ARP provides a dynamic mapping between IPv4 addresses (network layer) and hardware addresses (link layer, e.g., Ethernet MAC).
Necessary because:
IP addresses alone are insufficient to deliver frames on hardware networks.
Network interfaces need the correct hardware address to send frames.
IPv6 does not use ARP; it uses Neighbor Discovery Protocol (ICMPv6-based).
Network-Layer vs Link-Layer Addresses
Ethernet or 802.11 frames use hardware addresses to determine the destination interface.
IP addresses identify hosts logically; they may move or change.
ARP is a protocol that translates a network-layer IP address (like 192.168.1.1) into a corresponding hardware address (a MAC address) on a local network.
Essentially, it is what lets devices that know each other only by IP address exchange frames on the local link.
IPv4 Over Ethernet (IPv4/Ethernet) – The Key Dynamic Aspect:
Mapping: This is the crucial point. ARP establishes a mapping between an IP address and a MAC address: a 32-bit IPv4 address is resolved to the 48-bit MAC address of the interface that holds it. This is vital for Ethernet networks.
Dynamic Adaptation: This is a major design choice. The hardware address behind an IP address can change over time (for example, when a network card is replaced), and because the mapping is learned on demand rather than configured by hand, hosts adapt automatically. This is a core characteristic of Ethernet networking.
Operation of ARP:
Let's walk through the process step-by-step:
Step 1: Lookup in ARP Cache: When a device (e.g., a computer) wants to send an IP packet to another device on the same LAN, it first checks its ARP cache. The ARP cache is the device's memory of previously resolved IP-to-MAC mappings.
Step 2: Broadcast Request (ARP Request): If the device doesn't find the destination's MAC address in its cache, it broadcasts an ARP request to the network. The message is essentially asking, Who has this IP address?
Step 3: Reply from the Recipient: The device that owns the IP address receives the request and sends a reply containing its MAC address directly back to the requester.
Step 4: Cache Update: The requester caches the MAC address from the reply for future use, so it doesn't waste time re-resolving the same address every time.
Transparent to Users and Administrators:
Users: Users don't need to know how the ARP process works. It's a background protocol.
System Administrators: Administrators can see that ARP is in place, but they don’t need to understand its mechanics – it's largely hidden.
Related Protocols: RARP (Reverse ARP)
Purpose: RARP (Reverse ARP) is specifically designed to solve a problem when a diskless workstation (like a desktop computer) needs to find its IP address. It was a vital tool in early Ethernet networks.
Manual Configuration: RARP requires manual configuration: a RARP server must hold a hand-maintained table of hardware-to-IP mappings, so nothing about the assignment is automatic.
Rarely Used Today: Due to the rise of DHCP (Dynamic Host Configuration Protocol) – a more flexible way to assign IP addresses – RARP is largely obsolete.
Key Insights (Summarized)
ARP Bridges IP and MAC: ARP is the mechanism that lets IP addressing and MAC addressing work together on the same network.
Dynamic Address Mapping: The ability to learn and update the MAC address for an IP address dynamically is a fundamental aspect of Ethernet networking.
Importance for Hardware-Based Networks: It's essential on networks where frames are delivered by physical hardware addresses, to which IP addresses must be tied.
ARP IN ACTION: DIRECT DELIVERY EXAMPLE
UNDERSTANDING ARP: THE HEART OF LAN COMMUNICATION
ARP (Address Resolution Protocol) is a fundamental technology used in local area networks (LANs) that lets devices on the same network dynamically discover each other's hardware (MAC) addresses from their IP addresses.
It's essentially a lookup service that translates IP addresses to MAC addresses, the physical addresses of network interfaces. Without ARP, devices would need a central router to handle every request.
I. Scenario: A Local Computer Needs to Access a Web Server
The Problem: The computer (let’s call it Device A) wants to connect to a web server using the URL http://10.0.0.1. The web server's IP address is on the same Ethernet subnet as Device A’s network.
The Goal: The computer needs to directly communicate with the web server without involving a router.
Network: The LAN uses 48-bit Ethernet MAC addresses.
II. Direct Delivery Steps with ARP
Let's walk through the process step-by-step:
Application Layer (Browser Parsing): The browser (e.g., Chrome or Firefox) starts by parsing the URL. It recognizes the http:// part, indicating the HTTP protocol.
Detects URL Contains IP: The browser notices that the host part of the URL is already an IPv4 address (10.0.0.1), so no name lookup is needed to figure out what the URL refers to.
TCP Attempts Connection: TCP (Transmission Control Protocol) is used to establish the connection. TCP is a reliable protocol that ensures data is delivered in order.
TCP asks IPv4 to send datagram: TCP hands its first segment to IPv4, which wraps it in a datagram (a packet) addressed to 10.0.0.1. IPv4 is the addressing system used on most networks today.
IPv4 Sees Same Subnet: The address 10.0.0.1 is on the same network segment as Device A. This is crucial! It means there's no need for a router; the two devices can communicate directly without a hop.
ARP Request: Before the frame can be built, Device A needs the MAC address of 10.0.0.1, so its ARP module broadcasts a request to every device on the network, asking: Who has the IP address 10.0.0.1? The broadcast is essentially a question shouted to the whole segment.
ARP Reply: Only the device with the IP address 10.0.0.1 responds. It sends a reply directly (unicast) to Device A. This reply contains:
IPv4 Address: The address that was asked about (10.0.0.1)
Corresponding MAC Address: The physical MAC address of the device that holds that IP address.
Sender learns MAC: Device A now knows the MAC address of the device that responded and stores it in its ARP cache. This is essential for future communication.
Datagram Encapsulation: Device A encapsulates the IP datagram inside an Ethernet frame addressed to that MAC and sends it over the network.
III. Important Notes
ARP Operates on Multi-Access Broadcast Networks (MARNs): ARP only works on networks like Ethernet, Wi-Fi, and other networks that support link-layer broadcast. It's not used on point-to-point links (like PPP).
Broadcast Domain Limits ARP: Each network segment (or VLAN) has its own broadcast domain. Devices in different broadcast domains cannot exchange ARP requests with each other directly, because the broadcast never crosses the boundary. This is a fundamental security and performance consideration.
Broadcast Mechanism: The ARP request is sent as a broadcast frame. This means all devices on the network receive the message.
IV. Key Concepts Illustrated
ARP Bridges IPv4 to Hardware Addresses: ARP turns the IP address of the web server into the physical hardware address of the device that holds it. It's the key to translating the server's logical address into its actual location on the link.
Direct Delivery (Without Routers): When the destination is on the same subnet, ARP lets devices resolve each other's addresses and deliver frames directly, without intermediaries.
ARP as Transparency: ARP is designed to be invisible to users and applications. It works in the background, automatically fulfilling the task of finding devices on the network.
V. Key Concepts Illustrated
ARP Bridges IPv4 to MAC Addresses: The core function of ARP – to efficiently translate IP addresses to physical device addresses.
Direct Delivery: Enables communication between devices on the LAN without needing a central router.
Transparency: ARP's operation is designed to be seamless and unnoticeable to users and applications.
VI. Local Network Communication (ARP), as shown in the figure
The ARP Process: When a Querier wants to send data to a target host (e.g., 10.0.0.1) on the same Ethernet segment, it uses the Address Resolution Protocol (ARP) to find the target's physical MAC address.
Broadcast Mechanism: The ARP request is sent as a broadcast frame, reaching every device in the broadcast domain.
Host Filtering:
The Target Host recognizes its IP and responds directly to the querier.
Wrong Hosts (with different IPs) and Non-IP Hosts receive the frame but must discard it once they realize the request is not intended for them.
ARP CACHE – EXPLAINED
The ARP cache is like a little notebook on each host or router where it keeps track of recent mappings between IP addresses and hardware (MAC) addresses.
Without it, every time a device wants to send a packet on a local network, it would have to broadcast an ARP request, which is slow and inefficient.
I. How long do ARP entries last?
Each entry has a normal expiration time of 20 minutes (RFC1122).
After that, it’s removed, and the next packet to that IP triggers a fresh ARP request.
II. How to check the ARP cache
On Linux
Run the arp command with no options to list the cache in the Linux format.
Or run arp -a for BSD-style formatting.
On Windows:
Run arp -a at a command prompt.
III. Understanding the Linux ARP output
A typical Linux ARP entry has five parts: the IP address, the hardware type (e.g., ether), the hardware address, the flags (with an optional mask), and the interface the entry was learned on.
Flags
C → learned dynamically by ARP
M → manually entered by user (arp -s)
P → publish → the host replies to ARP requests for this IP (used for proxy ARP)
IV. Understanding the Windows ARP output
Windows gives slightly different info: each entry shows the Internet Address, the Physical Address, and a Type of dynamic or static, grouped under the interface that learned it.
Note on MAC formatting:
Linux uses colons (:) while Windows uses dashes (-). Same 48-bit address, just different style.
V. Key takeaways
ARP cache improves network efficiency by storing recent IP → MAC mappings.
Entries expire in ~20 minutes, but this is adjustable on some systems.
Linux vs Windows: similar info, different formatting and notation.
Flags are important to know if the entry is dynamic, static, or for proxy ARP.
Use arp -a to inspect your cache at any time.
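As an added example (not code from the page), here is a Python parser for the Linux arp output and the Windows arp -a output described above, with the sample text constructed here rather than captured from real hosts; it normalises the colon/dash MAC notation, decodes the C/M/P flags, and compares caches from different machines for disagreeing mappings.

```python
import re

# Constructed sample of Linux `arp` (net-tools) output; not captured from a real host.
LINUX_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   00:0c:29:3a:1b:2c   C                     eth0
10.0.0.3                 ether   00:00:c0:c2:9b:26   CM                    eth0
10.0.0.99                        (incomplete)                              eth0
"""

# Constructed sample of Windows `arp -a` output.
WINDOWS_ARP = """\
Interface: 10.0.0.56 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-0c-29-3a-1b-2c     dynamic
  10.0.0.3              00-00-c0-c2-9b-26     static
"""

FLAG_MEANING = {"C": "dynamic (learned by ARP)",
                "M": "static (entered with arp -s)",
                "P": "published (answers ARP for this IP, i.e. proxy ARP)"}


def normalize_mac(mac: str) -> str:
    """Same 48-bit address whether written 00:0c:... (Linux) or 00-0c-... (Windows)."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)


def parse_linux_arp(text: str) -> dict:
    entries = {}
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if not fields:
            continue
        ip, iface = fields[0], fields[-1]
        if "(incomplete)" in fields:             # asked, but never got an answer
            entries[ip] = {"mac": None, "state": "incomplete", "flags": [], "iface": iface}
            continue
        mac, flags = fields[2], fields[3]        # fields[1] is HWtype, e.g. "ether"
        entries[ip] = {"mac": normalize_mac(mac),
                       "state": "static" if "M" in flags else "dynamic",
                       "flags": [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING],
                       "iface": iface}
    return entries


def parse_windows_arp(text: str) -> dict:
    entries, iface = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Interface:\s+(\S+)", line)
        if m:
            iface = m.group(1)                   # entries are grouped per interface
            continue
        fields = line.split()
        if len(fields) == 3 and re.fullmatch(r"\d+(\.\d+){3}", fields[0]):
            ip, mac, typ = fields
            entries[ip] = {"mac": normalize_mac(mac), "state": typ, "flags": [], "iface": iface}
    return entries


def mapping_conflicts(*caches: dict) -> dict:
    """IPs that two or more caches resolve to different MACs.

    Caches of hosts on one LAN should agree; a disagreement deserves a look
    (a replaced NIC, or an ARP reply that should not have been believed)."""
    seen = {}
    for cache in caches:
        for ip, e in cache.items():
            if e["mac"]:
                seen.setdefault(ip, set()).add(e["mac"])
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}
```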
ARP FRAME FORMAT (IPV4 ON ETHERNET)
ARP (Address Resolution Protocol) is the friendly helper that tells your computer, Hey, what’s the MAC address for this IP?
Let’s break down how an ARP frame looks on an Ethernet network.
I. Ethernet Header (First 14 Bytes)
Destination MAC – This is where the frame is headed.
For ARP requests, it’s the special broadcast address ff:ff:ff:ff:ff:ff. That’s like shouting to everyone on the network: Hey, who has this IP?
Source MAC – The sender’s hardware address.
Type/Length – A 2-byte field that identifies what the frame carries. For ARP, it's always 0x0806.
II. The ARP Packet (After Ethernet Header)
The ARP part starts with 8 generic bytes, then the rest depends on the address types. When mapping an IPv4 address to a 48-bit Ethernet MAC:
1. Hardware Type (Hard Type) – What kind of hardware address are we talking about?
Ethernet = 1
2. Protocol Type (Prot Type) – What type of network address is being mapped?
IPv4 = 0x0800 (same as IPv4 Ethernet frames)
3. Hardware Size (Hard Size) – How many bytes is the hardware address?
Ethernet MAC = 6 bytes
4. Protocol Size (Prot Size) – How many bytes is the protocol address?
IPv4 = 4 bytes
5. Operation (Op) – What are we doing?
1 = ARP request
2 = ARP reply
3 = RARP request
4 = RARP reply
III. Who’s Who in the ARP Packet
Next, we have the addresses. This is where ARP really shines:
Sender Hardware Address – Your MAC address (also appears in the Ethernet header)
Sender Protocol Address – Your IP address
Target Hardware Address – MAC of the device you’re asking for. For requests, this is set to 0 because you don’t know it yet.
Target Protocol Address – The IP address you’re trying to find the MAC for
IV. How It Works
1. Your computer wants to talk to an IP.
2. It broadcasts an ARP request (Target Hardware Address = 0).
3. The device with that IP sees the request, fills in its MAC, swaps sender/target info, sets Op to 2 (reply), and sends it back.
4. Voila! Now your computer knows the MAC for that IP.
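As an added example (not code from the page or from any ARP implementation it describes), here is a Python builder and parser for the IPv4-over-Ethernet ARP frame laid out above, including the request-to-reply transformation of step 3 and the host filtering that makes only the owner of the target IP answer; the demo addresses are the ones from the tcpdump example later on this page.

```python
import struct
from ipaddress import IPv4Address

ETH_TYPE_ARP = 0x0806        # Ethernet Type field announcing an ARP payload
HW_TYPE_ETHERNET = 1         # Hard Type
PROTO_TYPE_IPV4 = 0x0800     # Prot Type
OP_REQUEST, OP_REPLY = 1, 2  # Op codes (3/4 are RARP, not handled here)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    # Accepts "00:00:c0:6f:2d:40", Windows "00-00-c0-..." and tcpdump's short "0:0:c0:6f:2d:40".
    return bytes(int(octet, 16) for octet in mac.replace("-", ":").split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet header (14 bytes) + ARP packet (28 bytes), padded to the 60-byte minimum."""
    # Requests are broadcast; replies are unicast to the requester (the reply's target).
    dst_mac = BROADCAST_MAC if op == OP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # The 8 generic ARP bytes: Hard Type, Prot Type, Hard Size, Prot Size, Op.
    generic = struct.pack("!HHBBH", HW_TYPE_ETHERNET, PROTO_TYPE_IPV4, 6, 4, op)
    # Then the four addresses: sender HW, sender proto, target HW, target proto.
    addrs = (mac_to_bytes(sender_mac) + IPv4Address(sender_ip).packed
             + mac_to_bytes(target_mac) + IPv4Address(target_ip).packed)
    frame = eth + generic + addrs                 # 42 bytes
    return frame.ljust(60, b"\x00")               # pad; the 4-byte CRC is added by the NIC


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an IPv4/Ethernet ARP frame; rejects anything that is not one."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError(f"not an ARP frame: Ethernet type 0x{eth_type:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HW_TYPE_ETHERNET, PROTO_TYPE_IPV4, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is handled here")
    a = 22  # start of the address block
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(frame[a:a + 6]),
        "sender_ip": str(IPv4Address(frame[a + 6:a + 10])),
        "target_mac": bytes_to_mac(frame[a + 10:a + 16]),
        "target_ip": str(IPv4Address(frame[a + 16:a + 20])),
    }


def make_reply(request: bytes, my_mac: str, my_ip: str):
    """Host filtering plus step 3: answer only if the request asks for my IP.

    The owner fills in its MAC, swaps sender/target, sets Op to 2 and unicasts
    the reply back to the requester. Returns None when the request is not for us."""
    req = parse_arp_frame(request)
    if req["op"] != OP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp_frame(OP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


if __name__ == "__main__":
    # Constructed demo using the addresses from the tcpdump example on this page.
    request = build_arp_frame(OP_REQUEST, "0:0:c0:6f:2d:40", "10.0.0.56", ZERO_MAC, "10.0.0.3")
    print(parse_arp_frame(request))
    reply = make_reply(request, "0:0:c0:c2:9b:26", "10.0.0.3")
    print(parse_arp_frame(reply))
```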
ARP EXAMPLES – SEEING THE MAGIC HAPPEN
In this section, we’re going to peek behind the scenes and see what really happens with ARP (Address Resolution Protocol) when we use normal TCP/IP tools like Telnet.
Telnet is a simple app that lets two systems chat over a TCP/IP connection. In our example, we’ll connect to a web server running on host 10.0.0.3 over TCP port 80 (the standard HTTP port).
I. Normal Example
First, let’s make sure our ARP cache is empty:
Great! Now we’ll use Telnet to connect to our web server:
The quit command exits Telnet.
While we’re doing this, we can watch the traffic using tcpdump on another system that can see our network.
We’ll use the -e option to show MAC addresses, which are 48-bit Ethernet addresses.
II. Tcpdump Output
Here’s a simplified version of what tcpdump shows (we’ve removed the connection teardown lines—they’re not important right now):
Let’s break this down in plain English:
Packet 1 – The ARP Request
Source MAC: 0:0:c0:6f:2d:40
Destination MAC: ff:ff:ff:ff:ff:ff → This is a broadcast, so everyone on the LAN sees it.
What’s happening: The system at 10.0.0.56 is asking, Hey, who has IP 10.0.0.3? Tell me your MAC!
ARP requests are always broadcast. The full Ethernet frame is padded to 60 bytes (minimum size) plus a 4-byte CRC.
Packet 2 – The ARP Reply
Source MAC: 0:0:c0:c2:9b:26 (the web server)
Destination MAC: 0:0:c0:6f:2d:40 (our system)
What’s happening: The web server responds directly to our machine: I’m 10.0.0.3, and my MAC is 0:0:c0:c2:9b:26.
ARP replies are unicast—not broadcast—so only the requester sees it.
Packet 3 – First TCP Segment
Source MAC: Our system
Destination MAC: Web server
What’s happening: Now that our system knows the MAC address, it can send the TCP SYN segment to start the connection.
Packet 4 – TCP Acknowledgment
Source MAC: Web server
Destination MAC: Our system
What’s happening: The web server replies to acknowledge the connection request.
Packet 5 – ACK
Source MAC: Our system
Destination MAC: Web server
What’s happening: Our system confirms the acknowledgment. TCP handshake complete!
Key Takeaways
ARP is very fast — in this case, the request/response cycle took only ~2.2 ms, with the first TCP segment following just 0.7 ms later.
If the destination MAC is already in the ARP cache, no ARP exchange occurs and TCP starts immediately.
Modern systems optimize by caching the sender’s info when receiving an ARP request, reducing future queries.
Fun Fact
You don’t always see ARP from the other side first — if they already have your MAC in cache, they skip the request. Think of ARP cache as a “friends list” for MAC addresses!
ARP works quietly in the background to enable smooth TCP/IP connections, and tools like tcpdump let you watch this quick handshake in action.
ARP REQUEST TO A NONEXISTENT HOST
What happens if your computer tries to reach a device that doesn’t exist on the local network? Let’s explore with an example.
I. The Scenario
Suppose your subnet is 10.0.0.0/24.
You try to connect to 10.0.0.99, but no device actually has that IP.
On Linux, you might run:
💡 Observation: After 3 seconds, the connection fails because the host is unreachable.
II. ARP Behavior
Before sending any actual data, your host must resolve the IP address to a MAC address using ARP.
Check the ARP cache:
<incomplete> means your computer tried to resolve the IP but got no response.
III. Monitoring ARP with tcpdump
If you capture the traffic using tcpdump, you’ll see something like this:
Explanation:
1. Your host broadcasts an ARP request asking: Who has 10.0.0.99? Tell me!
2. No host replies because 10.0.0.99 doesn’t exist.
3. Linux repeats this roughly once per second, the maximum rate recommended by RFC1122.
IV. Differences on Windows
Windows behaves a bit differently:
TCP waits longer so it can send two ARP requests before giving up on the connection.
This is why sometimes Windows seems slower at detecting a missing host.
V. Key Takeaways
1. When the target IP doesn't exist:
ARP entries remain <incomplete> until they time out.
No MAC address is resolved.
2. Linux aggressively retries once per second; Windows adjusts based on protocol.
3. TCP gives up after 2 unanswered ARP requests (Windows), or a few seconds (Linux).
4. This mechanism prevents wasting bandwidth but also exposes unresponsive hosts quickly.
💡 Analogy:
ARP is like shouting across a room:
You ask, Who owns IP 10.0.0.99?
If no one answers, you shout again every second (Linux) or every 5–10 seconds (Windows), then give up.
ARP CACHE TIMEOUT – KEEPING TRACK OF MACS
Think of the ARP cache like a little sticky note in your computer that says: Hey, this IP lives at this MAC address.
But sticky notes don’t last forever, they fade away if not refreshed. That’s what we call an ARP cache timeout.
I. How Timeouts Work
Completed entries (you’ve successfully resolved the MAC for an IP) usually stick around for about 20 minutes.
Incomplete entries (you asked, but didn’t get an answer—like trying to ARP a ghost host) stick around for only 3 minutes.
Most systems are friendly—they restart the 20-minute timer every time you use the entry, so frequently used addresses don’t disappear. Technically, [RFC1122] says the timeout should tick down even if the entry is being used, but in practice, many systems keep refreshing it.
II. Soft State Magic
This is a perfect example of what engineers call soft state:
It’s info that disappears automatically unless it’s refreshed.
Soft state is super handy—it lets the network reconfigure itself automatically if things change.
The trade-off? Some protocol has to keep refreshing the state to stop it from expiring. That’s where soft state refreshes come in—they keep the sticky note alive as long as it’s needed.
So, in short: ARP cache entries are temporary helpers, and soft state is what lets your network stay flexible and responsive without manual intervention.
PROXY ARP
Proxy ARP (PA) is a technique where one device (often a router) acts as an intermediary to forward ARP (Address Resolution Protocol) requests on behalf of another device (typically a host).
Think of it like a digital telephone switch for network traffic.
Why Did It Exist? (Historical Reasons)
Network Hiding: Historically, it was used to hide the physical layout of a network. A router sitting between two physical networks answered ARP requests on behalf of the hosts on the far side, so both networks could share the same IP address prefix and look like one network to the hosts. Proxy ARP let the router pretend to be the destination of those ARP requests.
Compatibility Issues: Older systems struggled with subnetting (dividing a network into smaller subnets). Proxy ARP helped work around this limitation.
Older Broadcast Address Formats: Older broadcast address formats in ARP requests could cause conflicts. Proxy ARP offered a way to bypass these restrictions.
Why is it Now Discouraged?
Confusion & Misrouting: It caused significant problems because it undermined normal subnetting rules. It introduced complexity and potential for routing errors.
Security Risks: It became a common method for hackers to bypass security measures.
How Does it Work? (Modern Use)
Linux Support: Linux has a feature called auto-proxy ARP. It is enabled by writing 1 to /proc/sys/net/ipv4/conf/*/proxy_arp for the interface in question, or by setting the equivalent value with sysctl.
Automatic Addressing: Proxy ARP is then provided for a whole range of addresses instead of being configured manually for each address.
In short:
Proxy ARP is a clever trick where one device pretends to be another, mainly used in the past for network hiding and compatibility issues, but now generally avoided for security and complex network setups.
It is a historical method for network manipulation. While it's been used in the past, modern networks typically use more robust and secure methods like subnetting and routing.
GRATUITOUS ARP
Gratuitous ARP is a simple, often overlooked mechanism whose main use is detecting IP address conflicts.
A host broadcasts an ARP request for its own IP address. Normally no one replies; if another host does respond, that host is already using the address, which indicates a conflict. The broadcast also lets other hosts refresh their caches with the sender's mapping. It's a basic security measure.
I. ARP Discovery Process (The ACD - Address Conflict Detection):
This is a more sophisticated system designed to handle those conflicts intelligently. It's a multi-stage process:
Probing: The host sends up to three ARP probes, with a short wait between each probe, to check whether any other host is already using the candidate address.
Conflict Detection: If a reply is received or a conflicting probe is seen, a conflict is detected.
Handling Conflicts: The host must then choose a different IP address (typically assigned by DHCP or another mechanism).
Announcements: The host sends two announcements – a 2-second delay between announcements – to update the local ARP cache.
Monitoring: The host continues to monitor ARP traffic for its IP address to be used by another host.
II. Key Improvement over Gratuitous ARP section:
ARP Probe: This is a crucial part of the ACD process. It is an ARP request whose sender IP address is all zeros and whose target is the address the host wants to use; it tests whether any other host already claims that address, without polluting other hosts' caches with a mapping that may turn out to be invalid.
Conflict Handling - Rate Limiting: After 10 conflicts, the host enters a rate-limiting phase and probes for further candidate addresses much more slowly, rather than flooding the network with probes.
Overall Goal: The ARP Discovery Process is designed to be more robust and reliable than the simple Gratuitous ARP, effectively managing IP address conflicts in a network.
III. Here's a breakdown to solidify understanding:
Gratuitous ARP: A basic, reactive measure. It detects conflicts, but doesn’t offer resolution.
ARP Discovery Process: A proactive, controlled process. It identifies conflicts and provides a mechanism to handle them.
⚡ Key Differences
Gratuitous ARP → quick way to check for duplicates and refresh caches.
ACD (RFC 5227) → formalized process with probes, announcements, and conflict resolution.
Together, they help prevent IP conflicts in IPv4 LANs, especially in DHCP environments and dynamic networks.
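As an added example of the ACD logic described above (not code from the page or from any stack it describes), here is a Python model of the RFC 5227 probe, announce and defend steps, fed with constructed ARP packets instead of live traffic and using the RFC's own constants; the host, MAC and IP values are made up for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional

# RFC 5227 constants (counts and seconds)
PROBE_NUM = 3             # probes before claiming the address
ANNOUNCE_NUM = 2          # announcements after claiming it
ANNOUNCE_INTERVAL = 2     # seconds between the announcements
MAX_CONFLICTS = 10        # after this many conflicts, slow down ...
RATE_LIMIT_INTERVAL = 60  # ... to one new attempt per minute
DEFEND_INTERVAL = 10      # at most one defence per 10 s, then give the address up
UNSPEC_IP = "0.0.0.0"
ZERO_MAC = "00:00:00:00:00:00"
OP_REQUEST, OP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPkt:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def make_probe(my_mac: str, candidate_ip: str) -> ArpPkt:
    """ARP Probe: a request whose sender IP is all zeros, so other caches are not
    polluted with a mapping we may not be allowed to keep."""
    return ArpPkt(OP_REQUEST, my_mac, UNSPEC_IP, ZERO_MAC, candidate_ip)


def make_announcement(my_mac: str, my_ip: str) -> ArpPkt:
    """ARP Announcement: gratuitous-style request with sender IP == target IP == ours."""
    return ArpPkt(OP_REQUEST, my_mac, my_ip, ZERO_MAC, my_ip)


def is_conflict(pkt: ArpPkt, my_mac: str, ip: str) -> bool:
    """Another host is using `ip` (any ARP with that sender IP) or is probing for it."""
    if pkt.sender_mac == my_mac:
        return False
    if pkt.sender_ip == ip:
        return True
    return pkt.op == OP_REQUEST and pkt.sender_ip == UNSPEC_IP and pkt.target_ip == ip


class AcdHost:
    def __init__(self, mac: str):
        self.mac, self.ip = mac, None
        self.conflicts = 0
        self.last_defend: Optional[float] = None

    def probes(self, candidate_ip: str) -> List[ArpPkt]:
        return [make_probe(self.mac, candidate_ip) for _ in range(PROBE_NUM)]

    def try_address(self, candidate_ip: str, observed: List[ArpPkt]) -> List[ArpPkt]:
        """Evaluate the ARP traffic seen during the probe window; on success the host
        adopts the address and returns the announcements to send, else an empty list."""
        if any(is_conflict(p, self.mac, candidate_ip) for p in observed):
            self.conflicts += 1
            return []
        self.ip = candidate_ip
        return [make_announcement(self.mac, candidate_ip) for _ in range(ANNOUNCE_NUM)]

    def next_attempt_delay(self) -> int:
        """Rate limiting: after MAX_CONFLICTS, wait RATE_LIMIT_INTERVAL before re-probing."""
        return RATE_LIMIT_INTERVAL if self.conflicts >= MAX_CONFLICTS else 0

    def on_packet(self, pkt: ArpPkt, now: float) -> str:
        """Ongoing monitoring after configuration (RFC 5227 section 2.4): defend once
        per DEFEND_INTERVAL by re-announcing, otherwise give the address up."""
        if self.ip is None or not is_conflict(pkt, self.mac, self.ip):
            return "ok"
        if self.last_defend is None or now - self.last_defend >= DEFEND_INTERVAL:
            self.last_defend = now
            return "defend"            # caller sends make_announcement(self.mac, self.ip)
        self.ip = None                 # second conflict inside the window: stop using it
        return "release"
```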
🖧 The arp Command: Managing the ARP Cache
The arp command is a utility for inspecting and manipulating the Address Resolution Protocol (ARP) cache, which maps IPv4 addresses to Ethernet (MAC) addresses.
Common Options:
arp -a
Displays all entries in the ARP cache.
On Linux, simply running arp shows similar information.
arp -d <IP>
Deletes a specific entry from the ARP cache.
Useful for forcing a fresh ARP exchange.
arp -s <IP> <MAC>
Adds a static entry (IPv4 → MAC).
Entry is semipermanent (persists until reboot).
⚙️ Linux-Specific Extensions
temp keyword → makes the entry temporary (expires like normal ARP entries).
pub keyword → enables the system to act as an ARP responder for that entry.
If the IP belongs to the system → acts as proxy ARP (responds on behalf of another host).
Even if /proc/sys/net/ipv4/conf/*/proxy_arp is set to 0, using arp -s ... pub forces proxy ARP behavior.
✅ Key Takeaway
The arp command gives administrators direct control over the ARP cache:
Inspect (-a),
Remove (-d),
Add (-s) entries.
Linux adds flexibility with temporary entries and proxy ARP support, making it a powerful tool for troubleshooting and specialized configurations.
USING ARP FOR IPV4 ADDRESS ASSIGNMENT
I. Why ARP? (The Problem It Solves)
The Core Issue: Many embedded devices (IoT, industrial controllers, etc.) lack input interfaces (no keyboard/display). They still need an IP address to join the network. Alternatives: DHCP, ARP-based assignment.
This is a huge challenge. Think about it: these devices are remote. They don’t have a way to directly interact with the network – no keyboard, no touchscreen – meaning they can't manually configure their IP address.
The Need for a Solution: The problem is, without an IP address, these devices can't even join the network. They're essentially stuck.
Why is manual assignment a problem? DHCP (Dynamic Host Configuration Protocol) is the automatic way to assign IP addresses. It's convenient, but it requires a DHCP server that a network administrator sets up and manages. ARP-based assignment provides a manual but crucial fallback when DHCP isn't available.
II. The Basic Idea – How It Works
ARP is a communication protocol: It's how devices on a link tell each other which hardware address goes with which IP address.
It's a Two-Way Street: It's a simple request/reply mapping:
Host sends an ARP Request: A host that wants the MAC address for a particular IP address broadcasts a request to the network.
Device replies with an ARP Reply: The device that owns that IP address sends back a reply containing its own MAC address.
The Trick – Manually Adding an Entry: The key to using ARP for address assignment is to manually add a static entry to a neighbouring host's ARP table, mapping the desired IP address to the embedded device's MAC address. Think of it as writing the device into the network's phone directory in advance.
The Device Sees the Packet: The neighbouring host then sends an IP packet to that IP address. Because of the static entry, the frame is addressed to the device's MAC, so the device receives it and sees its own hardware address as the frame destination and the desired IP address as the packet destination.
Adopting the IP Address: The device adopts that destination IP address as its own, on the reasoning that a packet delivered to its hardware address carries the IP address it is meant to use.
In short, ARP is a way to tell the network who a device is, using a simple, low-bandwidth conversation.
Imagine you're at a party. You need to be recognized by the host. ARP is like you standing in front of the host and saying, I'm here. My name is [your device's MAC address]. The host then tells everyone else your MAC address, and everyone knows who you are.
III. The steps we just discussed above:
Know the device’s MAC address - Usually printed on the device (sometimes doubles as serial number).
Create a static ARP entry on a host on the same LAN, using the arp -s command: arp -s 192.168.0.50 00:11:22:33:44:55
This maps IP 192.168.0.50 to device MAC 00:11:22:33:44:55.
Send an IP packet to that address – for example, just ping the device: ping 192.168.0.50
Once it receives the packet, it sets its IPv4 address to 192.168.0.50, thus adopts the IP, and becomes accessible via IP (e.g., embedded web server, SNMP, or custom protocol).
IV. Limitations
Not automatic → requires manual ARP entry.
Only works if device firmware supports this ARP-based assignment trick.
DHCP is more flexible and widely supported.
ARP method is typically used for initial bootstrap configuration.
✅ Key Takeaway
Using ARP to set an embedded device’s IPv4 address is a manual bootstrap technique:
Insert a static ARP entry → send a packet → device adopts the IP.
Useful when DHCP isn’t available and the device has no user interface.
Afterward, the device can be configured normally (e.g., via web interface).
ATTACKS INVOLVING ARP⚠️
1. Proxy ARP Masquerading
Attacker responds to ARP requests pretending to be another host.
If the real host is offline → attack is stealthy and harder to detect.
If the real host is online → multiple ARP replies per request → easier to spot.
Consequence: traffic meant for the victim is redirected to the attacker.
2. ARP Table Leakage (Multi-Network Interfaces)
Bug: ARP entries from one interface leak into another interface’s ARP table.
Exploit: attacker can misdirect traffic onto the wrong network segment.
Linux mitigation:
/proc/sys/net/ipv4/conf/*/arp_filter
Setting value = 1 → kernel checks if ARP request came from the correct interface.
If mismatch → ARP response suppressed → prevents leakage.
3. Static ARP Entry Poisoning
Static ARP entries sometimes used to lock important IP ↔ MAC mappings.
Problem: many ARP implementations still replace static entries if they receive unsolicited ARP replies.
Attacker sends fake ARP replies → overwrites static entry.
Consequence: attacker hijacks traffic even when static ARP was intended as a safeguard.
4. Why These Attacks Matter
ARP is stateless and unauthenticated → inherently vulnerable.
Attacks can lead to:
Man-in-the-middle (MITM) interception.
Traffic redirection to malicious hosts.
Denial of service if traffic is misrouted.
✅ Key Takeaway
ARP attacks exploit the protocol’s simplicity:
Proxy ARP → impersonation.
Leakage → misrouting across interfaces.
Static poisoning → bypassing locked entries.
Mitigation requires kernel-level checks (arp_filter), careful configuration, and in modern networks, stronger alternatives like IPv6 Neighbor Discovery or secure ARP extensions.
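As an added example (not code from the page or from any operating system it describes), here is a Python model of an ARP cache that implements the soft-state timeouts from the cache-timeout section (20-minute completed entries, 3-minute incomplete entries, refresh on use) and applies the defensive checks the attacks above call for: static entries are never overwritten, replies on the wrong interface are ignored (the arp_filter idea), and unsolicited or conflicting replies are flagged for the operator. The clock is a caller-supplied number of seconds, and all addresses in the test are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

COMPLETE_TTL = 20 * 60    # resolved entries live ~20 minutes (RFC 1122)
INCOMPLETE_TTL = 3 * 60   # unanswered requests are forgotten after ~3 minutes


@dataclass
class Entry:
    mac: Optional[str]    # None while <incomplete>
    expires: float        # absolute time in seconds; inf for static entries
    iface: str            # interface the request went out on / entry belongs to
    static: bool = False


class ArpCache:
    """Soft-state IP -> MAC cache with poisoning checks. `now` is caller-supplied seconds."""

    def __init__(self, refresh_on_use: bool = True):
        self.table: Dict[str, Entry] = {}
        self.pending: Set[str] = set()     # IPs with an outstanding request of ours
        self.alerts: List[str] = []        # detection events for the operator
        self.refresh_on_use = refresh_on_use

    def _expire(self, now: float) -> None:
        for ip in [ip for ip, e in self.table.items() if not e.static and e.expires <= now]:
            del self.table[ip]
            self.pending.discard(ip)

    def add_static(self, ip: str, mac: str, iface: str) -> None:
        """arp -s style entry: never expires and is never replaced by a reply."""
        self.table[ip] = Entry(mac, float("inf"), iface, static=True)

    def lookup(self, ip: str, iface: str, now: float) -> Optional[str]:
        """Step 1: consult the cache. A hit refreshes the timer (soft-state refresh);
        a miss creates an <incomplete> entry and records that a request was sent."""
        self._expire(now)
        e = self.table.get(ip)
        if e is not None and e.mac is not None:
            if self.refresh_on_use and not e.static:
                e.expires = now + COMPLETE_TTL
            return e.mac
        if e is None:
            self.table[ip] = Entry(None, now + INCOMPLETE_TTL, iface)
        self.pending.add(ip)                # the broadcast itself is not modelled here
        return None

    def on_reply(self, ip: str, mac: str, iface: str, now: float) -> Optional[str]:
        """Step 4 with checks; returns the MAC the cache trusts for `ip` afterwards."""
        self._expire(now)
        e = self.table.get(ip)
        if e is not None and e.static:
            if e.mac != mac:                # static poisoning attempt: keep the locked entry
                self.alerts.append(f"static-poison-attempt {ip}: reply says {mac}, keeping {e.mac}")
            return e.mac
        if e is not None and e.iface != iface:   # arp_filter idea: wrong interface, ignore
            self.alerts.append(f"cross-interface {ip}: reply on {iface}, entry belongs to {e.iface}")
            return e.mac                    # request (if any) stays pending on the right interface
        solicited = ip in self.pending      # only the first reply answers our request
        self.pending.discard(ip)
        if not solicited:
            self.alerts.append(f"unsolicited-reply {ip}: {mac} on {iface}")
            if e is None or e.mac != mac:   # never learn or change a mapping we did not ask for
                return e.mac if e is not None else None
        elif e is not None and e.mac is not None and e.mac != mac:
            self.alerts.append(f"mac-change {ip}: {e.mac} -> {mac}")   # replaced NIC or MITM; log it
        self.table[ip] = Entry(mac, now + COMPLETE_TTL, iface)
        return mac
```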
SUMMARY OF ARP📜
ARP is a fundamental protocol in TCP/IP networks, quietly mapping IPv4 addresses to hardware (MAC) addresses so devices can communicate on a local subnet.
Core Function
Resolves IPv4 → MAC addresses for local subnet communication.
Used both for direct delivery and for reaching a router when the destination is outside the subnet.
ARP Cache
Stores recently resolved mappings.
Entries expire after a timer unless added manually (e.g., via the arp command).
Can be inspected, deleted, or added by administrators.
Special Variants
Proxy ARP → a router answers ARP requests on behalf of hosts on another interface.
Gratuitous ARP → a host announces its own IP/MAC mapping (often at boot or for conflict detection).
Address Conflict Detection → uses gratuitous ARP-like exchanges to prevent duplicate IPs in the same broadcast domain.
Security Concerns
ARP is vulnerable to attacks because it trusts responses.
Common attack: ARP spoofing/poisoning, where an attacker fabricates ARP replies to impersonate another host.
This can redirect traffic, enable man-in-the-middle attacks, or disrupt communication.
✅ Key Takeaway
ARP is essential for IPv4 networking, enabling seamless communication at the link layer. While normally invisible to users, its cache and variants (proxy, gratuitous ARP) are critical for network operation.
However, its lack of built-in security makes it a frequent target for attacks, highlighting the importance of stronger protections at higher layers.