TCP/IP protocol: ARP in detail

Source: Internet
Author: User

This article describes the function of ARP, the ARP packet format, the ARP cache, gratuitous ARP and proxy ARP.

1. What to know before learning ARP

The relationship between establishing a TCP connection and ARP

The application accepts user-submitted data and triggers TCP to establish a connection. TCP's first SYN segment reaches the IP layer via the connect function, and the IP layer consults the routing table:

If the destination IP is in the same network segment as the host:

When the IP layer's ARP cache table has a MAC address for the destination IP, the IP layer calls the network interface send function (with the IP packet and the destination MAC as parameters) to hand the data to the network interface. The network interface completes the Ethernet header + IP + CRC encapsulation and sends the frame out.

When the ARP cache table has no MAC address for the destination IP, the IP layer holds the TCP SYN, broadcasts an ARP request for the destination IP's MAC address and, after receiving the ARP reply, stores the <IP address, MAC address> pair from the reply in the local ARP cache table. It then completes the IP encapsulation of the TCP SYN and calls the network interface send function (with the IP packet and the destination MAC as parameters) to hand the data to the network interface, which completes the Ethernet header + IP + CRC encapsulation and sends the frame out.

If the destination IP is not in the same network segment as the host, the packet has to be sent to the default gateway, which requires knowing the MAC address of the default gateway:

When the ARP cache table has the MAC address of the default gateway, the IP layer calls the network interface send function (with the IP packet and the default gateway's MAC as parameters) to hand the data to the network interface, which completes the Ethernet header + IP + CRC encapsulation and sends the frame out.

When the ARP cache table has no MAC address for the default gateway, the IP layer holds the TCP SYN, broadcasts an ARP request for the default gateway's MAC address and, after receiving the ARP reply, stores the <default gateway address, MAC address> pair from the reply in the local ARP cache table. It then completes the IP encapsulation of the TCP SYN and calls the network interface send function (with the IP packet and the default gateway's MAC as parameters) to hand the data to the network interface, which completes the Ethernet header + IP + CRC encapsulation and sends the frame out.

Location of ARP

The OSI model has seven layers: TCP is at layer 4 (the transport layer), IP is at layer 3 (the network layer), and ARP is at layer 2 (the data link layer). Each upper layer depends strongly on the layer below it, so the ARP request and reply must take place before a TCP connection can be established.

The ARP cache table is used at the IP layer. Sending an ARP request every time a TCP connection is established would be inefficient, so hosts, switches and routers all keep an ARP cache table. When a TCP connection is being established, the ARP cache table is queried first; if a valid entry exists, its content is used directly to build the layer 2 frame. Only when no valid entry exists are an ARP request and reply exchanged to obtain the MAC address before the TCP connection is established.
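The send path described in this section, as an added example that is not part of the original article: a toy host picks the next hop (the destination itself or the default gateway), holds the SYN on a cache miss, and releases it when the ARP reply arrives. The `Host` class, its method names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

class Host:
    """Toy sender: decides whose MAC is needed and holds packets until ARP resolves."""
    def __init__(self, cidr, gateway):
        self.iface = ipaddress.ip_interface(cidr)    # local address and prefix
        self.gateway = ipaddress.ip_address(gateway)
        self.arp_cache = {}   # next-hop IP -> MAC
        self.waiting = {}     # next-hop IP -> packets held until the reply arrives
        self.wire = []        # what reached the network interface, in order

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        return dst if dst in self.iface.network else self.gateway

    def send(self, dst, payload):
        hop = self.next_hop(dst)
        mac = self.arp_cache.get(hop)
        if mac is not None:                       # cache hit: frame goes straight out
            self.wire.append(("frame", mac, dst, payload))
            return
        if hop not in self.waiting:               # cache miss: one broadcast per next hop
            self.wire.append(("arp-request", "ff:ff:ff:ff:ff:ff", str(hop)))
        self.waiting.setdefault(hop, []).append((dst, payload))

    def arp_reply(self, ip, mac):
        hop = ipaddress.ip_address(ip)
        self.arp_cache[hop] = mac                 # cache <IP, MAC>, then flush held packets
        for dst, payload in self.waiting.pop(hop, []):
            self.wire.append(("frame", mac, dst, payload))

def demo():
    # Constructed addresses from the documentation ranges.
    h = Host("192.0.2.10/24", "192.0.2.1")
    h.send("192.0.2.20", "SYN")      # same segment: ARP for the destination
    h.send("198.51.100.7", "SYN")    # other segment: ARP for the default gateway
    h.arp_reply("192.0.2.20", "02:00:00:00:00:0b")
    h.arp_reply("192.0.2.1", "02:00:00:00:00:01")
    h.send("203.0.113.9", "SYN")     # gateway MAC already cached: no new ARP
    return h.wire
```

Frames for destinations outside the local segment carry the remote IP address but the gateway's MAC address, so every such frame depends on the single cache entry for the gateway.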

The role of ARP

To understand the role of ARP, first distinguish between two kinds of "address":

(1) The 32-bit IP address of TCP/IP. Knowing only the IP address of a host does not allow the kernel to send data frames to that host.

(2) The hardware address of the network interface, a 48-bit value used to identify different Ethernet or Token Ring network interfaces. At the hardware level, data exchange requires the correct interface address, so the kernel must know the hardware address of the destination to send data.

In short, when a host on an Ethernet network sends a data frame to another host on the same LAN, the device driver must know the destination's Ethernet address. Since only the IP address is known, the ARP protocol is used to map the IP address to an Ethernet address.

Note that the ARP protocol is generally considered to be suitable only for local area networks.

2. ARP packet format

The format of the ARP packet is as follows:

First of all, "Ethernet address" here generally means the MAC address.

Field 1 is the destination Ethernet address of the ARP request; all 1s represents the broadcast address.

Field 2 is the Ethernet address of the sender of the ARP request.

Field 3, the Ethernet frame type, indicates the type of the data that follows; for ARP requests and ARP replies the value is 0x0806.

Field 4 indicates the type of hardware address. Hardware addresses are not limited to Ethernet; a value of 1 means Ethernet.

Field 5 indicates the type of protocol address being mapped; a value of 0x0800 means an IPv4 address.

Fields 6 and 7 are the hardware address length and the protocol address length: a MAC address is 6 bytes and an IP address is 4 bytes.

Field 8 is the operation type (opcode) field: a value of 1 indicates an ARP request, 2 an ARP reply, 3 a RARP request, and 4 a RARP reply.

Field 9 is the hardware address of the sender of the ARP request or reply. Here it is an Ethernet address, the same as field 2.

Field 10 is the IP address of the sender of the ARP request or reply.

Fields 11 and 12 are the hardware address and protocol address of the destination.

The following is a captured ARP packet that can be read against the description above.

The red frame circled in the figure is a pair of ARP requests and ARP replies.

The following two images are the packet format for ARP requests and corresponding ARP responses, respectively.

In the ARP request packet, field 11 (the destination MAC address) is unknown and is filled with all 0s.

In the ARP reply packet, the source and destination addresses from the ARP request are exchanged and field 8 (the opcode) is changed. The remaining field contents do not change.

So how do we tell ARP request packets from ARP reply packets?

The address fields cannot be used to tell them apart, because both packets carry the same fields. This is where the opcode field comes in: its value shows whether the packet is a request or a reply, and whether it is ARP or RARP.
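The twelve fields above as a parser, in an added example that is not part of the original article: it packs and decodes an Ethernet/IPv4 ARP frame in wire order and reports whether field 9 agrees with field 2. The function names and the sample addresses are assumptions constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!6s6sHHHBBH6s4s6s4s"   # fields 1-12 in wire order, 42 bytes in total
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Pack an Ethernet/IPv4 ARP frame; MACs are bytes, IPs are dotted strings."""
    return struct.pack(ARP_FMT, eth_dst, eth_src, 0x0806,   # fields 1-3
                       1, 0x0800, 6, 4, op,                 # fields 4-8
                       sha, socket.inet_aton(spa),          # fields 9-10
                       tha, socket.inet_aton(tpa))          # fields 11-12

def parse_frame(frame):
    """Decode fields 1-12; raise ValueError for anything but Ethernet/IPv4 ARP."""
    if len(frame) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP frame")
    (dst, src, etype, htype, ptype, hlen, plen, op,
     sha, spa, tha, tpa) = struct.unpack_from(ARP_FMT, frame)
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "op": OPCODES.get(op, f"unknown({op})"),
        "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa),
        # Field 9 is expected to equal field 2; a mismatch is worth flagging.
        "sender_matches_eth_src": sha == src,
    }

# Constructed sample frames (documentation IP range, locally administered MACs).
MAC_A, MAC_B = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
REQUEST = build_frame(b"\xff" * 6, MAC_A, 1, MAC_A, "192.0.2.10", b"\x00" * 6, "192.0.2.20")
REPLY = build_frame(MAC_A, MAC_B, 2, MAC_B, "192.0.2.20", MAC_A, "192.0.2.10")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_frame(frame))
```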

3. ARP cache

Definition

The ARP cache is a buffer that stores IP addresses and MAC addresses; in essence it is a table of <IP address, MAC address> pairs. Each entry in the table records the IP address of a host on the network and its corresponding MAC address.

Each Ethernet or Token Ring network adapter has its own separate table.

When the Address Resolution Protocol is asked for the MAC address of a node with a known IP address, it first looks in the ARP cache. If an entry is present, it returns the corresponding MAC address directly; if not, it sends an ARP request to the LAN.

Time to live (TTL) of ARP cache table entries

The ARP cache contains both dynamic and static entries:

Dynamic entries are added and deleted automatically over time. Each dynamic ARP cache entry has a TTL (time to live); when the TTL reaches 0 the entry is removed from the table. The TTL in Windows is typically less than 10 minutes.

Static ARP cache entries are permanent and can be added and removed manually using the TCP/IP tools. Static ARP cache entries are used to stop the node from sending ARP requests for commonly used local IPv4 addresses (such as the IPv4 addresses of routers and servers).

Use of the ARP cache

Before a host sends an ARP request, it first looks in the ARP cache table. If there is a matching entry, the MAC address is returned directly; otherwise an ARP request is broadcast to the LAN.

Advantages and disadvantages of ARP cache

Advantage: as the use of the ARP cache shows, it reduces the number of broadcasts, which reduces network traffic and improves communication efficiency between computers.

Disadvantage: it creates security risks (see the role of gratuitous ARP below).

4. Gratuitous ARP

Definition

Gratuitous ARP refers to a host sending an ARP request that looks up its own IP address, which usually happens when the interface is configured during system boot.

The difference from standard ARP is that the destination IP address field of the gratuitous ARP packet carries the sender's own IP address; that is, the host asks the network it sits on for its own MAC address.

Role

The functions of gratuitous ARP are:
1) A host can use it to determine whether another host has been configured with the same IP address.

Normally, a gratuitous ARP request receives no ARP reply. If an ARP reply is received, there is an address conflict: a host with the same IP address as the local host exists on the network.


2) Updating the old hardware address in other hosts' caches.

This applies when the host sending the gratuitous ARP has just changed its hardware address, for example by replacing the interface card.

When other hosts receive this ARP request and find that the IP address exists in their ARP cache table but the MAC address does not match, they update the local ARP cache table entry with the content of the received ARP request.

3) Gateways use gratuitous ARP to prevent ARP attacks

Some gateway devices actively send gratuitous ARP messages to the network at a fixed time interval, so that the other hosts in the network refresh the gateway MAC address in their ARP table entries. This prevents or mitigates the effect of ARP attacks.

4) ARP attacks using gratuitous ARP

ARP does not accept ARP replies only after an ARP request has been sent: whenever a computer receives an ARP reply packet, it updates the local ARP cache with the IP and MAC addresses in the reply.

A host can construct a false gratuitous ARP reply whose source MAC address is set to a wrong MAC address and send it to the network. Every host that receives this reply then updates the MAC address for the corresponding IP address in its local ARP table. Once the update succeeds, the data packets of these hosts are forwarded to the wrong MAC address, which is an ARP spoofing attack.
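A defensive model of the cache behaviour described in sections 3 and 4, as an added example that is not part of the original article: it applies packets the way the text says a host does (any reply updates a dynamic entry, static entries stay) and returns what a monitor would flag for each packet. The class, the alert names, the 120-second TTL and the sample addresses are assumptions constructed for illustration.

```python
GATEWAY, GW_MAC, OTHER_MAC = "192.0.2.1", "02:00:00:00:00:01", "02:00:00:00:00:66"

class ArpCacheMonitor:
    """Model of a host ARP cache that returns alerts for each packet it applies."""
    def __init__(self, ttl=120, static=None):
        self.ttl = ttl                    # seconds; assumed value
        self.static = dict(static or {})  # ip -> mac, pinned by the administrator
        self.dynamic = {}                 # ip -> (mac, expiry time)
        self.pending = set()              # IPs this host has sent a request for

    def lookup(self, ip, now):
        if ip in self.static:
            return self.static[ip]
        mac, expires = self.dynamic.get(ip, (None, 0))
        if mac is not None and now >= expires:   # TTL ran out: drop the entry
            del self.dynamic[ip]
            return None
        return mac

    def observe(self, pkt, now):
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        alerts = []
        if ip == pkt["target_ip"]:
            alerts.append("gratuitous")
        elif pkt["op"] == 2 and ip not in self.pending:
            alerts.append("unsolicited-reply")
        self.pending.discard(ip)
        known = self.lookup(ip, now)
        if ip in self.static:
            if mac != known:
                alerts.append("static-conflict")  # pinned entry is kept
            return alerts
        if known is not None and known != mac:
            alerts.append("mac-changed")
        self.dynamic[ip] = (mac, now + self.ttl)  # dynamic entry follows the packet
        return alerts

def gw_packet(op, mac, target_ip):
    return {"op": op, "sender_ip": GATEWAY, "sender_mac": mac, "target_ip": target_ip}

# Constructed events: solicited reply, gratuitous ARP, unsolicited reply with another MAC.
PACKETS = [(1, gw_packet(2, GW_MAC, "192.0.2.10")), (30, gw_packet(1, GW_MAC, GATEWAY)),
           (60, gw_packet(2, OTHER_MAC, "192.0.2.10"))]

def replay(static=None):
    """Return (alerts per packet, MAC cached for the gateway at t=61)."""
    mon = ArpCacheMonitor(static=static)
    mon.pending.add(GATEWAY)              # the host asked for the gateway at t=0
    alerts = [mon.observe(p, now) for now, p in PACKETS]
    return alerts, mon.lookup(GATEWAY, 61)
```

Calling `replay()` shows the dynamic entry following the last packet, while `replay({GATEWAY: GW_MAC})` keeps the pinned gateway MAC and raises `static-conflict` instead.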

5. Proxy ARP

Definition

Proxy ARP means that a host (typically a router), standing in for a specified device, uses its own MAC address to answer ARP requests that another device sends for that device.

Why is proxy ARP needed?

First of all, one of the important functions of a router is to confine LAN broadcast packets to their own network and stop them from spreading; otherwise a broadcast storm results.

An ARP request is a broadcast packet, and if the host it asks about is on the same LAN, a reply is received. But what if the queried host is not on the same LAN? The proxy ARP function of a router provides a solution to this problem.

Work process

Suppose two hosts A and B are in the same network segment but in different broadcast segments. When host A sends an ARP request for host B's MAC address, the request can only reach the router, because the router does not forward broadcast packets. If the router has proxy ARP enabled and knows that host B belongs to a network it is connected to, the router answers host A's ARP request with the MAC address of its own interface in place of host B's MAC address. Host A receives the ARP reply but is not aware that proxy ARP is involved.

Advantages and disadvantages of proxy ARP

Advantage: with proxy ARP a new router can be added without affecting the routing table, which makes the subnet transparent to the hosts. Proxy ARP should generally be used on networks where the hosts have no default gateway configured or no routing policy.

Disadvantage: as the work process shows, this is in effect a kind of ARP spoofing. Furthermore, the proxy ARP function of a router between two physical networks hides the physical networks from each other, which makes the network topology hard to summarize. In addition, proxy ARP increases ARP traffic on the network that uses it, hosts need a larger ARP cache, and it does not work on networks that do not use ARP for address resolution.

Reprinted from: https://www.cnblogs.com/songwenlong/p/6103406.html
