James, Jr. Network Engineer
Hey, Adam. I have been working on an IoT network design, and ARP (Address Resolution Protocol) keeps coming up in my discussions. I know it maps IP addresses to MAC addresses, but I am still confused about its connection with IoT devices. Can we go over it?
Adam, Sr. Network Engineer
Address Resolution Protocol, or ARP, is like a network directory service, fundamental to how devices communicate in an IPv4 network. In IoT applications, devices often need to know the MAC address of the destination device to route packets properly. ARP Protocol does this by resolving the IP address of a device to its MAC address in a local network.
James, Jr. Network Engineer
That is interesting! But why do we need both IP and MAC addresses? Why can't we use either one of them?
Adam, Sr. Network Engineer
Good question! IP addresses are like postal codes - they help with logical organization and routing between networks. On the other hand, MAC addresses are like unique house numbers that never change. ARP bridges these two addressing schemes, ensuring data packets reach the correct physical device on a local network.
James, Jr. Network Engineer
So, in an IoT network, the ARP protocol is crucial for devices to communicate with each other. But won’t the ARP broadcast request create inefficiencies in the IoT networks?
Adam, Sr. Network Engineer
Well, in IoT networks, one approach is using static ARP entries. By pre-configuring IP-to-MAC mappings, devices can avoid sending ARP requests altogether. Also, Dynamic Host Configuration Protocol (DHCP) is used to assign IPs to devices dynamically, and ARP is used just once when the device first joins the network. After that, the IP-MAC mapping is cached so that it does not keep broadcasting ARP requests.
There is much more to consider when integrating ARP into real-world IoT applications. From managing the ARP cache to securing communications, a deeper understanding is essential for building robust and scalable IoT systems. This blog lets you break the ice and get started with understanding the role of the Address Resolution Protocol in detail.
What is the ARP Protocol?
The ARP or Address Resolution Protocol is used primarily in local area networks (LANs) to map a device's IP address to its MAC (Media Access Control) address. This mapping is essential for communication within a network, especially in IPv4-based networks, where devices need to know the MAC address of a device to send data frames at the data link layer (Layer 2).
The ARP protocol works on the principle of address resolution, allowing devices to map an IP address to a MAC address in a local network. It uses broadcasting for the ARP Request and unicast for the ARP Reply to enable communication between devices that need to send data using MAC addresses.
Understanding the Relationship Between MAC Address and IPV4 Address
What is a MAC Address?
What is a MAC Address?
The MAC address or Media Access Control Identifier operates in the Data Link Layer in the OSI model. A MAC ID, also known as a MAC address, is a unique identifier assigned to the network interface (such as an Ethernet adapter or a Wi-Fi module). It ensures that data frames get delivered to the correct hardware device on a local network.
Structure of a MAC Address
The MAC address is typically represented as a 48-bit value, written as a series of 12 hexadecimal digits, usually separated by colons or hyphens.
Example: 00:1A:2B:3C:4D:5E
Unique Identification
Each network interface card (NIC) or networked device has a globally unique MAC address, usually assigned by the manufacturer, to facilitate seamless communication within local networks.
What is an IPV4 Address?
What is an IPv4 Address?
An IPv4 Address operates at the Network Layer in the OSI model. An IPv4 address is a unique identifier assigned to each device on a wide-area network, such as the Internet, for routing data between devices over the network.
Structure of an IPv4 Address
An IPv4 address is a 32-bit address, usually written in the dotted-decimal format with four octets.
Example: 192.168.2.33
Details of an IPv4 Address
- Each octet consists of numbers between 0 and 255.
- This results in about 4.3 billion unique addresses.
Function of IPv4 Addresses
IPv4 addresses identify devices on different networks, including the Internet. They help routers to forward data packets from one network to another.
Relationship Between MAC Address and IPv4 Address
In an IPv4 network, when a device wants to communicate with another device on the same local network, it uses ARP (Address Resolution Protocol) to resolve the IPv4 address into a MAC address.
Key Points
- The MAC address operates at the local network level.
- The IPv4 address identifies devices across different networks or on the internet.
