At which layer is the arp protocol located?

The arp protocol belongs to the IP layer (network layer) in the TCP/IP model and the link layer in the OSI model. arp is the address resolution protocol. It is a TCP/IP protocol that obtains the physical address based on the IP address. It is used to convert the computer's network address (IP address 32 bits) into a physical address (MAC address 48 bits); the ARP protocol is a link Layer protocol, in Ethernet, the data frame from one host to another host in the network determines the interface based on the 48-bit Ethernet address.

The operating environment of this tutorial: Windows 7 system, Dell G3 computer.

What is arp protocol? On which floor?

The arp protocol, also known as the address resolution protocol, is a TCP/IP protocol that obtains a physical address based on an IP address. It can solve the mapping problem of IP address and MAC address of the host or router in the same LAN. The arp protocol belongs to the IP layer (network layer) in the TCP/IP model and the link layer in the OSI model.

In the LAN, what is actually transmitted in the network is "frame", and the frame contains the MAC address of the target host. In Ethernet, if a host wants to communicate directly with another host, it must know the MAC address of the target host. But how is this target MAC address obtained? It is obtained through the Address Resolution Protocol. The so-called "address resolution" is the process in which the host converts the target IP address into the target MAC address before sending the frame. The basic function of the ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.

ARP (AddressResolutionProtocol) Address Resolution Protocol is used to convert the computer's network address (IP address 32 bits) into a physical address (MAC address 48 bits) [RFC826]. The ARP protocol is a link layer protocol. In the Ethernet, the data frame from one host to another host in the network determines the interface based on the 48-bit Ethernet address (hardware address). , rather than based on the 32-bit IP address. The kernel (such as a driver) must know the hardware address of the destination in order to send data. Of course, point-to-point connections do not require the ARP protocol.

Function of arp protocol

Using arp protocol, according to the network layer IP data packet header The IP address information parses out the target hardware address (MAC address) information to ensure smooth communication.

The OSI model divides network work into seven layers. The IP address is on the third layer of the OSI model, and the MAC address is on the second layer. They do not interact directly with each other. When sending IP data packets through Ethernet, it is necessary to encapsulate the headers of the third layer (32-bit IP address) and the second layer (48-bit MAC address). However, since only the target IP address is known when sending, its MAC address is not known. , and cannot span the second and third layers, so the address resolution protocol needs to be used. Using the address resolution protocol, the target hardware address (MAC address) information can be parsed out based on the IP address information in the network layer IP packet header to ensure smooth communication.

ARP protocol example

In order to explain the role of the ARP protocol, it is necessary to understand the data transmission process on the network. Here is a simple PING example.

Assume that our computer IP address is 192.168.1.1, and we need to execute this command: ping192.168.1.2. This command will send ICMP packets through the ICMP protocol.

This process requires the following steps:

1. The application constructs a data packet. This example generates an ICMP packet and submits it to the kernel (network driver);

2. The kernel checks whether it can convert the IP address to a MAC address, that is, check the IP-MAC correspondence table in the local ARP cache;

3. If the IP-MAC correspondence exists, then jump to Step 9; If the IP-MAC correspondence does not exist, then continue with the following steps;

　4. The kernel performs ARP broadcast, and the destination MAC address is FF-FF-FF-FF-FF-FF. The ARP command type is REQUEST (1), which contains its own MAC address;

5. When the 192.168.1.2 host receives the ARP request, it sends an ARP REPLY (2) command, which contains Own MAC address;

6. Obtain the IP-MAC address correspondence of the 192.168.1.2 host locally and save it to the ARP cache;

7. The kernel will convert the IP into a MAC address , then encapsulate it in the Ethernet header structure, and then send the data out;

Use the arp-a command to view the contents of the local ARP cache. Therefore, after executing a local PING command, the ARP cache will There is a record of the destination IP. Of course, if your data packet is sent to a destination on a different network segment, then there must be a record corresponding to the IP-MAC address of the gateway.

Knowing the role of the ARP protocol, you can clearly know that the outward transmission of data packets relies heavily on the ARP protocol, and of course, relies on the ARP cache. You should know that all operations of the ARP protocol are automatically completed by the kernel and have nothing to do with other applications. At the same time, it should be noted that the ARP protocol is only used on this network.

Extended knowledge: ARP spoofing (security risk)

The arp protocol is based on mutual trust between hosts in the network. Hosts on the network You can send ARP reply messages autonomously. When other hosts receive the reply message, they will not check the authenticity of the message and record it in the local ARP cache. From this, the attacker can send a fake ARP reply message to a certain host. text, so that the information sent cannot reach the expected host or reaches the wrong host, which constitutes an ARP spoofing.

ARP spoofing can cause the target computer to fail to communicate with the gateway, and can also cause communication to be redirected. All data will pass through the attacker's machine, so there is a huge security risk.

How to defend?

● Don’t build the network security trust relationship based on IP or MAC (RARP also has the problem of spoofing). The ideal relationship should be based on IP MAC.

● Set up a static MAC-->IP correspondence table, and do not let the host refresh the set translation table.

● Unless necessary, stop using ARP and save ARP as a permanent entry in the corresponding table.

● Use ARP server. Use this server to look up its own ARP translation table to respond to other machines' ARP broadcasts. Make sure this ARP server is not hacked.

● Use "proxy" to proxy IP transmission.

●Use hardware to shield the host. Set up the routing to ensure that the IP address can reach the legal path (statically configure routing ARP entries). Note that using switching hubs and bridges cannot prevent ARP spoofing.

● The administrator periodically obtains a RARP request from the response IP packet, and then checks the authenticity of the ARP response.

● The administrator polls regularly to check the ARP cache on the host.

●Use a firewall to continuously monitor the network. Note that when SNMP is used, ARP spoofing may cause trap packets to be lost. [6]

●If you are infected with ARP virus, you can solve it by clearing the ARP cache, specifying ARP correspondence, adding routing information, and using anti-virus software.

For more related knowledge, please visit the FAQ column!

The above is the detailed content of At which layer is the arp protocol located?. For more information, please follow other related articles on the PHP Chinese website!