Address Resolution Protocol is a protocol used in the Internet Protocol (IP) suite for mapping an IP address to a physical (MAC) address on the local network.
LAN communications happen at the data link layer using MAC addresses because devices on the same network segment are directly reachable via the physical network medium (like Ethernet or WiFi), which operates using MAC addresses.
As soon as traffic has to reach another network or VLAN, routing is needed: ARP only resolves addresses on the local segment, so the sending host uses it to find the MAC address of its default gateway and the router forwards the packet from there.
The ARP request is sent as a broadcast packet to all devices on the same network segment. The device with the requested IP address will respond with an ARP reply that contains its MAC address.
While ARP requests are typically broadcast, ARP replies are unicast, meaning they are sent directly to the device that made the request. This is possible because the request carried the requester's MAC address in its sender hardware address field, so the replying device already knows where to send the reply.
A gratuitous ARP is a proactive ARP message a device sends, without being asked, to announce or update its own IP-to-MAC mapping to the entire network. It is broadcast and carries the sender's own IP address in both the sender and target protocol address fields, so every host that already has an entry for that IP refreshes it. That is what makes it useful after a failover or an interface change, and it is also exactly the behaviour an ARP poisoning tool abuses.
An ARP packet consists of the following fields:
- Hardware Type: This field identifies the type of link-layer hardware (1 for Ethernet, which is also the value used on WiFi).
- Protocol Type: This field identifies the protocol whose addresses are being resolved (0x0800 for IPv4, the same value as the EtherType).
- Hardware Address Length: The length of the hardware address (MAC Address).
- Protocol Address Length: The length of the protocol address (IP Address).
- Operation: Specifies the operation that the sender is performing: 1 for request, 2 for reply.
- Sender Hardware Address (SHA): The MAC address of the sender.
- Sender Protocol Address (SPA): The IP address of the sender.
- Target Hardware Address (THA): The MAC address of the intended receiver. In an ARP request this is the unknown value being asked for, so the field is filled with zeros and ignored.
- Target Protocol Address (TPA): The IP address of the intended receiver.
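A builder and parser for the field layout above, written in Python as an added example (not code from the original page); the MAC and IP addresses are made up. It also works through the exchanges described earlier: a request with a zeroed THA, a reply that copies the requester's sender fields into its target fields, a gratuitous announcement with SPA equal to TPA, and which of those frames go to the Ethernet broadcast address.

```python
import struct
from dataclasses import dataclass

# Fixed part of an ARP packet, network byte order: htype, ptype, hlen, plen, oper
ARP_HEADER = struct.Struct("!HHBBH")
HTYPE_ETHERNET = 1        # hardware type 1 = Ethernet (RFC 826)
PTYPE_IPV4 = 0x0800       # protocol type = IPv4 (same value as the EtherType)
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpPacket:
    oper: int
    sha: str   # sender hardware address
    spa: str   # sender protocol address
    tha: str   # target hardware address (all zeros in a request)
    tpa: str   # target protocol address
    htype: int = HTYPE_ETHERNET
    ptype: int = PTYPE_IPV4

    def to_bytes(self) -> bytes:
        """Serialise to the 28-byte Ethernet/IPv4 ARP wire format."""
        return (ARP_HEADER.pack(self.htype, self.ptype, 6, 4, self.oper)
                + mac_to_bytes(self.sha) + ip_to_bytes(self.spa)
                + mac_to_bytes(self.tha) + ip_to_bytes(self.tpa))

    @classmethod
    def from_bytes(cls, data: bytes) -> "ArpPacket":
        """Parse the wire format, rejecting truncated or non-Ethernet/IPv4 packets."""
        if len(data) < ARP_HEADER.size:
            raise ValueError("truncated ARP header")
        htype, ptype, hlen, plen, oper = ARP_HEADER.unpack_from(data)
        if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
            raise ValueError("only Ethernet/IPv4 ARP is supported")
        body = data[ARP_HEADER.size:]
        if len(body) < 2 * (hlen + plen):
            raise ValueError("truncated ARP body")
        return cls(oper,
                   bytes_to_mac(body[0:6]), bytes_to_ip(body[6:10]),
                   bytes_to_mac(body[10:16]), bytes_to_ip(body[16:20]),
                   htype, ptype)


def arp_request(my_mac, my_ip, target_ip):
    """'Who has target_ip? Tell my_ip.' The THA is unknown, so it is sent as zeros."""
    return ArpPacket(OP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip)


def gratuitous_arp(my_mac, my_ip):
    """Announcement of our own mapping: SPA == TPA, broadcast to the whole segment."""
    return ArpPacket(OP_REQUEST, my_mac, my_ip, ZERO_MAC, my_ip)


def is_gratuitous(pkt):
    return pkt.spa == pkt.tpa


def answer_request(pkt, my_mac, my_ip):
    """What a receiving host does: reply only if the request asks for *our* IP.
    A gratuitous ARP naming our IP is a conflict, not a question, so no reply.
    The reply's target fields are copied from the request's sender fields."""
    if pkt.oper != OP_REQUEST or pkt.tpa != my_ip or is_gratuitous(pkt):
        return None
    return ArpPacket(OP_REPLY, my_mac, my_ip, pkt.sha, pkt.spa)


def frame_destination(pkt):
    """Ethernet destination MAC: requests and announcements are broadcast,
    a normal reply is unicast to the requester's MAC (now known from its SHA)."""
    if pkt.oper == OP_REQUEST or is_gratuitous(pkt):
        return BROADCAST_MAC
    return pkt.tha
```

The parser deliberately refuses anything other than Ethernet/IPv4 with 6-byte and 4-byte addresses rather than trusting the length fields in the packet; on real captures that is where malformed ARP from scanners or fuzzers shows up first.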
ARP is usually drawn at the Internet layer of the TCP/IP model (the Network layer, Layer 3, of the OSI model) because it works with IP addresses.
It is just as often placed at the Network Interface layer of the TCP/IP model (the Data Link layer of the OSI model), because it translates IP addresses to MAC addresses, which is what delivery on the local link needs. On the wire, ARP messages are not carried inside IP packets at all: they travel directly in Ethernet frames with their own EtherType (0x0806).
In short, ARP sits between the two layers and doesn't fit neatly into either model.
ARP can be exploited in an ARP spoofing (or ARP poisoning) attack, where an attacker sends falsified ARP messages over a local area network to link the attacker’s MAC address with the IP address of another host, causing network traffic to be sent to the attacker instead of to the intended host.
Static ARP entries can be used to prevent ARP spoofing, because a static entry is not overwritten by incoming ARP messages; the cost is that every entry has to be maintained by hand, which only scales to a few critical mappings such as the default gateway.
Dynamic ARP Inspection (DAI) is a security feature on modern switches that inspects ARP packets arriving on untrusted ports, checks the sender's IP-to-MAC pair against the bindings learned through DHCP snooping (or configured statically), and drops the packets that do not match.
IPsec can encrypt and/or authenticate all traffic at the IP layer. It does not stop an attacker from redirecting frames with ARP spoofing, but it limits the damage: the redirected traffic can be neither read nor silently modified.
If an attacker successfully performs an ARP spoofing attack, the ARP cache of the victim's machine will contain the wrong MAC address; clearing the poisoned entry restores the correct mapping on the next lookup. On its own that is only a temporary fix, because the attacker can simply poison the cache again, so the attacking host also has to be found and removed from the segment.
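The attack and the two checks described above, as an added Python example that is not part of the original page: a DAI-style inspect() that validates each ARP packet from an untrusted port against a binding table, and an arpwatch-style ArpWatcher that raises an alert when the MAC claimed for an IP changes, which is what a poisoned cache looks like from the host's side. The addresses, switch port names and the captured packets are all constructed for the example.

```python
from collections import namedtuple

OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC, BROADCAST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"

# One already-decoded ARP packet plus the switch port it arrived on.
Arp = namedtuple("Arp", "oper sha spa tha tpa port")
Binding = namedtuple("Binding", "mac port")

# Constructed binding table: what a switch learns from DHCP snooping, plus a
# static entry for the gateway. Hypothetical addresses and port names.
BINDINGS = {
    "10.0.0.1":  Binding("00:11:22:33:44:01", "Gi1/0/1"),   # router, static
    "10.0.0.20": Binding("00:11:22:33:44:20", "Gi1/0/5"),   # victim workstation
    "10.0.0.66": Binding("de:ad:be:ef:00:66", "Gi1/0/7"),   # attacker's own lease
}
TRUSTED_PORTS = {"Gi1/0/1"}   # uplink to the router: DAI skips inspection here


def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """DAI-style check on one ARP packet. Returns (allowed, reason).
    The sender's claimed IP-to-MAC pair must match the binding for that IP,
    and the packet must arrive on the port that binding was learned on."""
    if pkt.port in trusted:
        return True, "trusted port"
    if pkt.sha in (ZERO_MAC, BROADCAST_MAC):
        return False, "invalid sender MAC"
    b = bindings.get(pkt.spa)
    if b is None:
        return False, f"no binding for {pkt.spa}"
    if (b.mac, b.port) != (pkt.sha, pkt.port):
        return False, (f"{pkt.spa} is bound to {b.mac} on {b.port}, "
                       f"not {pkt.sha} on {pkt.port}")
    return True, "matches binding"


class ArpWatcher:
    """Host-side detector (arpwatch-style): remember the MAC each IP has claimed
    and record an alert when a mapping flips."""

    def __init__(self):
        self.seen = {}      # ip -> mac
        self.alerts = []    # (ip, old_mac, new_mac)

    def observe(self, pkt):
        # Requests and replies both carry a usable SHA/SPA pair, so learn from both.
        old = self.seen.get(pkt.spa)
        if old is not None and old != pkt.sha:
            self.alerts.append((pkt.spa, old, pkt.sha))
        self.seen[pkt.spa] = pkt.sha


# Constructed capture: normal resolution of the gateway, then a poisoned reply.
CAPTURE = [
    Arp(OP_REQUEST, "00:11:22:33:44:20", "10.0.0.20", ZERO_MAC, "10.0.0.1", "Gi1/0/5"),
    Arp(OP_REPLY, "00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:20", "10.0.0.20", "Gi1/0/1"),
    # attacker claims the gateway's IP with its own MAC, from its own port
    Arp(OP_REPLY, "de:ad:be:ef:00:66", "10.0.0.1", "00:11:22:33:44:20", "10.0.0.20", "Gi1/0/7"),
    # the attacker's honest traffic for its own lease still passes
    Arp(OP_REQUEST, "de:ad:be:ef:00:66", "10.0.0.66", ZERO_MAC, "10.0.0.20", "Gi1/0/7"),
]


def run_dai(capture=CAPTURE):
    return [inspect(p) for p in capture]


def run_watcher(capture=CAPTURE):
    w = ArpWatcher()
    for p in capture:
        w.observe(p)
    return w.alerts


if __name__ == "__main__":
    for p, (ok, why) in zip(CAPTURE, run_dai()):
        print("ALLOW" if ok else "DROP ", p.spa, p.sha, why)
    for ip, old, new in run_watcher():
        print(f"ALERT: {ip} changed from {old} to {new}")
```

The switch-side check stops the poisoned reply before it reaches the victim; the host-side watcher only sees it after the fact, which is why it reports the old and new MAC rather than blocking anything. Note that the watcher would also fire on a legitimate change (a NIC swap or a gateway failover), so an alert is a prompt to look, not proof of an attack.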
Clearing the ARP cache can also be helpful if a device's IP address has changed and other devices on the network still have the old IP-to-MAC mapping in their ARP caches.
Issues with ARP that can be resolved by clearing the cache:
- If a device has been manually assigned an IP address that is already in use on the network, you get an IP conflict: different devices on the segment can end up with different MAC addresses cached for the same IP, depending on which host answered their ARP request last.
- Changing the network interface a host uses (for example a server switching from wired to wireless) changes its MAC address, because a MAC address is tied to a specific interface, so other hosts keep sending frames to the old address until their entries expire.
- High network latency or packet loss can sometimes be caused by stale or incorrect ARP cache entries, since frames sent to a MAC address that is no longer on the segment are simply lost.
- Changes to the network layout, such as the introduction of new routers or VLANs, can leave outdated information in the ARP cache.
However, under normal circumstances adding a new device to the network should not cause issues with the ARP cache on other devices; it only causes problems if the new device is manually configured with an IP address that is already in use on the network.
Windows:
arp -a          shows the cached IP-to-MAC mappings for each interface
arp -d <ip>     deletes the entry for one IP address
arp -d *        flushes the whole cache (both delete forms need an elevated prompt)