ARP Mechanics: The Glue Between Layer 2 and Layer 3
Deconstructing the Address Resolution Protocol (RFC 826). Analyzing Broadcast/Unicast Cycles, ARP Cache Persistence, and Security Vulnerabilities.
The Identity Problem
In the OSI model, IP addresses (Layer 3) are used for logical routing across networks, but hardware interfaces (Layer 2) only understand MAC addresses. Every time a packet is ready to leave an Ethernet port, the operating system faces a problem: **"I know where I want to go (192.168.1.5), but I don't know who to send the bits to (??:??:??:??:??:??)."**
The **Address Resolution Protocol (ARP)** is the fundamental mechanism that bridges this gap. Without it, your computer would be like a person who knows their friend's name but has no idea which physical person in the room that name belongs to.
1. The ARP Lifecycle: Request and Reply
ARP operates on a simple transactional cycle.
The Broadcast (Request)
When a host needs a MAC address, it sends an ARP Request. This packet is encapsulated in an Ethernet frame with a destination MAC of **FF:FF:FF:FF:FF:FF** (The Broadcast address). Every device in the local broadcast domain (usually the same VLAN) receives this frame and pulls it up to the CPU.
The Unicast (Reply)
While most devices will discard the request after seeing the target IP doesn't match theirs, the rightful owner of the IP address will formulate a response. Crucially, the ARP Reply is **Unicast**—it is sent directly back to the original sender's MAC address, providing the missing link.
2. The ARP Cache (The Table)
Performing a broadcast for every single packet would be incredibly inefficient. Instead, OSs and switches store mappings in a temporary buffer called the **ARP Cache** (or ARP Table).
- Windows/Linus: Usually dynamic entries last 2-20 minutes.
- Cisco Routers: Default timeout is often 4 hours.
You can view your current table using the command: arp -a. If a device is replaced with new hardware (same IP, different MAC), communication may fail until the old ARP entry expires or is manually cleared.
3. Advanced ARP Variants
Proxy ARP
A router can be configured to answer ARP requests on behalf of a host that isn't on the local segment. This is often used to "trick" a poorly configured host into thinking a remote destination is actually local.
Gratuitous ARP
This is an ARP request or reply that a device sends out unsolicited. Why?
- To detect duplicate IP addresses (if someone answers, the IP is in use).
- To update the "learned MAC" tables of switches during a High Availability (HA) failover (e.g., a backup firewall taking over a Virtual IP).
4. Security: ARP Poisoning (Spoofing)
ARP was designed in an era of trust. It lacks any authentication. If Host A asks "Who is 192.168.1.1?", and an attacker (Host M) yells back "I am!" before the real router can, Host A will send all its data to the attacker.
This **Man-in-the-Middle (MITM)** attack is solved in enterprise networks using **Dynamic ARP Inspection (DAI)**, which validates ARP packets against a trusted database of DHCP bindings.
Conclusion
ARP is the silent workhorse of the local area network. It is the first step in almost every network communication. Understanding how it requests, replies, and caches mappings is essential for troubleshooting "Connected but not Pinging" scenarios and for understanding how hardware-level delivery truly functions.