Overview

Address resolution protocol (ARP) is a method for mapping IPv4 addresses to MAC addresses. There are a few different flavours of ARP that have evolved over the years.

ARP

Regular ARP maps an unknown MAC address to a known IPv4 address and is defined in RFC826.

ARP Operation
blog/arp/arp.svg

Proxy ARP

Proxy ARP is when a device like a router that knows the MAC address of an IPv4 address in another broadcast domain and responds for that host. Proxy ARP is defined in RFC1027.

Proxy ARP Operation

In the below example, the outside host 10.1.1.200 is configured with a /24 so it believes it is in the same broadcast domain as the inside host on 10.1.1.10 . The outside host will not perform a route lookup and instead go straigt to an arp request. Since proxy arp is enabled on R1, the router will reply with its own mac address for 10.1.1.10 .

blog/arp/proxy-arp.svg

Reverse ARP

Reverse ARP (RARP) does the opposite of ARP and maps an unknown IPv4 address to a known MAC address. RARP is defined in RFC903.

RARP is replaced by DHCP in modern equipment but may still be around if working with ancient sun/solaris equipment.

RARP Operation
blog/arp/rarp.svg

Gratuitous ARP

Gratuitous ARP (GARP) is used to update hosts of a MAC address change. It is used in duplicate address detection, first hop redundancy protocols and also man in the middle attacks to fake an IP to MAC address mapping. Gratuitous ARP is described in the original ARP specification RFC826.

There are two types of gratuitous ARP.

  • GARP request Source and destination IP set to the sending host and destination mac is ff:ff:ff:ff:ff:ff.
  • GARP reply An ARP reply where no request was made. May be a broadcast or unicast.
GARP Request
blog/arp/garp-request.svg

GARP Reply
blog/arp/garp-reply.svg

Packet Captures

Various ARP PCAPs can be found here.