Address Resolution Protocol (ARP)
Tariq Bader
CCIE # 35627
Security/VPN team
Cisco TAC
Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Agenda
Introduction to ARP
ARP Operation
ARP Applications
RARP
ARP
Introduction to ARP
ARP
ARP Operation
ARP Functions/Operation
ARP Table
o Used to find the data link layer address that is mapped to the destination IPv4 address.
o As a node receives frames from the media, it records the source IP and MAC address as a mapping in the ARP table.
o Both L3 devices and end hosts maintain this table.
ARP Request
o Layer 2 broadcast to all devices on the Ethernet LAN.
o The node that matches the IP address in the broadcast will reply.
o If no device responds to the ARP request, the packet is dropped because a frame cannot be created.
Note: Static map entries can be entered in an ARP table, but this is rarely done.
ARP Operation – Local Communication
ARP Operation – Remote Communication
ARP Operation – ARP Request Cases
The Format of ARP Packet
Encapsulation of ARP Packet
ARP Tables on Networking Devices
Removing Entries from an ARP Table
The ARP cache timer removes ARP entries that have not been used for a specified period of time.
Commands may also be used to manually remove all or some of the entries in the ARP table (‘clear arp’ on a router).
ARP
ARP Applications
Proxy ARP
Proxy ARP, running on a router, lets the router respond to an ARP request on behalf of any of its other directly connected hosts.
The proxy ARP reply carries the router's own MAC address.
When the packet arrives, the router delivers it to the appropriate host.
Gratuitous ARP
Also called ARP Announcements
Updates other hosts' mapping of a hardware address when the sender's IP address or MAC address has changed
Broadcast as an ARP request containing the sender's protocol address (SPA) in the target field (TPA=SPA), with the target hardware address (THA) set to zero.
Detects IP conflicts
No ARP reply is expected
ARP Probe
An ARP request constructed with an all-zero sender IP address
Used in the IPv4 Address Conflict Detection specification (RFC 5227)
Sent when there is any change in connectivity
Should not be sent periodically
ARP Spoofing
Malicious host sends unsolicited ARP replies to take over another host’s IP address
For what?
o Passive sniffing
o Modifying packets (man-in-the-middle attack)
o Denial-of-service attack
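As an added example (not part of the original slides), the Python below builds and parses the 28-byte Ethernet/IPv4 ARP payload the deck describes, tells apart an ARP probe (all-zero SPA) and a gratuitous announcement (TPA=SPA, THA zero) by their field values, and shows the defender-side check implied by the spoofing slide: learning IP-to-MAC bindings the way an ARP table does and flagging any IP whose MAC changes. All addresses and frames are constructed sample data.

```python
import struct
from collections import namedtuple
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_IP, ZERO_MAC = b"\0" * 4, b"\0" * 6
FMT = "!HHBBH6s4s6s4s"  # HTYPE, PTYPE, HLEN, PLEN, OPER, SHA, SPA, THA, TPA
Arp = namedtuple("Arp", "oper sha spa tha tpa")

def build_arp(oper, sha, spa, tha, tpa):
    # 28-byte ARP payload for Ethernet/IPv4: HTYPE=1, PTYPE=0x0800, HLEN=6, PLEN=4
    return struct.pack(FMT, 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)

def parse_arp(payload):
    htype, ptype, hlen, plen, *rest = struct.unpack(FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return Arp(*rest)

def classify(a):
    # Tell the variants on the slides apart by their field values.
    if a.oper == ARP_REQUEST and a.spa == ZERO_IP:
        return "probe"         # RFC 5227 probe: all-zero sender IP
    if a.oper == ARP_REQUEST and a.spa == a.tpa and a.tha == ZERO_MAC:
        return "announcement"  # gratuitous ARP: TPA = SPA, THA zero
    return {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(a.oper, "unknown")

class ArpMonitor:
    # Learn IP->MAC bindings as a host fills its ARP table; flag a binding that changes.
    def __init__(self):
        self.table, self.alerts = {}, []
    def observe(self, payload):
        kind = classify(a := parse_arp(payload))
        if kind == "probe":  # a probe carries no sender IP to learn from
            return kind
        known = self.table.get(a.spa)
        if known is not None and known != a.sha:  # same IP, new MAC: review it
            self.alerts.append((a.spa, known, a.sha, kind))
        self.table[a.spa] = a.sha
        return kind

# Constructed sample traffic (not a capture): host probes and announces, gateway replies, then a second MAC claims the gateway's IP.
GW_MAC, GW_IP = bytes.fromhex("0a1b2c3d4e5f"), bytes([192, 168, 1, 1])
HOST_MAC, HOST_IP = bytes.fromhex("025566778899"), bytes([192, 168, 1, 10])
OTHER_MAC = bytes.fromhex("02aabbccdd01")
SAMPLE = [build_arp(ARP_REQUEST, HOST_MAC, ZERO_IP, ZERO_MAC, HOST_IP),
          build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, HOST_IP),
          build_arp(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
          build_arp(ARP_REPLY, OTHER_MAC, GW_IP, HOST_MAC, HOST_IP)]
def run_sample():
    m = ArpMonitor()
    return [m.observe(p) for p in SAMPLE], m.alerts
```

A changed binding is not proof of spoofing (a legitimate host that changes its NIC announces the new MAC the same way), so the alert is a review item, not a verdict.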
RARP
Reverse Address Resolution Protocol
Reverse Address Resolution Protocol (RARP)
RARP finds the logical address for a machine that only knows its physical address.
This is often encountered on thin-client workstations: with no disk, a machine that boots needs to learn its IP address (you don’t want to burn the IP address into the ROM).
RARP requests are broadcast; RARP replies are unicast.
If a thin-client workstation needs to know its IP address, it probably also needs to know its subnet mask, router address, DNS address, etc. So we need something more than RARP. BOOTP, and now DHCP, have replaced RARP.
RARP Operation
RARP Packet Format & Encapsulation
Q&A