How It Works
When a device needs to send data to another device within the same network, it checks the IP address of the destination device. If the destination device's IP address is within the same local network, the sender uses ARP to resolve the IPv4 address to a MAC address. This allows the device to send the data directly to the correct network interface card (NIC) using the MAC address.
ARP Message Structure
Hardware Type (HTYPE):
- Size: 2 bytes (16 bits)
- This field specifies the type of hardware used for the network, typically Ethernet (0x0001). It identifies the link layer protocol.
Protocol Type (PTYPE):
- Size: 2 bytes (16 bits)
- This field specifies the type of protocol used at the network layer. Here, the Type field is set to 0x0806. It signifies the protocol used is ARP. While 0x0800 indicates IPv4 and 0x86DD is used for IPv6.
Hardware Address Length (HLEN):
- Size: 1 byte (8 bits)
- It specifies the length in bytes of the hardware address. For Ethernet, this is typically 6 bytes (48 bits).
Protocol Address Length (PLEN):
- Size: 1 byte (8 bits)
- It specifies the length in bytes of the protocol address. For IPv4, this is typically 4 bytes (32 bits).
Operation (OPER):
- Size: 2 bytes (16 bits)
- Indicates if the ARP message is an:
- ARP Request: The sender wants to find the MAC address of a device with a given IP address.
- ARP Reply: The sender is responding with its MAC address.
Sender Hardware Address (SHA):
- Size: 6 bytes (48 bits)
- It is the MAC address of the sender (i.e., the device issuing the ARP request or reply).
Sender Protocol Address (SPA):
- Size: 4 bytes (32 bits)
- It is the IP address of the sender (i.e., the device issuing the ARP request or reply).
Target Hardware Address (THA):
- Size: 6 bytes (48 bits)
- It is the MAC address of the target. In an ARP request, this field is set to 0s, as the sender is trying to find the target’s MAC address. In an ARP reply, this field contains the target’s MAC address.
Target Protocol Address (TPA):
- Size: 4 bytes (32 bits)
- The IP address of the target (the device whose MAC address is being queried or responded to).
Working of Address Resolution Protocol
Imagine that Device A wants to communicate with Device B over a local network. Device A knows Device B's IP address but also needs Device B's MAC address to send data frames to the data link layer (Ethernet frames). The MAC address helps the Ethernet frame headers to route the data correctly within the local network.
Step 1: ARP Request
Device A wants to send data to Device B, but it doesn't know Device B's MAC address.
- Device A checks its ARP cache to see if it already has a cached entry for Device B's IP address (e.g., 192.168.1.20).
- If there’s no cached mapping for 192.168.1.20, Device A sends out an ARP Request. This is a broadcast message to the entire local network asking: "Who has an IP address 192.168.1.20? Tell me your MAC address."
- The ARP Broadcast Request is sent to all devices on the local network because Device A doesn't know which device has the IP address. It's sent to the Ethernet broadcast address (e.g., FF:FF:FF:FF:FF:FF), which all devices in the local network can receive.
Step 2: ARP Reply
Device B, which has the IP address 192.168.1.20, will receive the ARP request.
- Upon receiving the request, Device B checks if the IP address matches its own. Since it does, Device B sends an ARP Reply to Device A.
- The ARP Reply is a unicast message (sent directly to Device A’s MAC address) containing Device B's MAC address (e.g., 00:1A:2B:3C:4D:6F).
Step 3: ARP Cache Update
Once Device A receives the ARP Reply, it stores the mapping of IP address 192.168.1.20 to the MAC address 00:1A:2B:3C:4D:6F in its ARP cache. This allows Device A to use this information for subsequent communication with Device B.
Step 4: Communication
Now that Device A has Device B’s MAC address, it can send an Ethernet frame containing the data and use Device B's MAC address as the destination address for the frame. The data is then delivered to Device B within the local network.
ARP Cache
Both Device A and Device B store IP-to-MAC address mappings in an ARP cache. This cache is maintained for a certain period (typically a few minutes) to avoid sending ARP requests repeatedly. If a device wants to send data to another device, it first checks its ARP cache to see if the mapping already exists.
