Part XVI - ARP

18. ARP Deep Dive

IPv4 address resolution, Linux neighbor states, gratuitous ARP, proxy ARP, ARP spoofing, and switch-level defenses.

1. Overview

ARP is the bridge between IPv4 routing decisions and Ethernet forwarding. After the route lookup says a destination or next hop is reachable on the local link, the kernel needs a destination MAC address before it can emit the frame.

ARP is intentionally simple and trusting: requests are broadcasts, replies are usually unicasts, and hosts cache the resulting IPv4-to-MAC mapping. That simplicity is why ARP is operationally important and easy to abuse.

2. 18.1 - ARP Request and Reply

An Ethernet ARP packet uses EtherType 0x0806. The payload names the hardware address family, protocol family, address sizes, opcode, sender mapping, and target mapping.

A request is broadcast to ff:ff:ff:ff:ff:ff because the requester does not yet know the target MAC. The owner of the target IPv4 address replies unicast to the requester's MAC with its own mapping, and the requester installs a neighbor-cache entry. Linux also records the requester's mapping (as a STALE entry) when it answers a request for one of its own addresses, so a single exchange usually populates both caches.

Field            Typical Ethernet / IPv4 value   Purpose
Hardware type    1                               Ethernet address family.
Protocol type    0x0800                          IPv4 protocol address family.
Hardware size    6                               MAC address length in bytes.
Protocol size    4                               IPv4 address length in bytes.
Opcode           1 or 2                          Request or reply.
Sender MAC / IP  requester's mapping             In a reply, the replier's own mapping; this is the pair the receiver caches.
Target MAC       zero in a request               Unknown when asking; in the reply it holds the requester's MAC (the replier's MAC travels in the sender field).
Target IP        address being resolved          In the reply, the requester's IP.
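The exchange described above, as an added C example (it is not the page's own demo code): it serializes and parses the 42-byte Ethernet/ARP frame, applies the sanity checks a receiver should make before trusting any field, and has the address owner build the unicast reply. The hosts and addresses (192.168.1.10, 192.168.1.30 and the 02:00:... MACs) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN      6
#define ETH_P_ARP     0x0806   /* EtherType of an ARP frame */
#define ETH_P_IP      0x0800   /* protocol type: IPv4 */
#define ARPHRD_ETHER  1        /* hardware type: Ethernet */
#define ARPOP_REQUEST 1
#define ARPOP_REPLY   2
#define ARP_FRAME_LEN 42       /* 14-byte Ethernet header + 28-byte ARP body */

/* Decoded Ethernet/IPv4 ARP packet; IPv4 addresses are kept in host byte order. */
struct arp_pkt {
    uint8_t  dst_mac[ETH_ALEN], src_mac[ETH_ALEN];
    uint16_t opcode;
    uint8_t  sha[ETH_ALEN]; uint32_t spa;   /* sender hardware / protocol address */
    uint8_t  tha[ETH_ALEN]; uint32_t tpa;   /* target hardware / protocol address */
};

static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void     put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p)       { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p)       { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Serialize a packet: Ethernet header, then the fixed 28-byte ARP body. */
size_t arp_build(uint8_t out[ARP_FRAME_LEN], const struct arp_pkt *a)
{
    uint8_t *b = out + 14;
    memcpy(out, a->dst_mac, ETH_ALEN);
    memcpy(out + 6, a->src_mac, ETH_ALEN);
    put16(out + 12, ETH_P_ARP);
    put16(b + 0, ARPHRD_ETHER);
    put16(b + 2, ETH_P_IP);
    b[4] = ETH_ALEN;                 /* hardware size */
    b[5] = 4;                        /* protocol size */
    put16(b + 6, a->opcode);
    memcpy(b + 8, a->sha, ETH_ALEN);  put32(b + 14, a->spa);
    memcpy(b + 18, a->tha, ETH_ALEN); put32(b + 24, a->tpa);
    return ARP_FRAME_LEN;
}

/* Parse with the sanity checks a receiver must apply before trusting any field.
   Returns 0 on success or a negative code naming the failed check. */
int arp_parse(const uint8_t *f, size_t len, struct arp_pkt *a)
{
    const uint8_t *b = f + 14;
    uint16_t op;
    if (len < ARP_FRAME_LEN)                                  return -1; /* truncated */
    if (get16(f + 12) != ETH_P_ARP)                           return -2; /* not ARP */
    if (get16(b) != ARPHRD_ETHER || get16(b + 2) != ETH_P_IP) return -3; /* not Ethernet/IPv4 */
    if (b[4] != ETH_ALEN || b[5] != 4)                        return -4; /* bad address sizes */
    op = get16(b + 6);
    if (op != ARPOP_REQUEST && op != ARPOP_REPLY)             return -5; /* unknown opcode */
    memcpy(a->dst_mac, f, ETH_ALEN);
    memcpy(a->src_mac, f + 6, ETH_ALEN);
    a->opcode = op;
    memcpy(a->sha, b + 8, ETH_ALEN);  a->spa = get32(b + 14);
    memcpy(a->tha, b + 18, ETH_ALEN); a->tpa = get32(b + 24);
    return 0;
}

/* The owner of req->tpa answers: unicast to the requester, sender fields carry the
   owner's mapping, target fields echo the requester's mapping. */
void arp_make_reply(const struct arp_pkt *req, const uint8_t my_mac[ETH_ALEN], struct arp_pkt *rep)
{
    memcpy(rep->dst_mac, req->sha, ETH_ALEN);
    memcpy(rep->src_mac, my_mac, ETH_ALEN);
    rep->opcode = ARPOP_REPLY;
    memcpy(rep->sha, my_mac, ETH_ALEN);  rep->spa = req->tpa;
    memcpy(rep->tha, req->sha, ETH_ALEN); rep->tpa = req->spa;
}

/* Constructed sample addresses (hypothetical hosts, not from the page). */
static const uint8_t MAC_A[ETH_ALEN]     = {0x02,0x00,0x00,0x00,0x00,0x0a};  /* 192.168.1.10 */
static const uint8_t MAC_B[ETH_ALEN]     = {0x02,0x00,0x00,0x00,0x00,0x1e};  /* 192.168.1.30 */
static const uint8_t MAC_BCAST[ETH_ALEN] = {0xff,0xff,0xff,0xff,0xff,0xff};
#define IP_A 0xC0A8010AU   /* 192.168.1.10 */
#define IP_B 0xC0A8011EU   /* 192.168.1.30 */

/* Worked exchange: A broadcasts a request for B, B parses it and unicasts a reply.
   Fills both wire frames and returns 0 when every step validated. */
int arp_demo_exchange(uint8_t req_frame[ARP_FRAME_LEN], uint8_t rep_frame[ARP_FRAME_LEN])
{
    struct arp_pkt req = {0}, seen, rep;
    memcpy(req.dst_mac, MAC_BCAST, ETH_ALEN);   /* target MAC unknown, so broadcast */
    memcpy(req.src_mac, MAC_A, ETH_ALEN);
    req.opcode = ARPOP_REQUEST;
    memcpy(req.sha, MAC_A, ETH_ALEN); req.spa = IP_A;
    /* req.tha stays all-zero: the requester does not know it yet */
    req.tpa = IP_B;
    arp_build(req_frame, &req);

    if (arp_parse(req_frame, ARP_FRAME_LEN, &seen) != 0) return -1;
    if (seen.opcode != ARPOP_REQUEST || seen.tpa != IP_B) return -2; /* not for B: ignore */
    arp_make_reply(&seen, MAC_B, &rep);
    arp_build(rep_frame, &rep);
    return memcmp(rep_frame, MAC_A, ETH_ALEN) == 0 ? 0 : -3;      /* reply is unicast to A */
}

int main(void)
{
    uint8_t req[ARP_FRAME_LEN], rep[ARP_FRAME_LEN];
    int rc = arp_demo_exchange(req, rep);
    printf("exchange rc=%d request opcode=%u reply opcode=%u\n", rc, req[21], rep[21]);
    return rc != 0;
}
```

The length and type checks in arp_parse are the part worth copying: a raw-socket sniffer or a spoof detector that reads the opcode or the sender fields from a frame shorter than 42 bytes, or from a frame whose hardware/protocol sizes are not 6 and 4, is reading past the packet or misinterpreting it.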

3. 18.2 - ARP Cache Management

Linux stores ARP entries in the neighbor table and drives them through Neighbor Unreachability Detection states. The important interview point is that a stale entry can still be used briefly; validation happens after traffic proves the entry matters.

Background: A busy host should not broadcast ARP for every packet, but it also cannot trust an old MAC forever. NUD balances fast forwarding with occasional reachability confirmation.

Plan: create an INCOMPLETE entry while resolution is pending (the solicitations are broadcast, since no MAC is known yet), mark it REACHABLE after a reply, age it to STALE, use it once and enter DELAY, then send unicast probes to the cached MAC before declaring FAILED.

Example: Host A resolves 192.168.1.30. The entry is REACHABLE for roughly the randomized reachable time, becomes STALE, is used for one outgoing packet (with the old MAC, no waiting), enters DELAY, then either returns to REACHABLE after a probe reply or an upper-layer confirmation (a TCP ACK reaching the kernel's dst_confirm path skips the probe entirely) or, after the unicast probes are exhausted, becomes FAILED.

Neighbor tables are also garbage-collected. Large flat L2 domains create pressure because every active peer can become a neighbor entry; routers and large hosts commonly tune thresholds to avoid failed allocations.

State / knob    Meaning
INCOMPLETE      Resolution request sent (broadcast); outgoing packets are queued until a reply arrives or the mcast_solicit probes are exhausted.
REACHABLE       Fresh mapping confirmed within the randomized reachable timer (between base_reachable_time/2 and 3*base_reachable_time/2).
STALE           Mapping is old but still usable; the next transmission moves the entry to DELAY.
DELAY / PROBE   Kernel waits delay_first_probe_time for an upper-layer confirmation, then sends up to ucast_solicit unicast probes; exhausting them yields FAILED.
gc_thresh1/2/3  Garbage-collection thresholds: below gc_thresh1 entries are never reclaimed, above gc_thresh2 (soft) the collector reclaims aggressively, and above gc_thresh3 (hard) new entries cannot be allocated.
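The state machine above, as an added C example (not the page's demo): a table-driven model of the NUD transitions in net/core/neighbour.c driven by four events, with the sysctl defaults Linux ships (ucast_solicit=3, mcast_solicit=3, mcast_resolicit=0). The event names and the helper functions are this example's own; the point it makes concrete is that STALE, DELAY and PROBE entries still hand out the cached MAC, while only INCOMPLETE, FAILED and missing entries make traffic wait.

```c
#include <stdbool.h>
#include <stdio.h>

/* Neighbor states, named after the NUD_* flags Linux uses. */
enum nud { NUD_NONE, NUD_INCOMPLETE, NUD_REACHABLE, NUD_STALE, NUD_DELAY, NUD_PROBE, NUD_FAILED };

/* Events that drive the entry (a simplification of net/core/neighbour.c). */
enum nud_event {
    EV_TX,        /* the IP layer wants to send a packet to this neighbor */
    EV_ARP_REPLY, /* a solicited ARP reply for the entry arrived */
    EV_CONFIRM,   /* upper layer saw two-way traffic, e.g. a TCP ACK (dst_confirm) */
    EV_TIMER      /* the timer of the current state expired */
};

enum tx_action { TX_SEND, TX_QUEUE };

struct neigh {
    enum nud state;
    int  probes;            /* solicitations sent in the current INCOMPLETE/PROBE round */
    int  ucast_solicit;     /* sysctl ucast_solicit, default 3: unicast probes in PROBE */
    int  mcast_solicit;     /* sysctl mcast_solicit, default 3: broadcast probes in INCOMPLETE */
    int  mcast_resolicit;   /* sysctl mcast_resolicit, default 0: broadcast probes after unicast ones fail */
    bool last_probe_broadcast;
};

void neigh_init(struct neigh *n)
{
    n->state = NUD_NONE; n->probes = 0;
    n->ucast_solicit = 3; n->mcast_solicit = 3; n->mcast_resolicit = 0;
    n->last_probe_broadcast = false;
}

/* What the IP layer can do with the entry right now. Every "valid" state, STALE
   included, still hands out the cached MAC; unresolved entries queue the packet. */
enum tx_action neigh_tx_action(const struct neigh *n)
{
    switch (n->state) {
    case NUD_REACHABLE: case NUD_STALE: case NUD_DELAY: case NUD_PROBE: return TX_SEND;
    default: return TX_QUEUE;   /* NONE/FAILED/INCOMPLETE: resolve first */
    }
}

/* Send one solicitation. INCOMPLETE has no MAC to unicast to, so it broadcasts;
   PROBE unicasts to the cached MAC until ucast_solicit is used up and then
   broadcasts only if mcast_resolicit allows it. */
static void solicit(struct neigh *n)
{
    n->last_probe_broadcast = (n->state == NUD_INCOMPLETE) || (n->probes >= n->ucast_solicit);
    n->probes++;
}

enum nud neigh_event(struct neigh *n, enum nud_event ev)
{
    switch (n->state) {
    case NUD_NONE: case NUD_FAILED:
        if (ev == EV_TX) { n->state = NUD_INCOMPLETE; n->probes = 0; solicit(n); }
        break;
    case NUD_INCOMPLETE:
        if (ev == EV_ARP_REPLY) { n->state = NUD_REACHABLE; n->probes = 0; }
        else if (ev == EV_TIMER) {
            if (n->probes >= n->mcast_solicit) n->state = NUD_FAILED;  /* queued packets are dropped */
            else solicit(n);
        }
        break;
    case NUD_REACHABLE:
        if (ev == EV_TIMER) n->state = NUD_STALE;   /* randomized reachable_time ran out */
        break;
    case NUD_STALE:
        if (ev == EV_TX) n->state = NUD_DELAY;      /* packet leaves with the old MAC, validation starts */
        break;
    case NUD_DELAY:
        if (ev == EV_CONFIRM || ev == EV_ARP_REPLY) n->state = NUD_REACHABLE;          /* no probe needed */
        else if (ev == EV_TIMER) { n->state = NUD_PROBE; n->probes = 0; solicit(n); } /* delay_first_probe_time passed */
        break;
    case NUD_PROBE:
        if (ev == EV_ARP_REPLY) { n->state = NUD_REACHABLE; n->probes = 0; }
        else if (ev == EV_TIMER) {
            if (n->probes >= n->ucast_solicit + n->mcast_resolicit) n->state = NUD_FAILED;
            else solicit(n);
        }
        break;
    }
    return n->state;
}

static const char *nud_name(enum nud s)
{
    static const char *names[] = {"NONE","INCOMPLETE","REACHABLE","STALE","DELAY","PROBE","FAILED"};
    return names[s];
}

int main(void)
{
    struct neigh n; neigh_init(&n);
    enum nud_event script[] = {EV_TX, EV_ARP_REPLY, EV_TIMER, EV_TX, EV_TIMER, EV_TIMER, EV_TIMER, EV_TIMER};
    for (size_t i = 0; i < sizeof script / sizeof script[0]; i++)
        printf("event %d -> %-10s probes=%d broadcast=%d\n", (int)script[i],
               nud_name(neigh_event(&n, script[i])), n.probes, (int)n.last_probe_broadcast);
    return 0;
}
```

With the defaults, a PROBE round is three unicast probes and then FAILED; the kernel only falls back to broadcast re-solicitation when mcast_resolicit is raised, which is the knob to look at when a peer changed its MAC silently and stale entries keep failing.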

4. 18.3 - Gratuitous ARP

Gratuitous ARP announces a host's own mapping: sender IP and target IP are the same address. It is normally sent as a broadcast ARP request (opcode 1), although some stacks send a reply (opcode 2) instead. It is used for duplicate address detection, VRRP or HSRP failover, NIC bonding, and VM migration.

RFC 5227 separates probes from announcements. A probe uses sender IP 0.0.0.0 while checking whether an address is already in use; an announcement broadcasts the chosen address after ownership is established.
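The classification and the two things a gratuitous ARP actually changes, as an added C example (not the page's demo): an RFC 5227 probe/announcement classifier with the conflict rule a probing host applies, a host neighbor cache that follows the Linux arp_accept rule (unsolicited ARP updates an entry the host already has but creates a new one only when net.ipv4.conf.<iface>.arp_accept=1), and a switch MAC table that relearns the port from the announcement. The VIP 192.168.1.1, routers R1/R2 and their 02:00:... MACs are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARPOP_REQUEST 1
#define ARPOP_REPLY   2
#define CACHE_SIZE    8

/* Already-decoded ARP fields (sender/target hardware and protocol addresses). */
struct arp_fields { uint16_t opcode; uint8_t sha[6]; uint32_t spa; uint8_t tha[6]; uint32_t tpa; };

enum arp_kind { ARP_NORMAL, ARP_ACD_PROBE, ARP_ANNOUNCEMENT, ARP_GRATUITOUS_REPLY };

/* RFC 5227 classification: a probe has sender IP 0.0.0.0 and asks for the candidate
   address; an announcement (or a gratuitous reply) carries the same IP in both fields. */
enum arp_kind arp_classify(const struct arp_fields *a)
{
    if (a->opcode == ARPOP_REQUEST && a->spa == 0) return ARP_ACD_PROBE;
    if (a->spa == a->tpa) return a->opcode == ARPOP_REQUEST ? ARP_ANNOUNCEMENT : ARP_GRATUITOUS_REPLY;
    return ARP_NORMAL;
}

/* Conflict rule while a host is probing `candidate` from `my_mac`: any ARP whose sender IP
   is the candidate, or another host's probe for the candidate, means the address is taken. */
bool acd_conflict(uint32_t candidate, const uint8_t my_mac[6], const struct arp_fields *a)
{
    if (memcmp(a->sha, my_mac, 6) == 0) return false;     /* our own packet looped back */
    if (a->spa == candidate) return true;
    return arp_classify(a) == ARP_ACD_PROBE && a->tpa == candidate;
}

/* Host neighbor cache with the Linux arp_accept rule. */
struct cache_entry { bool used; uint32_t ip; uint8_t mac[6]; };
struct neigh_cache { struct cache_entry e[CACHE_SIZE]; int arp_accept; };

void cache_init(struct neigh_cache *c, int arp_accept) { memset(c, 0, sizeof *c); c->arp_accept = arp_accept; }

struct cache_entry *cache_lookup(struct neigh_cache *c, uint32_t ip)
{
    for (int i = 0; i < CACHE_SIZE; i++) if (c->e[i].used && c->e[i].ip == ip) return &c->e[i];
    return NULL;
}

bool cache_add(struct neigh_cache *c, uint32_t ip, const uint8_t mac[6])
{
    for (int i = 0; i < CACHE_SIZE; i++) if (!c->e[i].used) {
        c->e[i].used = true; c->e[i].ip = ip; memcpy(c->e[i].mac, mac, 6); return true;
    }
    return false;
}

/* Returns true if the gratuitous ARP changed the cache. Probes carry no mapping. */
bool cache_apply_garp(struct neigh_cache *c, const struct arp_fields *a)
{
    enum arp_kind k = arp_classify(a);
    if (k != ARP_ANNOUNCEMENT && k != ARP_GRATUITOUS_REPLY) return false;
    struct cache_entry *e = cache_lookup(c, a->spa);
    if (e) { memcpy(e->mac, a->sha, 6); return true; }   /* existing entry: update (failover relies on this) */
    return c->arp_accept ? cache_add(c, a->spa, a->sha) : false;  /* new entry only with arp_accept=1 */
}

/* Switch MAC table: the port is relearned from every frame's source MAC, so the same
   broadcast GARP moves the gateway MAC to the new master's port. */
struct mac_table { uint8_t mac[16][6]; int port[16]; int n; };

int switch_learn(struct mac_table *t, const uint8_t src_mac[6], int port)
{
    for (int i = 0; i < t->n; i++) if (memcmp(t->mac[i], src_mac, 6) == 0) { t->port[i] = port; return i; }
    if (t->n == 16) return -1;
    memcpy(t->mac[t->n], src_mac, 6); t->port[t->n] = port; return t->n++;
}
int switch_port_for(const struct mac_table *t, const uint8_t mac[6])
{
    for (int i = 0; i < t->n; i++) if (memcmp(t->mac[i], mac, 6) == 0) return t->port[i];
    return -1;
}

/* Constructed sample: VIP 192.168.1.1 moves from router R1 (port 1) to R2 (port 2). */
#define VIP      0xC0A80101U
#define IP_OTHER 0xC0A801C8U   /* 192.168.1.200, not in the cache */
static const uint8_t MAC_R1[6] = {0x02,0x00,0x00,0x00,0x00,0x01};
static const uint8_t MAC_R2[6] = {0x02,0x00,0x00,0x00,0x00,0x02};

int main(void)
{
    struct neigh_cache c; struct mac_table sw = { .n = 0 };
    cache_init(&c, 0);
    cache_add(&c, VIP, MAC_R1); switch_learn(&sw, MAC_R1, 1);
    struct arp_fields garp = { ARPOP_REQUEST, {0}, VIP, {0}, VIP };   /* R2 announces the VIP */
    memcpy(garp.sha, MAC_R2, 6);
    switch_learn(&sw, MAC_R2, 2);
    printf("garp changed host cache: %d, gateway now at port %d\n",
           (int)cache_apply_garp(&c, &garp), switch_port_for(&sw, cache_lookup(&c, VIP)->mac));
    return 0;
}
```

The arp_accept default (0) is the defensive half of this: a rogue announcement for an address the host has never talked to does not seed the cache, so the attack surface of unsolicited ARP is limited to entries that already exist. Those, however, are overwritten without any check, which is exactly what 18.5 exploits.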

5. 18.4 - Proxy ARP

Proxy ARP lets a router answer ARP requests on behalf of a host somewhere else. Host A believes the remote IP is directly reachable at the router's MAC, so the router receives the frame and routes the enclosed IP packet onward.

Linux enables this per interface with net.ipv4.conf.<iface>.proxy_arp and, with forwarding on, answers only when the route to the target exits a different interface; net.ipv4.conf.<iface>.proxy_arp_pvlan additionally allows replies back out the receiving interface for private-VLAN scenarios. It can rescue hosts with a wrong netmask or missing default gateway, or keep a renumbered address reachable, but it hides topology and bloats router neighbor state.
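The decision a Linux router makes when an ARP request arrives, as an added C example (not the page's demo, and a simplification of arp_process(): arp_ignore, medium_id and the check that the sender IP is itself routable are left out). It keeps a tiny longest-prefix FIB and two interfaces; the interface indexes, prefixes and routes are constructed for the example. The default-route case is the one to notice: with proxy_arp on and a default route out another interface, the router answers ARP for the entire Internet.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Router interfaces and FIB, constructed for the example (hypothetical ifindexes and prefixes). */
struct iface  { int ifindex; uint32_t addr; uint32_t mask; bool proxy_arp; bool proxy_arp_pvlan; };
struct route  { uint32_t dst; uint32_t mask; int oif; };
struct router { const struct iface *ifs; int nif; const struct route *rt; int nrt; bool forwarding; };

enum arp_answer { ARP_SILENT, ARP_REPLY_OWNER, ARP_REPLY_PROXY };

/* Longest-prefix match over the FIB; returns the outgoing ifindex or -1. */
int fib_lookup(const struct route *rt, int n, uint32_t ip)
{
    int best = -1; uint32_t best_mask = 0; bool found = false;
    for (int i = 0; i < n; i++)
        if ((ip & rt[i].mask) == (rt[i].dst & rt[i].mask) && (!found || rt[i].mask > best_mask)) {
            best = rt[i].oif; best_mask = rt[i].mask; found = true;
        }
    return best;
}

/* How the router answers an ARP request for `tip` received on `in_ifindex`.
   A request for one of our own addresses is answered normally. Otherwise, with
   forwarding and proxy_arp on the ingress interface, a target that routes out a
   different interface is answered with our own MAC. ip_route_input refuses a route
   back out the same interface for ARP unless proxy_arp_pvlan is set. */
enum arp_answer arp_request_decision(const struct router *r, int in_ifindex, uint32_t tip)
{
    const struct iface *in = NULL;
    for (int i = 0; i < r->nif; i++) {
        if (r->ifs[i].addr == tip) return ARP_REPLY_OWNER;          /* RTN_LOCAL */
        if (r->ifs[i].ifindex == in_ifindex) in = &r->ifs[i];
    }
    if (!in || !r->forwarding || !in->proxy_arp) return ARP_SILENT;
    int oif = fib_lookup(r->rt, r->nrt, tip);
    if (oif < 0) return ARP_SILENT;                                  /* unroutable: nothing to proxy for */
    if (oif == in->ifindex && !in->proxy_arp_pvlan) return ARP_SILENT;
    return ARP_REPLY_PROXY;
}

/* Sample router: eth0 192.168.1.1/24 with proxy_arp=1, eth1 10.0.0.1/24, default via eth1. */
static struct iface sample_ifs[] = {
    { 1, 0xC0A80101U, 0xFFFFFF00U, true,  false },
    { 2, 0x0A000001U, 0xFFFFFF00U, false, false },
};
static const struct route sample_rt[] = {
    { 0xC0A80100U, 0xFFFFFF00U, 1 },
    { 0x0A000000U, 0xFFFFFF00U, 2 },
    { 0x00000000U, 0x00000000U, 2 },   /* default route */
};
static struct router sample_router = { sample_ifs, 2, sample_rt, 3, true };

int main(void)
{
    printf("who-has 10.0.0.5 on eth0:     %d\n", arp_request_decision(&sample_router, 1, 0x0A000005U));
    printf("who-has 192.168.1.50 on eth0: %d\n", arp_request_decision(&sample_router, 1, 0xC0A80132U));
    printf("who-has 8.8.8.8 on eth0:      %d\n", arp_request_decision(&sample_router, 1, 0x08080808U));
    return 0;
}
```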

6. 18.5 - ARP Spoofing and Defenses

ARP has no built-in authentication. An attacker can send unsolicited replies that claim the gateway IP or a victim IP belongs to the attacker's MAC, poisoning caches and creating a man-in-the-middle or denial-of-service path.

Dynamic ARP Inspection mitigates this at the access switch. The switch first learns legitimate IP, MAC, VLAN, and port bindings from DHCP snooping (static ARP ACLs cover hosts with fixed addresses), then validates ARP packets as they enter untrusted ports; uplink ports marked trusted pass uninspected, so a mislabeled trusted port reopens the hole.

  • Static ARP entries (ip neigh add ... nud permanent) protect a handful of critical pairs such as a host and its gateway, but do not scale.
  • ARP watch tools alert when a mapping changes unexpectedly; they detect poisoning after the fact rather than blocking it.
  • 802.1X plus DHCP snooping plus DAI is the usual enterprise access-layer defense stack.
  • IPv6 replaces ARP with NDP; NDP has the same trust problem unless protected by the equivalent switch features (IPv6 ND inspection, RA Guard) or by SEND (RFC 3971).
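The two defenses above that can be expressed as logic, as an added C example (not the page's demo): a DAI check modelled on the binding test plus the optional "validate src-mac" and "validate ip" options, and an arpwatch-style host monitor that flags a mapping flip. The segment (gateway on trusted uplink port 24, host A on port 1, attacker X on port 3 holding a legitimate lease of its own) and all addresses are constructed for the example; a real switch's exact option semantics differ in detail.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARPOP_REQUEST 1
#define ARPOP_REPLY   2

/* DHCP snooping binding: the switch saw this IP leased to this MAC behind this VLAN and port. */
struct binding { uint32_t ip; uint8_t mac[6]; uint16_t vlan; int port; };

/* An ARP packet as the access switch sees it on ingress. */
struct arp_ingress {
    int port; bool trusted; uint16_t vlan; uint8_t eth_src[6];
    uint16_t opcode; uint8_t sha[6]; uint32_t spa; uint8_t tha[6]; uint32_t tpa;
};

/* Optional DAI checks, modelled on the "validate src-mac" and "validate ip" options. */
struct dai_opts { bool validate_src_mac; bool validate_ip; };

enum dai_verdict { DAI_PERMIT_TRUSTED, DAI_PERMIT, DAI_DROP_SRC_MAC, DAI_DROP_BAD_IP,
                   DAI_DROP_PORT_MISMATCH, DAI_DROP_NO_BINDING };

static bool ip_invalid(uint32_t ip) { return ip == 0 || ip == 0xFFFFFFFFU || (ip >> 28) == 0xE; }

/* Dynamic ARP Inspection on one packet: trusted (uplink) ports pass uninspected; on an
   untrusted port the sender IP/MAC pair must exist in the snooping table for the same
   VLAN and must have been learned on the very port the ARP arrived on. */
enum dai_verdict dai_inspect(const struct binding *tbl, int n, const struct dai_opts *o,
                             const struct arp_ingress *p)
{
    if (p->trusted) return DAI_PERMIT_TRUSTED;
    if (o->validate_src_mac && memcmp(p->eth_src, p->sha, 6) != 0) return DAI_DROP_SRC_MAC;
    if (o->validate_ip && (ip_invalid(p->spa) || (p->opcode == ARPOP_REPLY && ip_invalid(p->tpa))))
        return DAI_DROP_BAD_IP;
    for (int i = 0; i < n; i++) {
        if (tbl[i].ip != p->spa || tbl[i].vlan != p->vlan || memcmp(tbl[i].mac, p->sha, 6) != 0) continue;
        return tbl[i].port == p->port ? DAI_PERMIT : DAI_DROP_PORT_MISMATCH;
    }
    return DAI_DROP_NO_BINDING;   /* e.g. a reply claiming the gateway IP from a host port */
}

/* Host-side ARP watch: remember the MAC last seen for each IP.
   Returns 1 for a new IP, 0 when unchanged, 2 when the MAC changed (the alert case). */
#define WATCH_MAX 32
struct watch { uint32_t ip[WATCH_MAX]; uint8_t mac[WATCH_MAX][6]; int n; };

int watch_observe(struct watch *w, uint32_t ip, const uint8_t mac[6])
{
    for (int i = 0; i < w->n; i++) if (w->ip[i] == ip) {
        if (memcmp(w->mac[i], mac, 6) == 0) return 0;
        memcpy(w->mac[i], mac, 6);
        return 2;
    }
    if (w->n == WATCH_MAX) return -1;
    w->ip[w->n] = ip; memcpy(w->mac[w->n], mac, 6); w->n++;
    return 1;
}

/* Constructed sample segment (hypothetical addresses), VLAN 10 throughout. */
#define IP_GW 0xC0A80101U   /* 192.168.1.1 */
#define IP_A  0xC0A8010AU   /* 192.168.1.10 */
#define IP_X  0xC0A80128U   /* 192.168.1.40 */
static const uint8_t MAC_GW[6]   = {0x02,0,0,0,0,0x01};
static const uint8_t MAC_A[6]    = {0x02,0,0,0,0,0x0a};
static const uint8_t MAC_X[6]    = {0x02,0,0,0,0,0x28};
static const uint8_t MAC_ZERO[6] = {0};
static const struct binding SNOOP[] = {
    { IP_A, {0x02,0,0,0,0,0x0a}, 10, 1 },
    { IP_X, {0x02,0,0,0,0,0x28}, 10, 3 },
};
#define SNOOP_N 2

struct arp_ingress make_arp(int port, bool trusted, const uint8_t eth_src[6], uint16_t op,
                            const uint8_t sha[6], uint32_t spa, const uint8_t tha[6], uint32_t tpa)
{
    struct arp_ingress p = { port, trusted, 10, {0}, op, {0}, spa, {0}, tpa };
    memcpy(p.eth_src, eth_src, 6); memcpy(p.sha, sha, 6); memcpy(p.tha, tha, 6);
    return p;
}

int main(void)
{
    struct dai_opts o = { true, true };
    struct arp_ingress spoof = make_arp(3, false, MAC_X, ARPOP_REPLY, MAC_X, IP_GW, MAC_A, IP_A);
    struct arp_ingress legit = make_arp(1, false, MAC_A, ARPOP_REQUEST, MAC_A, IP_A, MAC_ZERO, IP_GW);
    printf("spoofed gateway reply from port 3: verdict %d\n", dai_inspect(SNOOP, SNOOP_N, &o, &spoof));
    printf("legitimate request from port 1:    verdict %d\n", dai_inspect(SNOOP, SNOOP_N, &o, &legit));
    return 0;
}
```

The port comparison is what separates DAI from a plain IP/MAC allow-list: an attacker who clones a neighbor's MAC and IP still arrives on the wrong port. The watch counterpart on the host catches what the switch cannot see, such as poisoning from a trusted port.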

7. Kernel Source Pointers

Area            Linux files and functions
ARP receive     net/ipv4/arp.c: arp_rcv, arp_process
ARP transmit    net/ipv4/arp.c: arp_send, arp_create
Neighbor core   net/core/neighbour.c: neigh_event_send, neigh_timer_handler
Neighbor table  include/net/neighbour.h: struct neighbour; include/uapi/linux/neighbour.h: NUD_* state flags
User tools      ip neigh show, ip neigh flush, /proc/sys/net/ipv4/neigh/*

8. Interview Prep

Q: Why does ARP use broadcast for requests?
A: The sender does not know the target MAC yet, so every host on the L2 segment must see the query.

Q: What happens when a Linux ARP entry becomes STALE?
A: It can still be used; traffic moves it to DELAY and later PROBE to validate reachability.

Q: Why does VRRP send gratuitous ARP after failover?
A: It refreshes host ARP caches and switch CAM state so traffic moves to the new master immediately.

Q: What is proxy ARP's main downside?
A: It hides missing routing configuration and pushes extra neighbor state and failure coupling onto the router.

Q: How does Dynamic ARP Inspection stop spoofing?
A: It validates ingress ARP packets against DHCP snooping bindings and drops IP/MAC/port mismatches.