Tech Juice

Introduction

The Address Resolution Protocol, or ARP, is used for resolution of network-layer addresses (IP) to link-layer addresses (MAC). This post describes the basics of the ARP protocol, viewing and manipulating your arp cache is discussed in the next post.

Other posts on the ARP protocol are available here:

• Viewing and manipulating the ARP cache on Windows and Linux.
• An introduction to ARP cache poisoning.

ARP Basics

When a system wants to send data to another computer, it prepares an IP packet with the appropriate destination IP. This packet is passed down to the link-layer (usually Ethernet). This layer needs to encapsulate the IP packet in an Ethernet frame before it can be sent.

An Ethernet frame must be addressed to a destination hardware address (MAC address). But which MAC address corresponds with the destination IP address? This is looked up in the ARP cache. The ARP cache contains mappings of the form (IP -> MAC).

Source and Destination Hosts on the Same Local Network

The sending host will first look up the destination IP address in its routing table. If the destination IP is on the same physical network (subnet) then there are no routers between the host and the destination, only hubs or switches. The following image illustrates this:

ARP Resolution Steps:

1. Host A (1.1.1.1) wants to transmit a packet to host B (2.2.2.2). Host A tries to look up the hardware address for IP 2.2.2.2 in its ARP cache, but determines that it is not present. It must find the MAC address and add the mapping.
2. An ARP request is broadcast by Host A by using the destination MAC address FF-FF-FF-FF-FF-FF. The request basically says: Who has 2.2.2.2? Tell 1.1.1.1!.
3. Each host on the network receives the ARP request sent by Host A, which contains a source IP and MAC of Host A. Host B determines the requested IP matches its own IP, and that it should process the request. The information in the request is used to add a mapping (1.1.1.1 -> MAC of Host A) to Host B’s ARP cache.
4. Host B sends an ARP reply containing its MAC address and IP directly to Host A.
5. Host A receives the ARP reply, and adds the mapping to its ARP cache: (2.2.2.2 -> MAC of Host B).

From this point, Host A uses the mapping stored in its ARP cache for sending packets to Host B.

Source and Destination Hosts on Different Networks

If the routing table determines that the packet needs to travel through a gateway to reach the destination host, a different scenario occurs.

ARP Resolution Steps:

1. Host A (1.1.1.1) wants to transmit a packet to host B (2.2.2.2). Host A determines that it must send the packet through its default gateway, of which it knows the IP: 1.1.2.3. Host A tries to look up the hardware address for IP 1.1.2.3 in its ARP cache, but determines that it is not present. It must find the MAC address and add the mapping.
2. An ARP request is broadcast by Host A by using the destination MAC address FF-FF-FF-FF-FF-FF. The request basically says: Who has 1.1.2.3? Tell 1.1.1.1!.
3. Each host on the network receives the ARP request sent by Host A, which contains a source IP and MAC of Host A. Router determines the requested IP matches its own IP, and that it should process the request. The information in the request is used to add a mapping (1.1.1.1 -> MAC of Host A) to Router’s ARP cache.
4. The router sends an ARP reply containing its MAC address and IP directly to Host A.
5. Host A receives the ARP reply, and adds the mapping to its ARP cache: (1.1.2.3 -> MAC of Router).

Now Host A can send the IP packet to Router, which forwards the packet to Host B. If Host B is connected directly to Router, the same ARP process is used for communication between them. Alternatively, there can be one or more routers between Router and Host B, so the packet will first travel through those devices. But the key point to remember is that communication on the same physical network (between hosts on local networks, between routers, etc) always requires the sender to know the hardware address of the receiver, and thus requires ARP.