Address Resolution Protocol (ARP): What It Is and How It Works
The address resolution protocol, or ARP, connects an always-changing IP address to a fixed media access (MAC) address. A directory holds a detailed map of both IP addresses and MAC addresses.
The ARP protocol may sound confusing. While the computing is complex, the work moves quickly. You may never even know the translation is happening.
What is ARP?
Every device within a local area network (LAN) has two addresses. One changes (your IP address), and one is fixed (your MAC address). ARP keeps those two systems connected.
The ARP process involves translation. For example, your IP address may be quite a bit shorter than your MAC address. And they're never made up of the same numerals in the same order.
But if a system can't resolve one to the other, data can't flow between devices. Quick translation is critical.
The Internet Working Group developed the ARP protocol back in 1982, and it serves as the foundation of connectivity today.
How does ARP work?
A piece of data arrives at a network gateway, and it needs to connect with a machine within the LAN. ARP helps the data arrive at the right place.
The ARP protocol leans on:
-
MAC address. Also known as the data link layer, the MAC address connects two devices and allows them to transfer information.
-
IP addresses. When a new device joins a LAN, the system assigns an IP address. Periodically, the system randomizes and assigns new IP addresses to protect user privacy. An IP address facilitates packet forwarding through routers.
The following steps take place during the ARP process:
-
Arrival. Data is destined for a machine on the LAN, and it lands on a piece of hardware within the network.
-
Check. The gateway machine asks the ARP program to find a MAC address that matches the IP address specified in the data packet. ARP uses a simple message format with a size that can vary.
-
Specification. When the lookup is complete, the gateway machine releases the information, and the data moves ahead.
Client-requested illustration: https://cdn.ttgtmedia.com/rms/onlineimages/whatis-arp_desktop.png
Let's dig deeper into ARP message formats. A typical request includes several fields, such as these:
-
Hardware type
-
Protocol type
-
Hardware address length
-
Protocol address length
-
Sender hardware address
-
Sender protocol address
-
Target hardware address
-
Target protocol address
While a great deal of information sits within each message, the total size is very small.
Types of ARP variations
We've described a simple ARP message and protocol. But companies can experiment and develop their own implementation methods.
These are two different versions of ARP companies often use.
-
Inverse: A system begins with the MAC address and requests an IP address.
-
Proxy: A device on the network handles ARP requests coming from IP addresses that aren't on the LAN.
Some companies prefer to avoid ARP altogether, and they use the Neighbor Discovery Protocol. The Network Working Group released Internet Protocol Version 6 (IPv6) in 2007, and this release supports the NDP. Companies that use NDP allow computers to maintain lists of known addresses rather than using an active protocol for lookup.
Known ARP problems
While ARP is fast and efficient, hackers can manipulate the system.
During an ARP spoofing (or ARP poisoning) attack, a hacker crafts fake ARP messages that link a malignant MAC address and a legitimate LAN IP address. Data heading to the victim's device will go to the hacker instead. This approach can lead to man-in-the-middle attacks.
An ARP spoofing attack is very similar to an IP spoofing attack. Learn more about how this vulnerability works and how you can address it on our blog.
References
An Ethernet Address Resolution Protocol. (November 1982). Network Working Group.
ARP Message Format. TCP/IP Guide.
Neighbor Discovery for IP Version 6 (IPv6). (September 2007). Network Working Group.