- Example entry in the ARP cache:
- IP Address: 192.168.1.20
- MAC Address: 00:1A:2B:3C:4D:6F
- If the mapping has expired or the cache is empty, a new ARP request will be initiated.
ARP Request and ARP Reply Packets
ARP Request Packet
The ARP request is sent as a broadcast packet to the entire network. The ARP packet contains:
- Sender's IP address (Device A's IP)
- Sender's MAC address (Device A's MAC)
- Target's IP address (Device B's IP)
- Target's MAC address (unknown at this point)
ARP Reply Packet
The ARP reply is sent as a unicast message to the requesting device (Device A) and contains:
- Sender's IP address (Device B's IP)
- Sender's MAC address (Device B's MAC)
- Target's IP address (Device A’s IP)
Types of ARP Protocol
- Dynamic ARP: Automatically resolves an IP address to a MAC address by sending an ARP request and receiving an ARP reply.
- Static ARP: Manually configured mapping of an IP address to a MAC address that does not expire or change automatically.
- Proxy ARP: A router responds to ARP requests on behalf of another device not directly accessible in the same subnet.
- Gratuitous ARP: A device sends an ARP message to announce its IP-to-MAC mapping to the network, often used to refresh ARP tables or detect IP conflicts, even when no ARP request is sent.
- Inverse ARP (InARP): Resolves a MAC address to an IP address. InARP is used in Frame Relay and ATM networks where MAC addresses are already known, but IP addresses need to be discovered.
| Type of ARP | Definition | Operation | Use Case | Security Considerations | Caching |
|---|---|---|---|---|---|
| Dynamic ARP | Automatically resolves IP-to-MAC addresses via ARP broadcasts. | Sends an ARP request and receives an ARP reply. Updates the ARP cache. | General IP-to-MAC resolution in local networks. | Vulnerable to ARP spoofing/poisoning. | ARP cache stores mappings temporarily (TTL). |
| Static ARP | Manually configured IP-to-MAC mappings that don’t expire. | Static IP-MAC mappings are configured manually; no ARP request/reply. | Used in secure or controlled environments. | More secure as it prevents ARP spoofing. | Permanent mapping until manually changed. |
| Proxy ARP | A router responds to ARP requests for devices in other subnets. | The router replies to ARP requests on behalf of devices in another subnet. | When devices in different subnets need to communicate. | Can create security risks if misconfigured. | Do not use a traditional ARP cache; it depends on the router’s table. |
| Gratuitous ARP | A device announces its IP-to-MAC mapping without being prompted. | Sends an ARP request/reply with the sender and target IP as the same address. | Used to resolve IP conflicts or refresh caches. | It can be misused for IP conflicts or spoofing. | Updates the ARP cache of all devices on the network. |
| Inverse ARP (InARP) | Resolves MAC addresses to IP address in non-Ethernet networks. | Sends an InARP request to map a known MAC address to an IP address. | Used in Frame Relay, ATM, and similar networks. | Not as widely used; security concerns depend on the network. | ARP cache updates with the IP from the InARP reply. |
What is ARP Cache Poisoning?
ARP Poisoning or ARP Cache Spoofing is a type of cyber attack that manipulates the ARP cache of a device on the network by sending fraudulent ARP replies, causing the device to associate an incorrect MAC address with an IP address. This attack is possible because the ARP protocol itself has no built-in security mechanisms to authenticate the sender of ARP requests or replies.
In simpler terms, ARP poisoning occurs when an attacker sends false ARP messages over the network to trick a device (or multiple devices) into believing that the attacker's MAC address is associated with the IP address of another device (such as a router or another computer). Once this happens, the attacker can intercept, modify, or block network traffic causing security threats.
ARP Cache Spoofing: The Attack Process
- The attacker, often on the same local network, sends a fake ARP reply to Device A.
- This fake reply claims that the attacker’s MAC address is associated with the IP address of Device B (the target).
- Device A updates its ARP cache, thinking that the attacker's MAC address is the correct one for Device B's IP address.
- Now, when Device A tries to send data to Device B, the traffic is instead sent to the attacker.
