Address Resolution Protocol(ARP) By:Protogenius

Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP cache RARP ARP Types ARP Attacks ARP Spoofing ARP Denial of Service Defenses S-ARP Conclusion

Introduction low level network protocol operates at Layer 2 of the OSI model which is usually implemented in the device drivers of network operating systems. used by the Internet Protocol (IP), specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol.

When ARP is Used For two hosts on the same network and one desires to send a packet to the other on different networks and must use a gateway/router For a router that needs to forward a packet for one host through another router from one host to the destination host on the same network

Types Of Message There are four types of ARP messages: ARP request ARP reply RARP request RARP reply These are identified by four values in the “operation" field of an ARP message.

Format Of Message The format of an ARP message is used to resolve remote MAC address

Example use of ARP The figure below shows the use of ARP on the same LAN (known as "sysa") using the "ping" program

Continuation..

ARP Cache To reduce network traffic; performance comparable to direct mapping. A table- stores mappings between MAC addresses and IP addresses. The entries are dynamically added and removed. Cache timeout - complete entry :20 mins; incomplete (for nonexistent host) entry :3 mins. Eg : to display arp cache enter : $ arp -a

Continuation ARP Cache…. 1) Static ARP Cache Entries: Manually added address resolutions for a device. Permanent basis. ARP s/w utility tool to manage entries. For devices that a given device has to communicate with on a regular basis. Eg.: to add entry enter $ arp –s ip_address mac_address

Continuation ARP Cache…. 2) Dynamic ARP Cache Entries: Added by s/w as a result of successfully- completed past ARP resolutions. Short- lived. Used most often. Automatic and don't require administrator intervention.

Reverse Address Resolution Protocol(RARP) Used by many diskless systems when bootstrapped. Dynamically find IP address when h/w address is known. RARP Request is broadcast to RARP server in the router to send IP address. RARP reply is unicast. RARP packet format is same as ARP packet. Being replaced by BOOTP & DHCP.

ARP types  PROXY ARP :  Process where one system responds to the ARP request of another system.  Advantage : simplicity; Disadvantage: scalability & security.  GRATUITOUS ARP :  Host sends ARP request to resolve its own IP address.  Use : host can determine whether another host is also configured with its IP address.

ARP Attacks ARP Spoofing,ARP Denial of Service Need not send out an ARP Request to receive an ARP Response. If a spoofed response arrives, the cache is updated  Forged ARP replies  Corrupting cache - poisoning

ARP Spoofing Attacker “E” sends 2 ARP messages: – ARP: “A” is at “E” – ARP: “B” is at “E” Traffic between “B” and “A” routed to E” Man in the Middle Attack, Session Hijacking

ARP Denial of Service Attacker “E” sends 1 ARP message: “R” is at “T” All hosts update their caches. Unable to access the internet as traffic routed to “T”

Related Attacks MAC Flooding Send spoofed ARP replies to a switch at an extremely rapid rate to overflow switch’s port/MAC table Storms-Poisoning caches with broadcast address Mac Address Cloning

Defenses No universal defense Static ARP entries-increases overhead, not very practical Port security (Port Binding, MAC Binding) Detection ARPWatch Snort

S-ARP S-ARP(secure ARP) Prevent ARP poisoning attacks. Provides message authentication by using asymmetric cryptography. S-ARP adopts Digital Signature Algorithm (DSA).

Conclusion ARP - fundamental protocol on networks today.  abstraction between IP and MAC addressing  No need to be configure to “know” MAC addresses  Replaced equipment can retain same IP address More changes to come

References urse/inet-pages/arp.html TCP/IP illustrated