The figure below shows the use of arp when a computer tries to contact a remote computer on the same LAN, known as "sysa", using the "ping" program. It is assumed that no previous IP datagrams have been received from this computer, and therefore arp must first be used to identify the MAC address of the remote computer.
The arp request message "who is X.X tell Y.Y", where X.X and Y.Y are IP addresses, is sent using the Ethernet broadcast address and an Ethernet protocol type of value 0x. Since it is broadcast, it is received by all systems in the same collision domain (LAN). This ensures that if the target of the query is connected to the network, it will receive a copy of the query. Only this system responds; the other systems discard the packet silently. The target system forms an arp response "X.X is hh:hh:hh:hh:hh:hh", where hh:hh:hh:hh:hh:hh is the Ethernet source address of the computer with the IP address X.X. This packet is unicast to the address of the computer that sent the query, in this case Y.Y. Since the original request also included the hardware (Ethernet source) address of the requesting computer, this is already known and does not require another arp message to find out. It can also be used to force a common view of the node's IP address e.
When a new device joins the LAN, it broadcasts its MAC address to the entire network immediately after its network interface boots up. No follow-up packets are sent in response to a gratuitous ARP packet.
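The request/reply exchange and the gratuitous case described above, as an added example (not code from the original page): a small parser for Ethernet frames carrying IPv4-over-Ethernet ARP that classifies each frame as a request ("who is X.X tell Y.Y"), a reply ("X.X is hh:hh:...") or a gratuitous ARP (sender and target IP are the same). The sample frames, MAC addresses and IPs are constructed for illustration; the opcode values and EtherType come from the ARP specification.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806          # EtherType for ARP in the Ethernet header
ARP_REQUEST, ARP_REPLY = 1, 2   # ARP opcodes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _fmt_mac(b): return ":".join(f"{x:02x}" for x in b)

def build_arp(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP message."""
    eth = struct.pack("!6s6sH", _mac(eth_dst), _mac(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac(sender_mac), socket.inet_aton(sender_ip),
                      _mac(target_mac), socket.inet_aton(target_ip))
    return eth + arp

def parse_arp(frame):
    """Decode a frame and classify it as request, reply or gratuitous ARP."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{etype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol combination")
    if op == ARP_REQUEST:
        kind = "request"      # "who is X.X tell Y.Y", normally broadcast
    elif op == ARP_REPLY:
        kind = "reply"        # "X.X is hh:hh:hh:hh:hh:hh", unicast to asker
    else:
        kind = "unknown"
    # Gratuitous ARP names the sender's own IP as the target: the host
    # announces itself (or probes for a duplicate) and expects no answer.
    if spa == tpa:
        kind = "gratuitous"
    return {"kind": kind, "eth_dst": _fmt_mac(dst), "eth_src": _fmt_mac(src),
            "broadcast": _fmt_mac(dst) == BROADCAST,
            "sender_mac": _fmt_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": _fmt_mac(tha), "target_ip": socket.inet_ntoa(tpa)}

# Constructed sample exchange: host Y (10.0.0.2) asks for sysa (10.0.0.1).
REQUEST = build_arp(ARP_REQUEST, BROADCAST, "02:00:00:00:00:02", "10.0.0.2",
                    "00:00:00:00:00:00", "10.0.0.1")
REPLY = build_arp(ARP_REPLY, "02:00:00:00:00:02", "02:00:00:00:00:01", "10.0.0.1",
                  "02:00:00:00:00:02", "10.0.0.2")
GRATUITOUS = build_arp(ARP_REQUEST, BROADCAST, "02:00:00:00:00:01", "10.0.0.1",
                       "00:00:00:00:00:00", "10.0.0.1")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY, GRATUITOUS):
        print(parse_arp(frame))
```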
Instead, they have a unique identifier, called a DLCI, for every virtual circuit they are connected to. It is used mainly for device configuration. This is a common scenario on networks that share data-link addresses across different physical networks, such as Frame Relay and ATM. Routers do not forward Layer 2 frames, and hence ARP messages are never propagated outside their own networks.
When a device wants to resolve the MAC address of another device in a different subnet, the router located between the two subnets acts as a proxy for the other device and responds to the ARP broadcast with its own MAC address. When the ARP request from It acts as the proxy and sends an ARP response to The router takes care of further ARP resolution and routes packets to the intended destination.
It is defined in RFC . Then the ARP process takes over. The algorithm the hosts use is discussed in Chapter 7. The conversation shown in Figure illustrates another important facet of ARP: only the host originating the conversation (generating the ARP request) will place an entry for the destination host in its local ARP table.
That is, other stations hearing the exchange, even if they receive the ARP request, will not add these stations to their own ARP tables. However, many hosts, especially routers, are aggressive when it comes to populating their tables and, upon hearing ARP traffic or being involved in ARP messages, will subsequently generate their own ARP requests to populate their tables.
The packet capture sequence shown in Figure shows the original host using ARP to determine its default gateway when attempting to send to an offsite host. After the conversation has been routed, the router (the default gateway) issues its own ARP request for the original sending host. In this way, it populates its table with what it believes is a valid host address. This improves routing efficiency for future traffic forwarding.
But the host must make sure no other network node is using the same address. For this reason, network hosts will often ARP for themselves. If a device answers, the sender is alerted that another node is using the same IP address. The distributed approach to address resolution is open to abuse by attackers. Although hosts should populate their tables only with information they have requested, not all operating systems are programmed this way. This allows attackers to populate the ARP table with bogus data, resulting in hosts forwarding traffic based on erroneous information.
The effect is that the valid network hosts send their traffic to the attacker, who then makes copies of the data and sends the traffic on to the correct destination.
This is called a man-in-the-middle attack because the attacker has placed himself between the source and the proper destination and is effectively invisible. You can diagnose this type of attack by examining the ARP tables on the host machines and the routers, looking for multiple entries with identical MAC addresses. Security heuristics will also look for excessive ARP messages on the network.
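The check described above (looking through ARP tables for several entries sharing one MAC address), as an added example that is not part of the original text: it parses neighbor-table output in the format of Linux `ip neigh` and reports any MAC claimed by more than one IP. The table below is constructed; the `expected_multi` parameter is an assumption of this example, there to suppress MACs that legitimately answer for several addresses, such as a router doing proxy ARP or a host with multiple IPs.

```python
import re
from collections import defaultdict

# Constructed sample: 10.0.0.1 is the gateway; 10.0.0.77 presents the
# gateway's MAC as well, the pattern a poisoned cache typically shows.
NEIGH_TABLE = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.20 dev eth0 lladdr 00:aa:bb:cc:dd:20 STALE
10.0.0.77 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.30 dev eth0 lladdr 00:aa:bb:cc:dd:30 DELAY
10.0.0.99 dev eth0  FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$",
    re.IGNORECASE)

def parse_neigh(text):
    """Return (ip, dev, mac, state) tuples for entries that have a resolved MAC."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # FAILED / INCOMPLETE lines carry no lladdr and are skipped
            entries.append((m["ip"], m["dev"], m["mac"].lower(), m["state"]))
    return entries

def find_shared_macs(entries, expected_multi=()):
    """Map each MAC that appears under several IPs to the list of those IPs.
    MACs in expected_multi (known proxy-ARP routers, multi-homed hosts) are
    ignored so the report shows only unexplained duplicates."""
    allow = {m.lower() for m in expected_multi}
    by_mac = defaultdict(list)
    for ip, _dev, mac, _state in entries:
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items()
            if len(ips) > 1 and mac not in allow}

def report(text, expected_multi=()):
    """Human-readable lines, one per suspicious MAC, for an operator to review."""
    shared = find_shared_macs(parse_neigh(text), expected_multi)
    return [f"MAC {mac} claims {len(ips)} IPs: {', '.join(ips)}"
            for mac, ips in sorted(shared.items())]

if __name__ == "__main__":
    print("\n".join(report(NEIGH_TABLE)) or "no shared MAC entries")
```

A hit is a prompt to look further (compare against the switch's MAC table or a baseline of the cache), not proof of an attack on its own.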
While these tables are easy to access, overworked network administrators do have to look, so this information is often missed. ARP is absent in IPv6. Rather, network hosts use a series of messages called redirects, solicitations, and advertisements in a process called neighbor discovery. Instead of using an approach that requires hosts to discover MAC addresses when they are needed, IPv6 adopts a slightly different process.
Neighbor solicitation and advertisement messages help discover information about the network before it is needed. These messages are multicast out to all IPv6 nodes. Examples of these packets are given in Chapter 6. ARP, a distributed approach to address resolution and discovery, is not without problems. Consider the traffic generated in a node network, where each host must discover every address on the network. If nodes do not cache information as a result of a transmission from a neighbor, every node has the potential to send 99 messages.
Adding another 99 messages for the corresponding replies brings the total to for that single requesting node. It is unlikely that most of these frames will be generated at the same time, but there are times, for example at the beginning and end of the workday, when a large number of network hosts will be transmitting concurrently.
Complicating matters is the fact that ARP tables age out entries for nodes that are not routinely participating in message exchanges. Refreshing those tables further adds to network traffic. In addition, when a router receives a message to be sent to a distant host, it must first determine the MAC address of the neighboring router. At the other end, the router receiving an IP packet may have to ARP for the destination host, further adding delays to the message traffic.
As a result, it is not uncommon for the first packet of a transmission to be delayed or lost while addresses are being resolved. For this reason, routers will aggressively populate their ARP tables with known hosts.
IPv6 alleviates some of this, but it creates other traffic issues, as the discovery process uses several types of message, some of which are multicast.
Switch behavior with multicast is similar in that multicast frames are sent everywhere throughout the Layer 2 domain. While routers, switches, and hosts have some ability to filter multicast traffic, we have increased the number of message types (redirects, router advertisements, router solicitations, neighbor advertisements, and neighbor solicitations), arguably increasing the overhead on the network.
In this chapter, we examined the problem of Layer 2 address resolution. After examining the packets themselves and the addressing used, you should now have a solid understanding of ARP. We have also examined several of the operations used and the security threat represented by this distributed approach. This chapter has taken you through the operation and structure of ARP. This information is about all you will need to handle ARP on almost any network. However, there are some operations or standards that you should familiarize yourself with, even though you are not likely to run into them very often.
Useful resources include: This is the base address resolution standard. While not very descriptive, current operation is based on this RFC. This RFC approaches the issue of address resolution from the opposite direction.
This RFC allows a host to request a particular protocol address for a given hardware address. Describe the Ethernet addressing used in the standard ARP request. Are the source and destination addresses unicast, broadcast, or multicast? Describe the Ethernet addressing used in the standard ARP reply.
The ARP request uses a unicast address for the source and a broadcast address for the destination. The ARP reply uses a unicast address for the source and a unicast address for the destination. This term refers to a node sending out an ARP request for its own IP address in order to determine if another node is using the same address.
It also shows whether each entry is static or dynamic. Hosts then make incorrect forwarding decisions. ARP transmissions are also sent in the clear.