Uploaded by Jainil Gajjar

ARP

Harneet Singh
https://www.linkedin.com/in/harneet-singh-97890498
ARP (Link Layer Protocol)
ARP Address Specification and General Operation
An Address Resolution Protocol transaction begins when a source device on an IP network has
an IP datagram to send. It must first decide whether the destination device is on the local
network or a distant network. If the former, it will send directly to the destination; if the latter,
it will send the datagram to one of the routers on the physical network for forwarding. Either
way, it will determine the IP address of the device that needs to be the immediate destination of
its IP datagram on the local network. After packaging the datagram it will pass it to its ARP
software for address resolution.
The basic operation of ARP is a request/response pair of transmissions on the local network. The
source (the one that needs to send the IP datagram) transmits a broadcast containing
information about the destination (the intended recipient of the datagram). The destination
then responds unicast back to the source, telling the source the hardware address of the
destination.
ARP Request
ARP Response
ARP Cache
Essential to the efficient operation of ARP is the maintenance of an ARP cache (or table)
on each host and router. This cache maintains the recent mappings from network-layer
addresses to hardware addresses for each interface that uses address resolution. When
IPv4 addresses are mapped to hardware addresses, the normal expiration time of an
entry in the cache is 20 minutes for a completed entry and 3 minutes for an incomplete
entry, measured from the time the entry was created, as described in [RFC1122]. We can
examine the ARP cache with the arp command on Linux or in Windows. The -a option
displays all entries in the cache for either system. Running arp on Linux yields the
following type of output:
Linux% arp
Address          HWtype  HWaddress           Flags Mask   Iface
gw.home          ether   00:0D:66:4F:60:00   C            eth1
printer.home     ether   00:0A:95:87:38:6A   C            eth1
Linux% arp -a
printer.home (10.0.0.4) at 00:0A:95:87:38:6A [ether] on eth1
gw.home (10.0.0.1) at 00:0D:66:4F:60:00 [ether] on eth1
Running arp on Windows provides output similar to the following:
c:\> arp -a
Interface: 10.0.0.56 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-0d-66-4f-60-00     dynamic
  10.0.0.4              00-0a-95-87-38-6a     dynamic
In the Ethernet header of the ARP frame, the first two fields contain the destination and
source Ethernet addresses. For ARP requests, the special Ethernet destination address
of ff:ff:ff:ff:ff:ff (all 1 bits) means the broadcast address—all Ethernet interfaces in the
same broadcast domain receive these frames.
The Op field specifies whether the operation is an ARP request (a value of 1), ARP reply
(2), RARP request (3), or RARP reply (4). This field is required because the Length/Type
field is the same for an ARP request and an ARP reply. The next four fields that follow
are the Sender’s Hardware Address (an Ethernet MAC address in this example), the
Sender’s Protocol Address (an IPv4 address), the Target Hardware (MAC/Ethernet)
Address, and the Target Protocol (IPv4) Address.
For an ARP request, all the fields are filled in except the Target Hardware Address
(which is set to 0). When a system receives an ARP request directed to it, it fills in its
hardware address, swaps the two sender addresses with the two target addresses, sets
the Op field to 2, and sends the reply.
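The request and reply handling described above, as an added example that is not part of the original notes: it packs a broadcast request, builds the reply by swapping the sender and target pairs, and decodes both frames. The function names and the 02:00:00:00:00:56 host MAC are constructed for illustration; the gateway address and MAC are the ones shown in the arp listings.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")           # destination MAC, source MAC, Length/Type
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, Op, SHA, SPA, THA, TPA
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
OPS = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def parse_arp(frame):
    """Decode an Ethernet frame carrying Ethernet/IPv4 ARP into a dict of named fields."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("Length/Type is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": OPS.get(op, f"unknown({op})"),
            "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}

def build_request(my_mac, my_ip, target_ip):
    """Broadcast request: every field filled in except the Target Hardware Address (zero)."""
    body = ARP_BODY.pack(1, 0x0800, 6, 4, 1, my_mac, socket.inet_aton(my_ip),
                         b"\x00" * 6, socket.inet_aton(target_ip))
    return ETH_HDR.pack(BROADCAST, my_mac, ETHERTYPE_ARP) + body

def build_reply(request, my_mac):
    """Answer a request: fill in our MAC, swap sender and target pairs, set Op to 2."""
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_BODY.unpack_from(request, ETH_HDR.size)
    if op != 1:
        raise ValueError("only ARP requests are answered")
    body = ARP_BODY.pack(htype, ptype, hlen, plen, 2, my_mac, tpa, sha, spa)
    return ETH_HDR.pack(sha, my_mac, ETHERTYPE_ARP) + body  # unicast back to the requester

# Constructed sample: 10.0.0.56 (made-up MAC) resolves gw.home 10.0.0.1 from the listings above.
HOST_MAC = mac_bytes("02:00:00:00:00:56")
GW_MAC = mac_bytes("00:0d:66:4f:60:00")
REQUEST = build_request(HOST_MAC, "10.0.0.56", "10.0.0.1")
REPLY = build_reply(REQUEST, GW_MAC)

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_arp(frame))
```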
Proxy ARP
ARP was designed to be used by devices that are directly connected on a local network.
Each device on the network should be capable of sending both unicast and broadcast
transmissions directly to every other device. Normally, if device A and device B are
separated by a router, they would not be considered local to each other. Device A would
not send directly to B or vice-versa; they would send to the router instead at layer two
and would be considered “two hops apart” at layer three.
Disadvantages of Proxy ARP
Hosts have no idea of the physical details of their network and assume it to be a flat
network in which they can reach any destination simply by sending an ARP request. But
using ARP for everything has disadvantages. These are some of the disadvantages:

It increases the amount of ARP traffic on your segment.

Hosts need larger ARP tables in order to handle IP-to-MAC address mappings.

Security can be undermined. A machine can claim to be another in order to intercept
packets, an act called "spoofing."

It does not work for networks that do not use ARP for address resolution.
Real-time example: Proxy ARP would be used when we have a web server which needs to be hosted on
the Internet, so that users from outside are able to access it. Let’s assume that we have a
pool of public IP addresses and we want to create the DNAT on a loopback/additional
(loopback1) interface which doesn’t have a MAC address. We would need to enable
proxy ARP on the physical interface (Eth0) of the device for the loopback address, which
would let the device respond with the MAC address of that physical interface (Eth0) when an
ARP request comes in for the loopback address.
Technically, both interfaces would share the same MAC address.
GARP (from Windows Machine)
It occurs when a host sends an ARP request looking for its own address. Gratuitous
ARP can mean either a gratuitous ARP request or a gratuitous ARP reply. Gratuitous in this
case means a request/reply that is not normally needed according to the ARP
specification (RFC 826) but could be used in some cases. A gratuitous ARP request is
an Address Resolution Protocol request packet where the source and destination IP are
both set to the IP of the machine issuing the packet and the destination MAC is the
broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur. A gratuitous ARP
reply is a reply to which no request has been made. Gratuitous ARPs are useful for four
reasons:

They can help detect IP conflicts. When a machine receives an ARP request
containing a source IP that matches its own, then it knows there is an IP
conflict.

They assist in the updating of other machines' ARP tables. Clustering
solutions utilize this when they move an IP from one NIC to another, or from
one machine to another. Other machines maintain an ARP table that contains
the MAC associated with an IP. When the cluster needs to move the IP to a
different NIC, be it on the same machine or a different one, it reconfigures the
NICs appropriately then broadcasts a gratuitous ARP reply to inform the
neighboring machines about the change in MAC for the IP. Machines
receiving the ARP packet then update their ARP tables with the new MAC.

They inform switches of the MAC address of the machine on a given switch
port, so that the switch knows that it should transmit packets sent to that MAC
address on that switch port.

Every time an IP interface or link goes up, the driver for that interface will
typically send a gratuitous ARP to preload the ARP tables of all other local
hosts. Thus, a gratuitous ARP will tell us that the host has just had a link up
event, such as a link bounce, a machine just being rebooted or the
user/sysadmin on that host just configuring the interface up. If we see multiple
gratuitous ARPs from the same host frequently, it can be an indication of bad
Ethernet hardware/cabling resulting in frequent link bounces.
From Cisco Router:-
Although gratuitous ARP provides some indication that multiple stations may be
attempting to use the same IPv4 address, it really provides no mechanism to react to the
situation (other than by printing a message that is ideally acted upon by a system
administrator). To deal with this issue, [RFC5227] describes IPv4 Address Conflict
Detection (ACD). ACD defines ARP probe and ARP announcement packets.
'ARP Probe' is used to refer to an ARP Request packet, broadcast on the local link, with
an all-zero 'sender IP address'. The 'sender hardware address' MUST contain the
hardware address of the interface sending the packet. The 'sender IP address' field
MUST be set to all zeroes, to avoid polluting ARP caches in
other hosts on the same link in the case where the address turns out to be already in use
by another host. The 'target hardware address' field is ignored and SHOULD be set to all
zeroes. The 'target IP address' field MUST be set to the address being probed. An ARP
Probe conveys both a question ("Is anyone using this address?") and an implied
statement ("This is the address I hope to use.").
ARP Probe
An ARP announcement is identical to an ARP probe, except both the Sender’s Protocol Address
and the Target Protocol Address fields are filled in with the candidate IPv4 address. It is used to
announce the sender’s intention to use the candidate IPv4 address as its own.
To perform ACD, a host sends an ARP probe when an interface is brought up or out of sleep, or
when a new link is established (e.g., when an association with a new wireless network is made).
It first waits a random amount of time (in the range 0–1s, distributed uniformly) before sending
up to three probe packets. The delay is used to avoid power-on congestion when multiple
systems powered on simultaneously would otherwise attempt to perform ACD at once, leading
to a network traffic spike. The probes are spaced randomly, with between 1 and 2s of delay
(distributed uniformly) placed between.
While sending its probes, a requesting station may receive ARP requests or replies. A reply to its
probe indicates that a different station is already using the candidate IP address. A request
containing the same candidate IPv4 address in the Target Protocol Address field sent from a
different system indicates that the other system is simultaneously attempting to acquire the
candidate IPv4 address. In either case, the system should indicate an address conflict message
and pursue some alternative address. For example, this is the recommended behaviour when
being assigned an address using DHCP (see Chapter 6). [RFC5227] places a limit of ten conflicts
when trying to acquire an address before the requesting host enters a rate-limiting phase when
it is permitted to perform ACD only once every 60s until successful.
If a requesting host does not discover a conflict according to the procedure just described, it
sends two ARP announcements spaced 2s apart to indicate to systems in the broadcast domain
the IPv4 address it is now using. In the announcements, both the Sender’s Protocol Address and
the Target Protocol Address fields are set to the address being claimed. The purpose of sending
these announcements is to ensure that any pre-existing cached address mappings are updated
to reflect the sender’s current use of the address.
ACD is considered to be an ongoing process, and in this way, it differs from gratuitous ARP.
Once a host has announced an address it is using, it continues inspecting incoming ARP traffic
(requests and replies) to see if its address appears in the Sender’s Protocol Address field. If so,
some other system believes it is rightfully using the same address. In this case, [RFC5227]
provides three possible resolution mechanisms: cease using the address, keep the address but
send a “defensive” ARP announcement and cease using it if the conflict continues, or continue to
use the address despite the conflict. The last option is recommended only for systems that truly
require a fixed, stable address (e.g., an embedded device such as a printer or router).
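As an added example (not from the original notes): a passive monitor for the ongoing conflict check described above, which also flags a changed IP-to-MAC binding, the symptom of the spoofing risk listed under the Proxy ARP disadvantages. The Arp tuple, the ArpMonitor class and every sample packet are constructed for illustration; a rebind alert can equally be a legitimate cluster failover announced by gratuitous ARP.

```python
from collections import namedtuple

# Fields of one already-decoded ARP packet (Op, sender MAC/IP, target MAC/IP).
Arp = namedtuple("Arp", "op sha spa tha tpa")
ZERO_IP, ZERO_MAC = "0.0.0.0", "00:00:00:00:00:00"

def classify(p):
    """Name the packet using the field rules given in the text."""
    if p.op == 1 and p.spa == ZERO_IP:
        return "probe"            # all-zero sender IP, target IP = address being probed
    if p.op == 1 and p.spa == p.tpa:
        return "announcement"     # same form as a gratuitous ARP request
    return "request" if p.op == 1 else "reply"

class ArpMonitor:
    """Inspects incoming ARP for one interface that owns my_ip/my_mac."""
    def __init__(self, my_ip, my_mac):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.bindings = {}        # sender IP -> hardware address last seen for it

    def observe(self, p):
        kind, alerts = classify(p), []
        if p.sha != self.my_mac and p.spa == self.my_ip:
            alerts.append(f"conflict: {p.sha} claims our address {self.my_ip}")
        if kind != "probe":       # probes carry no sender IP, so they bind nothing
            old = self.bindings.get(p.spa)
            if old is not None and old != p.sha:
                alerts.append(f"rebind: {p.spa} moved from {old} to {p.sha}")
            self.bindings[p.spa] = p.sha
        return kind, alerts

# Constructed traffic; only the gateway address and MAC come from the arp listings.
ME = ("10.0.0.56", "02:00:00:00:00:56")
SAMPLE = [
    Arp(1, "02:00:00:00:00:60", ZERO_IP, ZERO_MAC, "10.0.0.60"),      # host probing .60
    Arp(1, "00:0d:66:4f:60:00", "10.0.0.1", ZERO_MAC, "10.0.0.56"),   # gateway asks for us
    Arp(2, "02:00:00:00:00:99", "10.0.0.1", ME[1], "10.0.0.56"),      # new MAC for gateway IP
    Arp(1, "02:00:00:00:00:77", "10.0.0.56", ZERO_MAC, "10.0.0.56"),  # other host announces our IP
]

def run_sample():
    mon = ArpMonitor(*ME)
    return [mon.observe(p) for p in SAMPLE]

if __name__ == "__main__":
    for kind, alerts in run_sample():
        print(kind, alerts)
```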
[RFC5227] also suggests the potential benefit of having some ARP replies be sent using link-layer
broadcast. Although this has not traditionally been the way ARP works, there can be some
benefit in doing so, at the expense of requiring all stations on the same segment to process all
ARP traffic. Broadcast replies allow ACD to occur more quickly because all stations will notice
the reply and invalidate their caches during a conflict.
Unicast ARP - In an attempt to refresh an expired, or expiring, ARP entry, many client OSes will
issue a "targeted" ARP query to the MAC address they already expect. Most of the time, this
prompts a response from the intended target and allows the entry to be refreshed without
sending a broadcast to the entire network.
https://tools.ietf.org/html/rfc791#page-11
https://tools.ietf.org/html/rfc5227#page-12
ARP request: -
ARP response: -
GARP: -
ARP Probe: -
Questions which can come up for this topic:
1) What is ARP / why it’s needed.
2) What are the contents of ARP (source/destination IP address/MAC address). What are they going to be in a request or response.
3) What is Gratuitous ARP/ why it’s needed/ When it would be used.
4) What is Proxy ARP/ When it would be used.