ARP Tutorial

The Need for ARP

ARP (Address Resolution Protocol) is a protocol for mapping link layer addresses to a physical machine address that is recognized in the local network. For example, in IP Version 4, addresses are 32 bits long, are hardware independent, but are dependent upon the network to which a device is connected. In an Ethernet Local Area Network (LAN), however, addresses for attached devices are 48 bits long (the MAC address), are (typically) hardware-dependent, and are location-independent. In other words, the IP address of a device changes when the device is moved. The Ethernet address space is a flat space and the address of a device stays with the device no matter where it is situated.

For an IP host to send a datagram to its IP neighbor on a LAN, the IP host must resolve the destination IP address to the neighbor's physical address to enable transmission and receipt of the datagram on the LAN. Each host will have a table (ARP cache) to maintain a mapping between each IP address (for which it has datagrams to send) and its corresponding physical address. ARP is the protocol used to determine this mapping. ARP resolves the IP (or other network layer) address to the physical address (which is often referred to as the data link layer address or MAC address - to understand why the different terms for the infrastructure address, refer to the tutorial on the Internet Protocol Model).

Historical Background

Back in the 1980s, when Ethernet usage was increasing, but before IP became the universal internetworking protocol, the communications world was multi-protocol. The Ethertype field in the Ethernet frame allows for many different network layer protocols to coexist on a single physical LAN. For each such network layer protocol, there is the need to translate from the network protocol address to the Ethernet address. When ARP was defined in RFC 826, the intent was to provide a protocol that would solve the address resolution requirement for all protocols that ran over Ethernet or any other (current or future) broadcast medium. (At the time that RFC 826 was written, the author could conceive only of packet radio as being another option.) Thus, ARP was an attempt to provide a generic solution, and we will see the result of this generality in the message field definitions. To expand the ARP definition to other broadcast media besides Ethernet, the original RFC 826 was followed by RFCs 1042, 1390, and others, including some that have become obsolete.

However, other than IP, no other network layer protocol used ARP for this purpose (though Appletalk, a protocol that is still in use by old equipment, had a very similar protocol called Appletalk ARP). ARP was and still is used for other LANs besides Ethernet that are broadcast media, such as Token Ring (not very common these days), or the wireless LAN 802.11. In addition, the ARP message format has been adapted for address resolution of non-broadcast multiple access networks, such as Inverse ARP for Frame Relay and for ATM (see the ATMARP page in the ATM Portal).

How ARP Works

When a host wants to send a datagram with to a known IP address on the LAN (either to another neighbor host on the LAN or to a neighboring router), the host asks the ARP program to find a physical address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the corresponding address, provides it so that the datagram can be encapsulated in the data link header and transmitted to the destination. If no entry is found for the specific destination IP address, ARP broadcasts (to the Ethernet broadcast address FF-FF-FF-FF-FF-FF) a request datagram, according to the ARP datagram format, to all the hosts on the LAN to see if one host has that destination IP address. A host that recognizes the IP network address as its own returns a unicast reply (to the requester's unicast address) with its physical address, thus enabling the original requesting host to encapsulate and transmit the awaiting datagram. ARP updates the ARP cache for future reference. A timeout mechanism is used to delete old entries from the ARP cache. Old entries can become stale if hosts change their hardware and thus their hardware addresses, or if IP addresses are changed. A timeout that is too short will cause unnecessary ARP traffic, but a timetout that is too long might cause datagrams to be sent to the wrong destination or to a non-existent destination.

ARP Message Format

The following is the format of the ARP message:

16
32 bits
Hardware Type
Protocol Type
HLen (8)
Plen (8)
Operation
Sender Hardware Address
Sender Protocol Address
Target Hardware Address
Target Protocol Address
ARP Message Format

The fields are as follows:
Hardware type - Specifies a hardware interface type for which the sender requires a response.
Protocol type - Specifies the type of network-level protocol address the sender has supplied.
HLen - Hardware address length (such as 6 bytes for Ethernet)
PLen - Protocol address length (such as 4 bytes for IP)
Operation - The values are as follows:

  1. ARP request
  2. ARP response
  3. RARP request (an antiquated protocol not discussed in this tutorial)
  4. RARP response.
  5. Dynamic RARP request.
  6. Dynamic RARP reply.
  7. Dynamic RARP error.
  8. InARP request.
  9. InARP reply.


Sender hardware address - HLen bytes long
Sender protocol address - PLen bytes long
Target hardware address - HLen bytes ling
Target protocol address - PLen bytes long

Resolving a Local Address

Sending an ARP
1. The host checks its ARP-cache for the hardware address of the destination host in the datagram that is awaiting delivery.
2. If the hardware address is not found, the host broadcasts (to the hardware broadcast address) an ARP message requesting the hardware address of the target IP address.
3. An ARP message is encapsulated in an Ethernet (or other data link) frame with Ethertype 0806 Hexadecimal.
4. To prevent flooding the LAN with ARP messages, hosts will not send more then one ARP to the same destination in a given period.
5. If the destination host receives the request, it sends an ARP reply containing the requested hardware address directly to the requester (to the requester's hardware address). The requester's ARP cache is updated with the information received.

Receiving an ARP
1. All hosts on the LAN identify from the Ethertype (0806 Hexadecimal) that the received frame is an ARP message and then the message is passed to the ARP process.
2. A receiving host checks if the sender is already in its ARP-cache. If so, it updates the information. This is done due to the assumption that if the address was needed before, it might be needed again. Otherwise, it is considered a waste of CPU time and memory to extract every sender's address. Most hosts do not communicate with all of their neighbors.
3. If the ARP is a response to the receiving host, the receiving host adds the new information to its ARP cache.
4. If the ARP is a request for the receiving host (which is determined by examining the target IP address), the receiving host sends a response. The receiving host also updates the ARP cache with the sender's address information. This is done due to the assumption that if another host needs our hardware address, we will probably need his.

Try it yourself!

You can examine the results of the ARP protocol by use of the "arp" command in a Command Prompt Window (what we used to call a "DOS Window").
At the prompt, the arp -a command shows the ARP table on your computer. But if you enter arp -d *, you will delete all entries. After looking at your ARP table, delete the table and check that it is empty. Now, ping a neighboring computer or simply surf the net and you will see that there are entries added to your table, again. If you ping a neighbor, you will have an entry for your neighbor, but if you surf the net (to a site that is not on your local network), you will find an entry for your your router. If you enter arp without any options, you will get a list of all options for the arp command. If you use an operating system other than Windows (for example, Linux), there is similar syntax for arp.

ARP Table of a Host with Entries for a Neighbor and for the Default Router

Notice on the displayed table that the entries are "dynamic". That means they were learned with the ARP protocol. You can enter a static entry (be sure to delete it if you do not intend to rely on static information, which might change) and you will see that the entry is marked as "static". Enter a static ARP table entry with arp -s host ID host MAC, as shown below.

Adding a Static Entry to an empty ARP Table


www.rad.com