1. Introduction to ARP protocol

In "IP Protocol" we explained the content related to IP addresses. The IP header contains the destination IP address and the source IP address. However, when a host sends an Ethernet data frame to another host on the same LAN, the destination interface is determined by the 48-bit Ethernet address; the device driver never checks the destination IP address in the IP datagram. Do you remember that in the Ethernet protocol of the data link layer, each data frame has a MAC address header? We know that each Ethernet card has a MAC address, which is unique. So how does the sender of an IP packet learn this MAC address? This is the work of the ARP protocol.

In the OSI model, ARP belongs to the link layer; in the TCP/IP model, ARP belongs to the network layer. Different sources disagree on which layer ARP belongs to, so we will not discuss it in detail here.

ARP (Address Resolution Protocol) is a resolution protocol. Initially, the host has no idea which host's interface a given IP address corresponds to. When the host wants to send an IP packet, it first checks its own ARP cache (that is, a cached IP-MAC address correspondence table). If the queried IP-MAC entry does not exist, the host sends an ARP broadcast packet onto the network. This broadcast packet contains the IP address being queried, and every host that receives the broadcast compares that address with its own IP address. If a receiving host finds that the address matches, it prepares an ARP packet containing its own MAC address and sends it to the host that sent the ARP broadcast. After receiving this ARP packet, the broadcasting host updates its own ARP cache (that is, the place where the IP-MAC correspondence table is stored) and uses the new cache data to prepare the data link layer for sending the data packet.

2. ARP protocol structure

From the previous article "Ethernet Packet Structure", the figure shows the data structure of the ARP protocol. Here we first look at the composition of a typical ARP packet.

The first 12 bytes are the destination and source MAC addresses, which were explained in "Ethernet Packet Structure". Next is the frame type, where 0806 indicates an ARP frame. Then comes the ARP packet itself.

The first field, hardware type, indicates the kind of hardware address the sender wants to resolve. For an Ethernet MAC address its value is 1. The protocol type field indicates the type of protocol address being mapped; the value 0x0800 means an IP address is being mapped. Note that this field uses the same set of values as the type field in the Ethernet frame header.

The next two single-byte fields are the hardware address length and the protocol address length. They give the length of the hardware address and the protocol address, respectively, in bytes. For ARP requests or replies on Ethernet their values are 6 and 4, the length of a MAC address and the length of an IP address. Carrying these two length fields in the ARP packet allows ARP to be used on any network, not just Ethernet.

The operation field op indicates the type of ARP packet: ARP request (value 1), ARP reply (value 2), RARP request (value 3) and RARP reply (value 4). Here we only care about the first two types. RARP is the Reverse Address Resolution Protocol. Briefly, RARP is used by a host to obtain its own IP address when it starts. The process is very simple: when the host starts, it broadcasts a RARP request packet, which contains its own MAC address, and then waits for a response.
Another host in the network must be configured to listen for RARP requests; after receiving the request, it assigns an IP address to the host and returns a RARP reply. Once the reply is received, the host has an IP address and can use it from then on.

The next four fields are the sender's Ethernet MAC address, the sender's IP address, the destination's Ethernet MAC address, and the destination's IP address. For the PAD bytes, please refer to "Ethernet Data Packet Structure".

Note: the sender's Ethernet MAC address appears both in the Ethernet frame header and in the ARP packet. In an ARP request, every field except the receiver's Ethernet address is filled in with its corresponding value. When the receiving host gets an ARP request addressed to itself, it fills in its own hardware address, swaps the source host information and the destination host information of the request, sets the operation field op to 2, and sends the newly constructed packet back. This is the ARP reply.

3. Wireshark packet capture analysis

Assume that we want to query the MAC address of IP 192.168.0.103, using the following command
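To make the field layout described above concrete, here is an added Python example (not code from the original article) that builds an ARP request with the values just described, parses it back, and constructs the reply the way the text describes: the responder fills in its own MAC, swaps the sender and target fields, and sets op to 2. The MAC and IP values are constructed for the example, and only Ethernet/IPv4 ARP (lengths 6 and 4) is handled.

```python
import struct
from typing import NamedTuple, Optional

# Field values described in the text (Ethernet/IPv4 ARP only)
ETHERTYPE_ARP = 0x0806      # frame type 0806 in the Ethernet header
HTYPE_ETHERNET = 1          # hardware type 1 = Ethernet MAC
PTYPE_IPV4 = 0x0800         # protocol type 0x0800 = IPv4 address
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
MIN_FRAME = 60              # minimum Ethernet frame without FCS; the shortfall is PAD bytes

class ArpFrame(NamedTuple):
    dst_mac: bytes
    src_mac: bytes
    op: int
    sha: bytes   # sender hardware (MAC) address
    spa: bytes   # sender protocol (IP) address
    tha: bytes   # target hardware address
    tpa: bytes   # target protocol address

def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode Ethernet header + ARP packet; rejects anything but Ethernet/IPv4 (hlen 6, plen 4)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol address lengths")
    # the four address fields follow; anything after byte 42 is PAD and is ignored
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(dst, src, op, sha, spa, tha, tpa)

def _pack(dst, src, op, sha, spa, tha, tpa) -> bytes:
    eth = struct.pack("!6s6sH", dst, src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4,
                      op, sha, spa, tha, tpa)
    return (eth + arp).ljust(MIN_FRAME, b"\x00")   # 14 + 28 = 42 bytes, so 18 PAD bytes

def build_request(my_mac: bytes, my_ip: bytes, target_ip: bytes) -> bytes:
    """ARP request: Ethernet broadcast, target MAC left as zeros (the one unfilled field)."""
    return _pack(BROADCAST, my_mac, OP_REQUEST, my_mac, my_ip, b"\x00" * 6, target_ip)

def build_reply(req: ArpFrame, my_mac: bytes, my_ip: bytes) -> Optional[bytes]:
    """Answer only a request for our own IP: fill in our MAC, swap sender/target, op = 2."""
    if req.op != OP_REQUEST or req.tpa != my_ip:
        return None
    return _pack(req.sha, my_mac, OP_REPLY, my_mac, my_ip, req.sha, req.spa)
```

Feeding the bytes of a captured frame to parse_arp_frame gives the same fields Wireshark shows in its ARP dissector.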
Packet capture analysis

Here is the Wireshark packet capture file. Link: https://pan.baidu.com/s/1AWPj85Jb4nmLY8h2yJucUA Extraction code: bxjq

4. ARP protocol classification

There are two types of ARP packets. The first is the ARP request packet, which is sent via Ethernet broadcast to the host with a certain IP address, asking that host to return its MAC address. The second is the ARP reply packet. A host that receives an ARP request compares the IP address in the packet with its own IP address; if they match, the host returns an ARP reply packet to the source host, reporting its MAC address. The source host updates its ARP cache table by extracting the relevant fields from the ARP reply packet.

Typical ARP cache information, produced by the "arp -a" command on any system, is as follows. This is the result. Such cache entries are time-limited, usually 20 minutes (Berkeley derivatives).

5. ARP protocol application

Basic knowledge: there are two devices under the router. They know each other's IP and MAC, but they cannot communicate directly; the router is needed for forwarding. If the two devices are connected directly with a network cable, they can communicate directly.

For example, there are two devices under the router. First of all, each device (including the router) has its own ARP cache table. Device A communicates with device B on the LAN (device A knows the IP address of device B).

Case 1: A knows B's MAC address, that is, device B is in its ARP cache table. It can directly encapsulate the packet and hand it over to the router.

Case 2: A does not know B's MAC address, that is, device B is not in its ARP cache table. Unfortunately, when this is the case, data transmission has to be delayed. First, device A sends an ARP request packet to the gateway (that is, the router), with the Ethernet destination address FF-FF-FF-FF-FF-FF. At this time, there are cases A and B.
Case A: the router knows device B's MAC, that is, device B is in its ARP cache table, and it returns device B's IP and MAC to device A. Device A updates its own ARP cache table and proceeds as in Case 1.

Case B: the router does not know device B's MAC address, so it sends an ARP request packet on its own LAN asking for device B's MAC address. After obtaining the MAC address it sends it to A, and A then proceeds as in Case 1.

The above shows that for network devices to communicate smoothly the first time, every device in the LAN must learn the others' MAC addresses. In network device development, we usually broadcast our own address information to the LAN right after the device first joins the network; this is called a gratuitous ARP request. Such an ARP packet tells the other hosts about our own information, and the other hosts update their ARP table entries according to the ARP packets they receive.

In the Berkeley-derived systems mentioned above, an ARP cache entry is generally kept for 20 minutes. If it is not refreshed in time, the host deletes the ARP entry of the "offline" device, because the host's ARP cache has limited memory and cannot store unlimited ARP entries. Because of this, the network devices we develop need to broadcast their address information periodically to indicate that they are "still alive". However, it cannot be sent too frequently: some models of routers treat frequent sending as a virus.

6. ARP Attack

The ARP protocol has a big loophole. If all users in the network behave properly, there is no problem using ARP according to the above process.
However, if a malicious device receives an ARP request packet (ARP requests are sent as broadcasts and can be received by every host in the LAN), it can generate an ARP reply regardless of whether the IP address in the request is its own, telling the requesting host: my MAC address is the one that matches the destination IP you asked for. On the other hand, since the source host that sent the ARP request has no fault tolerance or authentication (the ARP protocol provides no mechanism for either), it readily believes this ARP reply and adds it to its own ARP cache table. The consequences can be imagined: from then on the source host sends packets for that destination IP to the malicious host, which can easily eavesdrop on the data. This is the basic principle of the ARP attack we often hear about.

When PC1 sends an ARP request asking for PC2's MAC address, PC3 also receives the request because it is a broadcast. PC3 receives a broadcast that is not meant for it and answers with a false reply, telling PC1 that it is PC2. PC1 thus receives two replies (a correct IP2-MAC2 and a false IP2-MAC3), but PC1 has no way to tell which one is genuine: it simply treats the reply that arrives last as the real one, since each reply overwrites the cache entry. So how does the false reply arrive later? PC3 sends such replies continuously, always overwriting the correct one, and PC1 ends up with an ARP cache entry of IP2-MAC3. When PC1 later sends data to PC2, following the OSI model from top to bottom it encapsulates the data at the network layer with a header whose destination IP is IP2, then at the link layer queries the ARP cache and builds a frame whose destination MAC is MAC3, and sends it to the switch.
The switch looks up its CAM table, finds that MAC3 corresponds to Port3, and delivers the frame to PC3, completing an ARP attack. If the ARP attack is serious, a malicious network device can eavesdrop on all address information in the network and monitor multiple network devices simply by reading all the broadcast ARP requests that reach it.

Prevention methods: we can use a static ARP cache table to prevent ARP attacks, but the disadvantage is that this violates the dynamic address resolution principle of the ARP protocol.

This article is reprinted from the WeChat public account "Zhixiao Programming", which can be followed through the following QR code. To reprint this article, please contact the WeChat public account "Zhixiao Programming".
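As an added example from the defender's side (not part of the original article), the following Python monitor turns the page's own reasoning into detection logic: it remembers which MAC first answered for each IP, checks replies against the static ARP table the prevention section mentions, and flags the repeated-reply pattern PC3 uses to keep IP2-MAC3 in PC1's cache. The sample traffic, MAC addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

OP_REPLY = 2
Alert = Tuple[str, str, str]   # (kind, ip, detail)

class ArpWatch:
    """Passive ARP monitor for the scenario in section 6: learns the first IP->MAC
    binding seen in a reply, then alerts when the same IP is claimed by a different
    MAC, when a reply contradicts a configured static entry, or when one IP is
    answered for unusually often (the "keep overwriting the correct reply" pattern)."""

    def __init__(self, static: Optional[Dict[str, str]] = None,
                 window: float = 10.0, max_replies: int = 5):
        self.static = dict(static or {})        # ip -> mac, the static-ARP idea from the text
        self.learned: Dict[str, str] = {}       # ip -> mac from the first reply seen (taken on trust)
        self.recent = defaultdict(deque)        # ip -> timestamps of recent replies
        self.window, self.max_replies = window, max_replies

    def observe(self, ts: float, op: int, sender_mac: str, sender_ip: str) -> List[Alert]:
        alerts: List[Alert] = []
        if op != OP_REPLY:                      # only replies rewrite a victim's cache
            return alerts
        if sender_ip in self.static and self.static[sender_ip] != sender_mac:
            alerts.append(("static_violation", sender_ip, sender_mac))
        first = self.learned.setdefault(sender_ip, sender_mac)
        if first != sender_mac:
            alerts.append(("mac_change", sender_ip, f"{first} -> {sender_mac}"))
        q = self.recent[sender_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:    # slide the time window
            q.popleft()
        if len(q) > self.max_replies:
            alerts.append(("reply_flood", sender_ip, str(len(q))))
        return alerts

def audit(records, static=None) -> List[Alert]:
    """Run the monitor over (timestamp, op, sender_mac, sender_ip) records."""
    watch = ArpWatch(static)
    alerts: List[Alert] = []
    for ts, op, mac, ip in records:
        alerts.extend(watch.observe(ts, op, mac, ip))
    return alerts

# Constructed sample traffic: PC1 asks for IP2, PC2 (MAC2) answers, then PC3 (MAC3)
# keeps claiming IP2 so that its forged reply is always the last one PC1 sees.
MAC1, MAC2, MAC3 = "00:0c:29:11:11:11", "00:0c:29:22:22:22", "00:0c:29:33:33:33"
IP1, IP2 = "192.168.0.1", "192.168.0.2"
SAMPLE = [(0.0, 1, MAC1, IP1), (0.1, 2, MAC2, IP2)] + \
         [(0.2 + 0.1 * i, 2, MAC3, IP2) for i in range(6)]
```

Because the learned table trusts whichever reply comes first, an attacker who answers before the real host is only caught by the static entry or the flood check, which is the trade-off the prevention paragraph describes.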