| Address Resolution Protocol | |
|---|---|
| Name | Address Resolution Protocol |
| Developer | David C. Plummer |
| Date | November 1982 |
| Purpose | IP to MAC address resolution |
| OSI layer | Link layer |
| RFCs | RFC 826 |
The Address Resolution Protocol (ARP) is a fundamental communication protocol used within Internet Protocol networks to map a network-layer address (an IPv4 address) to the link-layer hardware address, known as a MAC address, of the interface that owns it on the local network segment. This mapping is essential for the delivery of packets at the data link layer, because network interface hardware delivers frames by MAC address, not by IP address. The protocol operates through a simple request-and-reply mechanism and is defined by the Internet Engineering Task Force standard RFC 826.
The protocol was conceived to solve the problem of discovering the hardware address associated with a given network-layer address in a transparent manner, without manual configuration. It functions as a critical bridge between the network layer, typified by protocols like IPv4, and the underlying data link layer technologies such as Ethernet. Its operation is confined to a single broadcast domain, meaning it does not traverse router boundaries, which aligns with the localized nature of hardware addressing; a host sending to an address outside its own subnet resolves the MAC address of its gateway instead. The design philosophy emphasizes simplicity and efficiency, allowing hosts to maintain a cache of recently resolved addresses to minimize network traffic. This protocol is so integral to local network operations that it is implemented in the network stack of every modern operating system, including Microsoft Windows, Linux, and macOS.
The fundamental process involves two packet types: an ARP request and an ARP reply. When a host needs to send a packet to another device on the same local network, it first checks its local ARP cache for a matching MAC address. If no entry exists, the source host broadcasts an ARP request, carried in an Ethernet frame addressed to the broadcast MAC address (ff:ff:ff:ff:ff:ff), containing its own IP address and MAC address and the target IP address. Every host in the broadcast domain receives the request, but normally only the host whose IP address matches the target in the request packet will respond. That destination host records the requester's IP-to-MAC mapping from the request and sends a unicast ARP reply directly back to the requester, providing its own MAC address. Upon receipt, the original host updates its ARP cache with the new mapping and can then correctly address Ethernet frames for transmission. Cache entries are typically temporary, expiring after a short period unless refreshed, to account for changes in network configuration such as a host moving to a new interface.
An ARP packet is directly encapsulated within the data link layer frame (in an Ethernet frame it is identified by EtherType 0x0806) and does not have an IP header. The packet structure includes fields for hardware type (e.g., Ethernet is type 1), protocol type (e.g., IPv4 is 0x0800), the lengths of the hardware and protocol addresses (6 and 4 bytes for Ethernet and IPv4), and an operation code (1 for request, 2 for reply). The remaining fields are the sender hardware address (SHA) and sender protocol address (SPA), which identify the source of the packet, and the target hardware address (THA) and target protocol address (TPA), which identify the intended recipient. In a request, the THA is typically set to all zeros, since it is the value being asked for; RFC 826 specifies that receivers ignore it. The format is designed to be generic, supporting different hardware and protocol combinations beyond just Ethernet and IPv4, though that is its most common use. The simplicity of this structure, documented in RFC 826, has contributed to its widespread and enduring adoption.
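The following is an added example written for this article; it is not code from RFC 826 or from any operating system's ARP implementation. It serialises and parses the 28-byte Ethernet/IPv4 ARP packet described above and plays out the request/reply exchange between hosts on an in-memory segment, including the RFC 826 rule that a receiver refreshes an existing cache entry from any sender but only adds a new one when it is the target. All MAC and IP addresses are constructed sample values.

```python
"""Added example (not code from RFC 826 or any operating system): a minimal ARP
request/reply exchange over an in-memory segment, using the field layout
described in the article. All MAC and IP addresses are constructed sample values."""
import struct

HTYPE_ETHERNET = 1        # hardware type field: Ethernet
PTYPE_IPV4 = 0x0800       # protocol type field: IPv4
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
# htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA -> 28 bytes, no IP header
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Serialise one ARP packet (payload of an Ethernet frame with EtherType 0x0806)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(pkt):
    """Decode an ARP packet, rejecting anything that is not Ethernet/IPv4 sized as expected."""
    size = struct.calcsize(ARP_FMT)
    if len(pkt) < size:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:size])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol combination")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.cache = {}          # IP -> MAC, what "arp -a" or "ip neigh" would show

    def request(self, target_ip):
        # THA is zero: it is the value being asked for, and receivers ignore it
        return build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def handle(self, pkt):
        """Process a received ARP packet; return a unicast reply or None."""
        arp = parse_arp(pkt)
        # RFC 826 merge rule: refresh an entry we already hold from any sender,
        # but only add a new entry when the packet is addressed to us
        if arp["tpa"] == self.ip or arp["spa"] in self.cache:
            self.cache[arp["spa"]] = arp["sha"]
        if arp["tpa"] != self.ip:
            return None          # not for us: stay silent
        if arp["oper"] == OP_REQUEST:
            return build_arp(OP_REPLY, self.mac, self.ip, arp["sha"], arp["spa"])
        return None


def resolve(requester, segment, target_ip):
    """Cache lookup, else broadcast a request to every host on the segment and
    consume the reply. Returns the resolved MAC, or None if nobody answered."""
    if target_ip in requester.cache:
        return requester.cache[target_ip]
    req = requester.request(target_ip)
    for host in segment:
        if host is requester:
            continue
        reply = host.handle(req)     # broadcast: every host sees the request
        if reply is not None:
            requester.handle(reply)  # unicast reply back to the requester
    return requester.cache.get(target_ip)
```

The merge rule in `Host.handle` is worth noticing: any packet whose sender IP is already cached overwrites that entry, whether or not the packet was solicited. That behaviour is what ARP cache poisoning exploits.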
The protocol is inherently trusting and lacks any authentication mechanism: a host accepts an ARP reply without checking that it ever sent a matching request, and refreshes an existing cache entry from any packet that names that IP address. This makes it vulnerable to spoofing attacks. A malicious actor on the same segment can send forged ARP replies, an attack known as ARP spoofing or ARP cache poisoning, to associate their own MAC address with the IP address of another host, such as the default gateway. Traffic for that address is then delivered to the attacker, enabling man-in-the-middle attacks, session hijacking, or denial of service on the local network. Defenses include static ARP entries, which are manually configured and are not overwritten by dynamic updates (at the cost of manual maintenance), and dynamic ARP inspection on managed switches from vendors such as Cisco Systems, which drops ARP packets from untrusted ports whose sender IP-to-MAC binding does not match a table learned from DHCP snooping or configured statically. Network access control with IEEE 802.1X reduces the risk by authenticating devices before they join the network, but it does not by itself validate the contents of ARP packets sent by an authenticated device.
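As an added illustration of the defenses described above, written for this article and not taken from any switch or host implementation, the following code runs two checks over a constructed sequence of ARP observations in which a forged reply claims the gateway's IP address: an arpwatch-style host monitor that reports when the MAC seen for an IP address changes, and a switch-side check in the spirit of dynamic ARP inspection that forwards ARP from untrusted ports only when the sender binding matches a DHCP snooping table. The port names, addresses and binding table are constructed sample data.

```python
"""Added example: two checks against ARP cache poisoning, written for this article
rather than taken from any switch or host implementation. The ARP observations
and the snooping binding table below are constructed sample data."""
from dataclasses import dataclass

OP_REQUEST, OP_REPLY = 1, 2
GATEWAY_IP = "192.0.2.1"    # assumption: the segment's default gateway


@dataclass(frozen=True)
class ArpObs:
    port: str      # switch port (or capture interface) the packet arrived on
    oper: int
    sha: str       # sender hardware address
    spa: str       # sender protocol address
    tha: str
    tpa: str


# Constructed sample: a legitimate request and reply, then a forged reply from
# another access port claiming the gateway's IP with a different MAC.
OBSERVED = [
    ArpObs("Gi1/0/1", OP_REQUEST, "02:00:00:00:00:0a", "192.0.2.10",
           "00:00:00:00:00:00", GATEWAY_IP),
    ArpObs("Gi1/0/24", OP_REPLY, "02:00:00:00:00:01", GATEWAY_IP,
           "02:00:00:00:00:0a", "192.0.2.10"),
    ArpObs("Gi1/0/7", OP_REPLY, "02:00:00:00:00:66", GATEWAY_IP,
           "02:00:00:00:00:0a", "192.0.2.10"),
]

# Constructed DHCP snooping table: ip -> (mac, port). The gateway is reached via
# the trusted uplink and holds no DHCP lease, so it does not appear here.
BINDINGS = {"192.0.2.10": ("02:00:00:00:00:0a", "Gi1/0/1")}
TRUSTED = ["Gi1/0/24"]      # uplink towards the router


class FlipFlopMonitor:
    """Host-side check in the style of arpwatch: remember the MAC last seen for
    each sender IP and report any change. Detects poisoning after the fact and
    cannot tell which of the two bindings is the genuine one."""

    def __init__(self):
        self.seen = {}

    def observe(self, obs):
        prev = self.seen.get(obs.spa)
        self.seen[obs.spa] = obs.sha
        if prev is not None and prev != obs.sha:
            return f"changed mapping: {obs.spa} was {prev}, now {obs.sha} on {obs.port}"
        return None


class DynamicArpInspector:
    """Switch-side check: ARP from an untrusted port is forwarded only if
    (sender IP, sender MAC, port) matches a binding learned from DHCP snooping
    or configured statically. Packets arriving on trusted ports bypass the check."""

    def __init__(self, bindings, trusted_ports):
        self.bindings = bindings          # ip -> (mac, port)
        self.trusted = set(trusted_ports)
        self.dropped = []

    def inspect(self, obs):
        if obs.port in self.trusted:
            return True
        if self.bindings.get(obs.spa) != (obs.sha, obs.port):
            self.dropped.append(obs)      # no binding, or a binding that disagrees
            return False
        return True


def run_checks(observations=OBSERVED, bindings=BINDINGS, trusted=TRUSTED):
    """Managed switch with inspection in front of a monitoring host."""
    dai = DynamicArpInspector(bindings, trusted)
    mon = FlipFlopMonitor()
    forwarded, alerts = [], []
    for obs in observations:
        if dai.inspect(obs):
            forwarded.append(obs)
            alert = mon.observe(obs)      # the host only sees what the switch forwards
            if alert:
                alerts.append(alert)
    return forwarded, dai.dropped, alerts


def run_without_dai(observations=OBSERVED):
    """Same traffic through an unmanaged switch: the forged reply reaches the
    host, and the only signal left is the after-the-fact flip-flop alert."""
    mon = FlipFlopMonitor()
    return [a for a in (mon.observe(o) for o in observations) if a]
```

Running `run_checks()` drops the forged reply at the switch because port Gi1/0/7 has no binding for the gateway's address, so the host never sees a change; `run_without_dai()` shows the same forged reply producing only a change alert after the cache has already been overwritten. The static-entry defense mentioned above corresponds to pinning the gateway's binding on each host (for example with `arp -s` or `ip neigh ... nud permanent` on Linux) so that the monitor's "changed mapping" condition can never be reached.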
Several other protocols fulfill similar roles for different network technologies or address families. The Reverse Address Resolution Protocol, defined in RFC 903, performs the inverse function, discovering an IP address from a known MAC address, and has long been superseded by BOOTP and DHCP. For IPv6 networks, the function of ARP is replaced by the Neighbor Discovery Protocol (RFC 4861), which runs over the Internet Control Message Protocol version 6 and provides additional features such as router discovery and duplicate address detection. In Asynchronous Transfer Mode networks, address resolution is handled by the ATMARP protocol. The Dynamic Host Configuration Protocol also interacts closely with ARP: a client probes an offered address with ARP before using it, so that a conflict with another host is detected before the lease is accepted (RFC 2131; the probing procedure is specified in detail in RFC 5227).