply (unicast). [^2^]
ARP operates differently depending on whether the destination is local or remote: [^3^]
| Scenario | Source | Destination | ARP Target |
|---|---|---|---|
| Case 1 | Host | Same network | Destination host's MAC |
| Case 2 | Host | Different network | Default gateway's MAC |
| Case 3 | Router | Next hop router | Next router's MAC |
| Case 4 | Router | Same network as interface | Destination host's MAC |
ARP packets are encapsulated directly in Ethernet frames (EtherType 0x0806). The packet format is designed to be flexible enough to support different network types, though Ethernet and IPv4 are most common. [^8^]
ARP packets are encapsulated in Ethernet frames with the following characteristics:
Several variations of ARP have been developed to handle specific networking scenarios: [^1^] [^2^]
A router enabled with Proxy ARP responds to ARP requests on behalf of hosts on a different network segment. When Host A (Network 1) sends an ARP request for Host B (Network 2), the router responds with its own MAC address. Host A sends traffic to the router, which then forwards it to Host B. [^2^]
Use Case: Connecting subnets without configuring default gateways on hosts (legacy networks).
A gratuitous ARP is an ARP reply that is broadcast without a preceding request. It serves two purposes: (1) updating other hosts' ARP caches with new MAC-to-IP mappings, and (2) detecting IP address conflicts (if another host responds, there is a duplicate IP). [^3^]
Trigger Events: IP address change, NIC replacement, system boot.
Reverse ARP (RARP) allows a diskless workstation to obtain its IP address from a RARP server using its known MAC address. The workstation broadcasts its MAC address, and the RARP server responds with the corresponding IP address. [^3^]
Status: Replaced by BOOTP and DHCP (more flexible).
Inverse ARP (InARP) is used in Frame Relay and ATM networks to map Layer 2 virtual circuit identifiers (DLCIs) to Layer 3 IP addresses. Unlike standard ARP (IP→MAC), InARP discovers the IP address associated with a known DLCI. [^2^]
| Type | Direction | Trigger | Modern Usage |
|---|---|---|---|
| Standard ARP | IP → MAC | Cache miss | Universal (IPv4) |
| Proxy ARP | IP → MAC (Router) | Inter-subnet request | Legacy/Specialized |
| Gratuitous ARP | Announcement | Configuration change | Common (HSRP, VRRP) |
| Reverse ARP | MAC → IP | Diskless boot | Obsolete (replaced by DHCP) |
| Inverse ARP | DLCI → IP | VC establishment | Frame Relay (declining) |
To minimize broadcast traffic, operating systems maintain an ARP cache (or ARP table) containing recently resolved IP-to-MAC mappings. Before sending an ARP request, the system checks this cache. [^6^]
Modern operating systems implement sophisticated ARP cache management with multiple states: [^7^]
ARP cache entries are temporary to accommodate network changes (NIC replacements, IP reassignments). Typical timeout values: [^6^]
The arp -a command displays the ARP cache, showing Internet Address, Physical Address (MAC), and Type (dynamic/static). Dynamic entries are learned through ARP; static entries are manually configured.
Attack Mechanism:
| Technique | Description | Implementation |
|---|---|---|
| Static ARP Entries | Manually configure IP-MAC mappings | arp -s ip_address mac_address |
| Dynamic ARP Inspection (DAI) | Switch validates ARP packets against DHCP snooping database | Enterprise switches (Cisco, etc.) |
| ARP Spoofing Detection | Monitor for multiple MACs claiming same IP | Security tools (arpwatch, XArp) |
| Private VLANs | Isolate hosts to prevent direct communication | Switch configuration |
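As an added example (not code from the original page), the following Python decodes the RFC 826 IPv4-over-Ethernet ARP layout described above (EtherType 0x0806) and runs an arpwatch-style check of the kind listed under ARP Spoofing Detection: it records which MAC has claimed each IP and alerts when a different MAC later claims the same IP. All MAC addresses, IPs and frames are constructed for the sample; nothing is read from or sent to a real interface.

```python
import struct
from collections import defaultdict
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP (RFC 826); None if not one."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP packet
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    # hw type, proto type, hw len, proto len, opcode, sender MAC/IP, target MAC/IP
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": mac(sha), "sender_ip": ip(spa), "target_mac": mac(tha),
            "target_ip": ip(tpa), "gratuitous": spa == tpa}  # sender announcing its own IP

class ArpMonitor:
    """arpwatch-style tracker: alerts when a second MAC claims an IP already seen."""
    def __init__(self):
        self.claims = defaultdict(set)  # sender_ip -> set of sender MACs observed
    def observe(self, pkt):
        if pkt is None or pkt["sender_ip"] == "0.0.0.0":  # ARP probe: no address claimed
            return None
        seen = self.claims[pkt["sender_ip"]]
        alert = None
        if seen and pkt["sender_mac"] not in seen:
            alert = f"{pkt['sender_ip']} claimed by {pkt['sender_mac']}, previously {sorted(seen)}"
        seen.add(pkt["sender_mac"])
        return alert

def build_arp(op, sha, spa, tha, tpa, dst=b"\xff" * 6):
    """Assemble a constructed ARP frame for the sample below (not captured traffic)."""
    return (struct.pack("!6s6sH", dst, sha, ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa))

def run_sample():
    """Constructed sequence: normal request/reply for the gateway's IP, then a gratuitous reply from another host announcing the gateway's IP as its own."""
    gw_mac, gw_ip = bytes.fromhex("001a2b3c4d5e"), bytes([192, 168, 1, 1])
    host_mac, host_ip = bytes.fromhex("aabbccddeeff"), bytes([192, 168, 1, 50])
    frames = [
        build_arp(ARP_REQUEST, host_mac, host_ip, b"\x00" * 6, gw_ip),        # who has .1?
        build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, dst=host_mac),  # .1 is at gw_mac
        build_arp(ARP_REPLY, host_mac, gw_ip, b"\xff" * 6, gw_ip),             # gratuitous: .1 is at host_mac
    ]
    mon = ArpMonitor()
    return [a for a in (mon.observe(parse_arp_frame(f)) for f in frames) if a]
```

The monitor is intentionally simple: a legitimate NIC replacement or DHCP reassignment produces the same alert, which is why tools such as arpwatch report changes for an operator to review rather than blocking traffic.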
IPv6 does not use ARP. Instead, it uses the Neighbor Discovery Protocol (NDP), which is part of ICMPv6. NDP provides similar functionality but includes security features like Cryptographically Generated Addresses (CGA) and SeND (Secure Neighbor Discovery). [^4^]
Figure: arp -a and ip neigh output
ARP requests must be broadcast because the sender does not yet know the target's MAC address. All devices on the local segment process the request.
RFC Documents: