Address Resolution Protocol (ARP)

Mapping IP addresses to MAC addresses in local networks.

The Two-Address Problem: A Networking Detective Story

To send data over the internet, a computer needs to know a destination IP address. This is the logical address, which helps routers guide the packet across different networks, from Los Angeles to New York. However, once the packet arrives at the final destination network (e.g., the local office Wi-Fi in New York), IP addresses are no longer enough.

Analogy: Imagine sending a package to your colleague, "Jane Doe," who works at a large corporation. The public mail service uses the building's street address (like a public IP address) to get the package to the correct building. But once it arrives at the mailroom, the internal staff needs to know Jane's specific office number (e.g., "Suite 304") to complete the delivery. Her name, "Jane Doe," is her logical address, but her physical location is "Suite 304."

In a local network, every device has a unique, permanent (the office number). For a device to send data to another device on the same local network, it must know the recipient's MAC address. The fundamental question that every device faces is: "I know I want to send this packet to the IP address $192.168.1.100$ , but what is the actual hardware MAC address of that device?"

is the detective that solves this mystery. Its sole purpose is to translate a known IP address into its corresponding MAC address within a local network.

The ARP Process: "Who has this IP? Tell me!"

The ARP process is a simple yet elegant request-and-reply mechanism. When a source device (let's call it Host A) needs to send a packet to a destination device (Host B) on the same local network, it follows these steps:

Step 1: Check the ARP Cache

Before doing anything else, Host A checks its local ARP cache. This is a small, temporary table in memory that stores recently resolved IP-to-MAC address mappings. If Host A has recently communicated with Host B, the mapping will likely still be in the cache, and the process can skip directly to sending the data.

Step 2: The ARP Request (Broadcast)

If the mapping for Host B's IP address is not found in the cache, Host A must find it. To do this, it constructs a special message called an ARP Request.
Analogy: This is the equivalent of Host A going into the office lobby and shouting, "Attention everyone! Who is Jane Doe at IP $192.168.1.100$ ? Please tell me your office number!"

This "shout" is a message. It is sent to a special MAC address FF:FF:FF:FF:FF:FF that every device on the local network listens to. The ARP Request essentially contains the following query:

"Who has the IP address 192.168.1.100? Please tell the device with MAC address AA:BB:CC:11:22:33 (my own MAC address)."

Every device on the local network receives and processes this broadcast request.

Step 3: The ARP Reply (Unicast)

Only the device that recognizes its own IP address in the request will respond. All other devices on the network will simply ignore the request.
Analogy: In the office lobby, only Jane Doe will respond to the shout. Everyone else will continue with their work.

Host B, recognizing its IP $192.168.1.100$ , will create an ARP Reply. This reply is a message, sent directly back to the MAC address of Host A (which was included in the request). It is not a shout; it's a direct response. The reply says:

"I am the device with IP address $192.168.1.100$ , and my MAC address is DD:EE:FF:44:55:66."

Step 4: Update Cache and Send Data

Host A receives the ARP Reply. It now has the crucial mapping: $192.168.1.100$ = DD:EE:FF:44:55:66. Host A adds this information to its ARP cache for future use. Now that it knows the physical "office number," it can finally create the data packet's frame with the correct destination MAC address and send it directly to Host B.

The ARP Cache: A Short-Term Memory for Efficiency

Sending a broadcast ARP Request for every single packet would be incredibly inefficient and would flood the network with unnecessary traffic. The ARP cache solves this problem by acting as a short-term memory.

Function: The cache stores a dynamic list of recently learned IP-to-MAC address mappings.
Timeout: Cache entries are not permanent. They are typically kept for a short period (from a few minutes to several hours, depending on the operating system). After the timer expires, the entry is removed. This ensures that the cache doesn't hold onto stale information if a device changes its IP address or is removed from the network. The next time communication is needed, a new ARP request will be sent.
Viewing the Cache: You can view your computer's ARP cache by opening a command prompt or terminal and typing the command arp -a. This will display a list of known IP addresses and their corresponding MAC addresses on your local network.

