Computer Networks

ARP: linking IP and MAC

Every time you ping a neighboring computer, an invisible conversation takes place: "Hey, who has IP 192.168.1.20?" - "Me! Here's my MAC". Without this simple protocol, Ethernet networks wouldn't work.

  • **Troubleshooting:** `arp -a` shows whether the PC can see its neighbors
  • **Security:** ARP spoofing is the foundation of attacks on local networks
  • **Performance:** An ARP storm can take down a large flat network

Предварительные знания

  • ICMP, Ping, and Traceroute

What ARP is for

**ARP** (Address Resolution Protocol) is a protocol that links IP addresses (L3) with MAC addresses (L2). Without ARP, it is impossible to send a frame in a local network, because Ethernet works with MACs while applications only know IPs.

ARP only works within a **local network** (L2 segment). If the recipient is on a different network, we look up the MAC of the router (default gateway), not the final host.

ARP is a broadcast protocol. The request goes to all devices on the network. That's why large flat networks with thousands of hosts suffer from ARP storms.

What is ARP used for?

ARP table (cache)

The **ARP table** is a local cache of IP→MAC mappings. Before sending a frame, the system checks the table. If the entry exists and isn't stale, it's used; otherwise an ARP request is sent.

**Entry TTL:** Usually 2-20 minutes. If a host changes its IP or MAC, a stale entry can cause problems. `ip neigh flush all` clears the cache.

The ARP table shows (incomplete) for IP 192.168.1.50. What does this mean?

ARP Request and Reply

ARP works in two steps: a **Request** (broadcast query) and a **Reply** (unicast response from the IP owner).

**Gratuitous ARP:** A device can send an ARP reply without being asked. Used to update caches (e.g., after an IP change or during failover).

What MAC address is an ARP Request sent to?

ARP Spoofing and security

**ARP Spoofing** (ARP Poisoning) is an attack where an attacker sends fake ARP replies to redirect traffic to themselves. ARP has no authentication - anyone can claim "This IP is mine".

**On public Wi-Fi:** ARP spoofing is a real threat. Always use HTTPS and a VPN. Modern OSes have some protection, but it's not absolute.

ARP works over the internet

ARP only works in a local network (L2 segment)

ARP requests are broadcasts - they don't pass through a router. For remote hosts, we look up the router's MAC, not the final recipient's.

Why is ARP vulnerable to spoofing attacks?

Key ideas

  • **ARP** links IP (L3) with MAC (L2) in a local network
  • **ARP Request** - broadcast "Who has IP X?"
  • **ARP Reply** - unicast response with the MAC address
  • **ARP table** - a cache to avoid repeated requests
  • **ARP Spoofing** - an attack possible due to lack of authentication

Related topics

ARP is critical for understanding:

  • DHCP — DHCP uses ARP to check if an IP is free
  • Switches — A switch uses MACs from ARP for forwarding
  • Network security — ARP spoofing is one of the fundamental attacks

Вопросы для размышления

  • Why is an ARP request a broadcast, but the reply is unicast?
  • What happens if two devices have the same IP?
  • How do you protect yourself from ARP spoofing at a café with open Wi-Fi?

Связанные уроки

  • arch-08-memory-hierarchy
ARP: linking IP and MAC

0

1

Sign In