Addressing - Learning Module

Loading content...

0/240

Address Resolution

Bridging Two Worlds

IP addresses identify where devices are in the network topology. MAC addresses identify the physical hardware on the local network. But here's the fundamental challenge: IP packets must ultimately be delivered in frames, and frames require MAC addresses.

When your laptop wants to send a packet to 192.168.1.1, it knows the destination IP—but the network interface card needs to know the destination MAC address to construct the Ethernet frame. How does the system bridge this gap?

This is the address resolution problem: translating between layer 3 (logical) addresses and layer 2 (physical) addresses. The protocols that solve this problem—ARP for IPv4 and Neighbor Discovery for IPv6—are among the most fundamental in networking, operating silently behind every packet delivery.

Learning Objectives

By the end of this page, you will understand: (1) Why address resolution is necessary for packet delivery, (2) ARP protocol operation and message format, (3) ARP caching and its role in efficiency, (4) ARP security vulnerabilities and mitigations, and (5) IPv6 Neighbor Discovery Protocol as ARP's successor.

The Address Resolution Problem

Consider what happens when Host A wants to send an IP packet to Host B on the same local network:

What Host A knows:

Destination IP address: 192.168.1.100
Host A's own MAC address: 00:11:22:33:44:55
Host A's own IP address: 192.168.1.50

What Host A needs to know:

Host B's MAC address: ??:??:??:??:??:??

Why IP alone isn't sufficient:

IP addresses have no physical meaning—they're assigned by software and can change. Ethernet switches don't understand IP; they forward frames based on MAC addresses. The network interface card transmits frames, not packets directly.

To deliver the packet, Host A must:

Construct an IP packet with destination 192.168.1.100
Encapsulate it in an Ethernet frame
Address the frame to Host B's MAC address
Transmit the frame

Step 3 is impossible without knowing Host B's MAC address.

Converting Mermaid diagram...

When Resolution is Needed:

Address resolution occurs in two scenarios:

1. Direct Delivery (Same Network) When the destination IP is on the same network (determined by subnet mask), the sender resolves the destination IP directly to a MAC address.

2. Indirect Delivery (Different Network) When the destination IP is on a different network, the sender must send the packet to its default gateway (router). It resolves the router's IP to a MAC address—not the final destination's.

In both cases, the process is the same: IP address → MAC address mapping via resolution protocol.

Resolution Scope is Always Local

Address resolution only happens on the local network segment. You never resolve MAC addresses for hosts on remote networks—you can't, because remote MACs are meaningless locally. You only resolve the next hop's MAC: either the destination (if local) or the router (if remote). The router then performs its own resolution for the next segment.

ARP Protocol Operation

The Address Resolution Protocol (ARP), defined in RFC 826, resolves IPv4 addresses to MAC addresses through a simple request-reply mechanism.

ARP Request (Broadcast):

When a host needs to resolve an IP address:

Host constructs an ARP Request message containing:
- "Who has IP address X?"
- Sender's IP and MAC addresses
Host broadcasts the request to all devices (destination MAC: FF:FF:FF:FF:FF:FF)
Every device on the local network receives the broadcast

ARP Reply (Unicast):

The device with the requested IP address responds:

Device recognizes its own IP in the request
Device constructs an ARP Reply containing:
- "I have IP X. My MAC is Y."
- Sent unicast to the requester
Original host receives the reply and now knows the mapping

ARP Message Exchange
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# Scenario: Host A (192.168.1.50) wants to reach Host B (192.168.1.100)
 
# Step 1: ARP Request (broadcast)
┌────────────────────────────────────────────────────────┐
│ Ethernet Header                                        │
│   Destination MAC: FF:FF:FF:FF:FF:FF (broadcast)      │
│   Source MAC:      00:11:22:33:44:55 (Host A)         │
│   EtherType:       0x0806 (ARP)                       │
├────────────────────────────────────────────────────────┤
│ ARP Message                                            │
│   Operation:       1 (Request)                         │
│   Sender MAC:      00:11:22:33:44:55                  │
│   Sender IP:       192.168.1.50                       │
│   Target MAC:      00:00:00:00:00:00 (unknown)        │
│   Target IP:       192.168.1.100                      │
└────────────────────────────────────────────────────────┘
 
# All hosts on the network receive this broadcast.
# Only Host B (192.168.1.100) responds.
 
# Step 2: ARP Reply (unicast)
┌────────────────────────────────────────────────────────┐
│ Ethernet Header                                        │
│   Destination MAC: 00:11:22:33:44:55 (Host A)         │
│   Source MAC:      AA:BB:CC:DD:EE:FF (Host B)         │
│   EtherType:       0x0806 (ARP)                       │
├────────────────────────────────────────────────────────┤
│ ARP Message                                            │
│   Operation:       2 (Reply)                           │
│   Sender MAC:      AA:BB:CC:DD:EE:FF (Host B)         │
│   Sender IP:       192.168.1.100                      │
│   Target MAC:      00:11:22:33:44:55                  │
│   Target IP:       192.168.1.50                       │
└────────────────────────────────────────────────────────┘
 
