
ARP Probe and ARP Announcement

This article is a part of a series on Address Resolution Protocol (ARP). Use the navigation boxes to view the rest of the articles.
 

We finally come to the last iterations of ARP that this article series will discuss: the ARP Probe and the ARP Announcement. Both of these are used in a process known as Duplicate Address Detection.

The idea is if a host acquires and puts to use an IP address that happens to already be in use on the network, it will cause connectivity issues for both hosts. As such, it is beneficial for a host to first test an IP address before putting it to use to ensure it is indeed unique.

One way of determining if an IP address is in use is to use ARP. Or specifically, an ARP Probe.

The process is pretty straightforward: send a few ARP Probes (typically 3), and if no one responds, officially claim the IP address with an ARP Announcement.


Both the ARP Probes and the ARP Announcements are sent as Broadcast frames – using the destination MAC address of ffff.ffff.ffff in the Ethernet header.

Both are sent without being solicited by a request, which therefore makes them “gratuitous”. But technically, they are not exactly the same as a Gratuitous ARP.

We will look at the packet structures in a moment, and they will reveal exactly how the ARP Announcements and ARP Probes are different from a Gratuitous ARP — despite often being incorrectly referred to as the same.

 

ARP Probe Packet Structure

The ARP Probe serves the purpose of polling the network to validate that an IP address is not already in use.

It is sent with the Opcode field set to 1, indicating an ARP Request. The idea is that if the IP address in question is already in use, the initiator of the ARP Probe will expect a Response from the original owner. Hence, this ARP Probe is a request which might prompt a response.

The Sender MAC address is set to the initiator’s MAC address. The Sender IP address is set to 0.0.0.0.

The Target MAC address is set to 0000.0000.0000, and the Target IP Address is set to the IP address being probed.

Notice there is no complete mapping provided in the packet. The Sender IP is set to all zeros, which means it cannot map to the Sender MAC address. The Target MAC address is all zeros, which means it cannot map to the Target IP address.

This is intentional, because the reason for sending the ARP Probe is to prevent an IP conflict. If the target IP address is already in use, it would be very undesirable for other hosts on the network to inadvertently update their ARP cache based upon the contents of the ARP Probe.

This is also the primary difference between an ARP Probe and a Gratuitous ARP. A Gratuitous ARP is meant to update all the ARP caches on the network, whereas an ARP Probe deliberately prevents updating of ARP caches to continue protecting against IP address conflicts.

ARP Announcement Packet Structure

If the ARP Probe does not generate a response from whomever might already be using the IP address, the initiating host will consider this IP address unique and will send an ARP Announcement to officially “claim” the IP address on the network.


The ARP Announcement is very similar to a Gratuitous ARP, with one notable exception:

The Opcode in an ARP Announcement is set to 1, indicating a request. A typical Gratuitous ARP will have an Opcode set to 2.

Otherwise, the packet structure is identical to the ARP Probe above, with the exception that a complete mapping exists. Both the Sender MAC address and the Sender IP address create a complete ARP mapping, and hosts on the network can use this pair of addresses in their ARP table.

Like the Gratuitous ARP, the Target MAC address is ignored. In this example it is set to 0000.0000.0000; some implementations of the ARP Announcement use ffff.ffff.ffff instead.

Finally, the Target IP again confirms the subject of the communication: the IP address whose uniqueness has now been confirmed.

 

Once again, the ARP Announcement is very similar to the Gratuitous ARP, with their only difference being the Opcode field. They are often both simply referred to as a Gratuitous ARP. For everyday networking, this is a trivial misnomer, and (once again) the principle of Dotan’s razor applies: an insignificant inaccuracy can save a lengthy explanation.
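The field rules described above can be checked mechanically. The following is an added example, not code from the original article: a Python classifier for the 28-byte Ethernet/IPv4 ARP payload, plus a check that flags a probed IP address which another host then claims. The function names, MAC addresses and the address 192.0.2.10 are constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, opcode, SHA, SPA, THA, TPA
ZERO_IP = bytes(4)

def build_arp(opcode, sha, spa, tpa, tha=bytes(6)):
    """Pack an ARP payload (no Ethernet header); used only to make samples."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode, sha,
                       socket.inet_aton(spa), tha, socket.inet_aton(tpa))

def parse_arp(payload):
    """Unpack and validate an Ethernet/IPv4 ARP request or reply."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        raise ValueError("not an Ethernet/IPv4 ARP request or reply")
    return op, sha, spa, tha, tpa

def classify_arp(payload):
    """Label a payload using the Opcode and Sender/Target IP rules above."""
    op, sha, spa, tha, tpa = parse_arp(payload)
    if op == 1 and spa == ZERO_IP:
        return "probe"  # no sender mapping, so caches learn nothing from it
    if spa == tpa:      # complete mapping about the sender's own address
        return "announcement" if op == 1 else "gratuitous"
    return "request" if op == 1 else "reply"

def probe_conflicts(payloads):
    """Return probed IPs that a different MAC claims later in the sequence."""
    probers, conflicts = {}, set()
    for p in payloads:
        op, sha, spa, tha, tpa = parse_arp(p)
        if op == 1 and spa == ZERO_IP:
            probers.setdefault(tpa, sha)      # remember who probed this IP
        elif spa in probers and sha != probers[spa]:
            conflicts.add(socket.inet_ntoa(spa))
    return conflicts

# Constructed samples: locally administered MACs, documentation IP range.
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
PROBE = build_arp(1, HOST_A, "0.0.0.0", "192.0.2.10")
ANNOUNCE = build_arp(1, HOST_A, "192.0.2.10", "192.0.2.10")
GRATUITOUS = build_arp(2, HOST_A, "192.0.2.10", "192.0.2.10", tha=b"\xff" * 6)
DEFENSE = build_arp(2, HOST_B, "192.0.2.10", "0.0.0.0", tha=HOST_A)  # owner's reply
```

A clean Duplicate Address Detection run (three probes, then the announcement) yields no conflicts, while a reply from a different MAC for the probed address is reported.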

You can download the packet capture of the ARP Probe and ARP Announcement process here. It can be studied using Wireshark.

 

 


Comments

  1. This was completely new to me

    Thank you
