From the course: Networking Foundations: Protocols and CLI Tools

Understand ARP and RARP

- [Instructor] When using IPv4 addressing and one device is trying to determine how to send information to another device on the same Layer 2 network based on a Layer 3 IP address, a process needs to be performed to look up the MAC of the receiving host. This is facilitated by the Address Resolution Protocol or ARP. ARP was created in 1986 as RFC 826. ARP maps Layer 3 IP addresses to Layer 2 MAC addresses. If a host wants to send packets to a neighbor on the same Layer 2 segment, it will need to use ARP to determine the neighbor's MAC address. If a router needs to forward packets to another router, the same ARP process will commence.

By nature, ARP is a request and respond system. If host one needs to send information to host two, it will first consult its ARP cache. This is a table that temporarily holds IP to MAC information. If the MAC address is available in the cache, it will encapsulate the packet into a frame destined for host two's MAC address, encapsulate it into bits and send it on the wire. If, however, the cache doesn't hold an entry, it will send out a broadcast ARP request listing host one's MAC and IP address and the IP of host two. The destination of a Layer 2 broadcast will always be a MAC address of all F's. Host two will hear the request for its IP and send a response ARP message directed to host one's MAC containing its MAC address. Host one will then add this entry to its cache and then complete communication.

ARP is also used for duplicate IP detection. An ARP probe can be sent, which has the source IP set to all zeros, requesting resolution on the IP it wants to verify. If it gets a positive response, then a host has been detected. If nothing comes back, then the host knows it's clear to use the IP.

There's also a process known as Gratuitous ARPing. It's where a host proactively sends out ARP packets, informing hosts of its IP to MAC mapping without being asked. It is now considered a best practice to filter Gratuitous ARPs as they can pose a potential security risk. Malicious hosts can send out Gratuitous ARPs announcing themselves as another host or gateway, effectively making themselves a transit point for unsuspecting hosts. This kind of attack is known as a man-in-the-middle attack. ARP can sometimes be bypassed by creating static MAC to IP mappings inside of your hosts, but this process can become quite tedious to maintain.

ARP was deprecated in IPv6 in favor of using special ICMPv6 messages. ARP makes the IPv4 ecosystem function and is used extensively when troubleshooting Layer 1 to Layer 3 issues.
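
The probe, Gratuitous ARP and IP to MAC binding behavior described in the transcript above, shown as a small monitor that flags an IP whose MAC changes. This is an added example, not part of the course: the function names are hypothetical, and the addresses (192.0.2.0/24, locally administered MACs) and packets are constructed sample data.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 field layout for Ethernet/IPv4 (28 bytes)

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload into a dict."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": sha.hex(":"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(":"), "tpa": socket.inet_ntoa(tpa)}

def classify(pkt):
    if pkt["oper"] == 1 and pkt["spa"] == "0.0.0.0":
        return "probe"       # duplicate-IP check: source IP is all zeros
    if pkt["spa"] == pkt["tpa"]:
        return "gratuitous"  # sender announces its own mapping unasked
    return "request" if pkt["oper"] == 1 else "reply"

def watch(payloads):
    """Track IP-to-MAC bindings; return an alert for every changed binding."""
    bindings, alerts = {}, []
    for raw in payloads:
        pkt = parse_arp(raw)
        kind = classify(pkt)
        if kind == "probe":
            continue  # a probe has no sender IP, so it asserts no binding
        # Assumption: the first-seen MAC is the baseline; a real deployment
        # would seed this table from DHCP leases or static records.
        known = bindings.setdefault(pkt["spa"], pkt["sha"])
        if known != pkt["sha"]:
            alerts.append(f"{pkt['spa']} moved {known} -> {pkt['sha']} via {kind} ARP")
    return alerts

def build(oper, sha, spa, tha, tpa):
    """Pack a constructed ARP payload for the sample traffic below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

# Constructed sample traffic: probe, request, gateway reply, conflicting claim.
GW, HOST, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:66"
ZERO = "00:00:00:00:00:00"
SAMPLE = [
    build(1, HOST, "0.0.0.0", ZERO, "192.0.2.10"),
    build(1, HOST, "192.0.2.10", ZERO, "192.0.2.1"),
    build(2, GW, "192.0.2.1", HOST, "192.0.2.10"),
    build(2, OTHER, "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1"),
]
print("\n".join(watch(SAMPLE)))
```

The last sample packet claims the gateway's IP from a different MAC, which is the binding change that filtering Gratuitous ARPs is meant to stop.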
