ARP - Address Resolution Protocol

The Address Resolution Protocol (ARP) is used to map IP addresses to the physical Media Access Control (MAC) addresses (read about MAC addresses here) of devices on a local area network (LAN).

It operates at the Data Link Layer (Layer 2) of the OSI model. When a device wants to communicate with another device on the same network, it needs to know the target device's MAC address. ARP facilitates this by broadcasting a request to all devices on the network, asking for the MAC address associated with a given IP address. The device with the matching IP address responds with its MAC address, allowing communication to proceed.

ARP plays a crucial role in enabling communication within local networks. It allows devices to discover each other's MAC addresses based on their IP addresses, enabling the delivery of data packets within the local network. Without ARP, devices would not be able to accurately route packets to their intended destinations within the LAN. This protocol is fundamental to the operation of IP networking over Ethernet and similar technologies, ensuring that data reaches the correct hardware device on the local network.

ARP is necessary for multiple networks operations:

Local Network Communication: Device Communication: ARP is used within a local area network (LAN) to allow devices to communicate with each other by resolving IP addresses to MAC addresses. For example, when a computer wants to send data to a printer on the same network, it uses ARP to find the printer's MAC address. For Network Troubleshooting like iagnosing Network Issues: Network administrators use ARP tables to troubleshoot connectivity issues. By checking ARP entries, they can verify if a device is reachable or identify duplicate IP addresses. ARP is used in Routing as well :Router Operations: Routers use ARP to map IP addresses to MAC addresses of devices on their connected networks. This helps in forwarding packets to the correct device within the LAN.

Anatomy

The protocol header anatomy

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Hardware Type | Protocol Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Hardware Size | Protocol Size | Operation Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sender Hardware Address (Bytes 0-3) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Sender Hardware Address (Bytes 4-5)| Sender Protocol Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Target Hardware Address (Bytes 0-1) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Target Hardware Address (Bytes 2-5)| Target Protocol Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Explanation of the ARP Header Fields

Hardware Type (16 bits): Specifies the type of hardware address. For Ethernet, this value is 1. Protocol Type (16 bits): Specifies the type of protocol address. For IPv4, this value is 0x0800. Hardware Size (8 bits): Length in bytes of the hardware address. For Ethernet, this value is 6. Protocol Size (8 bits): Length in bytes of the protocol address. For IPv4, this value is 4. Operation Code (16 bits): Specifies the operation the sender is performing:

1: ARP Request
2: ARP Reply
3: RARP Request
4: RARP Reply Sender Hardware Address (48 bits): The hardware address of the sender (e.g., the MAC address). Sender Protocol Address (32 bits): The protocol address of the sender (e.g., the IPv4 address). Target Hardware Address (48 bits): The hardware address of the target (e.g., the MAC address). For ARP Requests, this field is typically all zeros. Target Protocol Address (32 bits): The protocol address of the target (e.g., the IPv4 address).

The Protocol Sequence

ARP Request TL;DR: A device sends an ARP request to discover the MAC address associated with a given IP address.
Explanation: When a device (such as a computer) wants to communicate with another device on the same local network, it needs to know the MAC address of the target device. It sends an ARP request as a broadcast message to all devices on the local network.

Source IP Address: The IP address of the device sending the request.
Source MAC Address: The MAC address of the device sending the request.
Target IP Address: The IP address of the device whose MAC address is being requested.
Target MAC Address: Initially set to 00:00:00:00:00:00 (unknown).

ARP Request
    Source IP Address: 192.168.1.10
    Source MAC Address: 00:1A:2B:3C:4D:5E
    Target IP Address: 192.168.1.20
    Target MAC Address: 00:00:00:00:00:00

ARP Reply TLDR: The target device responds with an ARP reply, providing its MAC address. Explanation: The device with the IP address specified in the ARP request responds with an ARP reply, which is a unicast message sent directly to the requesting device. This reply includes the MAC address of the responding device.

Source IP Address: The IP address of the device responding to the request.
Source MAC Address: The MAC address of the device responding to the request.
Target IP Address: The IP address of the device that sent the ARP request.
Target MAC Address: The MAC address of the device that sent the ARP request.

