Different layers of the networking stack have different functions, as can be read in another blog of this series. Introduction in Networking: The OSI model and TCP IP model explored. Layer 2 in networking is responsible for local communication. Layer 3 is responsible for global communication. Both layers have their own specific addressing schema. ARP is the protocol that enables network devices to create a translation between the layer 3 address and the layer 2 address.
Any device connected on an ethernet network will have a network interface card (NIC). This NIC will have a specific address. These addresses are configured by the factory who made the NIC. This address is called the MAC address. MAC stands for Media Access Control. It is also called the physical address or the BIA (Burned In Address). The MAC address is what is used to send data on locally connected networks. That means that when you send something on an ethernet network you will use the MAC address. You can see that happening in the screenshot below. This is part of a traffic capture of traffic on my Apple iMac.
Something you should also notice in that screenshot is that the capture actually says it’s an Apple device. It is sending the traffic to a device called Arcadyan, which is my home router. You can see the frame (on layer 2 we talk about frames instead of packets) has a source and destination address. The first three octets can be used to figure out the manufacturer of the device. There are many sites where you can do this. I often use the wireshark website to do this. These first three octets are also called the Organisationally Unique Identifier (OUI). Try it out for your computer. If you have a Windows machine use the command “ipconfig /all” in a cmd window. On a Mac and Linux system you can use the “ifconfig” command in a terminal window.
The word octet in networking refers to 8 bits. You might wonder why it’s not just called a byte then. Well, that’s because of history. Historically a byte refers to the smallest addressable unit in computer memory. Some systems had bytes that were either smaller or bigger than 8 bits. An octet is always, per definition, 8 bits.
MAC addresses are in hexadecimal format. That means each character represents 4 bits. So a single octet consists of two characters. When looking at the mac address 4c:09:d4:cd:dc:3c all octets are separated by colons.
How does ARP work?
So, let’s zoom in to ARP a bit more. What does it do and how does it do it? To be able to send something to somebody you need to know its address. ARP is there to help you get that address. A device uses arp to ask about the address of another device. It knows the IP address it wants to send something to, but it doesn’t know the hardware address. Because of that it will ask around who has a specific IP address. The device owning that IP address will respond to the request. That way the requestor will get its answer and be able to send traffic to the intended destination.
But wait, how can we ask who owns a specific IP address if we don’t have a physical address to begin with? Don’t we need one? Yes we do, we need a physical address. But the address used in this instance is the broadcast address. Aside from listening to its own address, a NIC will also listen to the broadcast address. That means that when it sees a frame addressed to the broadcast address it will process it as if it was addressed to that specific NIC.
Let’s look at the actual packets being sent. In the wireshark overview we can already see clearly that somebody asks ‘who has 192.168.2.11? Tell 192.168.2.3’. This is actually what ARP is all about. Ask who has the address and give the information who to tell.
When we zoom in a bit further we can see several fields defined in the request. The most important for now is the Target MAC address. Which is all zeroes. The all zero MAC address is the broadcast MAC address. Here’s a list of all fields and what they represent.
- Hardware Type: The predominant hardware type is Ethernet. ARP was created to support multiple hardware types, but since ethernet is virtually the only remaining L2 protocol, you will likely only see Ethernet here. The idea however was that the upper layer protocols would be able to interpret the other fields based on the layer 2 protocol defined in this field.
- Protocol Type: This will likely also always be IPv4 as it is in this example. IPv6 could have used ARP, but for IPv6 the Neighbor Discovery (ND) protocol was defined.
- Hardware size: This defines the amount of octets that are needed to describe a hardware address. If ever they introduce longer hardware addresses like 64 bits instead of 48 the idea is that ARP can cater to that. This also works for protocols other than Ethernet. Maybe some other protocol uses a different physical address size.
- Protocol size: This is exactly the same, but for the higher level protocol. If they were to use ARP for IPv6 the size would be listed as 16 instead of 4.
- Opcode: This is the operation requested of ARP. In these examples we will see opcodes 1 and 2 (request and reply). Most other opcodes aren’t used anymore, but special note goes to code 3 and 4 which are reverse ARP request and Replies. We will go into reverse ARP shortly.
- Sender MAC address, Sender IP address, Target MAC address and Target IP address: These fields are the most important, but also the most self explanatory fields. This is what makes ARP ARP.
The ARP reply is exactly the same message. The only difference between the two is that the sender and receiver are reversed. Of course, this time no broadcast MAC address is used because the actual MAC addresses are known.
Reverse ARP
ARP itself was defined in 1982, almost 40 years ago. At that time there was no way to automatically assign IP addresses to devices. All devices needed to be statically configured. In the years after the introduction of IP people started noticing this was cumbersome. What they needed was a way to automatically (not necessarily dynamically) assign IP addresses. The first attempt at that was Reverse ARP. That way a system, knowing its own MAC address could send out a reverse ARP request to get the IP address that belonged to that MAC address.
Reverse ARP was defined in 1984, but since it was very limited it was quickly succeeded by the BOOTP protocol, which in its turn was eventually replaced by DHCP.