
The address resolution protocol is fundamental for basic local network communication. Without it, devices wouldn't be able to find each other on the same network, leading to network paralysis. Still, despite its importance, the protocol is not without its vulnerabilities.

In this guide, we’ll detail not only the risks the protocol poses but also steps you can take to address these risks and ensure your network steers clear of bad actors and communication potholes alike.

What is address resolution protocol (ARP)?

The address resolution protocol (ARP) is a crucial layer 2 (data link) communication protocol of the OSI model used within local area networks (LANs) to bridge the gap between IP addresses and MAC addresses.

IP addresses are layer 3 (network) logical addresses used for communication between devices on a network. MAC addresses are layer 2 physical addresses that uniquely identify individual network devices on a local network. Unlike IP addresses, which may change, MAC addresses are fixed.

The primary function of ARP is to determine the MAC address associated with a given IP address. ARP operates exclusively within a single broadcast domain (i.e., LAN); it does not traverse routers, as routers operate at layer 3 and use IP addresses for routing.

ARP is used by all kinds of network devices, including:

  • Computers. All computers with network interfaces use ARP.
  • Routers. Routers use ARP to determine the MAC addresses of devices on local networks.
  • Switches. While switches primarily use MAC address tables to forward traffic, they also use ARP to learn the MAC addresses of connected devices.
  • Printers. Network printers use ARP to communicate on the local network.
  • Network interface cards (NICs). Every device with a NIC utilizes ARP.

A brief history of ARP

In the early days of networking, before the widespread adoption of IP, networks often relied solely on physical addresses. However, as networks grew and interconnected, they needed a more flexible, scalable addressing scheme.

IP was developed to provide this logical addressing, enabling devices to communicate across different network segments. However, existing LAN technologies like Ethernet relied on MAC addresses. This necessitated a protocol to translate between these two address types—thus, ARP was born.

The development of ARP networking was crucial to the internet's growth, as it enabled IP to function seamlessly over Ethernet, the dominant LAN technology.

Why ARP is important in networking

ARP is critically important in networking for several key reasons, all stemming from its role as the bridge between logical IP addresses and physical MAC addresses within a local network:

  • ARP enables local network communication. Devices on a local network need to communicate with one another. ARP translates IP addresses to MAC addresses, enabling devices to find and communicate with each other on the same LAN.
  • ARP is essential for basic network services. Many common network services, such as file sharing, printing, and local server access, rely on ARP. These services depend on devices being able to locate each other on the local network, which ARP makes possible.
  • ARP is the foundation for higher-layer protocols. Higher-layer protocols, like TCP and UDP, rely on IP for network communication. ARP provides the necessary link between IP and the underlying Ethernet infrastructure, allowing these protocols to function correctly.
  • ARP enables network troubleshooting. ARP tables and ARP traffic can provide valuable insights into network connectivity problems. Network administrators often use ARP to diagnose issues such as IP address conflicts, MAC address spoofing, and network outages.
  • ARP reduces broadcast traffic (post-resolution). While the initial ARP request is a broadcast, subsequent communication uses unicast transmissions (one-to-one communication) thanks to the ARP cache. This reduces the overall broadcast traffic on the network, which is crucial for network efficiency.
  • ARP is required for network device operation. Network devices such as switches and routers rely on ARP to function correctly.

How does ARP work?

ARP's primary role is to translate (resolve) logical IP addresses into physical MAC addresses within a LAN. This translation is critical because while IP addresses guide data packets across networks, MAC addresses are necessary for delivering those packets to specific devices on the same local network.

Here’s how the network address resolution process works:

  • A network device seeks transmission. A device on a LAN wants to send data to another device on the same LAN. The sending device knows the destination device's IP address but needs its MAC address to create the Ethernet frame for transmission.
  • The sending device broadcasts an ARP request. The sending device checks its ARP cache (a table of IP-to-MAC address mappings) to see if it already knows the destination's MAC address. If the MAC address is not in the ARP cache, the sending device broadcasts an ARP request. This request essentially asks, "Who has this IP address?" and includes the destination IP address.
  • The destination device provides an ARP response. All devices on the LAN receive the ARP request. Only the device with the matching IP address (destination device) responds with an ARP response. This response contains its MAC address and is transmitted directly (unicast) to the sending device.
  • The sending device updates its ARP cache. The sending device receives the ARP response and stores the IP-to-MAC address mapping in its ARP cache. Subsequent communication with the destination device will use the cached MAC address, avoiding the need for another ARP request.

ARP request and ARP response

Given the importance of ARP requests and responses in the network address resolution process, let’s explore these concepts further.

  • What is the purpose of an ARP request? As you may have gleaned from the explanation above, an ARP request's purpose is to discover the MAC address linked to a specific IP address on a local network. Its packets broadcast a query to all devices to discover the owner of a specific IP address. Prompted by this query, the owner responds with its MAC address, enabling direct communication.
  • What is the purpose of an ARP response? An ARP response provides the requested MAC address, completing the IP-to-MAC mapping. The response, sent via unicast, carries the responder's MAC and IP addresses, enabling the sending device to establish direct communication. This response populates the sender's ARP cache, optimizing future communication.

Now consider an example of the resolution process to solidify how ARP works. Imagine a network with two computers: Computer Alpha (IP address: 192.168.1.10) and Computer Bravo (IP address: 192.168.1.20).

Alpha wants to send information to Bravo, so Alpha checks its ARP cache but finds no entry for 192.168.1.20. Alpha then broadcasts an ARP request essentially saying, "Who has IP address 192.168.1.20? I need your MAC address to send you some information."

Bravo receives the ARP request, recognizes its own IP address, and sends an ARP response to Alpha containing the requested MAC address (00:1A:2B:3C:4D:5E).

Alpha receives the response and adds the IP-to-MAC address mapping (192.168.1.20 with 00:1A:2B:3C:4D:5E) to its ARP cache for future reference.

Alpha can now send information to Bravo using the retrieved MAC address. Moreover, in the future, Alpha can send information to Bravo without the added steps of the ARP request and response.
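The Alpha/Bravo exchange above, as an added example that is not part of the original post: it packs and parses the RFC 826 ARP body for Ethernet/IPv4 and simulates the four resolution steps with a per-host ARP cache. Bravo's MAC address is the one given in the example; Alpha's MAC (00:1a:2b:3c:4d:10) and the Host/resolve names are assumptions.

```python
import struct

# ARP body for Ethernet/IPv4 (RFC 826): 28 bytes after the Ethernet header.
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
HTYPE_ETHERNET, PTYPE_IPV4, OP_REQUEST, OP_REPLY = 1, 0x0800, 1, 2

def mac_to_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def bytes_to_mac(b): return ":".join(f"{x:02x}" for x in b)
def ip_to_bytes(ip): return bytes(int(x) for x in ip.split("."))
def bytes_to_ip(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Serialise one ARP body from its sender/target hardware and protocol addresses."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sha), ip_to_bytes(spa), mac_to_bytes(tha), ip_to_bytes(tpa))

def parse_arp(data):
    """Decode an ARP body; anything other than Ethernet/IPv4 ARP is rejected."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": op, "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}

class Host:
    """A LAN host with its own ARP cache (IP -> MAC)."""
    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}
    def handle(self, pkt):
        """Process one ARP body seen on the wire; returns a reply body or None."""
        arp = parse_arp(pkt)
        if arp["tpa"] != self.ip: return None       # not addressed to this host: ignore
        self.cache[arp["spa"]] = arp["sha"]           # learn the sender's mapping (RFC 826 merge)
        if arp["op"] == OP_REQUEST:                   # step 3: only the owner of the IP answers
            return build_arp(OP_REPLY, self.mac, self.ip, arp["sha"], arp["spa"])
        return None

def resolve(sender, lan, target_ip):
    """Steps 1-4 of the process above: consult the cache, else broadcast and learn."""
    if target_ip in sender.cache:
        return sender.cache[target_ip]                # cache hit: no ARP traffic at all
    request = build_arp(OP_REQUEST, sender.mac, sender.ip, "00:00:00:00:00:00", target_ip)
    for host in lan:                                  # step 2: the broadcast reaches every host
        reply = host.handle(request)
        if reply is not None:
            sender.handle(reply)                      # step 4: the unicast reply fills the cache
    return sender.cache.get(target_ip)

alpha = Host("192.168.1.10", "00:1a:2b:3c:4d:10")    # Alpha's MAC is constructed (not on the page)
bravo = Host("192.168.1.20", "00:1a:2b:3c:4d:5e")    # Bravo's MAC as given in the example
```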

4 Types of ARP

There are four types of ARP that differ in their resolution directions and purposes but share the core function of mapping network addresses.

  • Gratuitous ARP
  • Proxy ARP
  • Reverse ARP
  • Inverse ARP

1. Gratuitous ARP

Gratuitous ARP (GARP) is a specific type of ARP broadcast where a device announces its own IP-to-MAC address mapping, even without an explicit request. Instead of asking "Who has this IP?", a GARP packet essentially announces to the entire LAN, "These are my IP and MAC addresses."

By broadcasting its IP-to-MAC mapping, a device effectively "claims" its IP address. If another device on the network has the same IP, that device will detect the conflict and often log an error. This is a basic but effective way to detect IP conflicts on a local network.

One use case for GARP is in network redundancy. When a primary router fails, a backup router takes over its IP address. The backup router sends a GARP to notify all devices on the network of the change, ensuring seamless failover. This ensures that the devices on the network update their ARP tables quickly and do not try to send traffic to the failed router.

2. Proxy ARP

Proxy ARP is a technique where a device, usually a router, answers ARP requests on behalf of another device. This allows devices on different network segments to communicate as if they were on the same segment without the need for proper routing.

Proxy ARP can be used in:

  • Legacy systems that are not able to be configured with proper routing.
  • Mobile IP implementations to help mobile nodes communicate with correspondent nodes.
  • Some load balancing scenarios to distribute traffic across multiple servers.

3. Reverse ARP (RARP)

Reverse ARP (RARP) is a largely obsolete protocol—replaced by more flexible, feature-rich protocols such as the dynamic host configuration protocol (DHCP)—that allows a device to discover its IP address by broadcasting its MAC address.

RARP’s primary purpose was to enable diskless devices, like early thin clients or certain network printers, to obtain their IP addresses during boot-up. These devices, which lacked persistent storage, couldn’t store their IP configurations.

4. Inverse ARP (InARP)

Inverse ARP (InARP) is a protocol used to obtain the layer 3 (network) address associated with a layer 2 (data link) address, which is the opposite of the standard ARP. InARP is primarily used in connection-oriented wide area network technologies like Frame Relay and ATM.

InARP enables a device to discover the IP address of a remote device based on its data link connection identifier (DLCI) in Frame Relay or its virtual circuit identifier (VCI) in ATM networks. It operates by sending an InARP request containing the known layer 2 address (DLCI or VCI) to the network. The network, or a remote device, responds with the corresponding layer 3 address (IP address).

Security Issues with ARP

ARP's fundamental design lacks security mechanisms, making it vulnerable to various attacks such as:

  • No authentication. ARP doesn't verify the source of ARP messages, allowing anyone to send forged responses.
  • Passive nature. ARP performs no active security checks on the messages it receives, so exploitation can succeed without immediate detection.
  • Cache poisoning. Attackers can inject false IP-to-MAC mappings (ARP spoofing) into ARP caches, redirecting traffic.
  • Man-in-the-middle attacks. Attackers intercept and manipulate network traffic with IP spoofing, ARP spoofing, and other techniques, typically posing as legitimate devices.
  • Data theft. By redirecting traffic through malicious devices, attackers can capture sensitive information transmitted over the network.

How to prevent ARP attacks

Preventing ARP attacks requires a multi-layered approach, combining network configuration and monitoring. Relevant options you can explore include:

  • Static ARP entries. Manually configure IP-to-MAC mappings on critical devices to prevent dynamic ARP cache poisoning.
  • Dynamic ARP inspection (DAI). Configure switches to inspect ARP packets and drop invalid ones, preventing spoofed ARP responses from corrupting ARP caches.
  • Port security. Limit the number of MAC addresses allowed per switch port, reducing the attack surface for ARP spoofing.
  • Network monitoring tools. Implement tools that detect anomalous ARP traffic patterns, alerting administrators to potential ARP spoofing attacks.
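An added example of the "network monitoring tools" item (not code from the original post), which also illustrates the cache-poisoning risk and the GARP behaviour described earlier: a passive monitor that learns IP-to-MAC bindings from decoded ARP packets, honours a static table for critical hosts, and flags unsolicited replies and bindings that change. The ArpMonitor class, the gateway 192.168.1.1 with MAC 00:1a:2b:3c:4d:01, and the rogue MAC de:ad:be:ef:00:01 are assumptions; the replayed capture is constructed.

```python
from dataclasses import dataclass, field

OP_REQUEST, OP_REPLY = 1, 2

@dataclass
class ArpMonitor:
    """Passive ARP monitor: learns IP-to-MAC bindings and reports anomalous traffic.
    static  - trusted mappings for critical hosts (the static ARP entries above)
    learned - the first binding observed for every other IP on the segment"""
    static: dict = field(default_factory=dict)
    learned: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)      # (requester_ip, target_ip) awaiting a reply
    alerts: list = field(default_factory=list)

    def observe(self, op, sha, spa, tha, tpa):
        """Feed one decoded ARP packet; returns the list of anomalies it triggered."""
        reasons = []
        if op == OP_REQUEST:
            self.pending.add((spa, tpa))
        elif op == OP_REPLY:
            gratuitous = spa == tpa                # GARP: a device announcing its own binding
            if not gratuitous and (tpa, spa) not in self.pending:
                reasons.append(f"unsolicited reply: {spa} is-at {sha} sent to {tpa}")
            self.pending.discard((tpa, spa))
        if spa != "0.0.0.0":                       # ARP probes (RFC 5227) carry no binding
            expected = self.static.get(spa) or self.learned.setdefault(spa, sha)
            if sha != expected:
                kind = "spoof" if spa in self.static else "binding change"
                reasons.append(f"{kind}: {spa} seen with {sha}, expected {expected}")
        self.alerts.extend(reasons)
        return reasons

def run_sample():
    """Replay a constructed capture: a normal exchange, a spoofed gateway reply, a hijacking GARP."""
    mon = ArpMonitor(static={"192.168.1.1": "00:1a:2b:3c:4d:01"})  # gateway MAC is constructed
    capture = [  # (op, sender MAC, sender IP, target MAC, target IP); every value is constructed
        (OP_REQUEST, "00:1a:2b:3c:4d:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.20"),
        (OP_REPLY,   "00:1a:2b:3c:4d:5e", "192.168.1.20", "00:1a:2b:3c:4d:10", "192.168.1.10"),
        (OP_REPLY,   "de:ad:be:ef:00:01", "192.168.1.1",  "00:1a:2b:3c:4d:10", "192.168.1.10"),
        (OP_REPLY,   "de:ad:be:ef:00:01", "192.168.1.20", "de:ad:be:ef:00:01", "192.168.1.20"),
    ]
    return [mon.observe(*pkt) for pkt in capture]
```

A legitimate failover GARP (a backup router taking over an IP, as in the redundancy use case above) raises the same binding-change alert as a hijack, so these alerts should be correlated with expected failover events rather than treated as proof of attack on their own.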