ARP Reply
    Source IP Address: 192.168.1.20
    Source MAC Address: 00:5E:4D:3C:2B:1A
    Target IP Address: 192.168.1.10
    Target MAC Address: 00:1A:2B:3C:4D:5E

Updating ARP Cache TLDR: Devices update their ARP caches with the new IP-to-MAC address mapping. Explanation: Both the requesting device and any other devices on the network that received the ARP reply update their ARP caches. The ARP cache stores recent IP-to-MAC address mappings to reduce the need for future ARP requests. ARP Cache Entry includes:

IP Address: The IP address of the target device.
MAC Address: The MAC address of the target device.
Timestamp: The time the entry was added or refreshed.

ARP Cache Entry
    IP Address: 192.168.1.20
    MAC Address: 00:5E:4D:3C:2B:1A
    Timestamp: <current time>

Note: Gratuitous ARP

TL;DR: A device sends an unsolicited ARP reply to announce its IP-to-MAC address mapping.
Explanation: A device may send a gratuitous ARP message to announce a change in its IP-to-MAC address mapping or to detect IP address conflicts. This message is a broadcast ARP reply that is not in response to an ARP request.

Source IP Address: The IP address of the device sending the gratuitous ARP.
Source MAC Address: The MAC address of the device sending the gratuitous ARP.
Target IP Address: The same as the source IP address.
Target MAC Address: The same as the source MAC address.

Gratuitous ARP
    Source IP Address: 192.168.1.20
    Source MAC Address: 00:5E:4D:3C:2B:1A
    Target IP Address: 192.168.1.20
    Target MAC Address: 00:5E:4D:3C:2B:1A

Technical Specifications

Here are some resources where you can find the technical specifications for the ARP (Address Resolution Protocol):

(RFC 826)[[https://datatracker.ietf.org/doc/html/rfc826]]: An Ethernet Address Resolution Protocol: This is the original specification of ARP, published by the Internet Engineering Task Force (IETF).
(IETF ARP Working Group)[https://datatracker.ietf.org/wg/arpwg/about/]: This page provides information about the working group that developed ARP and related protocols. It includes links to relevant RFCs and other documents.
(IEEE 802.3)[https://standards.ieee.org/standard/802_3-2018.html] Standard: Although ARP itself is specified in RFC 826, the IEEE 802.3 standard provides the underlying specifications for Ethernet, which ARP relies on for operation.

Privacy, Anonymity, and Hacking Concerns Regarding the ARP Protocol

A protocol is a structured set of rules and procedures designed to facilitate standardized interactions and operations within technological systems. When implemented in the technological landscape, protocols inherently display an attack surface, mostly due to the underlying technology used, predictable and repeatable nature of protocols — characteristics upon which some level of vulnerabilities can be exploited to whatever endeavours. The below list some of the ARP protocol exploitations witnessed over the years.

ARP abuse involves maliciously exploiting the ARP protocol to gather information or disrupt network operations. Let's discuss a few potential scenarios of ARP abuses

Privacy & Anonymity

MAC Address Tracking
In the context of applications installed on devices, a real-world example of this type of abuse is the reported events where applications like Facebook and TikTok have been reported to make use of the ARP protocol in order to tracking users' MAC addresses of Android devices without consent. This tracking allows the application providers to create persistent identifiers that can be used to monitor user activity across different networks in a persistent manner. This allowed the companies to create persistent identifiers even if users reset their advertising IDs, updated account policies, or else.

How It Works:
- Step 1: The application initializes the process when installed on a user's device. The application sends an ARP request to the local network, asking for the MAC addresses associated with specific IP addresses.
- Step 2: Devices on the network respond with their MAC addresses.
- Step 3: The application collects these MAC addresses and associates them with user profiles or other identifiers. (Imagine a cluster of all devices around you, family members, friend, to associate with your account as a mean of identification, metadata, profiling accuracy, etc).
- Step 4: Even if users reset other identifiers, the application may still track them using the collected MAC addresses.

Hacking Concerns

There are two prime activities regarding the hacking of the protocol.

The first one is the disruption of network services, so called Denial of Service (DoS), as to disrupt legitimate network communications. Attackers can flood a network with ARP requests, causing network devices to become overwhelmed and unresponsive.

The second one, is ARP Spoofing / Poisoning. While more typically associated with man-in-the-middle attacks, ARP spoofing could also be employed to intercept or manipulate user data in a local network setting. Read about how this works here.

Done!

Congratulation is you read this to the en! We hope this article brings a little clarity over the protocol anatomy and its various use cases.