Mastering MAC and IP Addresses: Networking Essentials Unveiled

In the realm of networking, understanding the intricate relationship between MAC (Media Access Control) and IP (Internet Protocol) addresses is crucial. This article will explore essential aspects such as Destination on Same Network, Destination on Remote Network, ARP (Address Resolution Protocol) overview, functions, ARP Request, ARP Operation – ARP Reply, ARP Tables on Networking Devices, ARP Broadcasts, and the critical concept of ARP Spoofing.

Destination on Same Network

When a device sends data within the same network, it uses ARP to map the IP address to the MAC address of the intended recipient. This process helps devices communicate effectively within their local network.

Sometimes a host must send a message, but it only knows the IP address of the destination device. The host needs to know the MAC address of that device, but how can it be discovered? That is where address resolution becomes critical.

There are two primary addresses assigned to a device on an Ethernet LAN:

  • Physical address (the MAC address) – Used for NIC to NIC communications on the same Ethernet network.
  • Logical address (the IP address) – Used to send the packet from the source device to the destination device. The destination IP address may be on the same IP network as the source or it may be on a remote network.

Layer 2 physical addresses (i.e., Ethernet MAC addresses) are used to deliver the data link frame with the encapsulated IP packet from one NIC to another NIC that is on the same network. If the destination IP address is on the same network, the destination MAC address will be that of the destination device.

Destination on Remote Network

For communication across different networks, the sender device relies on ARP to determine the MAC address of the default gateway or router. This gateway facilitates communication between networks by forwarding data packets based on their destination IP addresses.

When the destination IP address (IPv4 or IPv6) is on a remote network, the destination MAC address will be the address of the host default gateway (i.e., the router interface).

Routers examine the destination IPv4 address to determine the best path to forward the IPv4 packet. When the router receives the Ethernet frame, it de-encapsulates the Layer 2 information. Using the destination IPv4 address, it determines the next-hop device, and then encapsulates the IPv4 packet in a new data link frame for the outgoing interface.

ARP Overview and Functions

The Address Resolution Protocol (ARP) acts as the bridge between MAC and IP addresses. It resolves IP addresses to MAC addresses, ensuring seamless communication within a network.

If your network is using the IPv4 communications protocol, the Address Resolution Protocol, or ARP, is what you need to map IPv4 addresses to MAC addresses. This topic explains how ARP works.

Every IP device on an Ethernet network has a unique Ethernet MAC address. When a device sends an Ethernet Layer 2 frame, it contains these two addresses:

  • Destination MAC address – The Ethernet MAC address of the destination device on the same local network segment. If the destination host is on another network, then the destination address in the frame would be that of the default gateway (i.e., router).
  • Source MAC address – The MAC address of the Ethernet NIC on the source host.

To send a packet to another host on the same local IPv4 network, a host must know the IPv4 address and the MAC address of the destination device. Device destination IPv4 addresses are either known or resolved by device name. However, MAC addresses must be discovered.

A device uses Address Resolution Protocol (ARP) to determine the destination MAC address of a local device when it knows its IPv4 address.

ARP provides two basic functions:

  • Resolving IPv4 addresses to MAC addresses
  • Maintaining a table of IPv4 to MAC address mappings

When a packet is sent to the data link layer to be encapsulated into an Ethernet frame, the device refers to a table in its memory to find the MAC address that is mapped to the IPv4 address. This table is stored temporarily in RAM and is called the ARP table or the ARP cache.

The sending device will search its ARP table for a destination IPv4 address and a corresponding MAC address.

  • If the packet’s destination IPv4 address is on the same network as the source IPv4 address, the device will search the ARP table for the destination IPv4 address.
  • If the destination IPv4 address is on a different network than the source IPv4 address, the device will search the ARP table for the IPv4 address of the default gateway.

In both cases, the search is for an IPv4 address and a corresponding MAC address for the device.

Each entry, or row, of the ARP table binds an IPv4 address with a MAC address. We call the relationship between the two values a map. This simply means that you can locate an IPv4 address in the table and discover the corresponding MAC address. The ARP table temporarily saves (caches) the mapping for the devices on the LAN.

If the device locates the IPv4 address, its corresponding MAC address is used as the destination MAC address in the frame. If no entry is found, the device sends an ARP request.

Understanding ARP Request

An ARP Request is broadcast to identify the MAC address corresponding to a specific IP address. When a device needs to communicate with another device and lacks its MAC address, it sends out an ARP Request broadcast.

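# Python example illustrating an ARP Request
import scapy.all as scapy

# ARP layer asking who has the target IPv4 address (example IP address)
arp_request = scapy.ARP(pdst="192.168.1.1")
# Ethernet header addressed to the broadcast MAC, wrapped around the ARP layer
arp_request_frame = scapy.Ether(dst="ff:ff:ff:ff:ff:ff") / arp_request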

ARP messages are encapsulated directly within an Ethernet frame. There is no IPv4 header. The ARP request is encapsulated in an Ethernet frame using the following header information:

  • Destination MAC address – This is a broadcast address FF-FF-FF-FF-FF-FF requiring all Ethernet NICs on the LAN to accept and process the ARP request.
  • Source MAC address – This is the MAC address of the sender of the ARP request.
  • Type – ARP messages have a type field of 0x806. This informs the receiving NIC that the data portion of the frame needs to be passed to the ARP process.

Because ARP requests are broadcasts, they are flooded out all ports by the switch, except the receiving port. All Ethernet NICs on the LAN process broadcasts and must deliver the ARP request to their operating systems for processing. Every device must process the ARP request to see if the target IPv4 address matches its own. A router will not forward broadcasts out other interfaces.
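The frame layout described above, as an added example that is not part of the original article: it builds an ARP request with the Python standard library and decodes it again, including a check that the frame's source MAC agrees with the sender MAC inside the ARP payload. The host addresses are constructed sample values.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")           # destination MAC, source MAC, type
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))

def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)

def build_arp_request(src_mac, src_ip, target_ip):
    """Ethernet header followed directly by the ARP payload (no IPv4 header)."""
    sha = mac_bytes(src_mac)
    eth = ETH_HDR.pack(BROADCAST, sha, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, 1,   # Ethernet, IPv4, address sizes, 1 = request
                       sha, socket.inet_aton(src_ip),
                       b"\x00" * 6, socket.inet_aton(target_ip))  # target MAC unknown
    return eth + arp

def parse_arp_frame(frame):
    """Decode an Ethernet frame carrying ARP; raise ValueError otherwise."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"type 0x{ethertype:04x} is not ARP")
    _, _, _, _, oper, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {
        "eth_dst": mac_str(dst),
        "eth_src": mac_str(src),
        "operation": {1: "request", 2: "reply"}.get(oper, f"other({oper})"),
        "sender_mac": mac_str(sha),
        "sender_ip": socket.inet_ntoa(spa),
        "target_ip": socket.inet_ntoa(tpa),
        "is_broadcast": dst == BROADCAST,
        # The frame's source MAC and the ARP sender MAC normally agree.
        "sender_consistent": src == sha,
    }

# Constructed sample: host 192.168.1.101 asks who has 192.168.1.1.
SAMPLE = build_arp_request("08-3e-0c-f5-f7-77", "192.168.1.101", "192.168.1.1")

if __name__ == "__main__":
    for field, value in parse_arp_frame(SAMPLE).items():
        print(f"{field:18} {value}")
```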

ARP Tables on Networking Devices

Networking devices maintain ARP tables containing IP-to-MAC address mappings. These tables help devices quickly retrieve MAC addresses without the need for frequent ARP broadcasts.

On a Cisco router, the show ip arp command is used to display the ARP table, as shown below.

R1# show ip arp 
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   a0e0.af0d.e140  ARPA   GigabitEthernet0/0/0
Internet  209.165.200.225         -   a0e0.af0d.e141  ARPA   GigabitEthernet0/0/1
Internet  209.165.200.226         1   a03d.6fe1.9d91  ARPA   GigabitEthernet0/0/1
R1#

On a Windows 10 PC, the arp -a command is used to display the ARP table.

C:\Users\PC> arp -a
Interface: 192.168.1.124 --- 0x10
  Internet Address      Physical Address      Type
  192.168.1.1           c8-d7-19-cc-a0-86     dynamic
  192.168.1.101         08-3e-0c-f5-f7-77     dynamic
  192.168.1.110         08-3e-0c-f5-f7-56     dynamic
  192.168.1.112         ac-b3-13-4a-bd-d0     dynamic
  192.168.1.117         08-3e-0c-f5-f7-5c     dynamic
  192.168.1.126         24-77-03-45-5d-c4     dynamic
  192.168.1.146         94-57-a5-0c-5b-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
C:\Users\PC>

ARP Broadcasts and ARP Spoofing

ARP Broadcasts are crucial for resolving MAC addresses but can also be exploited through ARP Spoofing. This manipulation involves sending falsified ARP messages, leading to potential network security vulnerabilities.

As a broadcast frame, an ARP request is received and processed by every device on the local network. On a typical business network, these broadcasts would probably have minimal impact on network performance. However, if a large number of devices were to be powered up and all start accessing network services at the same time, there could be some reduction in performance for a short period of time, as shown in the figure. After the devices send out the initial ARP broadcasts and have learned the necessary MAC addresses, any impact on the network will be minimized.

In conclusion, mastering the intricate relationship between MAC and IP addresses, as facilitated by ARP, is indispensable in networking. Understanding how ARP resolves addresses, maintains tables, and its vulnerabilities like ARP Spoofing empowers network administrators to optimize network performance while ensuring robust security measures.

By integrating these concepts into network management practices, one can elevate network efficiency, mitigate vulnerabilities, and foster secure communication across networks.
