ARP - Address Resolution Protocol
Definition
Address Resolution Protocol (ARP)
Enables the mapping from an IPv4 address to a link-layer (MAC) address within the same local network segment.
Workflow
Blueprint
- ARP Request: A host broadcasts a request: "Who has IP X.X.X.X?"
- ARP Reply: The host with X.X.X.X IP responds with its MAC address.
- Resolution: The requesting host updates its ARP cache and uses the resolved MAC address to reach the given IPv4 address.
Showcase
A PCAP file demonstrating an ARP request and response is provided below.
This capture was generated using this Python script, which leverages the scapy library.
ARP Cache
- Hosts store resolved IP -> MAC mappings in a local ARP cache to reduce repeated broadcast traffic.
- Entries have a time-to-live (TTL)
- Proper cache management is critical; cf. the ARP Spoofing and ARP Flooding sections
Proxy ARP
- Routers may respond to ARP requests on behalf of remote hosts in different subnets
- Useful for legacy networks
Common attacks
ARP Spoofing
An attacker responds to an ARP request that was not meant for them, thus impersonating the host the request was meant for
ARP Flooding
The attacker floods the network with ARP replies; after that, every request goes to the attacker
Security mitigations
- Static ARP entries: Configure them on critical hosts to prevent spoofing
- Dynamic ARP inspection (DAI): Enforce ARP validation on managed switches
- Segmentation and VLANs: Limit broadcasts to reduce attack surface
- Disable ARP gleaning
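The validation idea behind static entries and DAI, applied to the spoofing pattern described above, can be sketched as a passive monitor. This is an added example, not code from the original page: it parses raw Ethernet/ARP frames with the standard library and flags replies nobody asked for, sender IPs whose MAC contradicts a known binding, and frames whose Ethernet source differs from the ARP sender address. The ArpMonitor class, the alert names and the sample frames (192.0.2.0/24, locally administered MACs) are constructed for illustration.

```python
import struct
ETH_ARP, REQUEST, REPLY = 0x0806, 1, 2
mac = lambda b: ":".join(f"{x:02x}" for x in b)
ip = lambda b: ".".join(map(str, b))

def parse_arp(frame):
    """Return ARP fields of an Ethernet II frame, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    src, etype, htype, ptype, hlen, plen, op, sha, spa, tpa = struct.unpack("!6x6sHHHBBH6s4s6x4s", frame[:42])
    if (etype, htype, ptype, hlen, plen) != (ETH_ARP, 1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac(src), "op": op, "sha": mac(sha), "spa": ip(spa), "tpa": ip(tpa)}

class ArpMonitor:  # hypothetical passive checker, not a real library class
    def __init__(self, bindings=None):
        self.bindings = dict(bindings or {})   # trusted IP -> MAC table (may be pre-seeded)
        self.pending = set()                   # IPs that some host has asked for

    def inspect(self, frame):
        p, alerts = parse_arp(frame), []
        if p is None:
            return alerts
        if p["eth_src"] != p["sha"]:           # Ethernet header and ARP payload disagree
            alerts.append("eth-src-mismatch")
        if p["op"] == REQUEST:
            self.pending.add(p["tpa"])
        elif p["op"] == REPLY:
            if p["spa"] not in self.pending:   # an answer nobody asked for
                alerts.append("unsolicited-reply")
            self.pending.discard(p["spa"])
        known = self.bindings.get(p["spa"])
        if known and known != p["sha"]:        # IP now claimed by a different MAC
            alerts.append("binding-conflict")
        elif not known and not alerts:
            self.bindings[p["spa"]] = p["sha"] # learn only from clean frames
        return alerts

def build(op, src, spa, tpa, sha=None, tha="00:00:00:00:00:00"):
    """Assemble a constructed sample frame in memory; nothing is sent."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda i: bytes(map(int, i.split(".")))
    hdr = struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
    return b"\xff" * 6 + h(src) + hdr + h(sha or src) + a(spa) + h(tha) + a(tpa)
# Constructed sample traffic: a request, the genuine reply, then a conflicting reply.
GW, HOST, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
SAMPLE = [build(REQUEST, HOST, "192.0.2.10", "192.0.2.1"),
          build(REPLY, GW, "192.0.2.1", "192.0.2.10", tha=HOST),
          build(REPLY, ROGUE, "192.0.2.1", "192.0.2.10", tha=HOST)]
```

Feeding SAMPLE through one ArpMonitor leaves the first two frames clean and raises both unsolicited-reply and binding-conflict on the third. Gratuitous ARP and legitimate address changes (failover, DHCP reassignment) raise the same alerts, so treat them as signals to correlate rather than verdicts.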