# Host A now knows: 192.168.1.100 → AA:BB:CC:DD:EE:FF

ARP Message Format
Field	Size	Description
Hardware Type	2 bytes	Network type (1 = Ethernet)
Protocol Type	2 bytes	Protocol being resolved (0x0800 = IPv4)
Hardware Size	1 byte	MAC address length (6 for Ethernet)
Protocol Size	1 byte	IP address length (4 for IPv4)
Operation	2 bytes	1 = Request, 2 = Reply
Sender Hardware Address	6 bytes	Sender's MAC address
Sender Protocol Address	4 bytes	Sender's IP address
Target Hardware Address	6 bytes	Target's MAC (0 in request)
Target Protocol Address	4 bytes	Target's IP address

ARP is Stateless

ARP has no connection state, acknowledgments, or retransmission logic. If a request goes unanswered, the sender simply tries again. If a reply is lost, the next attempt to communicate triggers a new request. This simplicity keeps ARP lightweight but makes it vulnerable to various attacks.

ARP Cache and Efficiency

Broadcasting ARP requests for every packet would be incredibly inefficient—broadcasts consume bandwidth on every device, and the latency would be intolerable. The solution is the ARP cache: a local table storing recent IP-to-MAC mappings.

ARP Cache Behavior:

Before sending: Check if destination IP is in ARP cache
Cache hit: Use cached MAC immediately—no ARP needed
Cache miss: Send ARP request, wait for reply, cache result
Timeout: Entries expire after a period (typically 2-20 minutes)
Refresh: Communication may refresh entry timers

Viewing and Managing ARP Cache
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# Windows: View ARP cache
C:\> arp -a
 
Interface: 192.168.1.50 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1          d4-6d-50-a1-b2-c3     dynamic
  192.168.1.100        aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255        ff-ff-ff-ff-ff-ff     static
  
# Linux/macOS: View ARP cache  
$ arp -n
Address          HWtype   HWaddress           Flags Mask   Iface
192.168.1.1      ether    d4:6d:50:a1:b2:c3   C            eth0
192.168.1.100    ether    aa:bb:cc:dd:ee:ff   C            eth0
 
# Linux: Modern 'ip' command
$ ip neigh show
192.168.1.1 dev eth0 lladdr d4:6d:50:a1:b2:c3 REACHABLE
192.168.1.100 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
 
# Clear specific entry (Windows)
C:\> arp -d 192.168.1.100
 
# Clear entire cache (Linux - requires root)
$ ip neigh flush all
 
# Add static entry (persists until reboot)
C:\> arp -s 192.168.1.200 00-50-56-c0-00-01
$ arp -s 192.168.1.200 00:50:56:c0:00:01

ARP Cache Entry States
State	Meaning	Next Action
REACHABLE	Entry valid; recent successful communication	Use directly
STALE	Entry aged; no recent confirmation	Use but may re-verify on next use
DELAY	Packet sent; waiting briefly for verification	Probe if no traffic confirms
PROBE	Actively verifying with unsolicited ARP	Re-resolve if no response
FAILED	Resolution failed; no response to probes	Report error to higher layers
INCOMPLETE	Resolution in progress; waiting for reply	Queue packets; timeout if no response

Cache Timeout Tradeoffs:

Short timeout (1-2 minutes): Quickly adapts to network changes (device moved, IP reassigned) but more ARP traffic
Long timeout (20-60 minutes): Less ARP traffic but stale entries may cause problems if devices change
Static entries: Never expire; used for critical infrastructure but require manual management

Most operating systems use 2-20 minute dynamic timeouts, with revalidation through normal traffic patterns.

Gratuitous ARP:

A device may broadcast its own IP-MAC mapping unsolicited—this is Gratuitous ARP:

Announces presence after boot or address change
Allows other devices to update their caches proactively
Detects IP address conflicts (if someone responds, collision exists)
Used by high-availability systems to take over virtual IPs

Debugging Stale ARP

Stale ARP entries are a common troubleshooting headache. If a server's NIC is replaced (new MAC) or an IP is reassigned, other devices may still cache the old mapping. Symptoms: intermittent connectivity, connection resets, or complete unreachability. Solution: Clear ARP caches on affected devices or wait for natural expiration.

ARP Security Vulnerabilities

ARP was designed in an era of trusted networks and has no built-in security. This makes it vulnerable to several attacks that exploit its trusting nature.

ARP Spoofing / Poisoning:

An attacker sends forged ARP replies, associating their MAC address with another device's IP (typically the gateway):

Attacker sends: "192.168.1.1 (gateway) is at [attacker's MAC]"
Victim caches this false mapping
Victim sends all gateway-bound traffic to attacker
Attacker can inspect, modify, or drop packets

This enables Man-in-the-Middle (MITM) attacks, where the attacker intercepts and forwards traffic between victim and gateway—reading passwords, modifying responses, or injecting malicious content.

Converting Mermaid diagram...

