Every IP device on an Ethernet network has a unique Ethernet MAC address. Device destination IPv4 and IPv6 addresses are either known or resolved by device name. However, MAC addresses must be discovered.
The process a source host uses to determine the destination MAC address associated with an IPv4 address is Address Resolution Protocol (ARP); for IPv6 packets, the equivalent process is ICMPv6 Neighbor Discovery (ND).
Understanding IPv4 Address Resolution Protocol (ARP)
Devices are assigned two primary addresses:
- Physical address (the MAC/media access control address) – Used for NIC-to-NIC communications on the same network.
- Logical address (the IP address) – Used to send the packet from the source device to the destination device.
Most network applications rely on the logical destination IP address to identify the location of the servers and clients. A device automatically obtains an IP address through Dynamic Host Configuration Protocol (DHCP).
The destination IP address may be on the same IP network as the source or on a remote network.
When a host creates a packet for a destination, it compares the destination IP address and its own IP address to determine if the two IP addresses are located on the same Layer 3 network.
On the same local network, the device sending the frame will use the MAC address of the destination device.
Layer 2 physical addresses (MAC addresses) are used to deliver the data link frame with the encapsulated IP packet from one network interface controller (NIC) to another NIC. On a local Ethernet network, a NIC only accepts a frame if the destination address is either the broadcast MAC address or corresponds to the MAC address of the NIC.
The ARP protocol has two main functions:
- To resolve an IPv4 address to a MAC address.
- To maintain an ARP table.
The ARP cache prevents the host from needlessly broadcasting ARP requests. An entry mapping a MAC address to an IPv4 address stays in memory for a short period of time (from 15 to 45 seconds). While the MAC address of the destination host is in its ARP table, the host can send frames directly to the destination without needing an ARP request.
To see these entries:
- On a Cisco router, use the show ip arp command to display the ARP table.
- On a Windows 10 PC, use the arp -a command to display the ARP table.
To dynamically discover the MAC address of a known destination, the source device broadcasts an ARP request on the local network. The device configured with the destination IPv4 address responds to the request with an ARP reply, and the MAC address is recorded in the ARP cache.
When only the IPv4 address of the host is known, the address resolution protocol (ARP) uses a three-step process to discover and store the MAC address of a host on the local network:
- The sending host creates and sends a frame addressed to a broadcast MAC address (FFFF.FFFF.FFFF - 48 ones). The frame has a message with the IPv4 address of the intended destination host.
- Each host on the network receives the broadcast frame and compares the IPv4 address inside the message with its configured IPv4 address. If the IP address in the ARP request matches its own IP address, the host sends an ARP reply containing its IP and MAC address.
- The sending host receives the message and stores the MAC address and IPv4 address information in an ARP table.
The ARP request is encapsulated in an Ethernet frame using the following header information:
- Destination MAC address – a broadcast address FF-FF-FF-FF-FF-FF requiring all Ethernet NICs on the LAN to accept and process the ARP request.
- Source MAC address – This is the MAC address of the sender of the ARP request.
- Type – ARP messages have a type field of 0x806. This informs the receiving NIC that the data portion of the frame needs to be passed to the ARP process.
Only the device with the target IPv4 address associated with the ARP request will respond with an ARP reply.
The ARP reply is encapsulated in an Ethernet frame using the following header information:
- Destination MAC address – This is the MAC address of the sender of the ARP request.
- Source MAC address – This is the MAC address of the sender of the ARP reply.
- Type – ARP messages have a type field of 0x806. This informs the receiving NIC that the data portion of the frame needs to be passed to the ARP process.
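The three-step process and the two frame layouts above can be made concrete by building and decoding the frames byte by byte. The following is an added example written for this page, not code from the original text: it encapsulates an ARP request and an ARP reply in Ethernet frames with the 0x0806 type field, decodes them, and implements the receiver's check that it only answers a request whose target IPv4 address is its own. The MAC and IP addresses used are constructed sample values.

```python
import struct

# Ethernet and ARP constants described on the page
ETH_TYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # destination of every ARP request
ZERO_MAC = "00:00:00:00:00:00"        # target MAC is unknown in a request
ARP_REQUEST = 1                       # opcode: "who has <target IP>?"
ARP_REPLY = 2                         # opcode: "<sender IP> is at <sender MAC>"
ETH_HDR_LEN = 14                      # dst MAC (6) + src MAC (6) + type (2)
ARP_LEN = 28                          # fixed ARP body for Ethernet/IPv4


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac):
    """Encapsulate one ARP message in an Ethernet frame (FCS omitted)."""
    eth_header = (mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac)
                  + struct.pack("!H", ETH_TYPE_ARP))
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp_body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp_body += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp_body += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth_header + arp_body


def build_arp_request(sender_mac, sender_ip, target_ip):
    # Step 1 on the page: broadcast destination, target MAC still unknown
    return build_arp_frame(ARP_REQUEST, sender_mac, sender_ip,
                           ZERO_MAC, target_ip, BROADCAST_MAC)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    # Reply frame is unicast back to the MAC of the requester
    return build_arp_frame(ARP_REPLY, sender_mac, sender_ip,
                           target_mac, target_ip, target_mac)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode Ethernet + ARP, rejecting frames that are not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_ARP:
        raise ValueError(f"EtherType 0x{eth_type:04x} is not ARP")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol address types")
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "eth_type": eth_type,
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def answer_request(frame: bytes, my_ip: str, my_mac: str):
    """Step 2 on the page: reply only if the request targets our own IPv4 address."""
    msg = parse_arp_frame(frame)
    if msg["opcode"] != ARP_REQUEST or msg["target_ip"] != my_ip:
        return None
    return build_arp_reply(my_mac, my_ip, msg["sender_mac"], msg["sender_ip"])


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the original text
    request = build_arp_request("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")
    print(parse_arp_frame(request))
    reply = answer_request(request, "192.168.1.1", "aa:bb:cc:dd:ee:ff")
    print(parse_arp_frame(reply))
```

Note that the reply's destination MAC is copied from the request's sender MAC field, and the requester records the reply's sender MAC/IP pair (step 3 on the page); a host that is not the target returns nothing.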
If no device responds to the ARP request, the packet is dropped because a frame cannot be created.
When the destination IP address (IPv4 or IPv6) is on a remote network, the destination MAC address will be the address of the host default gateway (i.e., the router interface).
The IP address of the default gateway is stored in the IP configuration of the hosts.
If the destination host is not on its same network, the source checks its ARP table for an entry with the IP address of the default gateway. If there is not an entry, it uses the ARP process to determine a MAC address of the default gateway.
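The local-versus-remote decision, the default-gateway fallback, and the short-lived ARP cache described above combine into one lookup on the sending host. The following is an added example for this page, not code from the original: it uses the host's own IP address and prefix length to decide whether the next hop is the destination itself or the default gateway, then consults a cache whose entries expire after a configurable TTL (the page gives 15 to 45 seconds; 45 is used here as an assumed default). Addresses and timestamps are constructed sample values.

```python
import ipaddress


class ArpCache:
    """IPv4 -> MAC table whose entries age out, forcing a fresh ARP request."""

    def __init__(self, ttl_seconds: float = 45.0):   # assumed default TTL
        self.ttl = ttl_seconds
        self._entries = {}   # IPv4 string -> (mac, expiry time)

    def learn(self, ip: str, mac: str, now: float) -> None:
        # Called when an ARP reply for `ip` arrives at time `now`
        self._entries[ip] = (mac, now + self.ttl)

    def lookup(self, ip: str, now: float):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if now >= expiry:
            del self._entries[ip]   # aged out; the host must ARP again
            return None
        return mac


def next_hop_ip(own_ip: str, prefix_len: int, default_gateway: str, dest_ip: str) -> str:
    """Same Layer 3 network -> deliver directly; otherwise -> default gateway."""
    local_net = ipaddress.ip_network(f"{own_ip}/{prefix_len}", strict=False)
    if ipaddress.ip_address(dest_ip) in local_net:
        return dest_ip
    return default_gateway


def resolve_next_hop_mac(cache: ArpCache, own_ip: str, prefix_len: int,
                         default_gateway: str, dest_ip: str, now: float):
    """Return (status, next_hop_ip, mac); mac is None when an ARP request is needed."""
    hop = next_hop_ip(own_ip, prefix_len, default_gateway, dest_ip)
    mac = cache.lookup(hop, now)
    if mac is not None:
        return ("cache-hit", hop, mac)
    return ("arp-request-needed", hop, None)


if __name__ == "__main__":
    # Constructed sample: host 192.168.1.10/24 with gateway 192.168.1.1
    cache = ArpCache()
    print(resolve_next_hop_mac(cache, "192.168.1.10", 24, "192.168.1.1", "10.0.0.5", now=0.0))
    cache.learn("192.168.1.1", "aa:bb:cc:dd:ee:ff", now=0.0)   # reply to the gateway ARP
    print(resolve_next_hop_mac(cache, "192.168.1.10", 24, "192.168.1.1", "10.0.0.5", now=10.0))
    print(resolve_next_hop_mac(cache, "192.168.1.10", 24, "192.168.1.1", "10.0.0.5", now=60.0))
```

Every remote destination resolves to the same gateway entry, so one cached gateway MAC serves all off-link traffic until the entry expires.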
To determine the best path to forward the IPv4 packet, routers:
- Examine the destination IPv4 address of the packet carried in the Ethernet frame;
- De-encapsulate the Layer 2 information;
- Using the destination IPv4 address, determine the next-hop device;
- Encapsulate the IPv4 packet in a new data link frame for the outgoing interface.
Along each link in a path, an IP packet is encapsulated in a frame. The frame is specific to the data link technology that is associated with that link. If the next-hop device is the final destination, the destination MAC address will be that of the device Ethernet NIC.
ARP poisoning attack
In some cases, the use of ARP can lead to a potential security risk. A threat actor can use ARP spoofing to perform an ARP poisoning attack.
This technique involves a threat actor replying to an ARP request for an IPv4 address that belongs to another device, such as the default gateway. The threat actor sends an ARP reply with its own MAC address. The receiver of the ARP reply adds the wrong MAC address to its ARP table and from then on sends packets intended for that IPv4 address to the threat actor.
Enterprise level switches include mitigation techniques known as dynamic ARP inspection (DAI).
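Dynamic ARP inspection works by validating each ARP reply against a trusted IP-to-MAC binding table (typically built from DHCP snooping) and dropping replies that contradict it. The following is an added detection example written for this page, not a vendor implementation: it runs that check over a constructed list of observed ARP replies, and separately reports any MAC address that claims more than one IPv4 address, which is the signature of the gateway-impersonation case described above. The binding table and the replies are constructed sample data.

```python
from collections import namedtuple

# One observed ARP reply: (timestamp, sender IPv4, sender MAC)
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample of replies seen on a LAN (not a real capture)
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway, legitimate
    ArpReply(2.0, "192.168.1.20", "aa:bb:cc:00:00:20"),   # ordinary host .20
    ArpReply(3.0, "192.168.1.1", "aa:bb:cc:00:00:20"),    # gateway IP claimed by .20's MAC
    ArpReply(4.0, "192.168.1.30", "aa:bb:cc:00:00:30"),   # ordinary host .30
]

# Constructed trusted bindings, playing the role of a DHCP snooping database
TRUSTED_BINDINGS = {
    "192.168.1.1": "aa:bb:cc:00:00:01",
    "192.168.1.20": "aa:bb:cc:00:00:20",
}


def inspect_arp_replies(replies, trusted_bindings):
    """Return alerts for replies that contradict the binding table or flip a learned mapping.

    A reply that fails the binding check is treated as dropped (as DAI would do),
    so it never reaches the `learned` table that models a victim's ARP cache.
    """
    alerts = []
    learned = {}   # sender_ip -> MAC first seen for it
    for reply in replies:
        expected = trusted_bindings.get(reply.sender_ip)
        if expected is not None and expected != reply.sender_mac:
            alerts.append({
                "type": "binding-mismatch",
                "ts": reply.ts,
                "ip": reply.sender_ip,
                "claimed_mac": reply.sender_mac,
                "expected_mac": expected,
            })
            continue
        previous = learned.get(reply.sender_ip)
        if previous is not None and previous != reply.sender_mac:
            # No trusted binding for this IP, but its MAC just changed: worth a look
            alerts.append({
                "type": "ip-mac-changed",
                "ts": reply.ts,
                "ip": reply.sender_ip,
                "claimed_mac": reply.sender_mac,
                "expected_mac": previous,
            })
        learned[reply.sender_ip] = reply.sender_mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """Map each MAC that answered for more than one IPv4 address to the sorted IP list."""
    claims = {}
    for reply in replies:
        claims.setdefault(reply.sender_mac, set()).add(reply.sender_ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in inspect_arp_replies(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(alert)
    print(macs_claiming_multiple_ips(SAMPLE_REPLIES))
```

With the binding table present the poisoned reply at ts 3.0 is rejected outright; without it (an empty table), the same reply is still surfaced as a changed IP-to-MAC mapping, which is the weaker, cache-based signal a host-side monitor has to rely on.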
IPv6 Neighbor Discovery: Address Resolution Explained
Much like ARP for IPv4, IPv6 devices use IPv6 Neighbor Discovery (ND) to determine the MAC address of a device that has a known IPv6 address.
When an IPv6 host needs to initiate communications with other hosts on the same network, it sends a neighbor solicitation message via multicast to start the address resolution process.
The sending host creates an Ethernet frame and adds a multicast MAC address in the Destination MAC address field. This multicast MAC address maps to the special solicited-node multicast address derived from the destination IPv6 address.
When an IPv6 host receives an ICMPv6 neighbor solicitation message for MAC address resolution, the host returns a neighbor advertisement message to provide the MAC address.
ICMPv6 neighbor solicitation messages are sent using special Ethernet and IPv6 multicast addresses. This allows the Ethernet NIC of the receiving device to determine whether the neighbor solicitation message is for itself without having to send it to the operating system for processing.
The multicast address is set with the link-local scope so the message can transmit only within the same link.
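The solicited-node multicast address and its Ethernet mapping are what let a NIC filter neighbor solicitations in hardware. The following is an added example for this page, not code from the original: it derives the solicited-node group ff02::1:ffXX:XXXX from the low 24 bits of a target IPv6 address, maps any IPv6 multicast group to its 33:33:xx:xx:xx:xx MAC address from the group's low 32 bits, checks that the group carries link-local scope, and models the receiving NIC's accept decision. The IPv6 and MAC addresses are constructed sample values.

```python
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
ALL_NODES_GROUP = "ff02::1"          # every IPv6 node also listens here
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def solicited_node_multicast(target: str) -> str:
    """ff02::1:ff00:0 with the low 24 bits of the target IPv6 address appended."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


def ipv6_multicast_mac(group: str) -> str:
    """Ethernet mapping for an IPv6 multicast group: 33:33 + low 32 bits of the group."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = int(addr) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def is_link_local_scope(group: str) -> bool:
    """Scope is the low nibble of the second byte; 2 means link-local (ff02::/16)."""
    addr = ipaddress.IPv6Address(group)
    return addr.is_multicast and ((int(addr) >> 112) & 0xF) == 2


def neighbor_solicitation_destination(target: str) -> tuple:
    """(IPv6 destination, Ethernet destination) of the NS sent to resolve `target`."""
    group = solicited_node_multicast(target)
    return group, ipv6_multicast_mac(group)


def nic_accepts(dst_mac: str, my_mac: str, my_ipv6_addrs) -> bool:
    """Accept unicast to us, broadcast, all-nodes, or a solicited-node group for one of our addresses."""
    if dst_mac in (my_mac, BROADCAST_MAC):
        return True
    groups = {ALL_NODES_GROUP} | {solicited_node_multicast(a) for a in my_ipv6_addrs}
    return dst_mac in {ipv6_multicast_mac(g) for g in groups}


if __name__ == "__main__":
    # Constructed sample: resolving a neighbor's link-local address
    target = "fe80::1234:5678:9abc:def0"
    group, mac = neighbor_solicitation_destination(target)
    print(group, mac, is_link_local_scope(group))
    print(nic_accepts(mac, "00:11:22:33:44:55", [target]))
    print(nic_accepts(mac, "00:11:22:33:44:55", ["fe80::1"]))
```

Because only the low 24 bits of the target address feed the group, a NIC that programs its multicast filter with the 33:33 addresses of its own solicited-node groups discards solicitations for other hosts before the operating system ever sees them, which is the filtering benefit described above.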