Address Resolution Protocol

Last updated

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC   826, [1] which is Internet Standard STD 37.

Contents

ARP has been implemented with many combinations of network and data link layer technologies, such as IPv4, Chaosnet, DECnet and Xerox PARC Universal Packet (PUP) using IEEE 802 standards, FDDI, X.25, Frame Relay and Asynchronous Transfer Mode (ATM).

In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).

Operating scope

The Address Resolution Protocol is a request-response protocol. Its messages are directly encapsulated by a link layer protocol. It is communicated within the boundaries of a single subnetwork and is never routed.

Packet structure

The Address Resolution Protocol uses a simple message format containing one address resolution request or response. The packets are carried at the data link layer of the underlying network as raw payload. In the case of Ethernet, a 0x0806 EtherType value is used to identify ARP frames.

The size of the ARP message depends on the link layer and network layer address sizes. The message header specifies the types of network in use at each layer as well as the size of addresses of each. The message header is completed with the operation code for request (1) and reply (2). The payload of the packet consists of four addresses, the hardware and protocol address of the sender and receiver hosts.

The principal packet structure of ARP packets is shown in the following table which illustrates the case of IPv4 networks running on Ethernet. In this scenario, the packet has 48-bit fields for the sender hardware address (SHA) and target hardware address (THA), and 32-bit fields for the corresponding sender and target protocol addresses (SPA and TPA). The ARP packet size in this case is 28 bytes.

Internet Protocol (IPv4) over Ethernet ARP packet
Octet offset01
0Hardware type (HTYPE)
2Protocol type (PTYPE)
4Hardware address length (HLEN)Protocol address length (PLEN)
6Operation (OPER)
8Sender hardware address (SHA) (first 2 bytes)
10(next 2 bytes)
12(last 2 bytes)
14Sender protocol address (SPA) (first 2 bytes)
16(last 2 bytes)
18Target hardware address (THA) (first 2 bytes)
20(next 2 bytes)
22(last 2 bytes)
24Target protocol address (TPA) (first 2 bytes)
26(last 2 bytes)
Hardware type (HTYPE)
This field specifies the network link protocol type. Example: Ethernet is 1. [2]
Protocol type (PTYPE)
This field specifies the internetwork protocol for which the ARP request is intended. For IPv4, this has the value 0x0800. The permitted PTYPE values share a numbering space with those for EtherType. [2] [3]
Hardware length (HLEN)
Length (in octets) of a hardware address. Ethernet address length is 6.
Protocol length (PLEN)
Length (in octets) of internetwork addresses. The internetwork protocol is specified in PTYPE. Example: IPv4 address length is 4.
Operation
Specifies the operation that the sender is performing: 1 for request, 2 for reply.
Sender hardware address (SHA)
Media address of the sender. In an ARP request this field is used to indicate the address of the host sending the request. In an ARP reply this field is used to indicate the address of the host that the request was looking for.
Sender protocol address (SPA)
Internetwork address of the sender.
Target hardware address (THA)
Media address of the intended receiver. In an ARP request this field is ignored. In an ARP reply this field is used to indicate the address of the host that originated the ARP request.
Target protocol address (TPA)
Internetwork address of the intended receiver.

ARP protocol parameter values have been standardized and are maintained by the Internet Assigned Numbers Authority (IANA). [2]

The EtherType for ARP is 0x0806. This appears in the Ethernet frame header when the payload is an ARP packet and is not to be confused with PTYPE, which appears within this encapsulated ARP packet.

Layering

ARP's placement within the Internet protocol suite and the OSI model may be a matter of confusion or even of dispute. RFC   826 places it into the Link Layer and characterizes it as a tool to inquire about the "higher level layer", such as the Internet layer. [4] RFC   1122 also discusses ARP in its link layer section. [5] [6] Richard Stevens places ARP in OSI's data link layer [7] while newer editions associate it with the network layer or introduce an intermediate OSI layer 2.5. [8]

Example

Two computers in an office (Computer 1 and Computer 2) are connected to each other in a local area network by Ethernet cables and network switches, with no intervening gateways or routers. Computer 1 has a packet to send to Computer 2. Through DNS, it determines that Computer 2 has the IP address 192.168.0.55.