ARP-Based Attack Types

•Man-in-the-Middle (MITM) — Attacker positions themselves between victim and gateway, intercepting all traffic for eavesdropping or modification.
•Denial of Service — Attacker poisons cache with nonexistent MAC, causing traffic to vanish into the void.
•Session Hijacking — Attacker captures authentication tokens or session cookies to impersonate victim.
•Cloning — Attacker assumes victim's IP by poisoning the gateway's ARP cache, receiving victim's traffic.
•VLAN Hopping — Combined with other techniques to attack across VLAN boundaries.

Defense Mechanisms:

1. Dynamic ARP Inspection (DAI)

Switch examines ARP packets
Validates against DHCP snooping binding table
Drops ARP with mismatched IP-MAC
Requires managed switches

2. Static ARP Entries

Manually configure known IP-MAC mappings
Immune to spoofing but doesn't scale
Appropriate for critical infrastructure

3. Private VLANs

Isolate hosts from each other at Layer 2
Hosts can only communicate via router (where DAI/DHCP snooping applies)
Prevents direct ARP between potentially hostile hosts

4. Port Security

Limit MAC addresses per switch port
Prevents attacker from impersonating multiple devices
Detects MAC flooding attacks

5. 802.1X Authentication

Authenticate devices before network access
Untrusted devices isolated or blocked
Integrates with RADIUS/AAA infrastructure

Layer 3+ Encryption is Essential

The ultimate defense against ARP-based MITM is encryption at higher layers. HTTPS, SSH, and VPNs render intercepted traffic unreadable. Even if an attacker captures packets, they can't decrypt the contents. Always assume the local network is hostile and encrypt sensitive traffic.

Proxy ARP and Special Cases

Several variations and special cases of ARP behavior exist to handle unusual network configurations.

Proxy ARP:

A router can answer ARP requests on behalf of devices on other networks—this is Proxy ARP (RFC 1027).

Scenario: Host A (192.168.1.50/24) wants to reach Host B (192.168.2.100/24). Without proper routing configuration, Host A might try to ARP directly for 192.168.2.100, not realizing it's on a different network.

Proxy ARP Solution:

Router has interfaces on both networks
Router sees ARP request for 192.168.2.100 on the 192.168.1.x interface
Router responds with its own MAC address
Host A sends packets to router's MAC
Router forwards to Host B on the other network

Proxy ARP makes routing transparent to hosts with misconfigured subnet masks, but is generally considered a legacy workaround rather than a best practice.

ARP Special Cases
Case	Description	Use
Gratuitous ARP	Device announces its own IP-MAC mapping	Detect conflicts, update caches, failover
Proxy ARP	Router answers for hosts on other networks	Transparent routing for misconfigured hosts
Reverse ARP (RARP)	Request IP based on known MAC	Obsolete; replaced by DHCP/BOOTP
Inverse ARP (InARP)	Request IP of known MAC on Frame Relay	Frame Relay DLCI resolution
ARP Probe	ARP for own IP with sender IP = 0	DAD before using DHCP address
ARP Announcement	Gratuitous ARP after passing DAD	Inform network of new binding

ARP for Non-Ethernet Networks:

ARP is hardware-agnostic—its format includes hardware type fields that specify the link layer technology. While Ethernet is most common, ARP works on:

IEEE 802.11 (WiFi): Frames ultimately deliver to MAC addresses
Token Ring: Historical, same ARP concepts applied
FDDI: Fiber networks using MAC-style addressing

Virtual Environment Considerations:

Virtual machines, containers, and cloud instances present unique ARP scenarios:

VM Migration: When a VM moves between hypervisors, its MAC may change or appear on a different physical port. Gratuitous ARP updates switches and peer caches.
Container Networking: Containers may share host's MAC with virtual IPs, using Host NAT or overlay networks to manage addressing.
Cloud Virtual Networks: Cloud providers implement ARP at the hypervisor/SDN layer, often with optimized or controlled behavior to prevent abuse.

Proxy ARP Risks

While Proxy ARP can solve immediate problems, it creates security and manageability issues: it hides routing failures (things seem to work when they shouldn't), expands broadcast domains artificially, and can enable attacks from misconfigured hosts. Modern best practice is to configure hosts correctly rather than rely on Proxy ARP.

IPv6 Neighbor Discovery Protocol

IPv6 replaces ARP with the Neighbor Discovery Protocol (NDP), defined in RFC 4861. NDP uses ICMPv6 messages rather than a separate protocol and provides significantly enhanced functionality.

NDP Message Types:

ICMPv6 Neighbor Discovery Messages
Message	Type	Purpose
Router Solicitation (RS)	133	Host requests router presence/configuration
Router Advertisement (RA)	134	Router announces itself, prefix, configuration options
Neighbor Solicitation (NS)	135	Resolve IPv6 to MAC (like ARP Request)
Neighbor Advertisement (NA)	136	Response with MAC address (like ARP Reply)
Redirect	137	Router informs host of better first hop

Address Resolution with NS/NA:

NDP address resolution is similar to ARP but uses multicast instead of broadcast:

Host needs MAC for 2001:db8::100
Host sends Neighbor Solicitation to solicited-node multicast address:
- Multicast: ff02::1:ff00:0100 (derived from target's last 24 bits)
- Only devices with addresses ending in ...00:0100 listen
Target responds with Neighbor Advertisement (unicast)
Host caches the mapping

