Arp; Overview; Arp In Netdefendos; Arp Cache - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05
3.4. ARP

3.4.1. Overview

Address Resolution Protocol (ARP) is a protocol which maps a network layer protocol address to a
data link layer hardware address; it is used to resolve an IP address into its corresponding Ethernet
address. It works at the OSI Data Link Layer (Layer 2 - see Appendix D, The OSI Framework)
and is encapsulated by Ethernet headers for transmission.
A host in an Ethernet network can communicate with another host only if it knows the Ethernet
address (MAC address) of that host. Higher level protocols like IP use IP addresses, which are
fundamentally different from a lower level hardware addressing scheme like the MAC address. ARP is
used to get the Ethernet address of a host from its IP address. When a host needs to resolve an IP
address to its Ethernet address, it broadcasts an ARP request packet. The ARP request packet contains
the source MAC address, the source IP address and the destination IP address. Each host in the
local network receives this packet. The host with the specified destination IP address sends an ARP
reply packet to the originating host with its MAC address.

3.4.2. ARP in NetDefendOS

NetDefendOS provides not only standard support for ARP, but also adds a number of security
checks on top of the protocol implementation. As an example, NetDefendOS will by default not
accept ARP replies for which the system has not sent out a corresponding ARP query. Without this
type of protection, the system would be vulnerable to "connection hijacking".
NetDefendOS supports both dynamic ARP and static ARP; the latter is available in two
modes, Publish and XPublish.
Dynamic ARP is the main mode of operation for ARP, where NetDefendOS sends out ARP requests
whenever it needs to resolve an IP address to an Ethernet address. The ARP replies are stored in the
ARP cache of the system.
Static ARP is used to manually lock an IP address to a specific Ethernet address. This is explained
in more detail in the sections below.

3.4.3. ARP Cache

The ARP Cache is the temporary table in NetDefendOS for storing the mapping between IP and
Ethernet addresses. The ARP cache is empty at system startup and will be populated with entries as
needed.
The contents of a typical (minimal) ARP Cache look similar to the following table:

Type       IP Address      Ethernet Address     Expire
Dynamic    192.168.0.10    08:00:10:0f:bc:a5    45
Dynamic    193.13.66.77    0a:46:42:4f:ac:65    136
Publish    10.5.16.3       4a:32:12:6c:89:a4    -

The first item in this ARP Cache is a dynamic ARP entry which tells us that IP address 192.168.0.10
is mapped to an Ethernet address of 08:00:10:0f:bc:a5. The second item dynamically maps the IP
address 193.13.66.77 to Ethernet address 0a:46:42:4f:ac:65. Finally, the third item is a static ARP
entry binding the IP address 10.5.16.3 to Ethernet address 4a:32:12:6c:89:a4.
The third column in the table, Expire, is used to indicate for how much longer the ARP entry will be
valid. The first item, for instance, has an expiry value of 45, which means that this entry will be
rendered invalid and removed from the ARP Cache in 45 seconds. If traffic is going to be sent to the
192.168.0.10 IP address after the expiration, NetDefendOS will issue a new ARP request.
The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be
changed by modifying the Advanced Setting ARPExpire. The setting ARPExpireUnknown spe-
Chapter 3. Fundamentals
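The following is an added example, not code from the D-Link manual or NetDefendOS itself: a small Python model of the behaviour described in 3.4.2 and 3.4.3, an ARP cache that drops replies for which no query was sent, keeps static (Publish) bindings from being overwritten, and ages dynamic entries out after ARPExpire seconds. The class and method names, and the ManualClock used to step time without sleeping, are assumptions made for the example.

```python
import time

ARP_EXPIRE = 900  # NetDefendOS default lifetime of a dynamic entry, in seconds


class ManualClock:
    """Settable clock so expiry can be exercised without sleeping (example helper)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ArpCache:
    """ARP cache that only accepts replies matching a request it actually sent."""

    def __init__(self, expire=ARP_EXPIRE, clock=time.monotonic):
        self.expire, self.clock = expire, clock
        self.entries = {}     # ip -> [mac, type, expires_at]; None = never expires
        self.pending = set()  # IPs with an outstanding ARP request from this system

    def add_static(self, ip, mac, mode="Publish"):
        self.entries[ip] = [mac, mode, None]   # static entry, Expire shows "-"

    def request(self, ip):
        self.pending.add(ip)                   # the system sent an ARP query

    def reply(self, ip, mac):
        """Return True if the reply was accepted into the cache, False if dropped."""
        if ip not in self.pending:
            return False                       # unsolicited reply: dropped
        self.pending.discard(ip)
        if ip in self.entries and self.entries[ip][2] is None:
            return False                       # a static binding is never overwritten
        self.entries[ip] = [mac, "Dynamic", self.clock() + self.expire]
        return True

    def lookup(self, ip):
        """MAC for ip, or None when absent or expired (an expired entry is removed)."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if entry[2] is not None and self.clock() >= entry[2]:
            del self.entries[ip]               # caller would now issue a new request
            return None
        return entry[0]

    def table(self):
        """Rows shaped like the manual's table: (Type, IP Address, Ethernet Address, Expire)."""
        now = self.clock()
        return [(typ, ip, mac, "-" if exp is None else int(exp - now))
                for ip, (mac, typ, exp) in self.entries.items()]
```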
