LLMpediaThe first transparent, open encyclopedia generated by LLMs

Address Resolution Protocol

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: Ethernet Hop 3
Expansion Funnel Raw 86 → Dedup 21 → NER 18 → Enqueued 0
1. Extracted86
2. After dedup21 (None)
3. After NER18 (None)
Rejected: 3 (not NE: 3)
4. Enqueued0 (None)
Address Resolution Protocol
NameAddress Resolution Protocol
Introduced1982
AuthorDavid C. Plummer
OsUnix family, Microsoft Windows, Linux kernel, BSD
PortsLayer 2/Layer 3
StatusIn widespread use

Address Resolution Protocol is a network protocol used to map network layer addresses to link layer addresses on local area networks, enabling packet delivery between hosts and routers. It operates at the boundary between the Internet Protocol family and link technologies such as Ethernet, facilitating interoperability among devices from vendors like Cisco Systems, Juniper Networks, and Hewlett-Packard. ARP implementations appear in stacks for systems including Windows NT, macOS, FreeBSD, and NetBSD.

Overview

ARP was specified during the development of the BSD variants of UNIX and standardized for IPv4 within the Internet Engineering Task Force communities and related working groups. It associates 32-bit IPv4 addresses used by the Internet Protocol with 48-bit MAC addresss used by Ethernet II, IEEE 802.3, and compatible link layers. Variants and successor approaches address mapping for other protocols and media, including Inverse ARP and Neighbor Discovery Protocol. ARP is fundamental to networking equipment from vendors such as Intel, Broadcom, and Qualcomm and interacts with routing software like BIRD and Quagga.

Operation and Packet Format

ARP uses request and reply messages encapsulated directly in link-layer frames for protocols such as Ethernet and Token Ring. An ARP request is a broadcast frame directed to the link's broadcast address and contains the sender's MAC address and IPv4 address and the target's IPv4 address; typical ARP reply is unicast to the requester. The ARP packet format includes fields defined alongside standards developed by groups like the Internet Assigned Numbers Authority and the IETF; implementations in stacks such as the Linux kernel and FreeBSD parse hardware type, protocol type, hardware length, protocol length, operation, and address fields. Device drivers for network interface controllers from Realtek and Broadcom forward ARP frames to network stacks while firmware on devices like Cisco Nexus switches may implement ARP proxying and snooping.

Address Resolution Mechanisms and Variants

Beyond the original ARP for IPv4 over Ethernet, related mechanisms include Inverse Address Resolution Protocol used by Frame Relay and ATM setups, and Proxy ARP employed by devices such as Juniper SRX to respond on behalf of other hosts. For IPv6, Neighbor Discovery Protocol defined in RFC 4861 replaces ARP and integrates with ICMPv6; implementations appear in Windows Server and OpenBSD. Other link-layer address mapping mechanisms include RARP for bootstrapping diskless workstations and ARP proxying used by Network Address Translation appliances such as pfSense and Cisco IOS devices. Hardware offload features in Intel Ethernet controllers and virtualized environments such as VMware ESXi and KVM may provide ARP acceleration or filtering.

Security and Vulnerabilities

ARP's lack of authentication enables attacks including ARP spoofing and ARP cache poisoning widely discussed in security contexts alongside tools and mitigations used by organizations like SANS Institute and CERT. Attack techniques can be orchestrated with utilities such as Ettercap and Cain and Abel to intercept traffic in man-in-the-middle scenarios, affecting services running on Microsoft Exchange Server, Apache HTTP Server, Nginx, and other software. Defenses include static ARP entries, dynamic ARP inspection features in switches from Cisco Systems and Arista Networks, and network monitoring tools from vendors like SolarWinds and Splunk. Research by groups at MIT, Stanford University, and Carnegie Mellon University has led to proposals combining cryptographic authentication with link-layer protocols, as well as detection methods implemented in projects like ARPwatch and Suricata.

Implementation and Usage in Protocol Stacks

ARP is implemented in major operating systems' networking stacks: the Linux kernel networking subsystem, Microsoft's TCP/IP stack for Windows NT family, and BSD-derived stacks in OpenBSD and FreeBSD. Network device firmware and operating systems in embedded platforms from Cisco Systems and Juniper Networks provide ARP table management, gratuitous ARP, and ARP proxying. Virtualization platforms such as Xen Project, VMware ESXi, and Hyper-V integrate ARP handling in virtual switches; cloud providers like Amazon Web Services and Google Cloud Platform implement ARP behavior across tenant networks. ARP interacts with routing daemons like Quagga, FRRouting, and tools such as iproute2 and ifconfig for table inspection and manipulation.

Performance, Scaling, and Alternatives

ARP operates efficiently on small LANs but faces scaling challenges in large data centers and multi-tenant clouds, where ARP broadcast traffic and cache churn can degrade performance; solutions include ARP suppression, ARP proxying, and ARP caching strategies used by devices from Cisco Nexus and Arista Networks. Overlay networks and software-defined networking controllers like OpenDaylight and ONOS reduce ARP load by handling address resolution at the controller level, while protocols such as ND Proxy or ARP-Path and mechanisms like gratuitous ARP and ARP flux address specific operational issues. Alternatives for large-scale environments include Neighbor Discovery for IPv6, layer-3 approaches like VXLAN and GRETAP overlays, and directory-assisted resolution used in Data Center Fabric designs promoted by companies such as Facebook and Google.

Category:Internet protocols