NDP Address Resolution
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# IPv6 Address Resolution Example
 
# Host A wants to reach Host B at 2001:db8::100
# Host B's MAC: aa:bb:cc:dd:ee:ff
 
# Step 1: Neighbor Solicitation
Source IP:      2001:db8::50 (Host A)
Destination IP: ff02::1:ff00:0100 (solicited-node multicast)
ICMPv6 Type:    135 (Neighbor Solicitation)
Target Address: 2001:db8::100
Options:        Source Link-Layer Address = 00:11:22:33:44:55
 
# Only hosts with addresses ending in ...00:0100 receive this
# Much more efficient than broadcast!
 
# Step 2: Neighbor Advertisement
Source IP:      2001:db8::100 (Host B)
Destination IP: 2001:db8::50 (Host A - unicast)
ICMPv6 Type:    136 (Neighbor Advertisement)
Target Address: 2001:db8::100
Flags:          Solicited=1, Override=1
Options:        Target Link-Layer Address = aa:bb:cc:dd:ee:ff
 
# Host A now knows: 2001:db8::100 → aa:bb:cc:dd:ee:ff
 
 
# View IPv6 Neighbor Cache (Linux)
$ ip -6 neigh show
2001:db8::1 dev eth0 lladdr d4:6d:50:a1:b2:c3 router REACHABLE
2001:db8::100 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
fe80::1 dev eth0 lladdr d4:6d:50:a1:b2:c3 router REACHABLE

NDP Improvements Over ARP:

Multicast, not Broadcast: Solicited-node multicast targets only potentially matching hosts, reducing network load
Integrated Protocol: Part of ICMPv6, not a separate protocol
Router Discovery: Hosts find routers automatically without configuration
Prefix Information: Routers advertise network prefixes for SLAAC
Neighbor Unreachability Detection (NUD): Actively verifies neighbor reachability
Redirect Messages: Routers redirect hosts to better next hops
SEND (Secure NDP): Optional cryptographic security extension

NDP's Multicast Efficiency

The solicited-node multicast address is derived from the target's last 24 bits. In a /64 network with 1,000 hosts, a Neighbor Solicitation reaches only ~1 host (statistically), not all 1,000 as ARP broadcast would. This dramatic efficiency gain scales better for large networks.

Resolution in Packet Delivery

Let's trace address resolution through a complete packet delivery scenario to see how all the pieces fit together.

Scenario: Host A (192.168.1.50) connects to web server (10.0.0.100) on another network.

Network Configuration:

Host A: 192.168.1.50/24, Gateway: 192.168.1.1
Router: 192.168.1.1 ↔ 10.0.0.1
Server: 10.0.0.100/24

Complete Resolution Trace
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# Phase 1: Host A determines routing decision
Host A destination: 10.0.0.100
Host A network:     192.168.1.0/24
Is 10.0.0.100 in 192.168.1.0/24? → NO
Decision: Send to default gateway (192.168.1.1)
 
# Phase 2: Host A resolves gateway MAC
Host A checks ARP cache for 192.168.1.1
├─ Cache HIT: Use cached MAC (e.g., D4:6D:50:A1:B2:C3)
└─ Cache MISS: Send ARP Request
   ARP Request: "Who has 192.168.1.1?"
   → Router responds: "192.168.1.1 is at D4:6D:50:A1:B2:C3"
   → Host A caches: 192.168.1.1 → D4:6D:50:A1:B2:C3
 
# Phase 3: Host A constructs and sends frame
IP Packet:
  Source IP:      192.168.1.50
  Destination IP: 10.0.0.100      ← Final destination
  Payload:        [HTTP Request]
 
Ethernet Frame:
  Source MAC:      00:11:22:33:44:55 (Host A)
  Destination MAC: D4:6D:50:A1:B2:C3 (Router!) ← Next hop only
  Payload:         [IP Packet]
 
→ Frame transmitted on wire
 
# Phase 4: Router receives and processes
Router receives frame on interface 192.168.1.1
Router decapsulates: extracts IP packet
Router checks: Is 10.0.0.100 directly connected?
  Interface 10.0.0.1 connects to 10.0.0.0/24 → YES
 
# Phase 5: Router resolves server MAC
Router checks ARP cache for 10.0.0.100
├─ Cache HIT: Use cached MAC (e.g., AA:BB:CC:DD:EE:FF)
└─ Cache MISS: Send ARP on 10.0.0.0/24 interface
   → Server responds with its MAC
 
# Phase 6: Router forwards to server
New Ethernet Frame:
  Source MAC:      [Router's 10.0.0.1 interface MAC]
  Destination MAC: AA:BB:CC:DD:EE:FF (Server)
  Payload:         [Same IP Packet - unchanged!]
 
→ Server receives and processes

Critical Observations:

IP addresses never change across the journey (192.168.1.50 → 10.0.0.100)
MAC addresses change at every hop (Host A → Router, Router → Server)
Resolution happens at each hop for the next-hop destination only
ARP is transparent to higher layers—applications never see it
Caching is essential for performance—without it, every packet would require resolution

This pattern repeats for every hop in a multi-router path. The IP layer provides end-to-end addressing; the data link layer and ARP provide point-to-point delivery between each pair of adjacent devices.

