Network Notes: ARP
Published: 30th of September 2017
Address resolution protocol (ARP) is a method for mapping IPv4 addresses to MAC addresses. There are a few different flavours of ARP that have evolved over the years.
Regular ARP maps an unknown MAC address to a known IPv4 address and is defined in RFC826.
Figure: ARP Operation
Proxy ARP is when a device such as a router knows the MAC address for an IPv4 address in another broadcast domain and responds on behalf of that host. Proxy ARP is defined in RFC1027.
Figure: Proxy ARP Operation
In the below example, the outside host 10.1.1.200 is configured with a /24 so it believes it is in the same broadcast domain as the inside host on 10.1.1.10. The outside host will not perform a route lookup and will instead go straight to an ARP request. Since proxy ARP is enabled on R1, the router will reply with its own MAC address for
Reverse ARP (RARP) does the opposite of ARP and maps an unknown IPv4 address to a known MAC address. RARP is defined in RFC903.
RARP has been replaced by DHCP in modern equipment but may still be around if working with ancient Sun/Solaris equipment.
Figure: RARP Operation
Gratuitous ARP (GARP) is used to inform hosts of a MAC address change. It is used in duplicate address detection, first hop redundancy protocols and also in man-in-the-middle attacks to fake an IP to MAC address mapping. Gratuitous ARP is described in the original ARP specification RFC826.
There are two types of gratuitous ARP.
GARP request: Source and destination IP set to the sending host and destination MAC is ff:ff:ff:ff:ff:ff.
GARP reply: An ARP reply where no request was made. May be a broadcast or unicast.
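The two GARP types above can be told apart on the wire by a passive monitor. The following is an added example, not code from the original page: it parses raw Ethernet/ARP frames, labels each as a request, a solicited reply, a GARP request or a GARP reply, and reports when an IP to MAC mapping changes. The names `build`, `parse_arp` and `ArpMonitor`, the MAC addresses and the 10.1.1.1 address are assumptions made for the example, and the monitor is assumed to see every broadcast request on the segment.

```python
import socket
import struct

BROADCAST = b"\xff" * 6

def build(eth_dst, op, sha, spa, tpa, tha=b"\0" * 6):
    """Build a constructed Ethernet II + ARP frame (sample data only)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                      socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth_dst + sha + b"\x08\x06" + arp

def parse_arp(frame):
    """Parse IPv4-over-Ethernet ARP (RFC 826 layout) from a raw frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, _, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        raise ValueError("not an IPv4 ARP request or reply")
    return frame[:6], op, sha, socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    def __init__(self):
        self.pending = set()  # (requester IP, target IP) not yet answered
        self.table = {}       # IP -> last MAC seen claiming it

    def observe(self, frame):
        """Return (kind, mapping_changed) for one observed frame."""
        eth_dst, op, sha, spa, tpa = parse_arp(frame)
        if op == 1 and spa == tpa and eth_dst == BROADCAST:
            kind = "garp-request"
        elif op == 1:
            self.pending.add((spa, tpa))
            kind = "request"
        elif (tpa, spa) in self.pending:
            self.pending.discard((tpa, spa))
            kind = "reply"
        else:
            kind = "garp-reply"  # reply to no request this monitor saw
        old, self.table[spa] = self.table.get(spa, sha), sha
        return kind, old != sha

# Constructed sample traffic: the MACs and the 10.1.1.1 address are made up.
HOST, GW, ODD = b"\x02\0\0\0\0\x0a", b"\x02\0\0\0\0\x01", b"\x02\0\0\0\0\x99"
SAMPLE = [
    build(BROADCAST, 1, HOST, "10.1.1.10", "10.1.1.1"),      # who-has
    build(HOST, 2, GW, "10.1.1.1", "10.1.1.10", tha=HOST),   # solicited reply
    build(BROADCAST, 1, HOST, "10.1.1.10", "10.1.1.10"),     # GARP request
    build(HOST, 2, ODD, "10.1.1.1", "10.1.1.10", tha=HOST),  # unsolicited reply
]
```

A GARP reply that also changes an existing mapping is the pattern to alert on, but a first hop redundancy failover produces the same signal, so alerts need to be checked against known failover events.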
Various ARP PCAPs can be found here.