
Address Resolution Protocol (ARP) Overview

The “TOP” G

Academic year: 2024


Address Resolution Protocol Summary

8.4.1 What Did I Learn in this Module?

MAC and IP

There are two primary addresses assigned to a device on an Ethernet LAN: the IP address, which is logically assigned, and the MAC address, which is physically assigned and is unique to the network interface. IP addresses are used to identify the address of the original source device and the final destination device. The destination IP address may be on the same IP network as the source or may be on a remote network. Layer 2 or physical addresses, such as Ethernet MAC addresses, have a different purpose. These addresses are used to deliver the data link frame with the encapsulated IP packet from one NIC to another NIC on the same network. If the destination IP address is on the same network, the destination MAC address will be that of the destination device.

ARP

When using IPv4 for network communication, ARP is used to map the logical IPv4 address to the Layer 2 MAC address. In order to build an Ethernet frame, the destination MAC address must be known. When the destination IPv4 address is on the same network as the source, the ARP process sends the IPv4 address to all hosts on the network so that the host with the matching IPv4 address can reply with the corresponding MAC address. The sending device now has all of the information that is necessary to build the Layer 2 Ethernet frame.

ARP provides two basic functions: resolving IPv4 addresses to MAC addresses and maintaining a table of IPv4 to MAC address mappings. The sending device will search its ARP table for a destination IPv4 address and a corresponding MAC address. If the packet’s destination IPv4 address is on the same network as the source IPv4 address, the device will search the ARP table for the destination IPv4 address. If it does not have an entry for the IPv4 address in its ARP table, the sending device sends out an ARP request to determine the destination MAC address. Only the device with the target IPv4 address associated with the ARP request will respond with an ARP reply. The ARP reply is encapsulated in an Ethernet frame using the following header information: the destination MAC address of the requesting host, the source MAC address of the replying host, and the type, which is a code that identifies the data as being for the ARP process. ARP messages have a type field value of 0x806.

If the destination IPv4 address is on a different network than the source IPv4 address, the device will search the ARP table for the IPv4 address of the default gateway. IPv6 uses a similar process to ARP in IPv4. It is known as ICMPv6 Neighbor Discovery (ND). IPv6 uses neighbor solicitation and neighbor advertisement messages, similar to IPv4 ARP requests and ARP replies.

ARP Issues

As a broadcast frame, an ARP request is received and processed by every device on the local network. On a typical business network, these broadcasts would probably have minimal impact on network performance. If a large number of devices were to be powered up and all start accessing network services at the same time, there could be some reduction in performance for a short period of time. After the devices send out the initial ARP broadcasts and have learned the necessary MAC addresses, any impact on the network will be minimized.

Since the ARP request is a broadcast, there are potential security risks. A threat actor can use ARP spoofing to perform an ARP poisoning attack by replying to an ARP request for an IPv4 address belonging to another device, such as the default gateway. The receiver of the ARP reply will add the wrong MAC address to its ARP table and send these packets to the threat actor.
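The symptom described above, a reply that rebinds an IPv4 address to a different MAC address, can be checked for in captured frames. The following Python is an added example, not part of the course material: it decodes the Ethernet and ARP fields named in the ARP section and flags any reply that changes a mapping already learned. The addresses, the sample capture and the function names (parse_arp, watch, sample_frame) are constructed for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806          # Ethernet type field for ARP (0x806 in the text)
OP_REQUEST, OP_REPLY = 1, 2     # ARP opcodes

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if etype != ETHERTYPE_ARP or fields[:4] != (1, 0x0800, 6, 4):
        return None
    op, sha, spa, tha, tpa = fields[4:]
    return {"eth_dst": mac(eth_dst), "eth_src": mac(eth_src), "op": op,
            "sender_mac": mac(sha), "sender_ip": ip(spa), "target_ip": ip(tpa)}

def watch(frames):
    """Feed ARP replies into a model ARP table; alert when an IP's MAC changes."""
    table, alerts = {}, []
    for frame in frames:
        p = parse_arp(frame)
        if p is None or p["op"] != OP_REPLY:
            continue
        known = table.get(p["sender_ip"])
        if known is not None and known != p["sender_mac"]:
            alerts.append((p["sender_ip"], known, p["sender_mac"]))
        table[p["sender_ip"]] = p["sender_mac"]
    return table, alerts

def sample_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Build constructed test bytes for the parser (nothing is transmitted)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(int(x) for x in s.split("."))
    return (m(eth_dst) + m(sender_mac)
            + struct.pack("!HHHBBH", ETHERTYPE_ARP, 1, 0x0800, 6, 4, op)
            + m(sender_mac) + a(sender_ip) + m(target_mac) + a(target_ip))

# Constructed capture: request for the gateway, its reply, then a conflicting reply.
HOST, GW, OTHER = "aa:bb:cc:00:00:10", "00:11:22:33:44:55", "de:ad:be:ef:00:66"
CAPTURE = [
    sample_frame(OP_REQUEST, "ff:ff:ff:ff:ff:ff", HOST, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    sample_frame(OP_REPLY, HOST, GW, "192.168.1.1", HOST, "192.168.1.10"),
    sample_frame(OP_REPLY, HOST, OTHER, "192.168.1.1", HOST, "192.168.1.10"),
]
print(watch(CAPTURE)[1])
```

A changed mapping is not always malicious (a replaced NIC or a gateway failover also produces one), so each alert is a lead to verify against known hardware.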

8.4.2 Module 8: Address Resolution Protocol Quiz

1. How does the ARP process use an IP address?

Topic 8.2.0 - The ARP process is used to complete the necessary mapping of IP and MAC addresses that are stored in the ARP table that is maintained by each node on a LAN. When the destination device is not on the same network as the source device, the MAC address of the Layer 3 device on the source network is discovered and added to the ARP table of the source node.

to determine the MAC address of a device on the same network

to determine the MAC address of the remote destination host

to determine the amount of time a packet takes when traveling from source to destination

to determine the network number based on the number of bits in the IP address

2. What will a host do first when preparing a Layer 2 PDU for transmission to a host on the same Ethernet network?

Topic 8.2.0 - In order to encapsulate a Layer 3 PDU into a frame, the sending host needs to know the MAC address of the destination host. The sending host first checks the ARP table. If a match is found in the table, the host uses the MAC address as the destination MAC in the frame. Otherwise, it will initiate an ARP request to obtain the destination MAC.

It will search the ARP table for the MAC address of the destination host.

It will send the PDU to the router directly connected to the network.

It will initiate an ARP request to find the MAC address of the destination host.

It will query the local DNS server for the name of the destination host.

3. Refer to the exhibit. Which protocol was responsible for building the table that is shown?

Topic 8.2.0 - The table that is shown corresponds to the output of the arp -a command, a command that is used on a Windows PC to display the ARP table.

ARP

DNS

ICMP

DHCP


4. When an IP packet is sent to a host on a remote network, what information is provided by ARP?

Topic 8.1.0 - When a host sends an IP packet to a destination on a different network, the Ethernet frame cannot be sent directly to the destination host because the host is not directly reachable in the same network. The Ethernet frame must be sent to another device known as the router or default gateway in order to forward the IP packet. ARP is used to discover the MAC address of the router (or default gateway) and use it as the destination MAC address in the frame header.

the MAC address of the switch port that connects to the sending host

the IP address of the default gateway

the IP address of the destination host

the MAC address of the router interface closest to the sending host

5. A host is trying to send a packet to a device on a remote LAN segment, but there are currently no mappings in the ARP cache. How will the device obtain a destination MAC address?

Topic 8.2.0 - When sending a packet to a remote destination, a host will need to send the packet to a gateway on the local subnet. Because the gateway will be the Layer 2 destination for the frame on this LAN segment, the destination MAC address must be the address of the gateway. If the host does not already have this address in the ARP cache, it must send an ARP request for the address of the gateway.

It will send the frame with a broadcast MAC address.

It will send an ARP request to the DNS server for the destination MAC address.

It will send the frame and use the device MAC address as the destination.

It will send an ARP request for the MAC address of the destination device.

It will send an ARP request for the MAC address of the default gateway.

6. What is the aim of an ARP spoofing attack?

Topic 8.3.0 - In an ARP spoofing attack, a malicious host intercepts ARP requests and replies to them so that network hosts will map an IP address to the MAC address of the malicious host.

to flood the network with ARP reply broadcasts

to fill switch MAC address tables with bogus addresses

to associate IP addresses to the wrong MAC address

to overwhelm network hosts with ARP requests

CyberOps Associate v1.0

7. A host needs to reach another host on a remote network, but the ARP cache has no mapping entries. To what destination address will the host send an ARP request?

Topic 8.2.0 - ARP requests are sent when a host does not have an IP to MAC mapping for a destination in the ARP cache. ARP requests are sent to the Ethernet broadcast of FF:FF:FF:FF:FF:FF. In this example, because the address of the remote host is unknown, an ARP request is sent to the Ethernet broadcast to resolve the MAC address of the default gateway that is used to reach the remote host.

the unicast IP address of the remote host

the subnet broadcast IP address

the broadcast MAC address

the unicast MAC address of the remote host

8. Refer to the exhibit. PC1 issues an ARP request because it needs to send a packet to PC2. In this scenario, what will happen next?

Topic 8.2.0 - When a network device wants to communicate with another device on the same network, it sends a broadcast ARP request. In this case, the request will contain the IP address of PC2. The destination device (PC2) sends an ARP reply with the PC2 MAC address.

RT1 will send an ARP reply with the RT1 Fa0/0 MAC address.

PC2 will send an ARP reply with the PC2 MAC address.

SW1 will send an ARP reply with the PC2 MAC address.

RT1 will send an ARP reply with the PC2 MAC address.

SW1 will send an ARP reply with the SW1 Fa0/1 MAC address.

9. In what kind of memory is the ARP table stored on a device?

Topic 8.2.0 - When a packet is sent to the data link layer to be encapsulated into an Ethernet frame, the device checks the ARP table that is stored in RAM. The ARP table is used to map the destination IPv4 address to a MAC address.

ROM

RAM

NVRAM

flash


10. What is a characteristic of ARP messages?

Topic 8.2.0 - Because ARP requests are broadcasts, they are flooded out all ports by the switch except the receiving port. Only the device that originally sent the ARP request will receive the unicast ARP reply. ARP messages have a type field of 0x806. ARP messages are encapsulated directly within an Ethernet frame. There is no IPv4 header.

ARP requests are broadcasts, and they are flooded out all ports by the switch.

ARP messages are encapsulated within an IPv4 header.

ARP messages have a type field of 0x805.

ARP replies are unicast.

11. What statement describes the function of the Address Resolution Protocol?

Topic 8.2.0 - When a PC wants to send data on the network, it always knows the IP address of the destination. However, it also needs to discover the MAC address of the destination. ARP is the protocol that is used to discover the MAC address of a host that belongs to the same network.

ARP is used to discover the MAC address of any host on a different network.

ARP is used to discover the MAC address of any host on the local network.

ARP is used to discover the IP address of any host on the local network.

ARP is used to discover the IP address of any host on a different network.

12. Why would an attacker want to spoof a MAC address?

Topic 8.3.0 - MAC address spoofing is used to bypass security measures by allowing an attacker to impersonate a legitimate host device, usually for the purpose of collecting network traffic.

so that the attacker can capture traffic from multiple VLANs rather than from just the VLAN that is assigned to the port to which the attacker device is attached

so that a switch on the LAN will start forwarding frames to the attacker instead of to the legitimate host

so that the attacker can launch another type of attack in order to gain access to the switch

so that a switch on the LAN will start forwarding all frames toward the device that is under control of the attacker (that can then capture the LAN traffic)

13. What important information is examined in the Ethernet frame header by a Layer 2 device in order to forward the data onward?

Topic 8.1.0 - The Layer 2 device, such as a switch, uses the destination MAC address to determine which path (interface or port) should be used to send the data onward to the destination device.

Ethernet type


destination IP address
