How Address Resolution Protocol (ARP) works?

Most computer programs/applications use logical addresses (IP Addresses) to send/receive messages. However, the actual communication happens over the Physical Address (MAC Address) that is from layer 2 of the OSI model. So our mission is to get the destination MAC Address which helps in communicating with other devices. This is where ARP comes into the picture, its functionality is to translate IP addresses to Physical Addresses.

ARP

Address Resolution Protocol (ARP)

The acronym ARP stands for Address Resolution Protocol which is one of the most important protocols of the Network layer in the OSI model. It is responsible to find the hardware address of a host from a known IP address. There are three basic ARP terms.

Note: ARP finds the hardware address, also known as the Media Access Control (MAC) address, of a host from its known IP address. 

Address Resolution Protocol

Important Terms Associated with ARP

• Reverse ARP
• Proxy ARP
• Inverse ARP

Reverse ARP

Reverse Address Resolution Protocol is a protocol that is used in local area networks (LAN) by client machines for requesting IP Adress (IPv4) from Router’s ARP Table. Whenever a new machine comes, which requires an IP Address for its use. In that case, the machine sends a RARP broadcast packet containing MAC Address in the sender and receiver hardware field.

Proxy ARP

Proxy Address Resolution Protocol work to enable devices that are separated into network segments connected through the router in the same IP to resolve IP Address to MAC Address. Proxy ARP is enabled so that the ‘proxy router’ resides with its MAC address in a local network as it is the desired router to which broadcast is addressed. In case, when the sender receives the MAC Address of the Proxy Router, it is going to send the datagram to Proxy Router, which will be sent to the destination device.

Inverse ARP

Inverse Address Resolution Protocol uses MAC Address to find the IP Address, it can be simply illustrated as Inverse ARP is just the inverse of ARP. In ATM (Asynchronous Transfer Mode) Networks, Inverse ARP is used by default. Inverse ARP helps in finding Layer-3 Addresses from Layer-2 Addresses.

How ARP Works?

Imagine a device that wants to communicate with others over the internet. What does ARP do? It broadcast a packet to all the devices of the source network. The devices of the network peel the header of the data link layer from the Protocol Data Unit (PDU) called frame and transfer the packet to the network layer (layer 3 of OSI) where the network ID of the packet is validated with the destination IP’s network ID of the packet and if it’s equal then it responds to the source with the MAC address of the destination, else the packet reaches the gateway of the network and broadcasts packet to the devices it is connected with and validates their network ID. The above process continues till the second last network device in the path reaches the destination where it gets validated and ARP, in turn, responds with the destination MAC address.

1. ARP Cache: After resolving the MAC address, the ARP sends it to the source where it is stored in a table for future reference. The subsequent communications can use the MAC address from the table.
2. ARP Cache Timeout: It indicates the time for which the MAC address in the ARP cache can reside.
3. ARP request: This is nothing but broadcasting a packet over the network to validate whether we came across the destination MAC address or not. 
   1. The physical address of the sender.
   2. The IP address of the sender.
   3. The physical address of the receiver is FF:FF:FF:FF:FF: FF or 1’s.
   4. The IP address of the receiver.
4. ARP response/reply: It is the MAC address response that the source receives from the destination which aids in further communication of the data. 

• CASE-1: 
  • The sender is a host and wants to send a packet to another host on the same network.
  • Use ARP to find another host’s physical address.
• CASE-2: 
  • The sender is a host and wants to send a packet to another host on another network.
  • The sender looks at its routing table.
  • Find the IP address of the next hop (router) for this destination.
  • Find the IP address of the next hop (router) for this destination.
• CASE-3: 
  • The sender is a router and received a datagram destined for a host on another network.
  • The router checks its routing table.
  • Find the IP address of the next router.
  • Use ARP to find the next router’s physical address. 
• CASE-4: 
  • The sender is a router that has received a datagram destined for a host in the same network.
  • Use ARP to find this host’s physical address. 

Note: An ARP request is broadcast, and an ARP response is a Unicast. 

Test Yourself

Internet Schema 1

Connect two PC, say A and B with a cross cable. Now you can see the working of ARP by typing these commands: 

1. A > arp -a

There will be no entry at the table because they never communicated with each other. 

Blank Entry Table ARP

2. A > ping 192.168.1.2

IP address of destination is 192.168.1.2
Reply comes from destination but one
packet is lost because of ARP processing.

Packet Loss ARP

Now, entries of the ARP table can be seen by typing the command. This is what the ARP table looks like: 

ARP Table

ARP Spoofing and ARP Cache Poisoning

ARP Spoofing is a type of falseness of a device in order to link the attacker’s MAC Address with the IP Address of the computer or server by broadcasting false ARP messages by the hacker. Upon successful establishment of the link, it is used for transferring data to the hacker’s computer. It is simply called Spoofing. ARP can cause a greater impact on enterprises. ARP Spoofing attacks can facilitate other attacks like:

• Man-in-the-Middle Attack
• Denial of Service Attack
• Session Hijacking

Local Area Network that uses ARP is not safe in the case of ARP Spoofing, this is simply called as ARP Cache Poisoning.