The Illusion of Direct Delivery

From the application's perspective, it communicates directly with the server using IP addresses. The complex dance of ARP requests, MAC address lookups, frame encapsulation, and multi-hop forwarding is completely invisible. This abstraction is the power of layered networking—each layer hides complexity from those above it.

Summary: Address Resolution

Address resolution is the essential glue between logical and physical networking. Let's consolidate the key concepts:

Key Takeaways

•Resolution bridges layers — IP packets must be delivered in frames, requiring translation from IP addresses to MAC addresses.
•ARP uses broadcast request, unicast reply — Any host can request; only the target responds. Simple but generates network traffic.
•ARP caching is essential — Without caching, every packet would require a broadcast. Caches trade freshness for efficiency.
•ARP has no security — Spoofing enables MITM attacks. Defense requires switch features (DAI), static entries, or encryption at higher layers.
•IPv6 NDP uses multicast, not broadcast — Solicited-node multicast targets only likely responders, dramatically improving efficiency.
•Resolution is local and per-hop — You only resolve next-hop addresses (destination if local, gateway if remote). Resolution repeats at each router.

Module Complete:

With this page, you've completed the Addressing module of Network Layer Concepts. You now understand:

Logical addresses and why they're essential for internetworking
Hierarchical addressing and how it enables scalable routing
Address uniqueness and the systems that maintain it
Address assignment mechanisms from static to DHCP to SLAAC
Address resolution bridging the logical-physical divide

These concepts form the foundation for understanding IP routing, subnetting, NAT, and all higher-level network protocols.

Module Complete

Congratulations! You've mastered network layer addressing—from the theoretical foundations of logical vs. physical addresses to the practical mechanisms of DHCP and ARP. This knowledge is essential for network administration, troubleshooting, security, and understanding how the Internet actually delivers billions of packets every second.

Address Resolution

Bridging Two Worlds

Learning Objectives

The Address Resolution Problem

Consider what happens when Host A wants to send an IP packet to Host B on the same local network:

What Host A knows:

Destination IP address: 192.168.1.100
Host A's own MAC address: 00:11:22:33:44:55
Host A's own IP address: 192.168.1.50

What Host A needs to know:

Host B's MAC address: ??:??:??:??:??:??

Why IP alone isn't sufficient:

To deliver the packet, Host A must:

Construct an IP packet with destination 192.168.1.100
Encapsulate it in an Ethernet frame
Address the frame to Host B's MAC address
Transmit the frame

Step 3 is impossible without knowing Host B's MAC address.

Converting Mermaid diagram...

When Resolution is Needed:

Address resolution occurs in two scenarios:

1. Direct Delivery (Same Network) When the destination IP is on the same network (determined by subnet mask), the sender resolves the destination IP directly to a MAC address.

In both cases, the process is the same: IP address → MAC address mapping via resolution protocol.

Resolution Scope is Always Local

ARP Protocol Operation

The Address Resolution Protocol (ARP), defined in RFC 826, resolves IPv4 addresses to MAC addresses through a simple request-reply mechanism.

ARP Request (Broadcast):

When a host needs to resolve an IP address:

Host constructs an ARP Request message containing:
- "Who has IP address X?"
- Sender's IP and MAC addresses
Host broadcasts the request to all devices (destination MAC: FF:FF:FF:FF:FF:FF)
Every device on the local network receives the broadcast

ARP Reply (Unicast):

The device with the requested IP address responds:

Device recognizes its own IP in the request
Device constructs an ARP Reply containing:
- "I have IP X. My MAC is Y."
- Sent unicast to the requester
Original host receives the reply and now knows the mapping

ARP Message Exchange
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# Scenario: Host A (192.168.1.50) wants to reach Host B (192.168.1.100)
 
# Step 1: ARP Request (broadcast)
┌────────────────────────────────────────────────────────┐
│ Ethernet Header                                        │
│   Destination MAC: FF:FF:FF:FF:FF:FF (broadcast)      │
│   Source MAC:      00:11:22:33:44:55 (Host A)         │
│   EtherType:       0x0806 (ARP)                       │
├────────────────────────────────────────────────────────┤
│ ARP Message                                            │
│   Operation:       1 (Request)                         │
│   Sender MAC:      00:11:22:33:44:55                  │
│   Sender IP:       192.168.1.50                       │
│   Target MAC:      00:00:00:00:00:00 (unknown)        │
│   Target IP:       192.168.1.100                      │
└────────────────────────────────────────────────────────┘
 
# All hosts on the network receive this broadcast.
# Only Host B (192.168.1.100) responds.
 
# Step 2: ARP Reply (unicast)
┌────────────────────────────────────────────────────────┐
│ Ethernet Header                                        │
│   Destination MAC: 00:11:22:33:44:55 (Host A)         │
│   Source MAC:      AA:BB:CC:DD:EE:FF (Host B)         │
│   EtherType:       0x0806 (ARP)                       │
├────────────────────────────────────────────────────────┤
│ ARP Message                                            │
│   Operation:       2 (Reply)                           │
│   Sender MAC:      AA:BB:CC:DD:EE:FF (Host B)         │
│   Sender IP:       192.168.1.100                      │
│   Target MAC:      00:11:22:33:44:55                  │
│   Target IP:       192.168.1.50                       │
└────────────────────────────────────────────────────────┘
 
