Thoughts

21 Nov: Address Resolution Protocol - How ARP Works

ARP exists to translate an IPv4 logical address, used by applications, to a MAC address - the physical address representing a network interface. ARP might either directly identify the MAC address that corresponds to a target device on the local network, or it might identify the address of a gateway if the target is on a separate network. An ARP request message might look something like this:

And here's how it works. The sender wants to communicate with another device, the target. It'll first check to see if its local cache already contains the MAC address corresponding to the IP address of the target. Here's how you can check what's in the cache yourself:

$ ip neigh
10.2.116.1 dev enp0s31f6 lladdr 00:00:0c:9f:f0:01 REACHABLE

This is a shortening of "ip neighbour" (the US spelling also works) - see also ip-neighbour(8).

We want to talk (i.e. send some IP packets) to target IP 10.4.116.20 and there's nothing in the cache for that. So we'll send the ARP request message filled out as above. We include our own hardware and IP (protocol) address and the target IP; the target hardware address is blank because we don't know that yet. We'll send out this ARP request message to the Ethernet destination address FF:FF:FF:FF:FF:FF - the broadcast address. The switch will receive this, see it's addressed to the broadcast address, and send it out on all ports except the port the message arrived on. So all devices on the network receive the message.

The one whose IP address matches will then send an ARP reply - the same message format, with Opcode "2" (reply) and all the protocol and hardware addresses filled out. As the replier knows where it's sending things, the reply goes straight (unicast) to the original sender (no need to broadcast). The original sender can now add this mapping of IP to MAC address to its cache, and construct the stream of Ethernet frames containing the IP packets we began all this with.

Another look at the cache will show we now know about this neighbour:

$ ip neigh
10.4.116.20 dev enp0s31f6 lladdr 18:db:f2:f0:7b:4a REACHABLE
10.2.116.1 dev enp0s31f6 lladdr 00:00:0c:9f:f0:01 REACHABLE
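
The request/reply exchange described above, built and parsed field by field. This is an added example, not code from the original post; the sender's own MAC and IP (02:00:00:00:00:01, 10.4.116.7) are constructed values, and the helper names are hypothetical.

```python
import socket
import struct
from collections import namedtuple

# ARP payload for Ethernet/IPv4 (RFC 826): 28 bytes, network byte order.
ARP_FMT = "!HHBBH6s4s6s4s"
REQUEST, REPLY = 1, 2
BROADCAST, BLANK = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
Arp = namedtuple("Arp", "opcode sender_mac sender_ip target_mac target_ip")

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build(opcode, sender_mac, sender_ip, target_mac, target_ip):
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))

def parse(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return Arp(op, mac_str(sha), socket.inet_ntoa(spa), mac_str(tha), socket.inet_ntoa(tpa))

def frame(dst_mac, src_mac, payload):
    # Ethernet header: destination, source, EtherType 0x0806 (ARP)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0806) + payload

def respond(request, my_mac, my_ip):
    # Target side: only the owner of the requested IP answers, unicast to the asker.
    if request.opcode != REQUEST or request.target_ip != my_ip:
        return None
    reply = build(REPLY, my_mac, my_ip, request.sender_mac, request.sender_ip)
    return frame(request.sender_mac, my_mac, reply)

def learn(cache, eth_frame):
    # Sender side: record the replier's IP -> MAC mapping in the cache.
    msg = parse(eth_frame[14:])
    cache[msg.sender_ip] = msg.sender_mac

def demo(our_mac="02:00:00:00:00:01", our_ip="10.4.116.7"):  # constructed sender
    cache = {}
    wire = frame(BROADCAST, our_mac, build(REQUEST, our_mac, our_ip, BLANK, "10.4.116.20"))
    reply = respond(parse(wire[14:]), "18:db:f2:f0:7b:4a", "10.4.116.20")
    learn(cache, reply)
    return cache
```

`demo()` returns the same IP to MAC mapping that the second `ip neigh` listing shows for 10.4.116.20.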

Now if you want to change the IP address, you can see that it would be useful to let other servers on the local network know, so they don't try to send frames to the wrong place because of their ARP cache. This is done with a "gratuitous ARP" message - this is simply an ARP reply message with no target address, sent to the link broadcast address (similar to a normal ARP request). Receiving devices will update their ARP cache, but they don't need to send any reply.

It's worth noting that ARP is specific to IPv4. IPv6 uses Neighbor Discovery Protocol (NDP or just ND).

© 2017