Address Resolution Protocol (ARP)

ARP (Address Resolution Protocol) is a resolution protocol that plays a fundamental role in IPv4 networks by determining the MAC address of a device when its IP address is known. Communication in IP networks requires more than just the IP address; the physical layer must also know the destination device’s MAC address to route data correctly. ARP establishes this IP–MAC mapping and acts as a bridge between the Network Layer (Layer 3) and the Data Link Layer (Layer 2) of OSI model.

Definition and History

ARP was first defined in 1982 through RFC 826. This protocol is used in IPv4 networks to resolve physical addresses necessary for devices to communicate within local networks. Its counterpart in IPv6 is the Neighbor Discovery Protocol (NDP), which fulfills the functions provided by ARP.

Working Principle

ARP Process Steps

1. The source device wishes to send data to a destination IP address.
2. If no MAC address corresponding to the destination IP exists in its ARP table, the device broadcasts an ARP Request packet.
3. All devices on the network receive this request; only the device with the matching IP address responds with an ARP Reply.
4. The source device records the MAC address from the response in its own ARP table.
5. Data transmission begins.

This process enables data to be sent to a destination whose MAC address is unknown. ARP tables are stored temporarily in device memory and refreshed at regular intervals.

Types of ARP

ARP protocols can be classified into the following variants:

1. Standard ARP: The classic ARP process used to find the MAC address corresponding to a given IP address.
2. Proxy ARP: A router responds as if it were the MAC address of another device, enabling communication between different subnets. This method is commonly used in default gateway configurations.
3. Gratuitous ARP: A device announces its own IP and MAC address on the network without being prompted. It is typically used to detect IP address conflicts, update ARP tables, or in failover systems.
4. Inverse ARP (InARP): The reverse of standard ARP; it queries for the IP address corresponding to a known MAC address. It is commonly used in WAN technologies such as Frame Relay.

Relationship Between ARP, DHCP, and DNS

ARP and DHCP

• DHCP automatically assigns IP addresses and other configuration parameters to clients.
• DHCP identifies clients using their MAC addresses.
• The DHCP Discover message sent by a client contains its MAC address.
• After obtaining an IP address, the client must use ARP to learn the MAC addresses of other devices on the network in order to communicate with them.

ARP and DNS

• DNS translates a domain name into an IP address (for example: google.com → 142.250.185.14).
• However, to send data to that IP address, the MAC address is required.
• The device sends an ARP request for the IP address obtained from DNS and retrieves the corresponding MAC address to initiate communication.

Security Vulnerabilities

ARP lacks authentication mechanisms, making it vulnerable to various attacks:

• ARP Spoofing / ARP Poisoning: An attacker sends falsified ARP replies to corrupt the routing tables of devices, causing traffic to be redirected through the attacker’s machine.
• Creates the foundation for Man-in-the-Middle attacks.

To protect against these attacks, methods such as static ARP tables, Dynamic ARP Inspection (DAI), and port security are recommended.

Application Areas

• All devices in IPv4 networks (computers, printers, servers, routers, switches) maintain ARP tables.
• Switches, which perform forwarding based on MAC addresses, experience performance impacts influenced by ARP table contents.
• Firewalls can use ARP records to enforce security policies targeting specific devices.