If we select the 'most insecure protocol' in the TCP/IP protocol stack, I will not hesitate to vote for the ARP protocol. The terms such as 'network scanning', 'internal network penetration', 'man-in-the-middle attack', 'LAN flow control' and 'traffic spoofing' are all related to ARP. However, a large number of security tools, such as Cain, Ettercap and P2POver, are implemented based on ARP.
In fact, the technical principle of such a powerful protocol is quite simple. For example, the entire interaction process of ARP requires only two packets: a request and a reply. However, the ARP also may confuse beginners by its extended concepts such as proxy ARP, free ARP, inverse ARP and reverse ARP. Different types of ARP are used in different scenarios. As beginners, we must remember the following sentences before we get to the technical principle:
1. ARP is used to map IP addresses to MAC addresses, that is, to discover the MAC address associated with a given IP address.
2. In network communication, the data packets sent between hosts need to be encapsulated from top to bottom according to the OSI model. After the data is encapsulated completely, a data packet can be sent. Therefore, in LAN communication, the encapsulation of the source and destination IP addresses and the encapsulation of the source and destination MAC addresses are required.
3. Generally, upper-layer applications pay more attention to IP addresses rather than MAC addresses. Therefore, the MAC address of the destination host needs to be obtained through the ARP to complete data encapsulation.
Request-reply process
In the same LAN, when PC1 needs to communicate with PC2, what does PC1 do?
According to the OSI data encapsulation sequence, the sender encapsulates data from top to bottom (from the application layer to the physical layer) and then sends the data. The following uses the PC1-ping-PC2 process as an example.
When PC1 encapsulates data and sends data to external devices, 'failed' is displayed in the preceding figure, indicating that data encapsulation fails. Why?
When the ping ip2 command is executed on PC1, the destination IP address is notified. In this way, PC1 has the source and destination IP addresses required for communication, but does not have the required destination MAC address. A similar scenario: When we want to deliver a package, if only the recipient's name (IP address) is written on the delivery ticket, but the recipient's address (MAC address) is not written, the package cannot be delivered because the information is incomplete.
Now, PC1 already has the IP address of PC2. How can PC1 obtain the MAC address of PC2? The ARP can be used. The following figure shows the process.
In step 3 and step 4, PC1 and PC2 exchange an ARP request and reply. Through this interaction, PC1 has the MAC address of PC2.
What will PC1 do then? Before the communication, PC1 adds the MAC address of PC2 to the local cached ARP table. The table contains the mapping between IP addresses and MAC addresses, for example, IP2<->MAC2. Next, PC1 re-encapsulates the data and starts the ping communication.
Summary
After the preceding six steps, PC1 finally sends the data packet and then the communication is normal. The ARP implementation process is so simple - when the sender requires the destination MAC address, they use the request-reply mode to obtain the MAC address corresponding to the given IP address and then stores the MAC address in the local cached ARP table for future use.
Since the ARP table is cached, the table is cleared if the computer or communication device is restarted. That is, if the communication needs to be performed next time, the host needs to send an ARP request again. On Windows and MacOS, you can run the arp -a command to view the details.
