
ARP and RARP

ARP is the Address Resolution Protocol, used to translate between Layer 2 MAC addresses and Layer 3 IP addresses. ARP resolves IPs to MAC addresses by broadcasting a request to the local segment that asks, in effect, “Who has IP address 192.168.2.140? Tell me.” The owner of that IP replies (normally by unicast to the requester) with “192.168.2.140 is at 00:0c:29:69:19:66.” In tcpdump's notation the exchange looks like this:

arp who-has 192.168.2.140 tell 192.168.2.4

arp reply 192.168.2.140 is-at 00:0c:29:69:19:66

Note: Protocols such as ARP are very trusting. ARP has no authentication, so any system on the local segment may answer a request, or send a reply that nobody asked for, and the recipient will accept it; an attacker can take advantage of this to hijack traffic by spoofing ARP replies. This leads to ARP cache poisoning attacks, in which victim systems cache bogus ARP entries that point to malicious systems. ARP cache poisoning is often used in Man-in-the-Middle (MitM) attacks: the attacker poisons the victim's ARP entry for a critical system (such as the default gateway) with the attacker's own MAC address, redirecting the victim's traffic through the attacker's system.

Secure networks should consider hard-coding (static) ARP entries for critical systems such as the default gateway for this reason. Static entries do not scale to large networks, so on managed switches the more practical control is Dynamic ARP Inspection (DAI), which validates each ARP reply against the switch's DHCP snooping binding table and drops replies whose IP-to-MAC mapping does not match.
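The detection side of the attack just described, as an added example that is not code from the original page: a small passive monitor that parses raw Ethernet/ARP frames, tracks which replies were actually solicited by a request, and flags both unsolicited replies and replies that change an already-learned IP-to-MAC binding. The frames are constructed inline; the 192.168.2.x addresses and the MAC 00:0c:29:69:19:66 follow the page's own example, while the requester's MAC (00:50:56:c0:00:08) and the attacker's MAC (aa:bb:cc:dd:ee:ff) are assumptions.

```python
"""Parse raw Ethernet/ARP frames and flag ARP cache-poisoning indicators.

Added example, not code from the original page. Frames are constructed inline;
the requester MAC 00:50:56:c0:00:08 and attacker MAC aa:bb:cc:dd:ee:ff are assumed.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str, dst_mac: str = None) -> bytes:
    """Ethernet II header + 28-byte ARP packet (htype=1 Ethernet, ptype=0x0800 IPv4).
    Requests go to the Ethernet broadcast MAC unless dst_mac is given."""
    dst = BROADCAST_MAC if dst_mac is None else mac_bytes(dst_mac)
    eth = dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return (op, mac_str(body[0:6]), ip_str(body[6:10]),
            mac_str(body[10:16]), ip_str(body[16:20]))


class ArpMonitor:
    """Passive detector: learns IP->MAC from replies and flags suspicious ones."""

    def __init__(self):
        self.bindings = {}               # ip -> first MAC seen claiming that ip
        self.pending = defaultdict(set)  # ip being resolved -> ips that asked for it
        self.alerts = []                 # (kind, ip, expected_mac, claimed_mac)

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sender_mac, sender_ip, _target_mac, target_ip = parsed
        if op == ARP_REQUEST:
            self.pending[target_ip].add(sender_ip)  # sender_ip wants target_ip's MAC
            return
        if op != ARP_REPLY:
            return
        # A reply is solicited only if target_ip recently asked "who-has sender_ip".
        if target_ip in self.pending[sender_ip]:
            self.pending[sender_ip].discard(target_ip)
        else:
            self.alerts.append(("unsolicited-reply", sender_ip, None, sender_mac))
        # First reply for an IP is trusted; any later reply claiming a different MAC is a conflict.
        known = self.bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            self.alerts.append(("mac-conflict", sender_ip, known, sender_mac))


def run_demo() -> ArpMonitor:
    """Replay a constructed exchange: a legitimate resolution, then a spoofed reply."""
    mon = ArpMonitor()
    requester, victim_mac = "192.168.2.4", "00:50:56:c0:00:08"
    mon.observe(build_arp(ARP_REQUEST, victim_mac, requester,
                          "00:00:00:00:00:00", "192.168.2.140"))
    mon.observe(build_arp(ARP_REPLY, "00:0c:29:69:19:66", "192.168.2.140",
                          victim_mac, requester, dst_mac=victim_mac))
    # Attacker (assumed MAC) claims the same IP without any request having been made.
    mon.observe(build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:ff", "192.168.2.140",
                          victim_mac, requester, dst_mac=victim_mac))
    return mon


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```

Tracking solicited versus unsolicited replies is what distinguishes this from a plain IP-to-MAC table: a poisoner usually sends replies that nobody asked for, so the "unsolicited-reply" signal fires even before a conflicting binding exists. Gratuitous ARP (a host announcing its own address) will also trip that check and should be whitelisted in a production tool.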

RARP (Reverse ARP) was used by legacy diskless workstations to determine their own IP addresses at boot. The node broadcasts a request that asks, in effect, “Who has MAC address 00:40:96:29:06:51? Tell 00:40:96:29:06:51.” In tcpdump's notation:

ARP, Reverse Request who-is 00:40:96:29:06:51 tell 00:40:96:29:06:51

In other words, RARP asks: “Who am I? Tell me.” A RARP server answers with the node’s IP address.

Unicast, Multicast, and Broadcast Traffic

Unicast is one-to-one traffic, such as a client surfing the Web. Multicast is one-to-many, and the “many” is preselected. Broadcast is one-to-all on a LAN.

Multicast traffic uses “Class D” addresses (224.0.0.0/4) when used over IPv4. Nodes join multicast groups (using IGMP in IPv4). A common multicast application is streaming audio or video. Sending 1000 audio streams via unicast would require a large amount of bandwidth, so multicast is used instead. It works like a tree: the initial stream is the trunk, and each member of the multicast group is a leaf. One stream is sent from the streaming server, and it branches at each router that has group members on more than one downstream interface. Multicast typically uses UDP, since TCP's one-to-one connection model does not fit one-to-many delivery.

Limited and Directed Broadcast Addresses

Broadcast traffic is sent to all stations on a LAN. There are two types of IPv4 broadcast addresses: limited broadcast and directed broadcast. The limited broadcast address is 255.255.255.255. It is “limited” because it is never forwarded across a router, unlike a directed broadcast.

The directed (also called net-directed) broadcast address of the 192.0.2.0/24 network is 192.0.2.255 (the host portion of the address is all “1”s in binary, or 255). It is called “directed” because traffic to these addresses may be sent from remote networks (it may be “directed” at a specific network). This is exactly what made directed broadcasts useful for amplification attacks such as Smurf, where ICMP echo requests with a spoofed victim source address were sent to a directed broadcast address so that every host on that network replied to the victim. Routers should therefore not forward directed broadcasts; RFC 2644 made this the recommended default, and modern router software ships with directed-broadcast forwarding disabled.
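The address arithmetic from the multicast and broadcast paragraphs above, as an added example that is not code from the original page: a classifier that does the host-bit computation by hand, recognises the 224.0.0.0/4 multicast range and the limited broadcast address, and shows how a router's forwarding decision differs for each kind. The list of local networks passed in is an assumption, as is the `directed_broadcast_enabled` flag, which stands in for a router's directed-broadcast forwarding setting.

```python
"""Classify IPv4 destinations as unicast, multicast, limited or directed broadcast.

Added example, not code from the original page. The local_networks argument and
the directed_broadcast_enabled flag are assumptions standing in for router config.
"""


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def directed_broadcast(network: str):
    """'192.0.2.0/24' -> '192.0.2.255': keep the network bits, set every host bit to 1.

    A /31 or /32 has no host bits to set, so it has no directed broadcast address
    and None is returned."""
    addr, prefix = network.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {network}")
    if prefix >= 31:
        return None
    host_mask = (1 << (32 - prefix)) - 1
    net_int = ip_to_int(addr) & ~host_mask & 0xFFFFFFFF  # zero any host bits given
    return int_to_ip(net_int | host_mask)


def classify(dst: str, local_networks) -> str:
    """Return 'limited-broadcast', 'multicast', 'directed-broadcast' or 'unicast'."""
    n = ip_to_int(dst)
    if n == 0xFFFFFFFF:
        return "limited-broadcast"          # 255.255.255.255, never leaves the LAN
    if (n >> 28) == 0b1110:                 # top four bits 1110 = 224.0.0.0/4, "Class D"
        return "multicast"
    if dst in {directed_broadcast(net) for net in local_networks}:
        return "directed-broadcast"
    return "unicast"


def router_should_forward(dst: str, local_networks, directed_broadcast_enabled: bool = False) -> bool:
    """Forwarding decision for a packet arriving at a router with the given attached networks."""
    kind = classify(dst, local_networks)
    if kind == "limited-broadcast":
        return False                        # limited broadcast is never routed
    if kind == "directed-broadcast":
        return directed_broadcast_enabled   # off by default per RFC 2644 (Smurf mitigation)
    # Unicast is routed normally; multicast is routed only toward interfaces with
    # group members, which this example does not model.
    return True


if __name__ == "__main__":
    nets = ["192.0.2.0/24", "198.51.100.0/31"]
    for dst in ("192.0.2.255", "255.255.255.255", "239.255.255.250", "192.0.2.10"):
        print(dst, classify(dst, nets), router_should_forward(dst, nets))
```

Note the /31 case: point-to-point links (RFC 3021) have no broadcast address at all, so a naive "host bits all ones" rule applied to them would wrongly classify the second usable host address as a broadcast.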

Layer 2 Broadcast Traffic

Layer 2 broadcast traffic reaches all nodes in a “broadcast domain.” Devices on the same LAN (or VLAN) are in the same broadcast domain; routers bound broadcast domains, switches do not. The Ethernet broadcast address is MAC address “FF:FF:FF:FF:FF:FF”: a frame sent to that address is flooded by an Ethernet switch out every port in the VLAN and is received by all connected nodes. ARP requests are a common example of such traffic.