Address Resolution Protocol (ARP)
Understanding how devices in a local network discover each other's MAC addresses
Figure: A computer needs to send data to an IP address on the same network but does not yet know the corresponding MAC address.
Address Resolution Protocol (ARP) is a communication protocol used to discover the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is critical for data to be transmitted across a local network from one device to another.
Why ARP is Necessary
In networking, devices communicate at two different addressing levels:
IP Address (Network Layer)
A logical address assigned to a network interface that identifies the device on a larger network.
- 32-bit address (IPv4) or 128-bit address (IPv6)
- Hierarchical structure with network and host portions
- Globally routable (with public IPs)
- Configured manually or via DHCP
MAC Address (Data Link Layer)
A hardware address assigned to a network interface by its manufacturer that identifies the interface on the local link.
- 48-bit address (6 bytes, usually displayed as 12 hexadecimal digits, e.g. 00:1a:2b:3c:4d:5e); the first three bytes are the manufacturer's OUI
- Globally unique in theory, but trivially overridden in software (MAC spoofing, privacy randomization), so it must not be treated as an identity
- Flat structure (no hierarchy), meaningful only within a single broadcast domain
- Stored in the network interface card's firmware, but the operating system can present a different address on the wire
When data needs to be sent on a local network, the sender knows the recipient's IP address but needs the MAC address to create the proper Ethernet frame. ARP provides the mechanism to discover this MAC address.
How ARP Works
When a device wants to communicate with another device on the local network, it checks its ARP cache first. If no mapping is found, it broadcasts an ARP request (Ethernet destination ff:ff:ff:ff:ff:ff) to every device in the broadcast domain, asking: "Who has IP address x.x.x.x? Tell y.y.y.y."
Only the device that owns the requested IP address answers, with a unicast ARP reply addressed to the requester's MAC address: "IP address x.x.x.x is at MAC address aa:bb:cc:dd:ee:ff." Other hosts ignore the request, although they may refresh an existing cache entry for the sender if they already have one.
The requesting device receives the reply and stores the IP-to-MAC mapping in its ARP cache for future use.
With the MAC address known, the device can build properly addressed Ethernet frames and send data directly to the target.
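The exchange described above, as an added example that is not part of the original page: it builds and parses RFC 826 ARP packets inside Ethernet II frames with the standard library only, then simulates a three-host segment in which one host broadcasts a request, the owner of the address replies unicast, and the requester fills its cache. The host model only accepts replies for addresses it actually asked about; that is a design choice of this example, not behaviour the page claims for real stacks, and the comment explains why it matters.

```python
"""Minimal ARP request/reply exchange over Ethernet II frames (RFC 826)."""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806            # EtherType for ARP
HTYPE_ETHERNET = 1            # hardware type: Ethernet
PTYPE_IPV4 = 0x0800           # protocol type: IPv4
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_FRAME_LEN = 14 + 28       # Ethernet header + fixed-size ARP payload


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def build(self) -> bytes:
        """Serialise as Ethernet II header + ARP payload; requests go to broadcast, replies unicast."""
        eth_dst = BROADCAST_MAC if self.opcode == ARP_REQUEST else self.target_mac
        eth_hdr = mac_to_bytes(eth_dst) + mac_to_bytes(self.sender_mac) + struct.pack("!H", ETH_P_ARP)
        arp_hdr = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, self.opcode)
        body = (mac_to_bytes(self.sender_mac) + socket.inet_aton(self.sender_ip)
                + mac_to_bytes(self.target_mac) + socket.inet_aton(self.target_ip))
        return eth_hdr + arp_hdr + body

    @classmethod
    def parse(cls, frame: bytes) -> ArpPacket:
        """Decode a frame, rejecting anything that is not Ethernet/IPv4 ARP."""
        if len(frame) < ARP_FRAME_LEN:
            raise ValueError("frame too short for Ethernet + ARP")
        if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
            raise ValueError("not an ARP frame")
        htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
            raise ValueError("unsupported ARP hardware/protocol type")
        return cls(opcode,
                   bytes_to_mac(frame[22:28]), socket.inet_ntoa(frame[28:32]),
                   bytes_to_mac(frame[32:38]), socket.inet_ntoa(frame[38:42]))


class Host:
    """A host with an ARP cache that only accepts replies it solicited (example policy)."""

    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.arp_cache: dict[str, str] = {}
        self.pending: set[str] = set()

    def resolve(self, target_ip: str) -> bytes | None:
        """Return a broadcast ARP request frame, or None if the mapping is already cached."""
        if target_ip in self.arp_cache:
            return None
        self.pending.add(target_ip)
        return ArpPacket(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip).build()

    def receive(self, frame: bytes) -> bytes | None:
        """Process one frame; return a unicast reply frame if this host owns the target IP."""
        pkt = ArpPacket.parse(frame)
        if pkt.target_ip != self.ip:
            return None
        if pkt.opcode == ARP_REQUEST:
            self.arp_cache[pkt.sender_ip] = pkt.sender_mac   # learn the asker too (RFC 826 merge)
            return ArpPacket(ARP_REPLY, self.mac, self.ip, pkt.sender_mac, pkt.sender_ip).build()
        if pkt.opcode == ARP_REPLY and pkt.sender_ip in self.pending:
            # Unsolicited replies are dropped here. Many real stacks accept them and
            # overwrite the cache, which is exactly what ARP cache poisoning exploits.
            self.pending.discard(pkt.sender_ip)
            self.arp_cache[pkt.sender_ip] = pkt.sender_mac
        return None


def simulate() -> dict[str, str]:
    """One resolution on a constructed three-host segment; returns the requester's cache."""
    requester = Host("192.168.1.10", "11:22:33:44:55:66")
    gateway = Host("192.168.1.1", "00:1a:2b:3c:4d:5e")
    bystander = Host("192.168.1.5", "aa:bb:cc:11:22:33")
    request = requester.resolve("192.168.1.1")
    # The switch floods the broadcast to every port; only the gateway answers.
    replies = [h.receive(request) for h in (gateway, bystander)]
    for reply in filter(None, replies):
        requester.receive(reply)
    return requester.arp_cache


if __name__ == "__main__":
    print(simulate())   # {'192.168.1.1': '00:1a:2b:3c:4d:5e'}
```

The addresses match the cache table in the next section. Nothing is put on a real wire; to do that you would hand `build()`'s output to a raw `AF_PACKET` socket, which needs root.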
ARP Cache
To reduce network traffic, devices maintain an ARP cache (or ARP table) that temporarily stores IP-to-MAC address mappings.
| IP Address   | MAC Address       | Type    | Interface |
|--------------|-------------------|---------|-----------|
| 192.168.1.1  | 00:1A:2B:3C:4D:5E | Dynamic | eth0      |
| 192.168.1.5  | AA:BB:CC:11:22:33 | Static  | eth0      |
| 192.168.1.10 | 11:22:33:44:55:66 | Dynamic | eth0      |
Dynamic ARP cache entries have timeouts: after a period of inactivity (tens of seconds to a few minutes, depending on the operating system) they are re-verified or removed so that stale mappings do not persist after a host changes address. Static entries are configured by an administrator and never expire or get overwritten by received ARP messages.
Types of ARP
Standard ARP
- Used for mapping IPv4 addresses to MAC addresses
- Operates on local networks (same broadcast domain)
- Defined in RFC 826
Proxy ARP
- A router answers ARP requests on behalf of devices in other subnets, giving its own MAC address
- Allows devices to communicate as if they were on the same network, without the hosts knowing a router is involved
- Less common in modern networks because it obscures the real topology and, like any ARP reply sent on another host's behalf, is indistinguishable on the wire from spoofing
Reverse ARP (RARP)
- Legacy protocol (RFC 903) used to obtain an IP address based on a MAC address
- Largely replaced by BOOTP and then DHCP
- Was used by diskless workstations to learn their own address at boot
Gratuitous ARP
- Unsolicited ARP message, usually with the sender and target IP both set to the sender's own address, broadcast so that other devices update their ARP caches
- Used when a device's IP or MAC address changes, or when a failover mechanism such as VRRP moves a virtual IP to a new host
- Also used for detecting IP address conflicts: a host announcing its own address should receive no reply; RFC 5227 formalizes this as ARP probes and announcements
- Because recipients update their caches without having asked, the same kind of message is what an attacker sends for cache poisoning
ARP Security Concerns
ARP has no authentication mechanism: any host on the segment can send an ARP reply claiming any IP address, and most stacks accept such replies, even unsolicited ones, and overwrite their cache. This makes ARP vulnerable to ARP spoofing (also called ARP cache poisoning), which is the usual first step of a local man-in-the-middle attack.
An attacker sends falsified ARP messages to associate their MAC address with the IP address of a legitimate network resource, typically the default gateway, so that the victim's traffic is redirected through the attacker's device, where it can be inspected, modified or dropped. Poisoning both the victim and the gateway lets the attacker forward traffic in both directions without either side noticing.
Mitigations include:
- Static ARP entries for critical systems such as the default gateway (effective, but hard to manage at scale)
- Dynamic ARP Inspection on managed switches, which drops ARP packets that do not match DHCP snooping bindings or a static list, and passive monitoring with tools such as arpwatch that alert on IP-to-MAC changes
- Network segmentation, so that an attacker can only poison hosts in their own broadcast domain
- Encryption and authentication at higher layers (HTTPS, SSH, VPNs), which do not stop the redirection itself but deny the attacker readable or modifiable traffic
- 802.1X port-based authentication, which keeps unauthorized devices off the segment, although it does not stop an authenticated host from spoofing
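The monitoring side of the mitigations above, as an added example that is not part of the original page and not the code of arpwatch or any switch vendor: a small monitor that reads ARP observations and raises the alerts a practitioner would want when spoofing starts. The capture is constructed for this example in the style of `tcpdump -tt -n arp` output (epoch timestamps, "Request who-has ... tell ..." and "Reply ... is-at ..." lines); the gateway's static binding, the 2-second reply window, and the alert names are assumptions of the example.

```python
"""Detect ARP spoofing indicators in tcpdump-style ARP observations."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed capture (not a real trace): a normal resolution in both directions, then an
# attacker (de:ad:be:ef:00:01) claims the gateway's IP to the victim and the victim's IP to
# the gateway with unsolicited replies, the classic man-in-the-middle pattern.
SAMPLE_CAPTURE = """\
1700000000.001 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
1700000000.002 ARP, Reply 192.168.1.1 is-at 00:1a:2b:3c:4d:5e, length 28
1700000005.100 ARP, Request who-has 192.168.1.10 tell 192.168.1.1, length 28
1700000005.101 ARP, Reply 192.168.1.10 is-at 11:22:33:44:55:66, length 28
1700000009.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
1700000009.001 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:01, length 28
"""

# Assumed static binding for the default gateway (what a DAI static list would hold).
TRUSTED = {"192.168.1.1": "00:1a:2b:3c:4d:5e"}

ARP_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+ARP,\s+"
    r"(?:Request who-has (?P<req_ip>\S+) tell (?P<asker>[^,\s]+)"
    r"|Reply (?P<rep_ip>\S+) is-at (?P<rep_mac>[0-9a-fA-F:]{17}))"
)


@dataclass
class Alert:
    ts: float
    kind: str
    ip: str
    mac: str
    detail: str


@dataclass
class ArpMonitor:
    trusted: dict                       # static ip -> mac allowlist
    reply_window: float = 2.0           # seconds a who-has counts as outstanding (assumed)
    bindings: dict = field(default_factory=dict)   # learned ip -> mac from replies
    pending: dict = field(default_factory=dict)    # ip -> timestamp of last who-has
    takeovers: defaultdict = field(default_factory=lambda: defaultdict(set))  # mac -> ips hijacked

    def observe(self, line: str) -> list:
        """Consume one capture line and return the alerts it triggers (possibly none)."""
        m = ARP_LINE.match(line)
        if not m:
            return []
        ts = float(m["ts"])
        if m["req_ip"]:
            self.pending[m["req_ip"]] = ts
            return []
        ip, mac = m["rep_ip"], m["rep_mac"].lower()
        alerts = []
        asked = self.pending.get(ip)
        if asked is None or ts - asked > self.reply_window:
            alerts.append(Alert(ts, "unsolicited-reply", ip, mac, "no recent who-has for this IP"))
        else:
            del self.pending[ip]
        if ip in self.trusted and self.trusted[ip] != mac:
            alerts.append(Alert(ts, "trusted-binding-violation", ip, mac, f"expected {self.trusted[ip]}"))
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            alerts.append(Alert(ts, "mac-changed", ip, mac, f"was {old}"))
            self.takeovers[mac].add(ip)
            if len(self.takeovers[mac]) >= 2:
                # One MAC displacing two different hosts is the two-sided MITM signature.
                alerts.append(Alert(ts, "mitm-pattern", ip, mac,
                                    f"same MAC took over {sorted(self.takeovers[mac])}"))
        self.bindings[ip] = mac       # track what the segment now believes, so a revert alerts too
        return alerts


def analyze(capture: str, trusted: dict) -> list:
    """Run the monitor over a whole capture and return all alerts in order."""
    monitor = ArpMonitor(trusted=dict(trusted))
    alerts = []
    for line in capture.splitlines():
        alerts.extend(monitor.observe(line))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_CAPTURE, TRUSTED):
        print(f"{a.ts:.3f} {a.kind:26} {a.ip:14} {a.mac}  ({a.detail})")
```

The first four lines produce no alerts; the two attacker replies produce six, because each one is unsolicited and changes an existing binding, the first also contradicts the static gateway entry, and the second completes the two-sided takeover. In production the same rules would run against `tcpdump -tt -n -l arp` piped to the script, with the trusted list populated from your network inventory; the unsolicited-reply rule is the noisiest on networks that rely on gratuitous ARP for failover, so tune or suppress it for known virtual IPs.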
ARP in IPv6 Networks
In IPv6 networks, ARP is replaced by the Neighbor Discovery Protocol (NDP), which uses ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages for address resolution. NDP provides additional functionality beyond ARP, including router discovery, prefix discovery, and duplicate address detection. It is, however, just as unauthenticated as ARP unless SEcure Neighbor Discovery (RFC 3971) is deployed, which is rare, so the same spoofing concerns apply and switches offer analogous protections such as ND inspection and RA Guard.