ARP

ARP
Name	ARP
Full name	Address Resolution Protocol
Introduced	1982
Defined in	RFC 826
Purpose	Mapping between Internet Protocol addresses and link-layer addresses
Layer	Link layer / Internet layer interface
Media	Ethernet, Wi‑Fi, Token Ring, ARCNET

ARP

ARP is a protocol designed to translate logical Internet Protocol addresses into physical link-layer addresses on local networks. It enables hosts and routers to discover the hardware address associated with an IP address so that frames can be delivered over technologies such as Ethernet, Wi‑Fi, Token Ring, and ARCNET. ARP operates at the interface between the Internet Protocol suite and a variety of link-layer technologies and is foundational to IPv4-based internetworking.

Overview

ARP provides a mapping mechanism used by IPv4 nodes to associate a 32‑bit logical address with a 48‑bit or other link-layer hardware address. When a sending host needs to transmit an IPv4 packet to a neighbor on the same local link, it issues an ARP request that is broadcast on the link; the owner of the target IPv4 address responds with an ARP reply containing its hardware address. Typical actors in ARP exchanges include end systems such as IBM PC, network devices such as Cisco Systems routers and switches, and operating systems including Microsoft Windows, Linux kernel, BSD variants and macOS. ARP behavior intersects with protocols and standards such as IEEE 802.3 and RFC 791 specifications.

Operation and Message Types

ARP defines frame formats and two principal message types: Request and Reply. An ARP Request asks “Who has IP address X?” and is sent as a link-layer broadcast; an ARP Reply is a unicast frame containing the requested hardware address. Implementations also use Gratuitous ARP for address conflict detection and Proxy ARP to respond on behalf of another host, a technique used by devices like Juniper Networks routers, Cisco IOS routers, and virtualization platforms such as VMware ESXi and KVM. Variants like Reverse ARP, BootP, and DHCP are historically related mechanisms addressing address assignment and discovery in environments involving systems like Sun Microsystems workstations and legacy VAX systems. ARP packet fields include hardware type, protocol type, hardware address length, protocol address length, operation, sender hardware address, sender protocol address, target hardware address, and target protocol address; implementations often integrate with Address Resolution Protocol Table caches within operating systems such as FreeBSD.

Security Issues and Attacks

ARP’s lack of authentication enables multiple security concerns exploited in attacks like ARP spoofing and ARP poisoning. In these attacks an adversary sends forged ARP replies to associate their hardware address with the IP address of a target such as a gateway device or DNS server, facilitating man-in-the-middle attacks against victims using services hosted on systems like Apache HTTP Server or Microsoft Exchange. Tools historically used by adversaries include Cain and Abel and Ettercap, while defensive technologies include static ARP entries, Dynamic ARP Inspection provided by switches from Cisco Systems and Arista Networks, and host-based mitigations in SELinux-enabled Linux distributions. Incident response often references guidance from agencies like US‑CERT and standards bodies such as IETF working groups. Network monitoring solutions from vendors like Splunk and Wireshark are commonly used to detect anomalous ARP traffic patterns.

Implementations and Variants

ARP is implemented in virtually all IPv4-capable operating systems and embedded stacks used by vendors including Intel and Broadcom. Variants and related protocols include Reverse ARP (RARP), Inverse ARP (InARP), and Neighbor Discovery Protocol used by IPv6 as standardized in RFCs produced by IETF working groups. Proxy ARP has been used in scenarios involving Network Address Translation appliances and VPN concentrators from vendors such as Palo Alto Networks and Fortinet. Virtualization and container platforms such as Docker and orchestration systems like Kubernetes may implement ARP proxying or gratuitous ARP to update layer‑2 forwarding state across bridges and virtual switches like Open vSwitch. Hardware offload and acceleration appear in network interface controllers by Mellanox Technologies and Broadcom that implement ARP processing in silicon.

Performance and Scalability

ARP scales reasonably for small to medium local area networks but can become a source of broadcast traffic and cache churn in very large or highly dynamic environments. High-density deployments in data centers operated by organizations such as Amazon Web Services, Google and Microsoft Azure employ techniques like ARP suppression, Proxy ARP, and layer‑2 segmentation to mitigate ARP broadcast storms. ARP cache timeout values are tuned in operating systems like Windows NT and Linux to balance staleness against traffic; excessive cache entries can stress switching tables in devices from Cisco Systems and Juniper Networks. Monitoring and tuning with tools such as Nagios and Prometheus combined with observability platforms like Grafana help administrators manage ARP-related performance issues.

History and Standards Development

ARP was formalized in RFC 826 authored by D. Plummer in 1982 during early TCP/IP development at institutions including MIT and BBN Technologies. Over time, ARP evolved alongside Ethernet standards from DEC/Intel/Xerox and later IEEE 802.3 activity. Subsequent work on related protocols and defenses has appeared in IETF working groups and in proprietary enhancements by vendors including Cisco Systems and Juniper Networks. The transition to IPv6 led to development of Neighbor Discovery in RFC 4861, reducing ARP’s role in new deployments while legacy IPv4 infrastructure continues to rely on ARP in enterprise, carrier, and home networks.

Category:Internet protocols