> arp -a

Interface: $192.168.1.50$ --- 0x15

Internet Address Physical Address Type

$192.168.1.1$ a0-b1-c2-d3-e4-f5 dynamic

$192.168.1.101$ dd-ee-ff-44-55-66 dynamic

$192.168.1.255$ ff-ff-ff-ff-ff-ff static

ARP's Scope: The Local Network Boundary

It is absolutely critical to understand that ARP only works within a single local network segment (or broadcast domain). ARP requests are broadcasts, and routers, by definition, do not forward broadcast messages between different networks.

So, how do we send data to a different network?

Let's go back to our office analogy. If you want to send a package to a different company across town, you don't try to find the recipient's personal office number yourself. You simply address the package to the recipient and drop it off at your own building's mailroom. The mailroom (your network's router or default gateway) then takes responsibility for sending it out into the public postal system.

When your computer (Host A) wants to send a packet to a remote destination (like a web server on the internet), it follows these steps:

Destination Check: The computer compares the destination IP address with its own IP address and subnet mask. It quickly determines that the destination is on a remote network.
Target the Gateway: Because the destination is remote, the computer knows it cannot deliver the packet directly. It must send it to its configured (the local router).
ARP for the Gateway: Now, the computer initiates the ARP process, but with a different goal. It sends out an ARP Request broadcast asking:
"Who has the IP address of my default gateway ( $192.168.1.1$ )? Please tell me your MAC address."
Send to Gateway: Once the router replies with its MAC address, the computer creates the data packet. The packet's destination IP address is still the final remote server, but the destination MAC address is that of the local router. The packet is then sent to the router, which takes over the task of forwarding it toward its final destination.

Variations of ARP

Besides the standard request/reply mechanism, several other types of ARP messages and techniques serve specific functions.

Reverse ARP (RARP): A historical protocol used by diskless workstations. A device would know its MAC address but not its IP address. It would broadcast a RARP request ("My MAC is X, what is my IP?"), and a RARP server on the network would reply with an assigned IP address. RARP is now obsolete and has been replaced by more advanced protocols like BOOTP and, most commonly, DHCP.
Proxy ARP: A technique where a router on one network responds to ARP requests for IP addresses that are on another network. The router effectively "lies" and provides its own MAC address, acting as a proxy for the remote hosts. When it receives the packet, it then forwards it to the real destination. It's a way to connect two physical networks without changing IP addressing schemes, but can be complex to manage.
Gratuitous ARP: This is an ARP message that is sent by a host without being prompted by an ARP request. The host sends a broadcast ARP Reply (or Request) for its own IP address. This serves two main purposes:
- IP Conflict Detection: When a device gets a new IP address, it sends a gratuitous ARP. If another device on the network replies, it means that IP address is already in use, and the device will report an IP address conflict error.
- Updating Caches: If a device changes its network card (and thus its MAC address) but keeps its IP address, it can send a gratuitous ARP to instantly update the ARP caches of all other devices on the network, ensuring they now send data to the new MAC address. This is also vital in high-availability systems where a backup server takes over the IP address of a failed primary server.

ARP and Network Security

The simplicity and trust-based nature of ARP make it vulnerable to a significant security threat known as ARP Spoofing or ARP Poisoning. Since devices on a network blindly trust ARP replies, a malicious attacker can send forged ARP replies.

For instance, an attacker could tell the default gateway that the attacker's MAC address corresponds to your computer's IP address. At the same time, the attacker could tell your computer that the attacker's MAC address belongs to the default gateway. This places the attacker's machine right in the middle of all your internet traffic, allowing them to eavesdrop, modify, or block your data in what's known as a Man-in-the-Middle (MitM) attack. Various security mechanisms are used to mitigate this risk.

The End of an Era: ARP's Role in IPv6

With the introduction of IPv6, the ARP protocol was officially retired. Its functions have been completely replaced by a more comprehensive and efficient suite of protocols integrated into ICMPv6, known collectively as the Neighbor Discovery Protocol (NDP).

NDP performs address resolution (the core function of ARP) but does so using more efficient multicast messages instead of broadcasts, and it also handles other critical functions like router discovery, prefix discovery, and address autoconfiguration. While the problem of resolving a Layer 3 address to a Layer 2 address still exists, the protocol used to solve it in the modern IPv6 world is entirely new.