To send the message, it also requires Computer 2's MAC address. First, Computer 1 uses a cached ARP table to look up 192.168.0.55 for any existing records of Computer 2's MAC address (00:EB:24:B2:05:AC). If the MAC address is found, it sends an Ethernet frame containing the IP packet onto the link with the destination address 00:EB:24:B2:05:AC. If the cache did not produce a result for 192.168.0.55, Computer 1 has to send a broadcast ARP request message (destination FF:FF:FF:FF:FF:FF MAC address), which is accepted by all computers on the local network, requesting an answer for 192.168.0.55.

Computer 2 responds with an ARP response message containing its MAC and IP addresses. As part of fielding the request, Computer 2 may insert an entry for Computer 1 into its ARP table for future use.

Computer 1 receives and caches the response information in its ARP table and can now send the packet. [9]

ARP probe

An ARP probe in IPv4 is an ARP request constructed with the SHA of the probing host, an SPA of all 0s, a THA of all 0s, and a TPA set to the IPv4 address being probed for. If some host on the network regards the IPv4 address (in the TPA) as its own, it will reply to the probe (via the SHA of the probing host) thus informing the probing host of the address conflict. If instead there is no host which regards the IPv4 address as its own, then there will be no reply. When several such probes have been sent, with slight delays, and none receive replies, it can reasonably be expected that no conflict exists. As the original probe packet contains neither a valid SHA/SPA nor a valid THA/TPA pair, there is no risk of any host using the packet to update its cache with problematic data. Before beginning to use an IPv4 address (whether received from manual configuration, DHCP, or some other means), a host implementing this specification must test to see if the address is already in use, by broadcasting ARP probe packets. [10] [11]

ARP announcements

ARP may also be used as a simple announcement protocol. This is useful for updating other hosts' mappings of a hardware address when the sender's IP address or MAC address changes. Such an announcement, also called a gratuitous ARP (GARP) message, is usually broadcast as an ARP request containing the SPA in the target field (TPA=SPA), with THA set to zero. An alternative way is to broadcast an ARP reply with the sender's SHA and SPA duplicated in the target fields (TPA=SPA, THA=SHA).

The ARP request and ARP reply announcements are both standards-based methods, [12] [13] but the ARP request method is preferred. [14] Some devices may be configured for the use of either of these two types of announcements. [15]

An ARP announcement is not intended to solicit a reply; instead, it updates any cached entries in the ARP tables of other hosts that receive the packet. The operation code in the announcement may be either request or reply; the ARP standard specifies that the opcode is only processed after the ARP table has been updated from the address fields. [16] [17] [18]

Many operating systems issue an ARP announcement during startup. This helps to resolve problems which would otherwise occur if, for example, a network card was recently changed (changing the IP-address-to-MAC-address mapping) and other hosts still have the old mapping in their ARP caches.

ARP announcements are also used by some network interfaces to provide load balancing for incoming traffic. In a team of network cards, it is used to announce a different MAC address within the team that should receive incoming packets.

ARP announcements can be used in the Zeroconf protocol to allow automatic assignment of a link-local address to an interface where no other IP address configuration is available. The announcements are used to ensure an address chosen by a host is not in use by other hosts on the network link. [19]

This function can be dangerous from a cybersecurity viewpoint since an attacker can obtain information about the other hosts of its subnet to save in their ARP cache (ARP spoofing) an entry where the attacker MAC is associated, for instance, to the IP of the default gateway, thus allowing them to intercept all the traffic to external networks.

ARP mediation

ARP mediation refers to the process of resolving Layer-2 addresses through a virtual private wire service (VPWS) when different resolution protocols are used on the connected circuits, e.g., Ethernet on one end and Frame Relay on the other. In IPv4, each provider edge (PE) device discovers the IP address of the locally attached customer edge (CE) device and distributes that IP address to the corresponding remote PE device. Then each PE device responds to local ARP requests using the IP address of the remote CE device and the hardware address of the local PE device. In IPv6, each PE device discovers the IP address of both local and remote CE devices and then intercepts local Neighbor Discovery (ND) and Inverse Neighbor Discovery (IND) packets and forwards them to the remote PE device. [20]

Inverse ARP and Reverse ARP

Inverse Address Resolution Protocol (Inverse ARP or InARP) is used to obtain network layer addresses (for example, IP addresses) of other nodes from data link layer (Layer 2) addresses. Since ARP translates layer-3 addresses to layer-2 addresses, InARP may be described as its inverse. In addition, InARP is implemented as a protocol extension to ARP: it uses the same packet format as ARP, but different operation codes.

