Chapter 4ARP: Address Resolution Protocol

Highlights

• ARP is used with IPv4 only; IPv6 uses the Neighbor Discovery Protocol, which is incorporated into ICMPv6

• ARP is used to resolve an IP address• RARP: Reverse ARP– Used for diskless systems– Rarely used today

Ethernet hosts in the same broadcast domain

ARP queries are sent using link-layer broadcast frames that are received by all hosts. The single host with the assigned address responds directly to the requesting host. Non-IP hosts must actively discard ARP queries.

ARP Cache

Linux% arpAddress HWtype HWaddress Flags Mask Ifacegw.home ether 00:0D:66:4F:60:00 C eth1printer.home ether 00:0A:95:87:38:6A C eth1

Linux% arp -aprinter.home (10.0.0.4) at 00:0A:95:87:38:6A [ether] on eth1gw.home (10.0.0.1) at 00:0D:66:4F:60:00 [ether] on eth1

Flags

• M: manually entered

• C: learned by ARP

• P: Publish. Host responds to incoming ARP requests with an ARP response– Used for proxy ARP

ARPfor mapping IPv4 to 48 bit MAC

ExampleC:\> arp -a Verify that the ARP cache is emptyNo ARP Entries FoundC:\> telnet 10.0.0.3 www Connect to the Web server [port 80]Connecting to 10.0.0.3...Escape character is '^]'.

Type Control + right bracket to get the Telnet client prompt.

Welcome to Microsoft Telnet ClientEscape Character is 'CTRL+]'Microsoft Telnet> quit

Example (contd.)

Linux# tcpdump -e1 0.0 0:0:c0:6f:2d:40 ff:ff:ff:ff:ff:ff arp 60: arp who-has 10.0.0.3 tell 10.0.0.562 0.002174 (0.0022)0:0:c0:c2:9b:26 0:0:c0:6f:2d:40 arp 60: arp reply 10.0.0.3 is-at 0:0:c0:c2:9b:26

3 0.002831 (0.0007)0:0:c0:6f:2d:40 0:0:c0:c2:9b:26 ip 60: 10.0.0.56.1030 > 10.0.0.3.www: S 596459521:596459521(0) win 4096 <mss 1024> [tos 0x10]4 0.007834 (0.0050)0:0:c0:c2:9b:26 0:0:c0:6f:2d:40 ip 60: 10.0.0.3.www > 10.0.0.56.1030: S 3562228225:3562228225(0) ack 596459522 win 4096 <mss 1024>5 0.009615 (0.0018)0:0:c0:6f:2d:40 0:0:c0:c2:9b:26 ip 60: 10.0.0.56.1030 > 10.0.0.3.discard: . ack 1 win 4096 [tos 0x10]

ARP to a non-existent host

Linux% date ; telnet 10.0.0.99 ; dateFri Jan 29 14:46:33 PST 2010Trying 10.0.0.99...telnet: connect to address 10.0.0.99: No route to hostFri Jan 29 14:46:36 PST 2010 3s after previous date

Linux% arp -a? (10.0.0.99) at <incomplete> on eth0

Linux# tcpdump –n arp1 21:12:07.440845 arp who-has 10.0.0.99 tell 10.0.0.562 21:12:08.436842 arp who-has 10.0.0.99 tell 10.0.0.563 21:12:09.436836 arp who-has 10.0.0.99 tell 10.0.0.56

ARP Features

• ARP Cache Timeout– Typically 20 mins for completed entry– Typically 3 mins for an incomplete entry

• Proxy/Promiscuous ARP– Fools the sender into thinking that it is the

destination

ARP Features

• ARP Cache Timeout– Typically 20 mins for compelted entry– Typically 3 mins for an incomplete entry

• Proxy/Promiscuous ARP– Fools the sender into thinking that it is the

destination

Gratuitous ARP

• Send ARP request looking for own IP address• Goals– To find out if another host is using same IP– Flush cache of others upon hardware interface

change

Linux# tcpdump -e -n arp1 0.0 0:0:c0:6f:2d:40 ff:ff:ff:ff:ff:ff arp 60: arp who-has 10.0.0.56 tell 10.0.0.56

IPv4 Address Conflict Detection (ACD).

• Gratuitous ARP provides indication of duplicate use. • ACD provides a way to address the issue• ARP Probe: to find out if anyone is using my IP address

– Like gratuitous ARP– But, Sender’s Protocol Address field to 0– To avoid polluting caches in case it is in use

• ARP announcement: to tell other nodes that I am using this IP address– Like probe but Sender’s and Target’s protocol address are filled in with the IP

address

• Operation– Sends 3 probes at random times at bootup– Sends 2 announcements to announce that it is taking the IP address