Address Resolution Protocol, or ARP (Address Resolution Protocol), is a TCP/IP protocol that obtains physical addresses based on IP addresses. When the host sends information, it broadcasts the ARP request containing the target IP address to all hosts on the network, and receives the return message to determine the physical address of the target; after receiving the return message, the IP address and physical address are stored in the local ARP The cache is kept for a certain period of time, and the ARP cache is directly queried for the next request to save resources. The address resolution protocol is based on the mutual trust of each host in the network. The hosts on the network can send ARP reply messages independently. When other hosts receive the reply message, they will not detect the authenticity of the message and record it. Enter the local ARP cache; thus the attacker can send a fake ARP reply message to a certain host, so that the information sent cannot reach the expected host or reach the wrong host, which constitutes an ARP spoofing. ARP commands can be used to query the correspondence between IP addresses and MAC addresses in the local ARP cache, and to add or delete static correspondences. Related protocols are RARP and proxy ARP. NDP is used to replace the Address Resolution Protocol in IPv6.
principle
work process
The IP address of host A is 192.168.1.1, and the MAC address is 0A-11-22-33-44-01;
The IP address of host B is 192.168.1.2, and the MAC address is 0A-11-22-33-44-02;
When host A wants to communicate with host B, the address resolution protocol can resolve the IP address (192.168.1.2) of host B into the MAC address of host B. The following is the workflow:
Step 1: According to the routing table content on host A, IP determines that the forwarding IP address used to access host B is 192.168.1.2. Host A then checks the matching MAC address of host B in its own local ARP cache.
Step 2: If host A does not find a mapping in the ARP cache, it will ask for the hardware address of 192.168.1.2, thus broadcasting the ARP request frame to all hosts on the local network. Both the IP address and MAC address of source host A are included in the ARP request. Each host on the local network receives the ARP request and checks to see if it matches its own IP address. If the host finds that the requested IP address does not match its own, it will drop the ARP request.
Step 3: Host B determines that the IP address in the ARP request matches its own IP address, and then adds the IP address and MAC address mapping of host A to the local ARP cache.
Step 4: Host B sends an ARP reply message containing its MAC address directly back to Host A.
Step 5: When host A receives the ARP reply message from host B, it will update the ARP cache with the IP and MAC address mapping of host B. The native cache has a lifetime. After the lifetime expires, the above process will be repeated again. Once the MAC address of host B is determined, host A can send IP traffic to host B.
Working elements: ARP cache
The ARP cache is a buffer used to store IP addresses and MAC addresses. Its essence is a corresponding table of IP addresses --> MAC addresses. Each entry in the table records the IP addresses and corresponding MAC addresses of other hosts on the network. . Each Ethernet or Token Ring network adapter has its own separate table. When the address resolution protocol is inquired about the MAC address of a node with a known IP address, it first checks it in the ARP cache. If it exists, it directly returns the corresponding MAC address. If it does not exist, it sends an ARP request to the local area network to query.
To minimize broadcast volume, ARP maintains a cache of IP-to-MAC address mappings for future use. The ARP cache can contain both dynamic and static items. Dynamic items are automatically added and removed over time. The potential lifetime of each dynamic ARP cache entry is 10 minutes. Items newly added to the cache are timestamped, if an item is not used within 2 minutes after it is added, the item expires and is removed from the ARP cache; if an item is already in use, another 2 minutes are received ; if an item is always in use, it receives an additional 2 minute lifetime, up to a maximum lifetime of 10 minutes. Static items remain in the cache until the computer is restarted.
The Address Resolution Protocol is an essential protocol in IPv4, but the Address Resolution Protocol will no longer exist in IPv6. In IPv6, the function of address resolution protocol will be implemented by NDP (Neighbor Discovery Protocol), which uses a series of IPv6 control information packets (ICMPv6) to realize the interactive management of adjacent nodes (nodes on the same link). , and maintain the mapping between network layer addresses and data link layer addresses in a subnet. There are five types of information defined in the Neighbor Discovery Protocol: Router Advertisement, Router Solicitation, Route Redirection, Neighbor Solicitation, and Neighbor Advertisement. Compared with ARP, NDP can realize router discovery, prefix discovery, parameter discovery, address automatic configuration, address resolution (instead of ARP and RARP), next hop determination, neighbor unreachable detection, duplicate address detection, redirection and more functions .