InARP is primarily used in Frame Relay (DLCI) and ATM networks, in which layer-2 addresses of virtual circuits are sometimes obtained from layer-2 signaling, and the corresponding layer-3 addresses must be available before those virtual circuits can be used. [21]

The Reverse Address Resolution Protocol (Reverse ARP or RARP), like InARP, translates layer-2 addresses to layer-3 addresses. However, in InARP the requesting station queries the layer-3 address of another node, whereas RARP is used to obtain the layer-3 address of the requesting station itself for address configuration purposes. RARP is obsolete; it was replaced by BOOTP, which was later superseded by the Dynamic Host Configuration Protocol (DHCP). [22]

ARP spoofing and proxy ARP

A successful ARP spoofing attack allows an attacker to perform a man-in-the-middle attack. ARP Spoofing.svg
A successful ARP spoofing attack allows an attacker to perform a man-in-the-middle attack.

Because ARP does not provide methods for authenticating ARP replies on a network, ARP replies can come from systems other than the one with the required Layer 2 address. An ARP proxy is a system that answers the ARP request on behalf of another system for which it will forward traffic, normally as a part of the network's design, such as for a dialup internet service. By contrast, in ARP spoofing the answering system, or spoofer, replies to a request for another system's address with the aim of intercepting data bound for that system. A malicious user may use ARP spoofing to perform a man-in-the-middle or denial-of-service attack on other users on the network. Various software exists to both detect and perform ARP spoofing attacks, though ARP itself does not provide any methods of protection from such attacks. [23]

Alternatives

IPv6 uses the Neighbor Discovery Protocol and its extensions such as Secure Neighbor Discovery, rather than ARP.

Computers can maintain lists of known addresses, rather than using an active protocol. In this model, each computer maintains a database of the mapping of Layer 3 addresses (e.g., IP addresses) to Layer 2 addresses (e.g., Ethernet MAC addresses). This data is maintained primarily by interpreting ARP packets from the local network link. Thus, it is often called the ARP cache . Since at least the 1980s, [24] networked computers have a utility called arp for interrogating or manipulating this database. [25] [26] [27]

Historically, other methods were used to maintain the mapping between addresses, such as static configuration files, [28] or centrally maintained lists.

ARP stuffing

Embedded systems such as networked cameras [29] and networked power distribution devices, [30] which lack a user interface, can use so-called ARP stuffing to make an initial network connection, although this is a misnomer, as ARP is not involved.

ARP stuffing is accomplished as follows:

  1. The user's computer has an IP address stuffed manually into its address table (normally with the arp command with the MAC address taken from a label on the device)
  2. The computer sends special packets to the device, typically a ping packet with a non-default size.
  3. The device then adopts this IP address
  4. The user then communicates with it by telnet or web protocols to complete the configuration.

Such devices typically have a method to disable this process once the device is operating normally, as the capability can make it vulnerable to attack.

Standards documents

See also

Related Research Articles

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address, for example, an error is indicated when a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications.

<span class="mw-page-title-main">Internet Protocol version 4</span> Fourth version of the Internet Protocol

Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It is still used to route most Internet traffic today, even with the ongoing deployment of Internet Protocol version 6 (IPv6), its successor.

<span class="mw-page-title-main">IPv6</span> Version 6 of the Internet Protocol

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion, and was intended to replace IPv4. In December 1998, IPv6 became a Draft Standard for the IETF, which subsequently ratified it as an Internet Standard on 14 July 2017.

In computer networking, the maximum transmission unit (MTU) is the size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction. The MTU relates to, but is not identical to the maximum frame size that can be transported on the data link layer, e.g., Ethernet frame.