ARP Poisoning: The Impact
- Man-in-the-Middle (MitM) Attack: The attacker can intercept the communication between Device A and Device B, allowing them to eavesdrop, modify, or even inject malicious data.
- Denial of Service (DoS): The attacker can also cause a DoS by dropping or blocking the intercepted packets, effectively preventing communication between devices.
- Traffic Redirecting: In more sophisticated attacks, the attacker may redirect traffic to external malicious servers (e.g., redirecting all traffic from a device to a fake gateway).
- VLAN Hopping: ARP poisoning can be combined with VLAN hopping to extend the attack across VLAN boundaries.
ARP Poisoning Vulnerabilities:
- No Authentication in ARP: Since the ARP protocol lacks an authentication or validation mechanism, any device on the same network can send an ARP reply, including malicious devices.
- Easily Targeted: Devices with incorrect ARP mappings (caused by spoofing) will unknowingly send data to the attacker, leading to malicious movements.
Mitigation Measures Against ARP Poisoning
- Static ARP Entries: Manually configuring ARP mappings on devices ensures that ARP tables can’t be altered by spoofing. However, this approach is not scalable in large networks.
- ARP Spoofing Detection Tools: Network administrators can use tools like ARPwatch, XArp, or Snort to monitor and detect unusual ARP activity or changes in ARP tables.
- Dynamic ARP Inspection (DAI): Managed switches support DAI, which can verify ARP packets based on known, trusted IP-to-MAC bindings, ensuring that only valid ARP replies are accepted.
- IPSec/TLS Encryption: Encrypting the traffic between devices using protocols like IPSec or TLS prevents an attacker from easily reading or modifying intercepted data.
- Segmentation and VLANs: Network segmentation through VLANs can help limit the ARP broadcast domain and reduce the attack surface available to an attacker attempting ARP cache spoofing.
- Using HTTPS for Communication: Secure web traffic (HTTPS) and other encrypted communication protocols (like SSH) can protect data integrity even if an attacker intercepts it.
Closing Notes
The ARP is essential for efficient local network communication. ARP is a vital protocol for resolving IP addresses to MAC addresses. It improves network efficiency by caching these mappings and reducing the need for repeated ARP requests. Although ARP operates in a simple, connectionless manner, it plays a fundamental role in ensuring seamless data transmission between devices on a subnet.
Amusing Tech Chronicles
Facts and Anecdotes Related to this Edition of Wireless By Design
The Bus System
Imagine you’re in a city and need a bus to take you to a specific location. But you only know the destination (IP address). ARP protocol works like calling a dispatcher to connect the destination to a specific bus(MAC address). You tell the dispatcher, “I need a ride to 123 Elm Street”. The dispatcher then tells you the bus number (the MAC address).
The Library
Let’s say you want to borrow a book from the library. You know the book title (IP address), but to find the book, you need to know the shelf location (MAC address). You ask the librarian (ARP), “Where can I find the book on 'Architecting the Internet of Things"?. The librarian tells you the shelf number (the MAC address) and now you can go to that shelf and grab the book.
The Phonebook
Think of your local phonebook(ARP protocol). You know someone’s name (IP address), but you don’t know their phone number (MAC address). Here you opt for a phonebook service. It helps you connect the name (IP) to the phone number (MAC). Now, you can make the call (send the data) to that phone number.
Go Beyond and Explore
How does DHCP impact ARP in IoT networks and how does it make ARP more efficient?
Comparison of ARP with Other Communication Protocols
DNS is a network service that translates human-readable domain names (like "google.com") into IP addresses. This allows users to access websites and services using easy-to-remember names instead of numerical IP addresses.
NDP (Neighbor Discovery Protocol)NDP is a protocol used in IPv6 networks to perform tasks similar to ARP in IPv4. It resolves IPv6 addresses to MAC addresses and handles other functions like duplicate address detection, router discovery, and neighbor unreachability detection. Unlike ARP, NDP includes built-in security features through the Secure Neighbor Discovery (SeND) protocol.
Is ARP connectionless?
Author
Drishya Manohar
Sr. Associate - Content Marketing
