What is ARP in Networking?

Quick definition: ARP is a layer 2 network protocol that maps IP addresses to the physical MAC addresses of devices on a network. It is essential for communication within a local network, but security issues around vulnerabilities like ARP spoofing must be addressed to maintain network security.

The internet is a big, complex place. So many technologies and protocols are constantly firing off to move data across the globe. One of these essential protocols, ARP, is critical to transport packets from source to destination and back. In this article, we’ll delve into what ARP is, how it serves our networks, and some security concerns to keep in mind.

What is ARP?

ARP (Address Resolution Protocol) maps IP addresses to the MAC addresses of devices on your network. All network-connected devices have an IP address, either assigned dynamically or set statically. IP addresses are essential to routing packets, just like receiving mail at your street address. 

However, data transmission on a local network relies on MAC addresses. These are the unique, hard-coded addresses every ethernet and WiFi adapter gets at the factory.

ARP bridges the gap between IP addresses and MAC addresses. ARP helps devices look up the MAC address of a given IP address, ensuring packets have a physical destination in the real world. We’ll continue to clarify this as we move on to how ARP works.

How Does ARP Work?

ARP works by a process called ARP resolution, which is exactly what it sounds like: helping a device resolve a MAC address from a given IP. This works by a two-step process of ARP request and ARP reply.

Keep in mind that ARP is only relevant before packets are routed. For example, suppose you need to connect to another computer on your local network within the same subnet. In that case, ARP comes into play because the traffic isn’t routed to another network.

If you go to a website online, you don’t need ARP to find the server’s MAC address because the server isn’t on your local network. You do, however, need ARP to find the MAC of your router to get out of your network and route your packets to the internet. Check this article for a refresher on routing vs. switching.

Here’s how an ARP request happens:

1. One device needs to communicate with another device on the network. That device first checks its ARP cache for a previously resolved entry.

2. If no entry for the needed IP is cached, the device will send a broadcast to the network, saying, “Who has this IP, and what is your MAC address?”

The next step is the ARP reply, which goes like this:

1. Assuming the device with the IP in your broadcast is live, that device replies to your device with its MAC address.

2. Your device caches the reply in its ARP cache.

3. Your device can then communicate with the device, sending the traffic as a request to the newly acquired MAC address.

The ARP cache that each device maintains is an essential part of keeping the network humming along efficiently. It lets devices store previously requested MAC addresses, reducing the need to send a request and await a reply whenever they need to communicate.

It is important to note that ARP cache entries do expire over time. The cache timeout default varies by device and OS, typically between 1 and 20 minutes. After an entry expires, the request and reply process must repeat.

What is ARP Spoofing and Security?

ARP is an essential network protocol, and like anything else in IT, someone will find a way to break it, manipulate it, or otherwise wreak havoc with it. ARP is no exception. It is vulnerable in one critical way that can cause chaos on your network: ARP spoofing (also known as ARP cache poisoning.)

Here’s how it can go down:

1. One device needs to communicate with another device on the network, so it broadcasts an ARP request.

2. The attacker receives the broadcast and sends their own reply with bogus information, like the MAC of their device.

3. The first device receives the reply, unaware that it is malicious, and adds the reply to its ARP cache, as ARP cannot authenticate the reply as legitimate.

This kind of exploit can be used for a number of different attacks, the most common being a man-in-the-middle. In this attack, traffic bound for one destination goes to the attacker instead. The attacker can then inspect the packets and steal any unencrypted contents, including sensitive data, HTTP session info, or credentials.

Even without packet forwarding, an ARP spoof can cause chaos. An attacker can simply return a non-existent MAC address to an ARP request, causing a denial-of-service where the traffic goes nowhere.

ARP spoofing can be a huge problem with considerable consequences. There are a few things you can do, though, to protect your networks:

• Static ARP entries: Creating static ARP table entries for gateways and essential servers will prevent the caching of spoofed ARP replies.

• ARP spoofing detection tools: Network monitoring tools can monitor for and alert on ARP spoofing on your network.

• ARP security protocols: Some switches, like Dynamic ARP Inspection and ARP Guard, support security protocols that can prevent ARP spoofing traffic. 

Final Thoughts on ARP in Networking 

ARP is an essential yet flawed protocol. Understanding how it works is essential, not only for just about any networking certification but also for real-world network administration. Knowing how ARP works is more important than knowing how to keep it secure. So, as an essential piece of the networking pie, do everything you can to stay safe and keep those packets flowing!

Not a CBT Nuggets subscriber? Sign up for a 7-day free trial.