A multicast address is a logical identifier for a group of hosts in a computer network that are available to process datagrams or frames intended to be multicast for a designated network service. Multicast addressing can be used in the link layer, such as Ethernet multicast, and at the internet layer for Internet Protocol Version 4 (IPv4) or Version 6 (IPv6) multicast.

Proxy ARP is a technique by which a proxy server on a given network answers the Address Resolution Protocol (ARP) queries for an IP address that is not on that network. The proxy is aware of the location of the traffic's destination and offers its own MAC address as the destination. The traffic directed to the proxy address is then typically routed by the proxy to the intended destination via another interface or via a tunnel.

The Reverse Address Resolution Protocol (RARP) is an obsolete computer communication protocol used by a client computer to request its Internet Protocol (IPv4) address from a computer network, when all it has available is its link layer or hardware address, such as a MAC address. The client broadcasts the request and does not need prior knowledge of the network topology or the identities of servers capable of fulfilling its request.

In the seven-layer OSI model of computer networking, the network layer is layer 3. The network layer is responsible for packet forwarding including routing through intermediate routers.

The Bootstrap Protocol (BOOTP) is a computer networking protocol used in Internet Protocol networks to automatically assign an IP address to network devices from a configuration server. The BOOTP was originally defined in RFC 951 published in 1985.

Zero-configuration networking (zeroconf) is a set of technologies that automatically creates a usable computer network based on the Internet Protocol Suite (TCP/IP) when computers or network peripherals are interconnected. It does not require manual operator intervention or special configuration servers. Without zeroconf, a network administrator must set up network services, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), or configure each computer's network settings manually.

<span class="mw-page-title-main">ARP spoofing</span> Cyberattack which associates the attackers MAC address with the IP address of another host

In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

A broadcast address is a network address used to transmit to all devices connected to a multiple-access communications network. A message sent to a broadcast address may be received by all network-attached hosts.

In computer networking, localhost is a hostname that refers to the current computer used to access it. The name localhost is reserved for loopback purposes. It is used to access the network services that are running on the host via the loopback network interface. Using the loopback interface bypasses any local network interface hardware.

The Neighbor Discovery Protocol (NDP), or simply Neighbor Discovery (ND), is a protocol of the Internet protocol suite used with Internet Protocol Version 6 (IPv6). It operates at the link layer of the Internet model, and is responsible for gathering various information required for network communication, including the configuration of local connections and the domain name servers and gateways.

IP multicast is a method of sending Internet Protocol (IP) datagrams to a group of interested receivers in a single transmission. It is the IP-specific form of multicast and is used for streaming media and other network applications. It uses specially reserved multicast address blocks in IPv4 and IPv6.

A network host is a computer or other device connected to a computer network. A host may work as a server offering information resources, services, and applications to users or other hosts on the network. Hosts are assigned at least one network address.

Path MTU Discovery (PMTUD) is a standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in Internet Protocol Version 4 (IPv4). However, all modern operating systems use it on endpoints. In IPv6, this function has been explicitly delegated to the end points of a communications session. As an extension to the standard path MTU discovery, a technique called Packetization Layer Path MTU Discovery works without support from ICMP.

In computer networking, a link-local address is a unicast network address that is valid only for communications within the subnetwork that the host is connected to. Link-local addresses are most often assigned automatically with a process known as stateless address autoconfiguration (SLAAC) or link-local address autoconfiguration, also known as automatic private IP addressing (APIPA) or auto-IP.

In computer networking, the link layer is the lowest layer in the Internet protocol suite, the networking architecture of the Internet. The link layer is the group of methods and communications protocols confined to the link that a host is physically connected to. The link is the physical and logical network component used to interconnect hosts or nodes in the network and a link protocol is a suite of methods and standards that operate only between adjacent network nodes of a network segment.

