ARP protocol and “what it comes with” (added)


Let's start with the theory...

What is ARP and why do we need it?

ARP (Address Resolution Protocol) is a low-level protocol used in computer networks to determine the link-layer address from a known network-layer address. It has become most widespread due to the ubiquity of IP networks built on top of Ethernet, since in almost 100% of cases ARP is used with this combination.

The ARP protocol works with MAC addresses. Each network card has its own individual MAC address.

A MAC address (Media Access Control) is a unique identifier assigned to different types of computer networking equipment. Most link-layer network protocols use one of three MAC address spaces managed by IEEE: MAC-48, EUI-48, and EUI-64. Addresses in each space should theoretically be globally unique. Not all protocols use MAC addresses, and not all protocols that use MAC addresses need them to be that unique.

Fig.1. Path to the ARP table.

Fig.2. ARP table.

In Figure 2 we see the ARP table. It contains three entries, which are added automatically and have the following structure: IP Address is the IP address of the computer on the network, MAC Address is the MAC address of the same computer, and Interface indicates the interface behind which this computer is located. Note that every entry is preceded by the letter D. This means that the entry is dynamic and will change if any of the data changes. That is, if a user accidentally enters the wrong IP address, the entry in the ARP table simply changes and nothing else happens. This does not suit us; we need to insure ourselves against such cases. To do this, static entries are added to the ARP table. There are two ways to do it.

Fig.3. We add a Static record in the first way.

Method one. As usual, press the red plus. In the window that appears, enter the IP address, MAC address and select the interface behind which this computer is located.

Fig.4. We add a Static record in the second way.

Method two. Select the desired entry, double-click it with the left mouse button, and in the window that appears press the Make Static button. The static entry is added.

Fig.5. Table with static records.

As you can see in Figure 5, there is no letter D opposite the added entry. This indicates that the entry is static.

Now, if a user accidentally enters an address that is not his own, MikroTik checks the correspondence of the IP and MAC addresses in the ARP table and, not finding the required entry, does not allow the user to access the Internet, thereby leading the user to conclude that he may have made a mistake and should call the administrator.

One more thing I would like to draw your attention to: these entries are used for packets passing through the router.

A router is a network device that makes decisions about forwarding network layer packets (layer 3 of the OSI model) between different network segments based on information about the network topology and certain rules.

If you want the rules to apply to the Bridge, then you need to enable the Use IP Firewall function in Bridge (Fig. 6.).

Bridge is a way to connect two Ethernet segments at the data link level, i.e. without using higher level protocols such as IP. Packets are transmitted based on Ethernet addresses rather than IP addresses (as in a router). Because transmission occurs at the data link layer (OSI Layer 2), all higher-layer protocols pass transparently through the bridge.

Fig.6. Enabling the Use IP Firewall function.

Evgeniy Rudchenko

The ARP protocol works differently depending on which link layer protocol is running on a given network: a local area network protocol (Ethernet, Token Ring, FDDI), which can broadcast to all network nodes simultaneously, or a wide area network protocol (X.25, frame relay), which, as a rule, does not support broadcast access.

On local networks, ARP uses link-layer protocol broadcast frames to search the network for a host with a given IP address.

Principle of operation:

    A node that needs to map an IP address to a local address generates an ARP request, inserts it into a link-layer protocol frame, indicating a known IP address in it, and broadcasts the request.

    All hosts on the local network receive an ARP request and compare the IP address specified there with their own.

    If they match, the node generates an ARP response containing its IP address and its local address and sends it directly to the requester rather than broadcasting it, since the sender indicated its own local address in the ARP request.

ARP table for address translation

Address translation is performed by searching the table. This table, called the ARP table, is stored in memory and contains rows for each host on the network.

ARP tables are built according to RFC-1213 and contain four fields for each IP address:

    Ifindex - the physical port (interface) corresponding to this address;

    Physical address - the MAC address, for example an Ethernet address;

    IP address - the IP address corresponding to the physical address;

    Address match type - this field can take 4 values: 1 - the option is not standard and does not fit into any of the types described below; 2 - this entry is no longer true; 3 - permanent binding; 4 - dynamic binding.

Signs of the table for Ethernet technology:

Ethernet address

08:00:39:00:2F:C3

08:00:5A:21:A7:22

08:00:10:99:AC:5

It is customary to write all bytes of a 4-byte IP address as dotted decimal numbers. When writing a 6-byte Ethernet address, each byte is specified in hexadecimal and is separated by a colon.

The ARP table is necessary because IP addresses and Ethernet addresses are chosen independently, and there is no algorithm for converting one to the other.

The IP address is selected by the network manager. The Ethernet address is selected by the manufacturer of the network interface equipment from the address space allocated for it under the license. When a machine's network adapter card is replaced, its Ethernet address also changes.

ARP cache

The effectiveness of ARP largely depends on the ARP cache, which is present on each host. The standard lifetime of each cache entry is 20 minutes from the moment the entry is created.

Address translation order

During normal operation, a network program such as TELNET sends an application message using TCP transport services. The TCP module sends the corresponding transport message through the IP module. The result is an IP packet that must be sent to the Ethernet driver. The destination IP address is known to the application program, the TCP module, and the IP module. Based on this, you need to find the Ethernet address of the destination. An ARP table is used to determine the desired Ethernet address.

How is the ARP table filled? It is filled in automatically by the ARP module as needed. When the existing ARP table cannot resolve an IP address, an ARP request is broadcast across the network.

Each network adapter receives broadcasts. All Ethernet drivers check the type field in the received Ethernet frame and forward ARP packets to the ARP module. An ARP request can be interpreted as follows: "If your IP address matches the one listed, then please tell me your Ethernet address." The ARP request packet looks something like this:

Example ARP request

Each ARP module checks the searched IP address field in the received ARP packet and, if the address matches its own IP address, sends a response directly to the Ethernet address of the requester. The ARP response can be interpreted as follows: “Yes, this is my IP address, and such and such an Ethernet address corresponds to it.” The ARP response packet looks something like this:

Example ARP response

This response is received by the machine that made the ARP request. The driver of this machine checks the type field in the Ethernet frame and passes the ARP packet to the ARP module. The ARP module parses the ARP packet and adds an entry to its ARP table.

The updated table looks like this:

For the publication of the original article, as well as to everyone who added karma for the possibility of my own publication. Now an updated version taking into account wishes and additions. Welcome under the cut.

Good day, dear Habrausers. With this article I want to begin a series of stories about protocols that help us exchange information transparently, quickly and reliably. And start with the ARP protocol.

As you know, addressing on the Internet is a 32-bit sequence of 0s and 1s, called IP addresses. But direct communication between two devices on the network is carried out using link-level addresses (MAC addresses).

So, to determine the correspondence between the logical address of the network layer (IP) and the physical address of the device (MAC), the ARP protocol (Address Resolution Protocol) described in RFC 826 is used.

ARP consists of two parts. The first one determines the physical address when sending a packet, the second one responds to requests from other stations.

The protocol has a buffer memory (ARP table) in which pairs of addresses (IP address, MAC address) are stored in order to reduce the number of requests sent, therefore saving traffic and resources.

An example of an ARP table.

192.168.1.1 08:10:29:00:2F:C3
192.168.1.2 08:30:39:00:2F:C4

On the left are IP addresses, on the right are MAC addresses.

Before connecting to one of the devices, the IP protocol checks whether there is an entry for the corresponding device in its ARP table. If such an entry exists, then the connection and packet transmission occurs directly. If not, then an ARP broadcast request is sent to find out which device owns the IP address. Having identified itself, the device sends its MAC address in response, and a corresponding entry is entered into the sender’s ARP table.

There are two types of ARP table entries: static and dynamic. Static ones are added by the user himself, while dynamic ones are created and deleted automatically. In this case, the ARP table always stores the broadcast physical address FF:FF:FF:FF:FF:FF (in Linux and Windows).

Creating an entry in the ARP table is simple (via the command line):

arp -s <IP address> <MAC address>

Display ARP table entries:

arp -a

After an entry is added to the table, it is assigned a timer. If the entry is not used for the first 2 minutes, it is deleted; if it is used, its lifetime is extended by another 2 minutes, up to a maximum of 10 minutes for Windows and Linux (FreeBSD - 20 minutes, Cisco IOS - 4 hours), after which a new broadcast ARP request is made.

ARP messages do not have a fixed header format and are encapsulated in a link layer data field when transmitted over a network.

ARP message format.

  • network type (16 bits): for Ethernet – 1;
  • protocol type (16 bits): 0x0800 for IP;
  • hardware address length (8 bits);
  • network address length (8 bits);
  • operation type (16 bits): 1 – request, 2 – response;
  • sender hardware address (variable length);
  • sender network address (variable length);
  • recipient hardware address (variable length);
  • recipient network address (variable length).

And here is how a route is determined using the ARP protocol.

Let the sender A and the recipient B have their own addresses indicating the subnet mask.

  1. If the addresses are on the same subnet, ARP is called and the destination physical address is determined, after which the IP packet is encapsulated in a link-layer frame and sent to the specified physical address corresponding to the destination IP address.
  2. If not, the routing table is searched for a direct route.
  3. If a route is found, ARP is called and the physical address of the corresponding router is determined, after which the packet is encapsulated in a link-layer frame and sent to the specified physical address.
  4. Otherwise, ARP is called and the default physical address of the router is determined, after which the packet is encapsulated in a link-layer frame and sent to the specified physical address.

The main advantage of the ARP protocol is its simplicity, which also gives rise to its main drawback - absolute insecurity. The protocol does not verify the authenticity of packets, and as a result entries in the ARP table can be replaced (material for a separate article), letting a third party wedge itself between sender and recipient.

You can combat this drawback by manually entering entries into the ARP table, which adds a lot of routine work both when creating the table and its subsequent maintenance during network modification.
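The difference between dynamic and static entries described above, as an added example that is not part of the original article: a toy ARP table in which a conflicting message silently replaces a dynamic entry but is rejected and recorded for a static one, with dynamic entries aged using the 2-minute and 10-minute timers quoted earlier. The class and function names and the conflicting MAC address are constructed for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 120   # seconds: the 2-minute idle limit quoted in the text
MAX_LIFETIME = 600   # seconds: the 10-minute ceiling quoted for Windows/Linux


@dataclass
class Entry:
    mac: str
    static: bool = False
    created: float = 0.0
    last_used: float = 0.0


class ArpTable:
    """Toy ARP table (illustration only): IP -> Entry."""

    def __init__(self):
        self.entries = {}
        self.alerts = []  # (ip, known_mac, claimed_mac, kind)

    def add_static(self, ip, mac):
        self.entries[ip] = Entry(mac.lower(), static=True)

    def _expired(self, e, now):
        if e.static:
            return False  # static entries never age out
        return now - e.last_used > IDLE_TIMEOUT or now - e.created > MAX_LIFETIME

    def lookup(self, ip, now):
        """Return the MAC for ip, or None if a new ARP request is needed."""
        e = self.entries.get(ip)
        if e is None:
            return None
        if self._expired(e, now):
            del self.entries[ip]
            return None
        e.last_used = now  # using an entry extends its life
        return e.mac

    def learn(self, ip, mac, now):
        """Process the sender fields (IP, MAC) of a received ARP message."""
        mac = mac.lower()
        e = self.entries.get(ip)
        if e is not None and self._expired(e, now):
            del self.entries[ip]
            e = None
        if e is None:
            self.entries[ip] = Entry(mac, created=now, last_used=now)
            return "added"
        if e.mac == mac:
            return "unchanged"
        kind = "static-conflict" if e.static else "dynamic-changed"
        self.alerts.append((ip, e.mac, mac, kind))
        if e.static:
            return "rejected"  # the pinned binding wins
        e.mac, e.created, e.last_used = mac, now, now
        return "replaced"


# Constructed sample traffic: (time in seconds, sender IP, sender MAC).
GATEWAY = "192.168.1.1"
MESSAGES = [
    (0, GATEWAY, "08:10:29:00:2F:C3"),
    (5, "192.168.1.2", "08:30:39:00:2F:C4"),
    (30, GATEWAY, "02:00:00:00:00:99"),  # conflicting claim for the gateway IP
]


def replay(table):
    return [table.learn(ip, mac, t) for t, ip, mac in MESSAGES]


def demo():
    dynamic_only = ArpTable()
    pinned = ArpTable()
    pinned.add_static(GATEWAY, "08:10:29:00:2F:C3")
    return replay(dynamic_only), dynamic_only, replay(pinned), pinned
```

With only dynamic entries the third message changes where gateway traffic is sent; with the static entry the table is unchanged and the conflict is available in `alerts` for logging.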

There are also the protocols InARP (Inverse ARP), which performs the reverse function, finding the logical address of the recipient from a given physical address, and RARP (Reverse ARP), which is similar to InARP except that it looks up the logical address of the sender.

In general, the ARP protocol is universal for any network, but is used only in IP and broadcast (Ethernet, WiFi, WiMax, etc.) networks, as the most widespread, which makes it indispensable when searching for matches between logical and physical addresses.

P.S. I wrote this article myself, without looking anywhere, based only on my knowledge gained during the study of networks.

TCP/IP does not consider link and physical layer technologies; during actual data transfer, you still have to map the IP address to the link layer address.

An Ethernet network uses IP and MAC addresses to identify the source and destination of information. Information sent from one computer to another over a network contains the sender's physical address, the sender's IP address, the recipient's physical address, and the recipient's IP address. ARP provides communication between these two addresses because the two addresses are not related to each other in any way.

ARP (Address Resolution Protocol) is a protocol of the third (network) layer of the OSI model used to convert IP addresses to MAC addresses; it plays an important role in multiple access networks. ARP was defined by RFC 826 in 1982.

Direct communication between an IP address and a MAC address is carried out using so-called ARP tables, where each line indicates the correspondence of the IP address to the MAC address.

An example of an ARP table in Windows OS is shown in the figure.

In the ARP table, in addition to the IP and MAC address, the type of connection is also indicated; there are two types of entries:

  • Static entries are created manually and last as long as the computer or router remains turned on.
  • Dynamic records must be updated periodically. If a record has not been updated within a certain time (approximately 2 minutes), it is excluded from the table. The ARP table does not contain entries for all network nodes, only for those that actively participate in network operations. This storage method is called an ARP cache.

In IPv6, ARP functionality is provided by the NDP protocol (Neighbor Discovery Protocol).

RARP (Reverse Address Resolution Protocol) is a protocol of the third (network) layer of the OSI model that performs reverse address mapping, that is, converts the hardware address into an IP address.

There are four types of ARP messages:

  • ARP request;
  • ARP reply;
  • RARP-request;
  • RARP-reply.

ARP header structure

  • Hardware type (HTYPE): each link-layer protocol has its own number, which is stored in this field. For example, Ethernet is number 0x0001.
  • Protocol type (PTYPE): network protocol code. For example, for IPv4 it is 0x0800.
  • Hardware length (HLEN): length of the physical address in bytes. Ethernet addresses are 6 bytes long.
  • Protocol length (PLEN): length of the logical address in bytes. IPv4 addresses are 4 bytes long.
  • Operation: sender's operation code, 1 in case of a request and 2 in case of a response.
  • Sender hardware address (SHA): the physical address of the sender.
  • Sender protocol address (SPA): the logical address of the sender.
  • Target hardware address (THA): the recipient's physical address. The field is empty in a request.
  • Target protocol address (TPA): the logical destination address.

Let's look at the structure of the ARP request header in a packet captured with the Wireshark network analyzer.

Let's look at the structure of the ARP response (reply) header in a packet captured with the Wireshark network analyzer.
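The fields listed above laid out as bytes, as an added example (not the Wireshark capture from the original page): it builds and parses an Ethernet/IPv4 ARP request and reply and checks that a reply actually corresponds to the request that was sent. The function names are hypothetical; the addresses are the ones from the example table earlier on the page.

```python
import socket
import struct

# Fixed part: HTYPE, PTYPE, HLEN, PLEN, Operation (network byte order).
FIXED = struct.Struct("!HHBBH")
OPERATIONS = {1: "request", 2: "reply"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Serialise an Ethernet/IPv4 ARP message (always 28 bytes)."""
    return (FIXED.pack(0x0001, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + socket.inet_aton(spa)
            + mac_bytes(tha) + socket.inet_aton(tpa))


def parse_arp(data):
    """Parse and validate an ARP message; trailing frame padding is ignored."""
    if len(data) < FIXED.size:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = FIXED.unpack_from(data)
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if oper not in OPERATIONS:
        raise ValueError(f"unexpected operation code {oper}")
    if len(data) < FIXED.size + 2 * (hlen + plen):
        raise ValueError("truncated ARP address fields")
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", data, FIXED.size)
    return {
        "op": OPERATIONS[oper],
        "sha": mac_text(sha), "spa": socket.inet_ntoa(spa),
        "tha": mac_text(tha), "tpa": socket.inet_ntoa(tpa),
    }


def answers(request, reply):
    """True if a parsed reply is consistent with a parsed request we sent."""
    return (request["op"] == "request" and reply["op"] == "reply"
            and reply["spa"] == request["tpa"]   # it is about the IP we asked for
            and reply["tpa"] == request["spa"]   # it is addressed to our IP
            and reply["tha"] == request["sha"])  # and to our hardware address


# Constructed sample messages. THA is all zeros ("empty") in the request.
REQUEST = build_arp(1, "08:30:39:00:2f:c4", "192.168.1.2",
                    "00:00:00:00:00:00", "192.168.1.1")
REPLY = build_arp(2, "08:10:29:00:2f:c3", "192.168.1.1",
                  "08:30:39:00:2f:c4", "192.168.1.2")
```

A reply for which `answers()` is false was not solicited by that request, which is worth logging because ARP itself accepts it anyway.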

Any device connected to a local network (Ethernet, FDDI, etc.) has a unique physical network address specified in hardware. The 6-byte Ethernet address is selected by the manufacturer of the network interface equipment from the address space allocated for it under the license. If a machine's network adapter changes, its Ethernet address also changes.

The 4-byte IP address is set by the network manager, taking into account the machine’s position on the Internet. If a machine is moved to another part of the Internet, its IP address must be changed. Converting IP addresses to network addresses is done using the arp table. Each machine on the network has a separate ARP table for each of its network adapters. It is not difficult to see that there is a problem mapping a physical address (6 bytes for Ethernet) into the network IP address space (4 bytes) and vice versa.

The ARP protocol (address resolution protocol, RFC-826) solves exactly this problem - it converts IP addresses into Ethernet addresses.

ARP table for address translation

Address translation is performed by searching the table. This table, called the ARP table, is stored in memory and contains rows for each host on the network. Two columns contain IP and Ethernet addresses. If you need to convert an IP address to an Ethernet address, the entry with the corresponding IP address is searched. Below is an example of a simplified ARP table.

IP address    Ethernet address
223.1.2.1     08:00:39:00:2F:C3
223.1.2.3     08:00:5A:21:A7:22
223.1.2.4     08:00:10:99:AC:54

Table 1. Example ARP table

It is customary to write all bytes of a 4-byte IP address as dotted decimal numbers. When writing a 6-byte Ethernet address, each byte is specified in hexadecimal and is separated by a colon.

The ARP table is necessary because IP addresses and Ethernet addresses are chosen independently, and there is no algorithm for converting one to the other. The IP address is selected by the network manager taking into account the machine’s position on the Internet. If a machine is moved to another part of the internet, its IP address must be changed. The Ethernet address is selected by the manufacturer of the network interface equipment from the address space allocated for it under the license. When a machine's network adapter card is replaced, its Ethernet address also changes.

Internet Control Message Protocol (ICMP) is a mandatory TCP/IP standard described in RFC 792, Internet Control Message Protocol (ICMP). Using ICMP, hosts and routers communicating over IP can report errors and exchange limited control and status information.



ICMP messages are usually sent automatically in the following cases.

The Internet Control Message Protocol (ICMP) allows a router to report to an end host about errors that the router encountered while transmitting an IP packet from that end host.

ICMP control messages cannot be sent to the intermediate router that participated in the transmission of the packet with which problems arose, since there is no address information for such a sending - the packet carries only the source and destination addresses, without recording the addresses of intermediate routers.

ICMP is an error reporting protocol, not an error correction protocol. The end host can take some actions to ensure that the error no longer occurs, but these actions are not regulated by the ICMP protocol.

Each ICMP message is sent across the network within an IP packet. IP packets with ICMP messages are routed just like any other packet, without priority, so they can also be lost. In addition, on a busy network they can cause additional load on routers. To avoid causing an avalanche of error messages, lost IP packets carrying ICMP error messages cannot generate new ICMP messages.

ICMP packet format

ICMP messages are encapsulated and transmitted in IP datagrams, as shown in the following figure.

There are several types of ICMP messages. Each message type has a different format, but they all start with three common fields: an 8-bit integer indicating the message type (TYPE), an 8-bit code field (CODE) that specifies the purpose of the message, and a 16-bit checksum field (CHECKSUM). In addition, the ICMP message always contains the header and first 64 bits of data of the IP packet that caused the error. This is done so that the sending node can more accurately analyze the cause of the error, since all application layer protocols of the TCP/IP stack contain the most important information for analysis in the first 64 bits of their messages.
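How a receiving host can use these fields, as an added example that is not from the original text: it verifies CHECKSUM and then reads the quoted IP header and first 64 bits of data to find out which of its own packets the error refers to. The function names are hypothetical, the sample message is constructed with documentation addresses, and the 4 unused bytes after CHECKSUM follow the RFC 792 layout for Destination Unreachable.

```python
import socket
import struct


def inet_checksum(data):
    """16-bit one's-complement Internet checksum (the ICMP CHECKSUM field)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_error(mtype, code, original):
    """TYPE, CODE, CHECKSUM, 4 unused bytes, then the quoted original packet."""
    body = struct.pack("!BBHI", mtype, code, 0, 0) + original
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_error(msg):
    """Validate an ICMP error and return what it says about the original packet."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    if inet_checksum(msg) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    quoted = msg[8:]
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("no IPv4 header quoted")
    ihl = (quoted[0] & 0x0F) * 4  # quoted header length in bytes
    if ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted header plus 64 bits of data not present")
    info = {
        "type": msg[0], "code": msg[1], "protocol": quoted[9],
        "src": socket.inet_ntoa(quoted[12:16]),
        "dst": socket.inet_ntoa(quoted[16:20]),
    }
    if quoted[9] in (6, 17):  # TCP and UDP both begin with the two port numbers
        info["sport"], info["dport"] = struct.unpack_from("!HH", quoted, ihl)
    return info


def sample_original():
    """Constructed IPv4 header plus the first 8 bytes of a UDP datagram."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + 4, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 4, 0x1234, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.53"))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp


# Constructed sample: Destination Unreachable (type 3), port unreachable (code 3).
SAMPLE = build_icmp_error(3, 3, sample_original())
```

The returned addresses and ports can be compared with the host's own outstanding flows before the error is acted on.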



First of all, TCP and UDP are protocols. And their main difference is that TCP is a protocol with guaranteed delivery of packets, UDP is not.

TCP is a “guaranteed”, connection-oriented transport mechanism (the connection is established beforehand) that provides an application with a reliable data stream, ensures that the data it receives is error-free, re-requests data if lost, and eliminates duplication of data. TCP allows you to regulate the load on the network, as well as reduce the latency of data when transmitting over long distances. Moreover, TCP ensures that the received data arrives in exactly the same sequence in which it was sent. This is its main difference from UDP.

UDP is a connectionless datagram transmission protocol. It is also called an “unreliable” transmission protocol, in the sense that delivery of a message to the recipient cannot be verified and packets may arrive out of order. Applications that require guaranteed data transfer use the TCP protocol.
UDP is typically used in applications such as video streaming and computer games, where packet loss is acceptable and retrying is difficult or unjustified, or in challenge-response applications (such as DNS queries) where creating a connection takes more resources than resending.
Both TCP and UDP use a number called a port to identify their upper-layer protocol.

RIP and OSPF

At first, RIP was distributed along with the BSD operating system and was not considered as an Internet standard. However, like many other BSD services, it subsequently became a critical element of IP networks. There are currently two versions of RIP documented in the IETF: version 1 (original) in RFC 1058 and version 2 in RFC 1722 (Internet Standard 56). They are both similar, but there are some important differences between them.

The RIP protocol is based on a distance-vector algorithm, which relates the length of a route (hops) to its vector (the destination network or host). RIP devices receive information about routes to particular networks/hosts from neighboring routers and then select the route with the least number of hops. Once a route to a destination is selected, it is stored in the local database, and information about all other routes to the same destination is erased. Periodically, each router informs others about the routes it has discovered.

The number of hops in RIP is equal to the number of routers between the sender and the destination network/host. If the router is connected to the desired network directly, then the distance to it is zero hops. If to access the desired network you only need to forward datagrams through a neighboring router, then the distance to it is equal to one hop. When a router broadcasts information about a found route, it increases the number of hops by one. Once this data arrives at neighboring routers, it is compared with information in their own databases. If any of the proposed routes is shorter than the one stored in the database, it is entered into the local routing table, and the router from which the message came becomes the first node to forward traffic along this route.
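The update rule described above, as an added example that is not from the original text: each router announces its routes with the hop count increased by one, and a receiver keeps a proposed route only when it is shorter than the one it already has. The four-router topology and all names are constructed; timers and other parts of RIP that the text does not cover are left out.

```python
def advertise(table):
    """Routes a router announces: every known destination with hops + 1."""
    return {dest: hops + 1 for dest, (hops, _via) in table.items()}


def receive(table, neighbor, advert):
    """Keep a proposed route only if it is new or shorter than the stored one."""
    changed = False
    for dest, hops in advert.items():
        if dest not in table or hops < table[dest][0]:
            table[dest] = (hops, neighbor)  # neighbor becomes the first hop
            changed = True
    return changed


def converge(links, attached):
    """Exchange announcements until no table changes.

    links:    {router: [neighboring routers]}
    attached: {router: [directly connected networks]} (distance zero hops)
    Returns ({router: {network: (hops, next_hop)}}, rounds that changed something).
    """
    tables = {r: {net: (0, None) for net in attached.get(r, [])} for r in links}
    rounds = 0
    while True:
        # Snapshot all announcements first so one round is one periodic update.
        adverts = {r: advertise(t) for r, t in tables.items()}
        changed = False
        for router, neighbors in links.items():
            for n in neighbors:
                changed |= receive(tables[router], n, adverts[n])
        if not changed:
            return tables, rounds
        rounds += 1


# Constructed topology: R1-R2, R1-R3, R2-R3, R3-R4.
LINKS = {
    "R1": ["R2", "R3"],
    "R2": ["R1", "R3"],
    "R3": ["R1", "R2", "R4"],
    "R4": ["R3"],
}
ATTACHED = {"R1": ["net-a"], "R4": ["net-d"]}

TABLES, ROUNDS = converge(LINKS, ATTACHED)
```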

The OSPF protocol emerged as an IP-oriented variant of the IS-IS protocol. It is defined in several IETF documents: RFC 1131 defines OSPF 1 (the legacy version), RFC 1583 is probably the most common version of OSPF 2, and finally RFC 2328 defines the latest version of OSPF 2 (Internet Standard 54).

With OSPF, each router maintains an independent administrative routing domain database that includes information about available networks, routers, and the cost of each connection. When the state of a network, router, or interface changes, each router that detects it (within an area) enters the information into a local database and then rebuilds its routing maps accordingly. The choice of route is made taking into account the cost of all routes to a specific destination and does not directly depend on the number of transitions. In other words, OSPF uses a “cost vector” algorithm to select optimal routes.

This model provides more opportunities to improve routing (for example, changes are synchronized faster), but requires more processing power and more memory from the participating machines. For this reason, systems that support RIP are much more widely available on the market than OSPF. For example, although many server operating systems have OSPF daemons of some kind, very few network clients or low-end devices support OSPF, since even passive listening requires the device to be equipped with a full-featured OSPF database parsing engine.

The OSPF architecture is based on the concept of administrative areas. Routers operating in the same area exchange detailed information about it, but only general information is sent to routers in remote areas. If there are several areas, then a backbone (core) area is organized to exchange information between them. Through it, edge devices will exchange common information, which means that OSPF has a two-level hierarchy for exchanging routing information between areas (this does not apply to all network traffic, but only to routing protocol messages).

Areas are assigned 32-bit identifiers (usually represented as IPv4 addresses), and the backbone is always numbered 0. Routers can be present in multiple areas at the same time, but they must maintain a separate connection state database for each area. According to OSPF terminology, a router that is present in multiple areas simultaneously is called an ABR (Area Border Router), and a router that communicates with another routing protocol is called an ASBR (Autonomous System Border Router).