# Host A now knows: 192.168.1.100 → AA:BB:CC:DD:EE:FF

ARP Message Format
Field	Size	Description
Hardware Type	2 bytes	Network type (1 = Ethernet)
Protocol Type	2 bytes	Protocol being resolved (0x0800 = IPv4)
Hardware Size	1 byte	MAC address length (6 for Ethernet)
Protocol Size	1 byte	IP address length (4 for IPv4)
Operation	2 bytes	1 = Request, 2 = Reply
Sender Hardware Address	6 bytes	Sender's MAC address
Sender Protocol Address	4 bytes	Sender's IP address
Target Hardware Address	6 bytes	Target's MAC (0 in request)
Target Protocol Address	4 bytes	Target's IP address

ARP is Stateless

ARP Cache and Efficiency

ARP Cache Behavior:

Before sending: Check if destination IP is in ARP cache
Cache hit: Use cached MAC immediately—no ARP needed
Cache miss: Send ARP request, wait for reply, cache result
Timeout: Entries expire after a period (typically 2-20 minutes)
Refresh: Communication may refresh entry timers

Viewing and Managing ARP Cache
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# Windows: View ARP cache
C:\> arp -a
 
Interface: 192.168.1.50 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1          d4-6d-50-a1-b2-c3     dynamic
  192.168.1.100        aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255        ff-ff-ff-ff-ff-ff     static
  
# Linux/macOS: View ARP cache  
$ arp -n
Address          HWtype   HWaddress           Flags Mask   Iface
192.168.1.1      ether    d4:6d:50:a1:b2:c3   C            eth0
192.168.1.100    ether    aa:bb:cc:dd:ee:ff   C            eth0
 
# Linux: Modern 'ip' command
$ ip neigh show
192.168.1.1 dev eth0 lladdr d4:6d:50:a1:b2:c3 REACHABLE
192.168.1.100 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
 
# Clear specific entry (Windows)
C:\> arp -d 192.168.1.100
 
# Clear entire cache (Linux - requires root)
$ ip neigh flush all
 
# Add static entry (persists until reboot)
C:\> arp -s 192.168.1.200 00-50-56-c0-00-01
$ arp -s 192.168.1.200 00:50:56:c0:00:01

ARP Cache Entry States
State	Meaning	Next Action
REACHABLE	Entry valid; recent successful communication	Use directly
STALE	Entry aged; no recent confirmation	Use but may re-verify on next use
DELAY	Packet sent; waiting briefly for verification	Probe if no traffic confirms
PROBE	Actively verifying with unsolicited ARP	Re-resolve if no response
FAILED	Resolution failed; no response to probes	Report error to higher layers
INCOMPLETE	Resolution in progress; waiting for reply	Queue packets; timeout if no response

Cache Timeout Tradeoffs:

Short timeout (1-2 minutes): Quickly adapts to network changes (device moved, IP reassigned) but more ARP traffic
Long timeout (20-60 minutes): Less ARP traffic but stale entries may cause problems if devices change
Static entries: Never expire; used for critical infrastructure but require manual management

Most operating systems use 2-20 minute dynamic timeouts, with revalidation through normal traffic patterns.

Gratuitous ARP:

A device may broadcast its own IP-MAC mapping unsolicited—this is Gratuitous ARP:

Announces presence after boot or address change
Allows other devices to update their caches proactively
Detects IP address conflicts (if someone responds, collision exists)
Used by high-availability systems to take over virtual IPs

Debugging Stale ARP

ARP Security Vulnerabilities

ARP was designed in an era of trusted networks and has no built-in security. This makes it vulnerable to several attacks that exploit its trusting nature.

ARP Spoofing / Poisoning:

An attacker sends forged ARP replies, associating their MAC address with another device's IP (typically the gateway):

Attacker sends: "192.168.1.1 (gateway) is at [attacker's MAC]"
Victim caches this false mapping
Victim sends all gateway-bound traffic to attacker
Attacker can inspect, modify, or drop packets

This enables Man-in-the-Middle (MITM) attacks, where the attacker intercepts and forwards traffic between victim and gateway—reading passwords, modifying responses, or injecting malicious content.

Converting Mermaid diagram...

ARP-Based Attack Types

•Man-in-the-Middle (MITM) — Attacker positions themselves between victim and gateway, intercepting all traffic for eavesdropping or modification.
•Denial of Service — Attacker poisons cache with nonexistent MAC, causing traffic to vanish into the void.
•Session Hijacking — Attacker captures authentication tokens or session cookies to impersonate victim.
•Cloning — Attacker assumes victim's IP by poisoning the gateway's ARP cache, receiving victim's traffic.
•VLAN Hopping — Combined with other techniques to attack across VLAN boundaries.

