The Address Resolution Protocol (ARP) provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address.
The Address Resolution Protocol works at the Data Link Layer. It is also used for IP over other LAN technologies, such as Token Ring, FDDI, or IEEE 802.11, and for IP over ATM.

Address resolution is the process of finding the hardware address of a computer in a network. For instance, Host B intends to send information to Host A but does not have the MAC address of Host A in its cache. Host B sends a broadcast message to all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the request, and only Host A responds with its MAC address.

Every Ethernet frame carries two hardware addresses, which identify the source and destination of the frame. The destination address (all 1s) may also identify a broadcast frame (to be sent to all connected computers). The hardware address is also known as the Medium Access Control (MAC) address, in reference to the standards which define Ethernet. Each network interface card is allocated a globally unique 6-byte link address when the factory manufactures the card (stored in a PROM). This is the normal link source address used by an interface. A computer sends all frames it creates with its own hardware address as the source link address, and receives all frames whose destination field matches that same hardware address or one (or more) pre-selected broadcast/multicast addresses.

The Ethernet address is a link layer address and depends on the interface card in use. IP operates at the network layer and is not concerned with the link addresses of the individual nodes to be used. The Address Resolution Protocol (ARP) is therefore used to translate between the two types of address. ARP client and server processes run on every computer using IP over Ethernet. The processes are normally implemented as part of the software driver that drives the network interface card.

ARP defines four message types, distinguished by the operation code in the message:

1. ARP request
2. ARP reply
3. RARP request
4. RARP reply

The format of an ARP message is shown below:

[Figure: ARP message format]

Inverse and Reverse ARP
The Inverse Address Resolution Protocol, also known as Inverse ARP or InARP, is a protocol used for obtaining Layer 3 addresses (e.g., IP addresses) of other nodes from Layer 2 addresses (e.g., the DLCI in Frame Relay networks). It is primarily used in Frame Relay and ATM networks, where the Layer 2 addresses of virtual circuits are sometimes obtained from Layer 2 signaling, and the corresponding Layer 3 addresses must be available before these virtual circuits can be used.

ARP translates Layer 3 addresses to Layer 2 addresses, so InARP can be viewed as its inverse. In addition, InARP is actually implemented as an extension to ARP. The packet formats are the same; only the operation code and certain field values differ.

Reverse ARP (RARP), like InARP, also translates Layer 2 addresses to Layer 3 addresses. However, RARP is used to obtain the Layer 3 address of the requesting station itself, while in InARP the requesting station queries the Layer 3 address of another node. RARP was obsoleted by BOOTP, which itself has been superseded by the Dynamic Host Configuration Protocol (DHCP).

ARP Spoofing Attacks

ARP spoofing attacks and ARP cache poisoning can occur because ARP accepts a gratuitous reply from a host even if no ARP request was sent. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host.

An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.

Understanding DAI and ARP Spoofing Attacks

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.

DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:

Intercepts all ARP requests and responses on untrusted ports

Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination

Drops invalid ARP packets

DAI determines the validity of an ARP packet based on the valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

DAI can also validate ARP packets against user-configured access control lists (ACLs) for hosts with statically configured IP addresses, which the DHCP snooping binding database does not cover.

You can additionally configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
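To make the message format and the DAI checks concrete, here is an added Python example (not code from the original page or from any switch vendor's DAI implementation). It parses an Ethernet/ARP frame into the fields listed above and applies DAI-style checks: a trusted port is forwarded unchecked, while on an untrusted port the sender MAC in the ARP body must match the Ethernet source MAC and the sender IP-to-MAC pair must exist in a binding table that stands in for the DHCP snooping binding database. The MAC addresses, IP addresses and binding table are constructed sample data.

```python
import socket
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
# sha/spa = sender hardware (MAC) / protocol (IP) address; tha/tpa = target addresses
ArpFrame = namedtuple("ArpFrame", "eth_dst eth_src opcode sha spa tha tpa")

def build_arp_frame(eth_src, eth_dst, opcode, sha, spa, tha, tpa):
    """Ethernet header + 28-byte ARP body (HTYPE=1 Ethernet, PTYPE=0x0800 IPv4)."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp

def parse_arp_frame(frame):
    """Decode the Ethernet header and the ARP fields that DAI inspects."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in OPCODES:
        raise ValueError("unsupported ARP header fields")
    return ArpFrame(eth_dst, eth_src, oper, sha, socket.inet_ntoa(spa),
                    tha, socket.inet_ntoa(tpa))

def dai_verdict(frame, port_trusted, bindings, validate_src_mac=True):
    """DAI-style decision for one ARP frame. bindings is {ip: mac} and stands in
    for the DHCP snooping binding database (constructed, not a real switch API)."""
    if port_trusted:  # trusted interface: forwarded without any checks
        return "forward"
    pkt = parse_arp_frame(frame)
    if validate_src_mac and pkt.sha != pkt.eth_src:  # body MAC vs Ethernet header
        return "drop: ARP sender MAC differs from Ethernet source MAC"
    if bindings.get(pkt.spa) != pkt.sha:  # sender IP is not bound to this MAC
        return "drop: invalid IP-to-MAC binding"
    return "forward"

# Constructed sample data: a legitimate gateway reply and a gratuitous reply
# from a different MAC claiming the gateway's IP (the cache-poisoning case).
GATEWAY_MAC, VICTIM_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ATTACKER_MAC = bytes.fromhex("020000000099")
BINDINGS = {"10.0.0.1": GATEWAY_MAC, "10.0.0.2": VICTIM_MAC}
LEGIT_REPLY = build_arp_frame(GATEWAY_MAC, VICTIM_MAC, 2, GATEWAY_MAC, "10.0.0.1",
                              VICTIM_MAC, "10.0.0.2")
POISON_REPLY = build_arp_frame(ATTACKER_MAC, VICTIM_MAC, 2, ATTACKER_MAC, "10.0.0.1",
                               VICTIM_MAC, "10.0.0.2")
```

Running `dai_verdict(POISON_REPLY, False, BINDINGS)` returns the binding-mismatch drop, while the same frame on a trusted port is forwarded unchecked, which is why the uplink to the real gateway, not the access ports, should be the trusted interface.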
