Address Resolution Protocol (ARP)

Bridging Layer 3 (Network) and Layer 2 (Data Link) in TCP/IP Networks

📚 Undergraduate Level 🎯 Communication Engineering ⏱️ Study Time: 45 min

1. Introduction to ARP

Definition: ARP (Address Resolution Protocol) is a communication protocol used to map a network layer protocol address (IP address) to a data link layer physical address (MAC address) in a local area network (LAN).

1.1 Why ARP is Necessary

In TCP/IP networking, devices communicate using two different addressing schemes:

Layer Address Type Length Example Characteristics
Layer 3 (Network) IP Address 32 bits (IPv4) 192.168.1.1 Logical, dynamic, routable
Layer 2 (Data Link) MAC Address 48 bits 00:1A:2B:3C:4D:5E Physical, fixed, local

When a device wants to communicate with another device on the same local network, it knows the destination IP address (from higher-layer protocols), but Ethernet frames require the destination MAC address to deliver the packet. ARP resolves this mismatch by providing dynamic mapping between these address types.

1.2 ARP in the OSI Model

ARP operates at the boundary between Layer 2 (Data Link Layer) and Layer 3 (Network Layer) of the OSI model. It is often described as a Layer 2.5 protocol because it facilitates communication between these layers.

RFC 826 Standard Definition

ARP was originally specified in RFC 826 (1982) by David Plummer. It remains the fundamental protocol for IPv4 address resolution on Ethernet networks.

2. ARP Operation

2.1 Basic ARP Process

The ARP resolution process involves two main phases: the ARP Request (broadcast) and the ARP Reply (unicast).

Step-by-Step Operation:

  1. Cache Check: When Host A wants to send data to Host B, it first checks its ARP cache (a local table storing recent IP-to-MAC mappings).
  2. ARP Request: If the mapping is not found, Host A broadcasts an ARP Request packet to all devices on the local network (destination MAC: FF:FF:FF:FF:FF:FF). The request asks: "Who has IP address X? Please send me your MAC address."
  3. Request Processing: All devices on the network receive the broadcast. Each device checks if the target IP address in the request matches its own IP address.
  4. ARP Reply: Only Host B (the device with the matching IP address) responds with an ARP Reply (unicast) containing its MAC address.
  5. Cache Update: Host A receives the reply, extracts the MAC address, updates its ARP cache, and proceeds to send the original data packet encapsulated in an Ethernet frame.
Key Insight: When a host receives an ARP request for its own IP address, it updates its own ARP cache with the sender's information (IP and MAC) from the request packet, even before sending a reply. This optimizes future communication.

2.2 Communication Scenarios

ARP operates differently depending on whether the destination is local or remote:

Scenario Source Destination ARP Target
Case 1 Host Same network Destination host's MAC
Case 2 Host Different network Default gateway's MAC
Case 3 Router Next hop router Next router's MAC
Case 4 Router Same network as interface Destination host's MAC

3. ARP Packet Format

ARP packets are encapsulated directly in Ethernet frames (EtherType 0x0806). The packet format is designed to be flexible enough to support different network types, though Ethernet and IPv4 are most common.

3.1 Packet Structure

Hardware Type 16 bits Network link type (1 = Ethernet)
Protocol Type 16 bits Protocol address type (0x0800 = IPv4)
Hardware Length 8 bits Length of MAC address (6 bytes for Ethernet)
Protocol Length 8 bits Length of IP address (4 bytes for IPv4)
Operation 16 bits 1 = Request, 2 = Reply
Sender Hardware Address Variable MAC address of sender (e.g., 00:11:22:33:44:55)
Sender Protocol Address Variable IP address of sender (e.g., 192.168.1.1)
Target Hardware Address Variable MAC address of target (00:00:00:00:00:00 in request)
Target Protocol Address Variable IP address of target (the address being resolved)
Important Note: In an ARP Request, the Target Hardware Address field is set to 00:00:00:00:00:00 because this is the information being requested. The Target Protocol Address contains the IP address that needs resolution.

3.2 Ethernet Frame Encapsulation

ARP packets are encapsulated in Ethernet frames with the following characteristics:

4. Types of ARP

Several variations of ARP have been developed to handle specific networking scenarios:

4.1 Proxy ARP

Router Feature Proxy ARP

A router enabled with Proxy ARP responds to ARP requests on behalf of hosts on a different network segment. When Host A (Network 1) sends an ARP request for Host B (Network 2), the router responds with its own MAC address. Host A sends traffic to the router, which then forwards it to Host B.

Use Case: Connecting subnets without configuring default gateways on hosts (legacy networks).

4.2 Gratuitous ARP

Announcement Gratuitous ARP

An ARP reply that is broadcast without a preceding request. It serves two purposes: (1) Updating other hosts' ARP caches with new MAC-to-IP mappings, and (2) Detecting IP address conflicts (if another host responds, there's a duplicate IP).

Trigger Events: IP address change, NIC replacement, system boot.

4.3 Reverse ARP (RARP)

Obsolete Reverse ARP (RARP)

Allows a diskless workstation to obtain its IP address from a RARP server using its known MAC address. The workstation broadcasts its MAC address, and the RARP server responds with the corresponding IP address.