Defense Mechanisms:

1. Dynamic ARP Inspection (DAI)

Switch examines ARP packets
Validates against DHCP snooping binding table
Drops ARP with mismatched IP-MAC
Requires managed switches

2. Static ARP Entries

Manually configure known IP-MAC mappings
Immune to spoofing but doesn't scale
Appropriate for critical infrastructure

3. Private VLANs

Isolate hosts from each other at Layer 2
Hosts can only communicate via router (where DAI/DHCP snooping applies)
Prevents direct ARP between potentially hostile hosts

4. Port Security

Limit MAC addresses per switch port
Prevents attacker from impersonating multiple devices
Detects MAC flooding attacks

5. 802.1X Authentication

Authenticate devices before network access
Untrusted devices isolated or blocked
Integrates with RADIUS/AAA infrastructure

Layer 3+ Encryption is Essential

Proxy ARP and Special Cases

Several variations and special cases of ARP behavior exist to handle unusual network configurations.

Proxy ARP:

A router can answer ARP requests on behalf of devices on other networks—this is Proxy ARP (RFC 1027).

Proxy ARP Solution:

Router has interfaces on both networks
Router sees ARP request for 192.168.2.100 on the 192.168.1.x interface
Router responds with its own MAC address
Host A sends packets to router's MAC
Router forwards to Host B on the other network

Proxy ARP makes routing transparent to hosts with misconfigured subnet masks, but is generally considered a legacy workaround rather than a best practice.

ARP Special Cases
Case	Description	Use
Gratuitous ARP	Device announces its own IP-MAC mapping	Detect conflicts, update caches, failover
Proxy ARP	Router answers for hosts on other networks	Transparent routing for misconfigured hosts
Reverse ARP (RARP)	Request IP based on known MAC	Obsolete; replaced by DHCP/BOOTP
Inverse ARP (InARP)	Request IP of known MAC on Frame Relay	Frame Relay DLCI resolution
ARP Probe	ARP for own IP with sender IP = 0	DAD before using DHCP address
ARP Announcement	Gratuitous ARP after passing DAD	Inform network of new binding

ARP for Non-Ethernet Networks:

ARP is hardware-agnostic—its format includes hardware type fields that specify the link layer technology. While Ethernet is most common, ARP works on:

IEEE 802.11 (WiFi): Frames ultimately deliver to MAC addresses
Token Ring: Historical, same ARP concepts applied
FDDI: Fiber networks using MAC-style addressing

Virtual Environment Considerations:

Virtual machines, containers, and cloud instances present unique ARP scenarios:

VM Migration: When a VM moves between hypervisors, its MAC may change or appear on a different physical port. Gratuitous ARP updates switches and peer caches.
Container Networking: Containers may share host's MAC with virtual IPs, using Host NAT or overlay networks to manage addressing.
Cloud Virtual Networks: Cloud providers implement ARP at the hypervisor/SDN layer, often with optimized or controlled behavior to prevent abuse.

Proxy ARP Risks

IPv6 Neighbor Discovery Protocol

IPv6 replaces ARP with the Neighbor Discovery Protocol (NDP), defined in RFC 4861. NDP uses ICMPv6 messages rather than a separate protocol and provides significantly enhanced functionality.

NDP Message Types:

ICMPv6 Neighbor Discovery Messages
Message	Type	Purpose
Router Solicitation (RS)	133	Host requests router presence/configuration
Router Advertisement (RA)	134	Router announces itself, prefix, configuration options
Neighbor Solicitation (NS)	135	Resolve IPv6 to MAC (like ARP Request)
Neighbor Advertisement (NA)	136	Response with MAC address (like ARP Reply)
Redirect	137	Router informs host of better first hop

Address Resolution with NS/NA:

NDP address resolution is similar to ARP but uses multicast instead of broadcast:

Host needs MAC for 2001:db8::100
Host sends Neighbor Solicitation to solicited-node multicast address:
- Multicast: ff02::1:ff00:0100 (derived from target's last 24 bits)
- Only devices with addresses ending in ...00:0100 listen
Target responds with Neighbor Advertisement (unicast)
Host caches the mapping

NDP Address Resolution
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# IPv6 Address Resolution Example
 
# Host A wants to reach Host B at 2001:db8::100
# Host B's MAC: aa:bb:cc:dd:ee:ff
 
# Step 1: Neighbor Solicitation
Source IP:      2001:db8::50 (Host A)
Destination IP: ff02::1:ff00:0100 (solicited-node multicast)
ICMPv6 Type:    135 (Neighbor Solicitation)
Target Address: 2001:db8::100
Options:        Source Link-Layer Address = 00:11:22:33:44:55
 
# Only hosts with addresses ending in ...00:0100 receive this
# Much more efficient than broadcast!
 
# Step 2: Neighbor Advertisement
Source IP:      2001:db8::100 (Host B)
Destination IP: 2001:db8::50 (Host A - unicast)
ICMPv6 Type:    136 (Neighbor Advertisement)
Target Address: 2001:db8::100
Flags:          Solicited=1, Override=1
Options:        Target Link-Layer Address = aa:bb:cc:dd:ee:ff
 
