A Shallow Dive into ARP

Source: Internet
Author: User

1. How ARP works

The core job of ARP (Address Resolution Protocol) is to obtain a host's hardware (MAC) address from its IP address, so that frames can then be addressed to that hardware address. Like many mechanisms in computer networks, ARP is built around a cache: every host maintains an ARP cache, a dynamically updated table that maps the IP addresses on the local network to MAC addresses. When a host needs the MAC address for an IP address it first consults this cache; on a hit it builds the MAC frame directly with the cached address, otherwise it runs the ARP protocol to find the address.

To do so, the host first broadcasts an ARP request on the LAN. The request carries the sender's own MAC address and IP address and the destination IP address, and asks for the destination MAC. The request travels as an ordinary MAC frame: the destination MAC in the frame header is the broadcast address (all bits set, ff:ff:ff:ff:ff:ff), and the ARP request message is carried as the data portion of the frame. Every host on the network receives the request; the host whose IP address matches the destination IP accepts it and returns an ARP reply containing its own MAC address, while all the other hosts discard it. Note that the reply is unicast, not broadcast. When the sender receives the reply it adds the IP-to-MAC mapping to its ARP cache; the replying host likewise records the sender's mapping, which it learned from the request. From then on the sender looks up the MAC address in its cache, sets it as the destination MAC in the frame header, encapsulates the packet and sends it out, and as long as the mapping does not change it keeps communicating with that MAC address.
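The exchange just described, as an added example that is not code from the original post: it builds the ARP request and reply in the real wire format (14-byte Ethernet header followed by the 28-byte ARP body), parses them back, and runs one resolution on a simulated segment so that both caches end up populated. The hosts, IP addresses and MAC addresses are constructed sample values.

```python
"""Build, parse and resolve ARP over Ethernet, simulated in memory.

Added example, not code from the original post. The frame layout is the
standard ARP-over-Ethernet wire format; the hosts, IPs and MACs used to
exercise it are constructed sample values.
"""
import struct
from ipaddress import IPv4Address
from typing import Any, Dict, List, Optional

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str, eth_dst: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP body (28 bytes) for IPv4 over Ethernet."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame: bytes) -> Dict[str, Any]:
    """Decode the Ethernet header and ARP fields; reject non-IPv4/Ethernet ARP."""
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    body = frame[22:42]
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
        "sender_mac": mac_str(body[0:6]), "sender_ip": str(IPv4Address(body[6:10])),
        "target_mac": mac_str(body[10:16]), "target_ip": str(IPv4Address(body[16:20])),
    }


class Host:
    """A host with an IP, a MAC and an ARP cache, following the request/reply rules above."""

    def __init__(self, ip: str, mac: str) -> None:
        self.ip, self.mac = ip, mac
        self.cache: Dict[str, str] = {}

    def request(self, target_ip: str) -> bytes:
        # The target MAC is unknown, so it is zero-filled and the frame is broadcast.
        return build_arp_frame(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip, BROADCAST_MAC)

    def receive(self, frame: bytes) -> Optional[bytes]:
        """Process one ARP frame; return the unicast reply if this host must answer."""
        p = parse_arp_frame(frame)
        if p["target_ip"] != self.ip:
            return None  # addressed to someone else: dropped
        # A request or reply aimed at us teaches us the sender's IP-to-MAC mapping.
        self.cache[p["sender_ip"]] = p["sender_mac"]
        if p["op"] == ARP_REQUEST:
            return build_arp_frame(ARP_REPLY, self.mac, self.ip,
                                   p["sender_mac"], p["sender_ip"], p["sender_mac"])
        return None


def resolve(sender: Host, lan: List[Host], target_ip: str) -> Optional[str]:
    """One ARP resolution on a simulated segment: cache hit, or broadcast and learn."""
    if target_ip in sender.cache:
        return sender.cache[target_ip]
    req = sender.request(target_ip)
    for host in lan:  # the broadcast reaches every host on the segment
        reply = host.receive(req)
        if reply is not None:
            sender.receive(reply)
    return sender.cache.get(target_ip)


if __name__ == "__main__":
    a = Host("192.168.1.10", "aa:aa:aa:aa:aa:aa")  # constructed sample hosts
    b = Host("192.168.1.20", "bb:bb:bb:bb:bb:bb")
    print(parse_arp_frame(a.request(b.ip)))
    print("A resolved B to", resolve(a, [b], b.ip))
    print("B learned A from the request:", b.cache)
```

Two details worth noticing in the simulation: the target's cache is filled by the request itself, before any reply is sent, and a second call to `resolve` for the same address never touches the network because the cache answers first.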

2. Why ARP is required

From the description of how ARP works above we noticed something: communication is ultimately done by MAC address, yet the MAC address itself is obtained from the IP address. In other words, the IP address could already be used to forward data within the local network; instead we use the IP to get the MAC and then communicate by MAC. Is that not redundant? Look at the process again: when a packet arrives at a router, the router parses it and knows which port to forward it out of, but it does not know the destination host's MAC address, so it broadcasts an ARP request to obtain it. Now suppose the router did not look up the MAC address but forwarded on IP alone. After the packet reaches the switch, suppose the switch did not forward on a MAC-to-port table but on an IP-to-port table: this hypothetical switch would learn IP-to-port instead of MAC-to-port mappings, and a packet reaching such a switch could be forwarded from that port table. Looking at the network layer of the Internet, I even wondered whether layer 2 could be removed entirely and routers used directly throughout. But because of subnetting, one router port corresponds to one network segment; there is no need to divide a small network into still smaller subnets, and doing so would be slow, so switches are still needed at layer 2. We know that during layer-3 route forwarding the router rewrites the source MAC and the destination MAC. Keep the IP packet format unchanged, with the source IP and destination IP as before, and in the layer-2 frame use a changing source IP and destination IP in place of the original source MAC and destination MAC. That is, an Ethernet packet would carry four IP addresses: at layer 3 the unchanging source and destination IP, and at layer 2 a source and destination IP that change at each routing hop.

So, if we ask only whether IP could achieve normal network communication in place of MAC, I think it could.

Of course, there are also reasons for using IP at layer 3 and MAC at layer 2: the Internet has evolved into the Ethernet + TCP/IP pattern we have today. When MAC addresses were used for point-to-point communication they were hard to remember, and the simpler IP address met the needs of both communication and memory. In addition, a variety of other network-interface-layer protocols appeared, and different networks may use different hardware addresses, which makes communication across these heterogeneous networks very cumbersome. As our predecessors kept exploring, the importance of the layered idea became ever clearer: using IP hides the complexity of the lower layers, and the lower layers can use different link protocols as long as the IP protocol above them is uniform (or the router can translate where some other network-layer protocol is in use). It is like the presentation layer obtaining a business-layer object through the business-layer interface: the implementing classes behind the same interface can differ in function.

3. Attacks against ARP

ARP places no restrictions on what a host will accept: at any time an attacker can send an ARP request or an ARP reply to a host, and the host will process it. ARP attacks on a LAN fall mainly into two categories: one sends a large number of packets to cause flooding, the other is ARP spoofing. Recall the resolution process and assume that A and B have communicated and hold correct ARP cache entries for each other. Now an attacker C sends a forged ARP reply to B in which the destination IP is B's, the sender IP is A's, and the sender MAC is C's MAC address. When B receives it, B updates its ARP cache and replaces the original mapping with A's IP address paired with C's MAC address. From then on A can still send data to B normally, but the data B sends to A is received by C. If the attacker also sends a forged reply to A, then C becomes a man in the middle between A and B and can read the traffic between them.

Another form of ARP spoofing targets the gateway: the attacker sends a large number of bogus ARP replies to the router. In these frames the data-link source MAC is the attacker C's MAC and the destination MAC is the router's MAC (which can be learned from the router's own ARP broadcasts); in the ARP payload the attacker can forge any IP address on the network as the sender IP, but sets the sender MAC to a MAC address that does not exist on the network. The result is a large number of incorrect IP-to-MAC entries in the router's ARP cache. Now a packet destined for host D arrives at the router. The router parses the packet, finds the outgoing port from the destination IP, and goes to encapsulate the data-link layer. It looks up D in its ARP cache and finds the poisoned entry, which says D's MAC is a nonexistent address we will call MAC H, so it sets the source MAC to the router's MAC and the destination MAC to MAC H.

The encapsulated frame reaches the switch, which looks up the destination MAC and finds no port corresponding to MAC H. The switch therefore floods the frame to A, B, C and D, but since no host has MAC H all four discard it, and the whole network becomes unusable. If the attacker does not keep sending forged replies, the poisoned entries age out as the router refreshes its ARP cache and the network recovers; if the attacker keeps sending, the network stays paralysed. Note from the attack process that the attacker has to send a large number of ARP packets, and the data-link source MAC on each of them is the attacker's own, so the switch's MAC-to-port table can be used to locate the host, and the port, launching the attack. To prevent ARP spoofing the essential requirement is that the ARP cache be correct. We can achieve this with a static IP-MAC mapping table; much ARP-protection software works on exactly this principle, installing static mappings so that forged replies cannot overwrite them. The trade-off is that static entries must be maintained by hand whenever a host or network card changes, so on larger networks the same check is usually enforced on the switch (Dynamic ARP Inspection), which drops ARP packets whose IP-MAC binding does not match a trusted table.
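Both attacks above, and the binding check that catches them, as an added example that is not code from the original post. The hosts keep the unprotected behaviour the text describes (any reply addressed to them overwrites the cache), the switch floods unknown destination MACs, and `inspect` applies the two checks a static table or switch-side inspection would apply: the ARP sender MAC must match the Ethernet source MAC, and a claimed IP must match its trusted binding. ARP messages are plain dicts of already-decoded fields; the hosts, IPs, MACs and the bogus MAC H are constructed sample values.

```python
"""Simulate ARP cache poisoning, the gateway-cache flood, and a binding check.

Added example, not code from the original post. ARP messages are dicts of
already-decoded fields; hosts, IPs and MACs are constructed sample values, and
the nonexistent gateway entry is the "MAC H" of the text.
"""
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
REQUEST, REPLY = 1, 2


def arp(eth_src: str, eth_dst: str, op: int, sender_mac: str, sender_ip: str,
        target_mac: str, target_ip: str) -> Dict[str, object]:
    """One ARP message together with the Ethernet header it travelled in."""
    return dict(eth_src=eth_src, eth_dst=eth_dst, op=op, sender_mac=sender_mac,
                sender_ip=sender_ip, target_mac=target_mac, target_ip=target_ip)


class Node:
    """Host or router with the unprotected behaviour the post describes: any ARP
    message addressed to it overwrites the cache entry for sender_ip. A static
    entry, when present, is never overwritten and wins on lookup."""

    def __init__(self, name: str, ip: str, mac: str) -> None:
        self.name, self.ip, self.mac = name, ip, mac
        self.cache: Dict[str, str] = {}
        self.static: Dict[str, str] = {}

    def on_arp(self, msg: Dict[str, object]) -> None:
        if msg["target_ip"] != self.ip or msg["sender_ip"] in self.static:
            return
        self.cache[str(msg["sender_ip"])] = str(msg["sender_mac"])

    def next_hop_mac(self, ip: str) -> Optional[str]:
        return self.static.get(ip) or self.cache.get(ip)


class Switch:
    """Learning switch: MAC-to-port table; unknown destinations are flooded."""

    def __init__(self) -> None:
        self.table: Dict[str, int] = {}
        self.ports: Dict[int, Node] = {}

    def attach(self, port: int, node: Node) -> None:
        self.ports[port] = node
        self.table[node.mac] = port  # as learned from the node's own frames

    def deliver(self, src_mac: str, dst_mac: Optional[str]) -> List[str]:
        """Names of nodes that accept a frame sent to dst_mac; a flood that no
        host accepts yields an empty list, which is the outage in the text."""
        if dst_mac is None:
            return []
        if dst_mac in self.table:
            targets = [self.ports[self.table[dst_mac]]]
        else:
            in_port = self.table[src_mac]
            targets = [n for p, n in self.ports.items() if p != in_port]
        return [n.name for n in targets if dst_mac in (n.mac, BROADCAST)]


def inspect(msg: Dict[str, object], bindings: Dict[str, str]) -> Optional[str]:
    """Reason to drop or alert on an ARP message, or None if it looks clean.
    `bindings` is the trusted IP-to-MAC table (static entries or DHCP leases)."""
    if msg["eth_src"] != msg["sender_mac"]:
        return "ARP sender MAC differs from Ethernet source MAC"
    known = bindings.get(str(msg["sender_ip"]))
    if known is not None and known != msg["sender_mac"]:
        return f"{msg['sender_ip']} claimed by {msg['sender_mac']}, bound to {known}"
    return None


def spoof_scenario() -> Dict[str, Optional[str]]:
    """C tells B that A's IP lives at C's MAC; B's traffic for A now goes to C."""
    a = Node("A", "10.0.0.1", "aa:aa:aa:aa:aa:aa")
    b = Node("B", "10.0.0.2", "bb:bb:bb:bb:bb:bb")
    c = Node("C", "10.0.0.3", "cc:cc:cc:cc:cc:cc")
    b.on_arp(arp(a.mac, b.mac, REPLY, a.mac, a.ip, b.mac, b.ip))  # genuine reply
    before = b.next_hop_mac(a.ip)
    forged = arp(c.mac, b.mac, REPLY, c.mac, a.ip, b.mac, b.ip)   # sender IP = A, MAC = C
    b.on_arp(forged)
    return {"before": before, "after": b.next_hop_mac(a.ip),
            "alert": inspect(forged, {a.ip: a.mac})}


def gateway_flood_scenario() -> Dict[str, object]:
    """C poisons the router's entry for D with MAC H, a MAC that exists nowhere."""
    sw = Switch()
    router = Node("R", "10.0.0.254", "0c:0c:0c:0c:0c:01")
    hosts = [Node(n, f"10.0.0.{i}", ":".join([n.lower() * 2] * 6))
             for i, n in enumerate("ABCD", start=1)]
    for port, node in enumerate([router] + hosts):
        sw.attach(port, node)
    c, d = hosts[2], hosts[3]
    router.on_arp(arp(d.mac, router.mac, REPLY, d.mac, d.ip, router.mac, router.ip))
    healthy = sw.deliver(router.mac, router.next_hop_mac(d.ip))
    mac_h = "de:ad:be:ef:00:01"  # MAC H: attached to no switch port
    forged = arp(c.mac, router.mac, REPLY, mac_h, d.ip, router.mac, router.ip)
    router.on_arp(forged)
    poisoned = sw.deliver(router.mac, router.next_hop_mac(d.ip))
    router.static[d.ip] = d.mac  # the static-entry defence
    router.on_arp(forged)        # same forgery, now ignored
    return {"healthy": healthy, "poisoned": poisoned, "alert": inspect(forged, {}),
            "with_static": sw.deliver(router.mac, router.next_hop_mac(d.ip))}


if __name__ == "__main__":
    print(spoof_scenario())
    print(gateway_flood_scenario())
```

The two forgeries trip different checks: the man-in-the-middle reply is internally consistent (C puts its own MAC in both the Ethernet header and the ARP body) and is only caught by the trusted-binding comparison, whereas the gateway flood has to lie in the ARP body while the frame still carries C's real source MAC, which is exactly the field that lets the switch port be traced.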

I am a novice and some parts are my own thinking; if there are errors, please point them out!