References

  1. David C. Plummer (November 1982). "RFC 826, An Ethernet Address Resolution Protocol -- or -- Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware". Internet Engineering Task Force, Network Working Group.
  2. 1 2 3 "Address Resolution Protocol (ARP) Parameters". www.iana.org. Retrieved 2018-10-16.
  3. RFC   5342
  4. David C. Plummer (November 1982). An Ethernet Address Resolution Protocol. Network Working Group. doi: 10.17487/RFC0826 . STD 37. RFC 826.Internet Standard 37. sec. Network monitoring and debugging. Updated by RFC  5227 and 5494.
  5. R. Braden, ed. (October 1989). Requirements for Internet Hosts -- Communication Layers. Network Working Group. doi: 10.17487/RFC1122 . STD 3. RFC 1122.Internet Standard 3. Updated by RFC  1349, 4379, 5884, 6093, 6298, 6633, 6864, 8029 and 9293.
  6. RFC   1122
  7. W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, Addison Wesley, 1994, ISBN 0-201-63346-9.
  8. W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, Addison Wesley, 2011, ISBN 0-321-33631-3, page 14
  9. Chappell, Laura A.; Tittel, Ed (2007). Guide to TCP/IP (Third ed.). Thomson Course Technology. pp. 115–116. ISBN   9781418837556.
  10. Cheshire, S. (July 2008). IPv4 Address Conflict Detection. Internet Engineering Task Force. doi: 10.17487/RFC5227 . RFC 5227.
  11. Harmoush, Ed. "ARP Probe and ARP Announcement". Practical Networking. PracticalNetworking .net. Retrieved 3 August 2022.
  12. Perkins, C. (November 2010). "RFC 5944 - IP Mobility Support for IPv4, Revised". Internet Engineering Task Force. A gratuitous ARP MAY use either an ARP Request or an ARP Reply packet. [...] any node receiving any ARP packet (Request or Reply) MUST update its local ARP cache with the Sender Protocol and Hardware Addresses in the ARP packet [...]
  13. Perkins, C. (October 1996). "RFC 2002 - IP Mobility Support". Internet Engineering Task Force.
  14. Cheshire, S. (July 2008). "RFC 5227 - IPv4 Address Conflict Detection". Internet Engineering Task Force. Why Are ARP Announcements Performed Using ARP Request Packets and Not ARP Reply Packets?
  15. "FAQ: The Firewall Does not Update the Address Resolution Protocol Table". Citrix. 2015-01-16. [...] garpReply enabled [...] generates ARP packets that [...] are of OPCODE type REPLY, rather than REQUEST.
  16. "Gratuitous ARP in DHCP vs. IPv4 ACD Draft". Archived from the original on October 12, 2007.
  17. Perkins, Charles E. (October 1996). "RFC 2002 Section 4.6".
  18. Droms, Ralph (March 1997). "RFC 2131 DHCP – Last lines of Section 4.4.1".
  19. RFC   3927
  20. Shah, H.; et al. (June 2012). Address Resolution Protocol (ARP) Mediation for IP Interworking of Layer 2 VPNs. Internet Engineering Task Force. doi: 10.17487/RFC6575 . RFC 6575.
  21. T. Bradley; C. Brown; A. Malis (September 1998). Inverse Address Resolution Protocol. Network Working Group. doi: 10.17487/RFC2390 . RFC 2390.Draft Standard. Obsoletes RFC  1293.
  22. R. Finlayson; T. Mann; J. Mogul; M. Theimer (June 1984). A Reverse Address Resolution Protocol. Network Working Group. doi: 10.17487/RFC0903 . STD 38. RFC 903.Internet Standard 38.
  23. Steve Gibson (2005-12-11). "ARP Cache Poisoning". GRC.
  24. University of California, Berkeley. "BSD manual page for arp(8C) command" . Retrieved 2011-09-28.
  25. Canonical. "Ubuntu manual page for arp(8) command". Archived from the original on 2012-03-16. Retrieved 2011-09-28.
  26. Apple Computer. "Mac OS X manual page for arp(8) command" . Retrieved 2011-09-28.
  27. Microsoft. "Windows help for arp command" . Retrieved 2011-09-28.
  28. Sun Microsystems. "SunOS manual page for ethers(5) file" . Retrieved 2011-09-28.
  29. Axis Communication. "Axis P13 Network Camera Series Installation Guide" (PDF). Retrieved 2011-09-28.
  30. American Power Corporation. "Switched Rack Power Distribution Unit Installation and Quick Start Manual" (PDF). Archived from the original (PDF) on 2011-11-25. Retrieved 2011-09-28.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.