# Host A now knows: 2001:db8::100 → aa:bb:cc:dd:ee:ff
 
 
# View IPv6 Neighbor Cache (Linux)
$ ip -6 neigh show
2001:db8::1 dev eth0 lladdr d4:6d:50:a1:b2:c3 router REACHABLE
2001:db8::100 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
fe80::1 dev eth0 lladdr d4:6d:50:a1:b2:c3 router REACHABLE

NDP Improvements Over ARP:

Multicast, not Broadcast: Solicited-node multicast targets only potentially matching hosts, reducing network load
Integrated Protocol: Part of ICMPv6, not a separate protocol
Router Discovery: Hosts find routers automatically without configuration
Prefix Information: Routers advertise network prefixes for SLAAC
Neighbor Unreachability Detection (NUD): Actively verifies neighbor reachability
Redirect Messages: Routers redirect hosts to better next hops
SEND (Secure NDP): Optional cryptographic security extension

NDP's Multicast Efficiency

Resolution in Packet Delivery

Let's trace address resolution through a complete packet delivery scenario to see how all the pieces fit together.

Scenario: Host A (192.168.1.50) connects to web server (10.0.0.100) on another network.

Network Configuration:

Host A: 192.168.1.50/24, Gateway: 192.168.1.1
Router: 192.168.1.1 ↔ 10.0.0.1
Server: 10.0.0.100/24

Complete Resolution Trace
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# Phase 1: Host A determines routing decision
Host A destination: 10.0.0.100
Host A network:     192.168.1.0/24
Is 10.0.0.100 in 192.168.1.0/24? → NO
Decision: Send to default gateway (192.168.1.1)
 
# Phase 2: Host A resolves gateway MAC
Host A checks ARP cache for 192.168.1.1
├─ Cache HIT: Use cached MAC (e.g., D4:6D:50:A1:B2:C3)
└─ Cache MISS: Send ARP Request
   ARP Request: "Who has 192.168.1.1?"
   → Router responds: "192.168.1.1 is at D4:6D:50:A1:B2:C3"
   → Host A caches: 192.168.1.1 → D4:6D:50:A1:B2:C3
 
# Phase 3: Host A constructs and sends frame
IP Packet:
  Source IP:      192.168.1.50
  Destination IP: 10.0.0.100      ← Final destination
  Payload:        [HTTP Request]
 
Ethernet Frame:
  Source MAC:      00:11:22:33:44:55 (Host A)
  Destination MAC: D4:6D:50:A1:B2:C3 (Router!) ← Next hop only
  Payload:         [IP Packet]
 
→ Frame transmitted on wire
 
# Phase 4: Router receives and processes
Router receives frame on interface 192.168.1.1
Router decapsulates: extracts IP packet
Router checks: Is 10.0.0.100 directly connected?
  Interface 10.0.0.1 connects to 10.0.0.0/24 → YES
 
# Phase 5: Router resolves server MAC
Router checks ARP cache for 10.0.0.100
├─ Cache HIT: Use cached MAC (e.g., AA:BB:CC:DD:EE:FF)
└─ Cache MISS: Send ARP on 10.0.0.0/24 interface
   → Server responds with its MAC
 
# Phase 6: Router forwards to server
New Ethernet Frame:
  Source MAC:      [Router's 10.0.0.1 interface MAC]
  Destination MAC: AA:BB:CC:DD:EE:FF (Server)
  Payload:         [Same IP Packet - unchanged!]
 
→ Server receives and processes

Critical Observations:

IP addresses never change across the journey (192.168.1.50 → 10.0.0.100)
MAC addresses change at every hop (Host A → Router, Router → Server)
Resolution happens at each hop for the next-hop destination only
ARP is transparent to higher layers—applications never see it
Caching is essential for performance—without it, every packet would require resolution

The Illusion of Direct Delivery

Summary: Address Resolution

Address resolution is the essential glue between logical and physical networking. Let's consolidate the key concepts:

Key Takeaways

•Resolution bridges layers — IP packets must be delivered in frames, requiring translation from IP addresses to MAC addresses.
•ARP uses broadcast request, unicast reply — Any host can request; only the target responds. Simple but generates network traffic.
•ARP caching is essential — Without caching, every packet would require a broadcast. Caches trade freshness for efficiency.
•ARP has no security — Spoofing enables MITM attacks. Defense requires switch features (DAI), static entries, or encryption at higher layers.
•IPv6 NDP uses multicast, not broadcast — Solicited-node multicast targets only likely responders, dramatically improving efficiency.
•Resolution is local and per-hop — You only resolve next-hop addresses (destination if local, gateway if remote). Resolution repeats at each router.

Module Complete:

With this page, you've completed the Addressing module of Network Layer Concepts. You now understand:

Logical addresses and why they're essential for internetworking
Hierarchical addressing and how it enables scalable routing
Address uniqueness and the systems that maintain it
Address assignment mechanisms from static to DHCP to SLAAC
Address resolution bridging the logical-physical divide

These concepts form the foundation for understanding IP routing, subnetting, NAT, and all higher-level network protocols.

Module Complete