The difference between NDP and ARP
The address resolution protocol in IPv4 is an independent protocol, responsible for the conversion of IP addresses to MAC addresses, and different address resolution protocols should be defined for different data link layer protocols. NDP in IPv6 includes the function of ARP, and runs on the Internet Control Information Protocol ICMPv6, which is more general, includes more content, and is applicable to various data link layer protocols;
Address Resolution Protocol and ICMPv4 Router Discovery and ICMPv4 Redirect messages are broadcast based, while NDP Neighbor Discovery messages are based on efficient multicast and unicast
1. How ARP works
As mentioned earlier, the ARP protocol is used to resolve the MAC address of the node's IP address, and then communicate within the local area network. For example, to connect to a certain host, you can enter its IP address in the browser or running window. However, there is no network layer in the local area network, and the host device in the network cannot recognize the IP address, but only the MAC address, so you need to ARP protocol to convert. The basic function of the ARP protocol is to query the MAC address of the target node through the IP address of the target node in the data packet, so as to send the data packet to the target device.
The basic working principle of ARP is as follows:
(1) Each host will establish an ARP list in its own ARP cache area (ARP Cache) according to the previous communication with other nodes in the network to indicate the corresponding relationship between the IP address and the MAC address of the node in the network.
[Explanation] The ARP cache table adopts an aging mechanism. If a row in the table is not used for a period of time (the time for Windows systems is 2 minutes, and the time for Cisco routers is 5 minutes), it will be deleted. It can greatly reduce the length of the ARP cache table and speed up the query.
(2) When the source node needs to send a data packet to the target node, it will first check whether there is a MAC address corresponding to the IP address of the target node contained in the packet in its ARP list. If so, send the data packet directly to the node with this MAC address; if not, send an ARP request broadcast packet to the local network segment to query the MAC address corresponding to the target node with this IP address. The ARP request packet includes the IP address of the source node, the hardware address, and the IP address of the target node.
(3) After receiving this ARP request, all nodes in the network will check whether the target IP address in the data packet is consistent with their own IP address. If they are not the same, ignore the data packet; if they are the same, the node first adds the corresponding entries of the source's MAC address and IP address to its own ARP list. If it is found that the MAC address entry information corresponding to the IP address already exists in the ARP table, it will overwrite it, and then send an ARP response packet to the source node, telling the other party that it is the MAC address node it needs to find.
(4) After the source node receives the ARP response data packet, it adds the corresponding entries of the IP address and MAC address of the target node to its own ARP list, and uses this information to start data transmission. If the source node has not received the ARP response packet, it means that the ARP query fails.
2. How RARP works
The ARP protocol finds its corresponding MAC address based on the IP address, while RARP finds its corresponding IP address based on the MAC address, so it is called "reverse ARP". When a system with a local disk is booted, the IP address is generally read from the configuration file on the disk, and then the ARP protocol can be used to directly find out the corresponding host MAC address. However, a diskless machine, such as an X terminal or a diskless workstation, is addressed through the MAC address when it is started, and then the IP address needs to be obtained through the RARP protocol.
The basic working principle of RARP is as follows:
(1) The sender sends a local RARP broadcast packet, declares its own MAC address in the broadcast packet, and requests any RARP server that receives this request to assign an IP address.
(2) After receiving the request, the RARP server on the local network segment checks its RARP list to find the IP address corresponding to the MAC address. If it exists, the RARP server sends a response packet to the source host and provides the IP address to the other host; if it does not exist, the RARP server does not respond to it.
(3) After receiving the response information from the RARP server, the source uses the obtained IP address to communicate; if it has not received the response information from the RARP server, it means that the initialization fails.