Status: Replaced by BOOTP and DHCP (more flexible).

4.4 Inverse ARP (InARP)

Frame Relay/ATM Inverse ARP

Used in Frame Relay and ATM networks to map Layer 2 virtual circuit identifiers (DLCIs) to Layer 3 IP addresses. Unlike standard ARP (IP→MAC), InARP discovers the IP address associated with a known DLCI.

Type Direction Trigger Modern Usage
Standard ARP IP → MAC Cache miss Universal (IPv4)
Proxy ARP IP → MAC (Router) Inter-subnet request Legacy/Specialized
Gratuitous ARP Announcement Configuration change Common (HSRP, VRRP)
Reverse ARP MAC → IP Diskless boot Obsolete (replaced by DHCP)
Inverse ARP DLCI → IP VC establishment Frame Relay (declining)

5. ARP Cache Management

5.1 ARP Cache Function

To minimize broadcast traffic, operating systems maintain an ARP cache (or ARP table) containing recently resolved IP-to-MAC mappings. Before sending an ARP request, the system checks this cache.

5.2 Cache States (Linux Implementation)

Modern operating systems implement sophisticated ARP cache management with multiple states:

NONE
No entry
INCOMPLETE
Request sent
REACHABLE
Confirmed
STALE
Timeout

5.3 Cache Timeout

ARP cache entries are temporary to accommodate network changes (NIC replacements, IP reassignments). Typical timeout values:

5.4 Viewing ARP Cache

# Windows - View ARP cache
C:\> arp -a
# Linux/Unix - View ARP table
$ ip neigh show
$ cat /proc/net/arp
# macOS
$ arp -a
Exam Tip: The arp -a command displays the ARP cache showing Internet Address, Physical Address (MAC), and Type (dynamic/static). Dynamic entries are learned through ARP; static entries are manually configured.

6. ARP Security Issues

6.1 ARP Spoofing (Cache Poisoning)

Critical Vulnerability: ARP is a stateless protocol with no authentication mechanism. Any device can send ARP replies, even without a request, and hosts will accept and update their caches.

Attack Mechanism:

  1. Attacker sends forged ARP replies to Host A, claiming that Host B's IP address maps to the attacker's MAC address.
  2. Host A updates its ARP cache with the false mapping.
  3. Traffic from Host A to Host B is sent to the attacker instead.
  4. Attacker can intercept (Man-in-the-Middle), modify, or drop traffic.

6.2 Mitigation Techniques

Technique Description Implementation
Static ARP Entries Manually configure IP-MAC mappings arp -s ip_address mac_address
Dynamic ARP Inspection (DAI) Switch validates ARP packets against DHCP snooping database Enterprise switches (Cisco, etc.)
ARP Spoofing Detection Monitor for multiple MACs claiming same IP Security tools (arpwatch, XArp)
Private VLANs Isolate hosts to prevent direct communication Switch configuration

6.3 IPv6 and NDP

IPv6 does not use ARP. Instead, it uses the Neighbor Discovery Protocol (NDP), which is part of ICMPv6. NDP provides similar functionality but includes security features like Cryptographically Generated Addresses (CGA) and SeND (Secure Neighbor Discovery).

7. Key Takeaways

  • ARP resolves IP addresses (Layer 3) to MAC addresses (Layer 2) for local network communication.
  • ARP uses broadcast requests (FF:FF:FF:FF:FF:FF) and unicast replies.
  • The ARP cache stores recent mappings to reduce network broadcast traffic.
  • Proxy ARP enables routers to respond on behalf of remote hosts.
  • Gratuitous ARP updates caches without a request (used for HA protocols).
  • ARP is stateless and unauthenticated, making it vulnerable to spoofing attacks.
  • Dynamic ARP Inspection (DAI) and static entries help mitigate ARP poisoning.

Study Checklist

Quick Knowledge Check

What is the destination MAC address in an ARP Request packet?
A) The MAC address of the target host
B) 00:00:00:00:00:00
C) The MAC address of the default gateway
D) FF:FF:FF:FF:FF:FF (Broadcast)

ARP requests must be broadcast because the sender does not yet know the target's MAC address. All devices on the local segment process the request.

References & Further Reading

  1. Coursera. "What Is Address Resolution Protocol?" Coursera Articles, 2025.
  2. IPXO. "Address Resolution Protocol: A Beginner's Guide." IPXO Blog, 2024.
  3. GeeksforGeeks. "How Address Resolution Protocol (ARP) Works?" GeeksforGeeks, 2024.
  4. Okta. "Address Resolution Protocol (ARP): What It Is and How It Works." Okta Identity 101, 2024.
  5. Manwani, Silky. "ARP Cache Poisoning Detection and Prevention." San Jose State University, 2003.
  6. Fortinet. "What Is ARP (Address Resolution Protocol)?" Fortinet CyberGlossary.
  7. NYU WIRELESS. "Address Resolution Protocol (ARP)." WITest Lab, 2023.
  8. Tutorialspoint. "Address Resolution Protocol (ARP)." Data Communication and Computer Network.
  9. Study CCNA. "ARP (Address Resolution Protocol) Explained." Study-CCNA.com, 2022.

RFC Documents: