1
00:00:00,006 --> 00:00:02,008
- [Instructor] When using IPv4 addressing

2
00:00:02,008 --> 00:00:04,008
and one device is trying to determine

3
00:00:04,008 --> 00:00:07,001
how to send information to another device

4
00:00:07,001 --> 00:00:11,001
on the same Layer 2 network based on a Layer 3 IP address,

5
00:00:11,001 --> 00:00:13,000
a process needs to be performed

6
00:00:13,000 --> 00:00:16,001
to look up the MAC of the receiving host.

7
00:00:16,001 --> 00:00:17,003
This is facilitated

8
00:00:17,003 --> 00:00:20,008
by the Address Resolution Protocol or ARP.

9
00:00:20,008 --> 00:00:25,004
ARP was created in 1986 as RFC 826.

10
00:00:25,004 --> 00:00:29,009
ARP maps Layer 3 IP addresses to Layer 2 MAC addresses.

11
00:00:29,009 --> 00:00:31,008
If a host wants to send packets

12
00:00:31,008 --> 00:00:34,003
to a neighbor on the same Layer 2 segment,

13
00:00:34,003 --> 00:00:35,005
it will need to use ARP

14
00:00:35,005 --> 00:00:37,006
to determine the neighbor's MAC address.

15
00:00:37,006 --> 00:00:40,007
If a router needs to forward packets to another router,

16
00:00:40,007 --> 00:00:43,002
the same ARP process will commence.

17
00:00:43,002 --> 00:00:47,000
By nature, ARP is a request and respond system.

18
00:00:47,000 --> 00:00:50,000
If host one needs to send information to host two,

19
00:00:50,000 --> 00:00:52,005
it will first consult its ARP cache.

20
00:00:52,005 --> 00:00:54,006
This is a table that temporarily holds

21
00:00:54,006 --> 00:00:57,000
IP to MAC information.

22
00:00:57,000 --> 00:00:59,004
If the MAC address is available in the cache,

23
00:00:59,004 --> 00:01:01,009
it will encapsulate the packet into a frame

24
00:01:01,009 --> 00:01:04,002
destined for host two's MAC address,

25
00:01:04,002 --> 00:01:07,008
encapsulate it into bits and send it on the wire.

26
00:01:07,008 --> 00:01:10,008
If, however, the cache doesn't hold an entry,

27
00:01:10,008 --> 00:01:12,009
it will send out a broadcast ARP request

28
00:01:12,009 --> 00:01:15,009
listing host one's MAC and IP address

29
00:01:15,009 --> 00:01:18,005
and the IP of host two.

30
00:01:18,005 --> 00:01:20,006
The destination of a Layer 2 broadcast

31
00:01:20,006 --> 00:01:23,006
will always be a MAC address of all F's.

32
00:01:23,006 --> 00:01:26,003
Host two will hear the request for its IP

33
00:01:26,003 --> 00:01:28,001
and send a response ARP message

34
00:01:28,001 --> 00:01:31,006
directed to host one's MAC containing its MAC address.

35
00:01:31,006 --> 00:01:34,005
Host one will then add this entry to its cache

36
00:01:34,005 --> 00:01:36,008
and then complete communication.

37
00:01:36,008 --> 00:01:40,000
ARP is also used for duplicate IP detection.

38
00:01:40,000 --> 00:01:41,006
An ARP probe can be sent,

39
00:01:41,006 --> 00:01:44,002
which has the source IP set to all zeros,

40
00:01:44,002 --> 00:01:48,004
requesting resolution on the IP it wants to verify.

41
00:01:48,004 --> 00:01:50,003
If it gets a positive response,

42
00:01:50,003 --> 00:01:52,003
then a host has been detected.

43
00:01:52,003 --> 00:01:53,006
If nothing comes back,

44
00:01:53,006 --> 00:01:56,008
then the host knows it's clear to use the IP.

45
00:01:56,008 --> 00:01:59,009
There's also a process known as Gratuitous ARPing.

46
00:01:59,009 --> 00:02:02,009
It's where a host proactively sends out ARP packets,

47
00:02:02,009 --> 00:02:05,006
informing hosts of its IP to MAC mapping

48
00:02:05,006 --> 00:02:07,001
without being asked.

49
00:02:07,001 --> 00:02:09,000
It is now considered a best practice

50
00:02:09,000 --> 00:02:10,005
to filter Gratuitous ARPs

51
00:02:10,005 --> 00:02:13,009
as they can pose a potential security risk.

52
00:02:13,009 --> 00:02:16,008
Malicious hosts can send out Gratuitous ARPs

53
00:02:16,008 --> 00:02:19,009
announcing themselves as another host or gateway,

54
00:02:19,009 --> 00:02:22,008
effectively making themselves a transit point

55
00:02:22,008 --> 00:02:24,007
for unsuspecting hosts.

56
00:02:24,007 --> 00:02:28,009
This kind of attack is known as a man-in-the-middle attack.

57
00:02:28,009 --> 00:02:30,009
ARP can sometimes be bypassed

58
00:02:30,009 --> 00:02:34,009
by creating static MAC to IP mappings inside of your hosts,

59
00:02:34,009 --> 00:02:38,009
but this process can become quite tedious to maintain.

60
00:02:38,009 --> 00:02:41,001
ARP was deprecated in IPv6

61
00:02:41,001 --> 00:02:45,002
in favor of using special ICMPv6 messages.

62
00:02:45,002 --> 00:02:48,003
ARP makes the IPv4 ecosystem function

63
00:02:48,003 --> 00:02:50,005
and is used extensively when troubleshooting

64
00:02:50,005 --> 00:02:53,000
Layer 1 to Layer 3 issues.