1. What is ARP?
- Address Resolution Protocol maps an IP address (logical) to a MAC address (physical) in a local network.
- Example: 192.168.1.10 → 00:1A:2B:3C:4D:5E
2. On which layer does ARP work?
- ARP operates between Layer 2 (Data Link) and Layer 3 (Network) of the OSI model.
3. How does ARP work?
- A host needs the MAC address for an IP (e.g., to send data on the LAN).
- It broadcasts an ARP Request: “Who has IP 192.168.1.10?”
- The owner replies with an ARP Reply: “I am 192.168.1.10, my MAC is xx:xx:xx:xx:xx:xx.”
- The sender caches the result in its ARP table.
4. What are ARP request and ARP reply?
- ARP Request → Broadcast asking for the MAC of an IP.
- ARP Reply → Unicast response with the MAC address.
5. What is an ARP table?
- A cache maintained by devices that stores IP ↔ MAC mappings.
- Example:

  IP Address     MAC Address
  192.168.1.1    00:11:22:33:44:55
6. What are the types of ARP?
- Normal ARP – Standard request/reply.
- Gratuitous ARP – A host announces its own IP ↔ MAC (used for updating tables, duplicate IP detection, failover).
- Proxy ARP – A router replies on behalf of another host (used in some special network setups).
- Reverse ARP (RARP) – Used by a device to discover its IP when it only knows its MAC (mostly obsolete).
7. What is Gratuitous ARP? Why is it used?
- An ARP reply sent without a request.
- Used for:
  - Checking duplicate IPs.
  - Updating ARP tables after IP/MAC change.
  - Failover in high availability setups.
8. What is ARP spoofing/poisoning?
- A security attack where a malicious device sends fake ARP replies to associate its MAC with another host’s IP (e.g., the gateway).
- This enables Man-in-the-Middle (MITM) attacks and traffic interception.
9. How do you prevent ARP spoofing?
- Use Dynamic ARP Inspection (DAI) on switches.
- Use static ARP entries for critical systems.
- Implement port security / DHCP snooping.
- Use encrypted protocols (SSH, HTTPS) to protect data.
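
A simplified model of the check that Dynamic ARP Inspection and static entries provide, as an added example (not from the original post and not any switch vendor's implementation). The `Arp` tuple, the `inspect` function, the binding table and the `02:00:00:...` addresses are constructed for illustration; the gateway and host mappings reuse the page's own examples.

```python
from collections import namedtuple

# oper: 1 = request, 2 = reply; spa/sha = sender IP/MAC; tpa = target IP
Arp = namedtuple("Arp", "oper spa sha tpa")

def inspect(packets, bindings):
    """Return one (verdict, reason) per packet, in order.

    bindings: trusted IP -> MAC pairs (static entries or a DHCP snooping table).
    """
    bindings = {ip: mac.lower() for ip, mac in bindings.items()}
    learned, pending, verdicts = {}, set(), []
    for p in packets:
        sha = p.sha.lower()
        if p.oper == 1:
            pending.add(p.tpa)          # someone legitimately asked for this IP
        if p.spa in bindings and bindings[p.spa] != sha:
            # DAI-style: sender IP/MAC contradicts the trusted table
            verdicts.append(("drop", f"{p.spa} is bound to {bindings[p.spa]}"))
            continue
        if p.spa in learned and learned[p.spa] != sha:
            # No trusted binding, but the IP moved to another MAC
            verdicts.append(("alert", f"{p.spa} moved from {learned[p.spa]} to {sha}"))
            continue
        if p.oper == 2 and p.spa not in pending:
            # Reply nobody asked for: gratuitous ARP, legitimate or not
            verdicts.append(("review", f"unsolicited reply for {p.spa}"))
        else:
            verdicts.append(("ok", ""))
        pending.discard(p.spa)
        learned[p.spa] = sha
    return verdicts

# Constructed sample traffic. Gateway and host mappings are the page's examples;
# the 02:00:00:... addresses are made up.
BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}
SAMPLE = [
    Arp(1, "192.168.1.10", "00:1A:2B:3C:4D:5E", "192.168.1.1"),   # host asks for gateway
    Arp(2, "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),   # genuine reply
    Arp(2, "192.168.1.1", "02:00:00:00:00:99", "192.168.1.10"),   # forged gateway reply
    Arp(2, "192.168.1.20", "02:00:00:00:00:20", "192.168.1.20"),  # gratuitous announcement
    Arp(2, "192.168.1.20", "02:00:00:00:00:99", "192.168.1.10"),  # same IP, different MAC
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE, inspect(SAMPLE, BINDINGS)):
        print(f"{verdict:6} {pkt.spa:13} {pkt.sha}  {reason}")
```

The gratuitous announcement is marked for review rather than dropped because failover and duplicate-IP checks produce the same kind of packet.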
10. Does ARP exist in IPv6?
- No.
- IPv6 uses Neighbor Discovery Protocol (NDP) instead of ARP.
Quick Recap for Interviews:
- ARP = maps IP → MAC.
- Works on LAN (broadcasts).
- Types: Normal, Gratuitous, Proxy, RARP.
- Weak point: ARP spoofing.
- IPv6 replaces it with NDP.
1. What is ARP and what is its primary purpose?
ARP stands for Address Resolution Protocol. Its primary purpose is to resolve an IP address (Layer 3) to a physical MAC address (Layer 2) on a local network. This is essential for a device to be able to send data to another device on the same local network, as data-link layer communication requires a physical MAC address.
2. Why is ARP necessary?
ARP is necessary because different layers of the networking model use different addressing schemes. The IP address is used for routing and identifying devices on a network (Layer 3), but the data-link layer (Layer 2) uses MAC addresses to physically transport frames between devices on the same segment. A host needs to know the destination's MAC address to properly encapsulate an IP packet into an Ethernet frame.
3. Describe the ARP process. How does a device find a MAC address for a given IP address?
The ARP process involves two main steps: the ARP request and the ARP reply.
- ARP Request: When a device (Device A) needs to send a packet to another device (Device B) on the same network but doesn't know Device B's MAC address, it sends an ARP request. This request is a broadcast message sent to all devices on the local network. The request contains the source IP and MAC address, and the target IP address.
- ARP Reply: All devices on the network receive the broadcast. Device B recognizes that the target IP address in the request is its own. It then sends an ARP reply (or ARP response), which is a unicast message directly back to Device A. The reply contains Device B's MAC address.
Once Device A receives the ARP reply, it stores the IP-to-MAC mapping in its ARP cache for future use.
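
The exchange described above at the byte level, as an added example that is not part of the original post: Device A's broadcast request, Device B's unicast reply, and A's cache update, using the standard 28-byte Ethernet/IPv4 ARP payload. The `Host` class, the helper names and Device A's address are constructed; Device B uses the page's example mapping.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa (28 bytes)
REQUEST, REPLY = 1, 2
BROADCAST, UNKNOWN = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_b(s):
    return bytes.fromhex(s.replace(":", ""))
def mac_s(b):
    return ":".join(f"{x:02x}" for x in b)

def build(dst, oper, sha, spa, tha, tpa):
    # Ethernet header (dst, src, EtherType 0x0806) followed by the ARP payload
    eth = mac_b(dst) + mac_b(sha) + struct.pack("!H", 0x0806)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_b(sha),
                             socket.inet_aton(spa), mac_b(tha), socket.inet_aton(tpa))

def parse(frame):
    # EtherType 0x0806, then htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4
    if len(frame) < 42 or frame[12:20] != b"\x08\x06\x00\x01\x08\x00\x06\x04":
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    oper, sha, spa, _tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    return {"dst": mac_s(frame[:6]), "oper": oper, "sha": mac_s(sha),
            "spa": socket.inet_ntoa(spa), "tpa": socket.inet_ntoa(tpa)}

class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}

    def ask(self, target_ip):
        return build(BROADCAST, REQUEST, self.mac, self.ip, UNKNOWN, target_ip)

    def receive(self, frame):
        p = parse(frame)
        if p["oper"] == REQUEST and p["tpa"] == self.ip:
            # We own the target IP: answer the requester directly (unicast)
            return build(p["sha"], REPLY, self.mac, self.ip, p["sha"], p["spa"])
        if p["oper"] == REPLY and p["tpa"] == self.ip:
            self.cache[p["spa"]] = p["sha"]  # stored exactly as the reply states it
        return None

def demo():
    a = Host("192.168.1.20", "02:00:00:00:00:0a")  # constructed Device A
    b = Host("192.168.1.10", "00:1a:2b:3c:4d:5e")  # Device B, mapping from the page
    request = a.ask(b.ip)
    reply = b.receive(request)
    a.receive(reply)
    return parse(request), parse(reply), a.cache
```

`receive` caches whatever sender pair a reply carries, with no proof of who sent it; that missing authentication is the weakness the spoofing questions on this page refer to.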
4. What is an ARP cache or ARP table?
The ARP cache (or ARP table) is a table that a host or a router maintains to store recent IP-to-MAC address mappings. When a device needs to send data, it first checks its ARP cache. If an entry for the destination IP exists, it uses the stored MAC address. This prevents the need for an ARP broadcast for every new packet, making communication more efficient.
The entries in the ARP cache are temporary and expire after a certain amount of time.
5. What is the difference between static and dynamic ARP entries?
- Dynamic ARP Entries: These are created automatically when a device learns a new IP-to-MAC mapping from an ARP reply. They have a timeout period and will be removed if not used within that time. This is the most common type of ARP entry.
- Static ARP Entries: These are manually configured by a network administrator. They are permanent and do not expire. Static entries are often used for security purposes or for critical servers to prevent spoofing attacks.
6. What is a "gratuitous ARP"?
A gratuitous ARP is an ARP reply that is not prompted by an ARP request. A device sends a gratuitous ARP to the broadcast address of the network to announce its own IP and MAC address. This is typically done for two main reasons:
- To update the ARP caches of other devices on the network after a device's MAC address has changed (e.g., after a failover in a high-availability setup).
- To detect duplicate IP addresses on the network. If another device responds to the gratuitous ARP, it means that IP address is already in use.
7. What is an ARP spoofing attack?
An ARP spoofing (or ARP poisoning) attack is a malicious technique where an attacker sends falsified ARP messages over a local network. This allows the attacker to associate their own MAC address with the IP address of another device, such as a router or another host. By doing so, all traffic intended for the legitimate device is redirected to the attacker's machine, allowing the attacker to intercept, view, or modify the data.