Network Basics: The ARP Protocol

ARP sits at the second layer of the seven-layer OSI model, the data link layer, where addressing is done with MAC addresses. A MAC address is the hardware address of a network interface: a 48-bit value that identifies an Ethernet (or Token Ring, now rarely encountered) interface. Any delivery needs an address, and at the hardware level the MAC address is that address: before a frame can be sent, the destination hardware address must be known.
In short, an Ethernet host that wants to send a frame must know the other party's Ethernet (MAC) address. Usually it knows only the IP address, so it calls on ARP to translate the IP address into a MAC address.
ARP works only within a single local network (one broadcast domain): its requests are link-layer broadcasts and routers do not forward them.

So ARP's job is to resolve IP addresses to MAC addresses.

The TCP/IP stack encapsulates from the upper layers down. Layer 3 needs the destination IP address and layer 2 needs the destination MAC address. The destination IP comes from the user, the application or DNS resolution; the destination MAC comes from ARP resolution.

Let's look at how ARP resolves a MAC address. Suppose an upper layer hands down a packet and the destination IP address is already known. The data link layer now needs the destination MAC address, but the host has no mapping from that IP to a MAC, so encapsulation cannot finish yet. Instead the host first sends a broadcast, the ARP Request: the source MAC is the initiator's MAC and the destination MAC is ff:ff:ff:ff:ff:ff (all hosts on the segment). Every device that receives the broadcast unpacks the ARP Request and reads the target IP address being resolved. There are two outcomes. A host that finds the target IP is not its own simply ignores the request. The device that owns the target IP answers with an ARP Reply, sent unicast, in which the source MAC is the MAC of the resolved device and the destination MAC is the MAC of the initiator. On receiving the ARP Reply, the initiator adds the IP-to-MAC mapping to its ARP table, then completes the pending encapsulation with the correct destination MAC and sends the frame.
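The exchange just described, as an added example that is not part of the original article: the ARP packet is encoded and decoded in its RFC 826 wire format (Ethernet/IPv4, 28 bytes), a requester broadcasts on a simulated segment, the owner of the target IP replies unicast, and the requester's cache is updated. All MAC and IP addresses are constructed for the demonstration.

```python
"""Added example (not from the original article): encode and decode ARP
packets in their RFC 826 wire format and replay the request/reply exchange
between simulated hosts. MAC and IP addresses below are constructed."""
import struct
from typing import Dict, Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# RFC 826 header: hardware type, protocol type, hw addr len, proto addr len, opcode
ARP_HEADER = struct.Struct("!HHBBH")


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Return a 28-byte ARP payload for Ethernet (htype 1) carrying IPv4 (ptype 0x0800)."""
    return (ARP_HEADER.pack(1, 0x0800, 6, 4, opcode)
            + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP payload; raise ValueError for anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op = ARP_HEADER.unpack_from(payload, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {
        "op": op,
        "sender_mac": bytes_to_mac(payload[8:14]),
        "sender_ip": bytes_to_ip(payload[14:18]),
        "target_mac": bytes_to_mac(payload[18:24]),
        "target_ip": bytes_to_ip(payload[24:28]),
    }


class Host:
    """A host with one interface and an ARP cache (IP -> MAC)."""

    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip
        self.arp_cache: Dict[str, str] = {}

    def make_request(self, target_ip: str) -> bytes:
        # The target MAC is unknown, so it is sent as all zeros; the Ethernet frame
        # itself would be addressed to ff:ff:ff:ff:ff:ff so every host sees it.
        return build_arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", target_ip)

    def receive(self, payload: bytes) -> Optional[bytes]:
        """Process one ARP packet; return a reply payload if this host owes one."""
        pkt = parse_arp(payload)
        if pkt["op"] == ARP_REQUEST and pkt["target_ip"] == self.ip:
            # The requester included its own mapping, so learn it while replying.
            self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == ARP_REPLY and pkt["target_mac"] == self.mac:
            self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]
        return None  # not addressed to us: ignore


def resolve(requester: Host, target_ip: str, segment: list) -> Optional[str]:
    """Broadcast a request on `segment`; return the resolved MAC, or None if nobody answers."""
    request = requester.make_request(target_ip)
    for host in segment:
        if host is requester:
            continue
        reply = host.receive(request)   # every host on the segment unpacks the broadcast
        if reply is not None:
            requester.receive(reply)    # the reply comes back unicast to the requester
    return requester.arp_cache.get(target_ip)


if __name__ == "__main__":
    a = Host("02:00:00:00:00:0a", "192.0.2.10")
    b = Host("02:00:00:00:00:0b", "192.0.2.11")
    c = Host("02:00:00:00:00:0c", "192.0.2.12")
    print(resolve(a, "192.0.2.11", [a, b, c]))   # 02:00:00:00:00:0b
    print(resolve(a, "192.0.2.99", [a, b, c]))   # None: no such host on the segment
```

Note that host c, which receives the broadcast but does not own the target IP, neither replies nor learns anything: RFC 826 only has a receiver update an entry for the sender if that entry already exists.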

Let's look at what ARP does while a TCP connection is being set up. This time the far end may sit behind a router.
When an application submits a request through its interface, a TCP connection must be established, which needs the three-way handshake. When TCP's first SYN reaches the IP layer, the IP layer looks up the routing table. There are two cases:
1) If the destination IP is on the same network segment as the host, look in the ARP cache. If the cache holds a MAC address for that IP, take it, encapsulate and send. If not, ARP goes to work (the TCP SYN is queued first): broadcast an ARP Request for the destination IP's MAC; when the ARP Reply arrives, store the <IP address, MAC address> pair from the reply in the local ARP cache, then encapsulate the queued SYN and send it.
2) If the destination IP is not on the same segment, the packet must be sent to the default gateway, so it is the gateway's MAC address that is needed. Again the ARP cache is consulted: if it holds the gateway's MAC, the packet is handed to the network interface, which encapsulates and forwards it. If not, an ARP Request is broadcast for the gateway's MAC; when the reply arrives, cache the <gateway address, MAC address> pair, then encapsulate the TCP SYN and forward it. The destination IP in the packet is still the far host's; only the destination MAC is the gateway's.

ARP cache
The ARP cache is consulted by the IP layer. If an ARP request were sent for every TCP connection, efficiency would suffer, so hosts, switches and routers all keep an ARP cache. When a connection is established the cache is queried first; if a valid entry exists, its contents are used directly to build the layer 2 frame, and only when there is no valid entry does the ARP request/reply exchange run to obtain the MAC address.
The ARP cache is a buffer that stores IP-to-MAC correspondences, essentially a table of <IP address, MAC address> pairs. Each entry records the IP address and matching MAC address of one host on the network. Each Ethernet or Token Ring adapter has its own separate table.
When ARP is asked for the MAC address of a node whose IP address is known, it first checks the cache. If an entry exists, the MAC address is returned directly; if not, an ARP request is sent on the local network.
The ARP cache contains dynamic and static entries:
Dynamic entries are added automatically and deleted over time. Each dynamic entry has a TTL (time to live); when the TTL reaches 0 the entry is removed from the table. On Windows the TTL is generally no more than 10 minutes; exact timers vary by operating system and version, and entries that are still being used are refreshed rather than dropped.
Static entries are permanent and are added and removed manually with TCP/IP tools (for example arp -s). They are used to stop a node from sending ARP requests for frequently used local IPv4 addresses, such as those of routers and servers. Because a static entry is not overwritten by received ARP packets, it also protects that address against ARP spoofing on the host that holds it.

ARP aging mechanism
Dynamic ARP means the device learns from ARP packets and refreshes the IP-to-MAC mapping by itself, without the network administrator maintaining it by hand.
If a mapping in the ARP table has not been used for a period of time, it is deleted. This dynamic ARP aging mechanism is how the system removes ARP entries automatically: entries that are rarely used are cleaned out in time, saving space in the ARP table and speeding up the table lookup the device performs before sending each packet.
As this use of the cache shows, the ARP cache reduces broadcasts and therefore network traffic, improving communication efficiency between computers. It also carries a security risk (see gratuitous ARP below).
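As an added example that is not part of the original article, the following ties together the TCP SYN procedure above (same-segment destination versus default gateway, with the SYN queued until the next hop is resolved) and the cache behaviour described in this section (dynamic entries with a TTL, static entries that never age, and an aging sweep). The addresses, the 60-second TTL and the queueing model are assumptions for the demonstration, not any particular operating system's implementation.

```python
"""Added example (not from the original article): an ARP cache with dynamic
entries that age out, static entries that never do, and the next-hop decision
made before a TCP SYN can be framed. Addresses, timers and the queued-packet
handling are assumptions, not any particular OS's implementation."""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ArpEntry:
    mac: str
    expires: Optional[float]   # None means static (never aged out)


@dataclass
class ArpCache:
    ttl: float = 60.0          # lifetime of a dynamic entry in seconds (assumed value)
    entries: Dict[str, ArpEntry] = field(default_factory=dict)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        e = self.entries.get(ip)
        if e is None:
            return None
        if e.expires is not None and e.expires <= now:
            del self.entries[ip]             # aged out: treat as a miss
            return None
        return e.mac

    def learn(self, ip: str, mac: str, now: float) -> None:
        """Dynamic entry from an ARP reply; a static entry is never overwritten."""
        cur = self.entries.get(ip)
        if cur is not None and cur.expires is None:
            return
        self.entries[ip] = ArpEntry(mac, now + self.ttl)

    def add_static(self, ip: str, mac: str) -> None:
        self.entries[ip] = ArpEntry(mac, None)

    def age(self, now: float) -> List[str]:
        """Sweep expired dynamic entries; return the IPs that were removed."""
        expired = [ip for ip, e in self.entries.items()
                   if e.expires is not None and e.expires <= now]
        for ip in expired:
            del self.entries[ip]
        return expired


@dataclass
class Sender:
    ip: str
    prefix: str              # the host's own subnet, e.g. "192.0.2.0/24"
    gateway: str
    cache: ArpCache = field(default_factory=ArpCache)
    pending: Dict[str, List[bytes]] = field(default_factory=dict)  # next hop -> queued packets
    requests: List[str] = field(default_factory=list)              # ARP requests sent so far

    def next_hop(self, dst_ip: str) -> str:
        """Same subnet: resolve the destination itself; otherwise the default gateway."""
        net = ipaddress.ip_network(self.prefix, strict=False)
        return dst_ip if ipaddress.ip_address(dst_ip) in net else self.gateway

    def send(self, dst_ip: str, packet: bytes, now: float) -> Optional[Tuple[str, bytes]]:
        """Return (dst_mac, packet) if the frame can be built now, or None if the
        packet is queued behind an ARP request for the next hop."""
        hop = self.next_hop(dst_ip)
        mac = self.cache.lookup(hop, now)
        if mac is not None:
            return mac, packet
        if hop not in self.pending:          # one outstanding request per unresolved hop
            self.requests.append(hop)
        self.pending.setdefault(hop, []).append(packet)
        return None

    def on_reply(self, ip: str, mac: str, now: float) -> List[Tuple[str, bytes]]:
        """Learn the mapping and release every packet that was waiting on it."""
        self.cache.learn(ip, mac, now)
        return [(mac, p) for p in self.pending.pop(ip, [])]


if __name__ == "__main__":
    s = Sender("192.0.2.10", "192.0.2.0/24", "192.0.2.1")
    t0 = time.time()
    print(s.send("192.0.2.11", b"SYN to 192.0.2.11", t0))      # None: queued, request sent
    print(s.on_reply("192.0.2.11", "02:00:00:00:00:0b", t0))    # SYN released with the MAC
    print(s.send("198.51.100.5", b"SYN to 198.51.100.5", t0))   # None: gateway MAC needed
    print(s.requests)                                            # ['192.0.2.11', '192.0.2.1']
    print(s.cache.age(t0 + 120))                                 # ['192.0.2.11'] aged out
```

The off-subnet case shows the point made in step 2: the packet to 198.51.100.5 causes an ARP request for 192.0.2.1, the gateway, never for 198.51.100.5 itself.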

Gratuitous ARP
Gratuitous ARP (rendered "free ARP" in some translations) is an ARP packet in which a host asks for its own IP address. It is usually sent when an interface is configured during system boot.
The difference from a standard ARP request is that the target IP address field carries the sender's own IP address: the host is asking the network it is on for the MAC address of its own IP.
What can gratuitous ARP do?
  1) A host can use it to check whether another host already has the same IP address. Normally a gratuitous ARP request gets no reply; if a reply does arrive, another host on the network has the same IP address and an address conflict has occurred.
  2) Update the stale hardware address in other hosts' caches.
  If the host sending the gratuitous ARP has just changed its hardware address, for example after replacing the interface card, other hosts that receive the request find that they already have an entry for that IP address but with a different MAC, and update their local cache entry from the received request.
  3) Gateways use gratuitous ARP to counter ARP attacks.
  Some gateway devices periodically send gratuitous ARP messages into the network so that other hosts keep refreshing the gateway's MAC address in their ARP entries, which prevents, or at least shortens, the effect of ARP spoofing against the gateway address.

Gratuitous ARP security risks
The ARP protocol keeps no state: a host does not accept ARP replies only in response to requests it has sent. Whenever it receives an ARP reply, it uses the sender IP and MAC addresses in that reply to update its local ARP cache (most modern stacks will not create a brand-new entry from an unsolicited reply, but they will update an existing one, which is all an attacker needs).
An attacker can therefore construct a forged gratuitous ARP reply whose sender IP is a victim's address (typically the gateway's) and whose sender MAC is a wrong one, either the attacker's own MAC or a non-existent one, and send it onto the network. Every host that accepts the reply rewrites the MAC in its ARP entry for that IP address. From then on those hosts frame their packets for that IP to the wrong MAC: to the attacker, who can intercept and relay the traffic as a man in the middle, or to nowhere, which simply cuts the victim off. This is ARP spoofing.

Proxy ARP
Proxy ARP lets one device (usually a router) answer ARP requests on behalf of another device, giving its own MAC address as the answer.
Why is proxy ARP needed?
One important function of a router is to confine a LAN's broadcast packets to that LAN and stop them spreading; otherwise a broadcast storm can result.
An ARP request is a broadcast. If the device it is looking for is on the same LAN, a reply comes back. But what if the target is not on the same LAN? Proxy ARP on the router provides a solution.
Suppose hosts A and B are configured as if they were on the same network segment but actually sit on different physical segments (broadcast domains) joined by a router. When host A broadcasts an ARP request for host B's MAC address, the request gets no further than the router, because routers do not forward broadcasts. If proxy ARP is enabled on the router and the router knows that host B is reachable through another of its interfaces, it answers host A with the MAC address of its own interface in place of host B's. Host A accepts the reply without knowing that proxy ARP was involved; its traffic for B is framed to the router, which routes it on.
Proxy ARP allows a router to be added without changing hosts' routing tables, making the subnetting transparent to the hosts. It is generally used on networks whose hosts have no default gateway configured or no routing configuration at all. Its disadvantages follow from how it works: it is in effect a sanctioned form of ARP spoofing; the proxy ARP function on the router between two physical networks hides each physical network from the other, so the real topology cannot be seen from either side; and it increases ARP traffic on the networks that use it, while hosts need more ARP cache space.
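The decision the router makes in that scenario, as an added example that is not from the original article. It works on already-parsed ARP requests rather than raw frames and uses only connected routes; the interfaces, addresses and the "host A has a /16 mask while the router uses /24 subnets" setup are assumptions for the demonstration.

```python
"""Added example (not from the original article): the proxy ARP decision a
router makes on receiving an ARP request. Interfaces, addresses and the
routing table are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    mac: str
    ip: str
    prefix: str            # subnet directly attached to this interface
    proxy_arp: bool = False


class Router:
    def __init__(self, interfaces: List[Interface]):
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        # connected routes only: (network, egress interface name)
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = [
            (ipaddress.ip_network(i.prefix, strict=False), i.name) for i in interfaces
        ]

    def route(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match over the connected routes; None if unreachable."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, name) for net, name in self.routes if addr in net]
        return max(matches)[1] if matches else None

    def on_arp_request(self, in_iface: str, sender_ip: str,
                       target_ip: str) -> Optional[Tuple[str, str]]:
        """Return (reply_mac, reply_ip) the router would send, or None to stay silent."""
        iface = self.ifaces[in_iface]
        if target_ip == iface.ip:
            return iface.mac, target_ip          # ordinary ARP for the router's own address
        if not iface.proxy_arp:
            return None
        egress = self.route(target_ip)
        if egress is None or egress == in_iface:
            # Unreachable, or on the requester's own segment: let the real owner answer.
            return None
        # The target lives behind another interface: answer with *this* interface's
        # MAC so the requester frames its traffic to the router without knowing it.
        return iface.mac, target_ip


if __name__ == "__main__":
    r = Router([
        Interface("eth0", "02:00:00:00:01:00", "10.0.0.1", "10.0.0.0/24", proxy_arp=True),
        Interface("eth1", "02:00:00:00:02:00", "10.0.1.1", "10.0.1.0/24"),
    ])
    # Host A (10.0.0.5, configured with a /16 mask) believes 10.0.1.5 is local and ARPs for it.
    print(r.on_arp_request("eth0", "10.0.0.5", "10.0.1.5"))   # ('02:00:00:00:01:00', '10.0.1.5')
    print(r.on_arp_request("eth0", "10.0.0.5", "10.0.0.7"))   # None: 10.0.0.7 answers itself
    print(r.on_arp_request("eth0", "10.0.0.5", "10.0.0.1"))   # ('02:00:00:00:01:00', '10.0.0.1')
    print(r.on_arp_request("eth1", "10.0.1.5", "10.0.0.5"))   # None: proxy ARP is off on eth1
```

The last call shows why proxy ARP is usually enabled per interface: with it off on eth1, host B cannot reach A the same way, and the asymmetry is exactly the hidden-topology problem the text mentions.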

ARP security
ARP is simple and easy to use, but because it has no security mechanism of any kind it is easily abused by attackers. Common ARP attacks on a network include:
ARP flooding, a denial-of-service (DoS) attack, with two main scenarios:
1) A device spends system resources processing ARP packets and maintaining ARP entries, and to keep ARP lookups fast it limits the size of its ARP table. An attacker exploits this by forging large numbers of ARP packets with constantly changing source IP addresses, so that the device's ARP table is exhausted by useless entries; legitimate users' ARP packets can no longer create entries and their communication is interrupted.
2) An attacker scanning hosts on the segment, or scanning across segments, sends the device a flood of IP packets whose destination IP addresses have not been resolved. The device raises a large number of ARP Miss events, creates and installs many temporary ARP entries, and broadcasts many ARP requests to resolve the targets, overloading the CPU.
ARP spoofing: an attacker sends forged ARP packets to maliciously modify the ARP entries of the device or of other users' hosts in the network, disrupting communication between users and the network.

ARP security measures
Products from different vendors differ in features and configuration, but the usual ways to harden ARP are:
ARP packet rate limiting; ARP Miss message rate limiting; dropping gratuitous ARP packets; optimised ARP replies; ARP entry limits; ARP entry fixing (locking a learned binding so it cannot be changed by later ARP packets); dynamic ARP inspection; gateway anti-conflict (dropping ARP packets from user ports that claim the gateway's IP address); MAC address consistency checks between the Ethernet header and the ARP payload; and so on.
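As an added example that is not part of the original article, the following switch-side inspector applies several of the measures just listed (per-port rate limit, MAC consistency check, gateway anti-conflict, ARP entry limit, refusal to learn from unsolicited replies, and binding-change detection) to a constructed sequence of ARP packets that includes the forged gratuitous reply described in the previous section. Port names, thresholds and addresses are assumptions for the demonstration; the packets are constructed, not captured. Real dynamic ARP inspection validates against a DHCP snooping binding table, whereas this example trusts the first binding it sees, so a legitimate NIC replacement would also be flagged.

```python
"""Added example (not from the original article): a switch-side ARP inspector
applying rate limiting, MAC consistency, gateway anti-conflict, entry limits
and binding-change detection to constructed ARP packets."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPkt:
    t: float            # arrival time in seconds
    port: str           # switch port the packet arrived on
    eth_src: str        # Ethernet source MAC of the frame
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpInspector:
    def __init__(self, gateway_ip: str, gateway_mac: str, trusted_ports: set,
                 rate_limit: int = 5, window: float = 1.0, table_limit: int = 3):
        self.gateway_ip, self.gateway_mac = gateway_ip, gateway_mac
        self.trusted = trusted_ports
        self.rate_limit, self.window, self.table_limit = rate_limit, window, table_limit
        self.bindings: Dict[str, str] = {gateway_ip: gateway_mac}   # IP -> MAC learned so far
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)  # per-port arrival times
        self.alerts: List[str] = []

    def inspect(self, p: ArpPkt) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one ARP packet."""
        if p.port in self.trusted:
            self.bindings[p.sender_ip] = p.sender_mac
            return "forward", "trusted port"

        # 1. Per-port ARP rate limit: stop bursts before they reach the CPU or the table.
        q = self.recent[p.port]
        q.append(p.t)
        while q and q[0] <= p.t - self.window:
            q.popleft()
        if len(q) > self.rate_limit:
            return "drop", "rate limit exceeded"

        # 2. MAC consistency: the ARP sender MAC must match the frame's source MAC.
        if p.eth_src != p.sender_mac:
            self.alerts.append(f"{p.port}: frame src {p.eth_src} != ARP sender {p.sender_mac}")
            return "drop", "mac consistency"

        # 3. Gateway anti-conflict: nobody on an untrusted port may claim the gateway IP.
        if p.sender_ip == self.gateway_ip and p.sender_mac != self.gateway_mac:
            self.alerts.append(f"{p.port}: {p.sender_mac} claims gateway {self.gateway_ip}")
            return "drop", "gateway conflict"

        known = self.bindings.get(p.sender_ip)
        if known is None:
            # 4. Unsolicited replies never create entries; only requests can.
            if p.op == ARP_REPLY:
                return "drop", "unsolicited reply for unknown ip"
            # 5. Entry limit: refuse new entries once the table is full (ARP flood).
            if len(self.bindings) >= self.table_limit:
                self.alerts.append(f"{p.port}: table full, not learning {p.sender_ip}")
                return "drop", "table full"
            self.bindings[p.sender_ip] = p.sender_mac
        elif known != p.sender_mac:
            # 6. Binding change: a known IP now claims a different MAC (possible spoof).
            self.alerts.append(f"{p.port}: {p.sender_ip} changed {known} -> {p.sender_mac}")
            return "drop", "binding changed"
        return "forward", "ok"


if __name__ == "__main__":
    GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
    insp = ArpInspector(GW_IP, GW_MAC, trusted_ports={"Gi0/24"})
    # Host A on Gi0/1 resolves the gateway normally.
    print(insp.inspect(ArpPkt(0.0, "Gi0/1", "02:00:00:00:00:0a", ARP_REQUEST,
                              "02:00:00:00:00:0a", "192.0.2.10", GW_IP)))
    # Host B on Gi0/2 sends the forged gratuitous reply: "192.0.2.1 is at my MAC".
    print(insp.inspect(ArpPkt(0.1, "Gi0/2", "02:00:00:00:00:0b", ARP_REPLY,
                              "02:00:00:00:00:0b", GW_IP, GW_IP)))
    print(insp.alerts)
```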

"Spec of ARP full" case
This case is for reference only.
Equipment: Huawei NE05E-SE router;
Phenomenon: during routine inspection, the alarm "Spec of ARP full" was found.
After searching the documentation, I learned that ARP entries are limited by hardware specifications. If the ARP table is full, the MAC addresses of new devices cannot be registered, IP-to-MAC resolution cannot be provided for them, and their network communication fails.
What needs to be considered is that, if these ARP entries are all genuine and the ARP table size cannot be increased through software, the only remaining option is a hardware replacement.
In this case, the router's current version supports 1055 ARP entries (the device's ARP and ND specifications are shared), which can be set with the command "set arp specification {1055 | 8192}": with ARP alone the specification is 8192, and with ND alone it is 1055.

RARP (Reverse ARP)
When a system boots from a local disk, it normally reads its IP address from a configuration file on that disk. A diskless machine, such as a diskless workstation, needs some other way to obtain its IP address.
Every system on the network has a unique hardware address, set by the network interface manufacturer. A diskless system reads that hardware address from its interface card and sends a RARP request (a single frame on the network) asking a server for the IP address that belongs to that hardware address.
The complexity of RARP is on the server side. The server generally provides hardware-to-IP address mappings for many hosts. To complicate matters further, RARP requests are carried in a distinct Ethernet frame type (EtherType 0x8035, whereas ARP uses 0x0806), so the RARP server must be able to send and receive that frame type.
Many diskless systems use RARP to obtain an IP address at boot. RARP requests are broadcast at the hardware layer, so routers do not forward them, and a RARP server is needed on every network (every cable). To let diskless systems boot even when one RARP server is down, it is common to provide several RARP servers on a network. Today RARP has largely been superseded by BOOTP and DHCP, which are carried over IP/UDP and can cross routers with the help of relay agents.

Origin blog.51cto.com/12221408/2486751