A computer on a network can be identified by one of two types of addresses. An Internet Protocol (IP) address is assigned to a computer based on its location in a network and is used to route traffic to that computer. A media access control (MAC) address is a hardware address tied to the computer's network interface card; it is burned in at manufacture, although most operating systems let it be overridden in software.
The Address Resolution Protocol (ARP) is used to map IP addresses, which operate at OSI Layer 3, to the Layer 2 MAC addresses of hosts within the same subnet. Routing decides which subnet a packet belongs on; ARP is what lets the final hop deliver it to the right computer within that subnet.
When a computer joins a local area network (LAN), it is assigned an IP address. This may be a static IP address that remains unchanged or a dynamic one assigned by a DHCP server. When a packet destined for that computer arrives at the network gateway from another network, the gateway must wrap it in an Ethernet frame addressed to the destination's MAC address, so it needs to know which MAC address belongs to that IP address. Every IP host, gateways included, keeps a lookup table called the ARP cache that lists the IP/MAC address mappings it has learned.
If the desired mapping exists in the ARP cache, the gateway can frame the packet and send it to its destination. However, an IP address may not be in the cache if the gateway has not talked to it before or if the entry has expired (entries are typically cached for only a few minutes, with the exact timeout depending on the operating system). In these cases, the gateway needs to find out which MAC address maps to that IP address.
This is where ARP comes into the picture. The gateway broadcasts an ARP request to every host on the LAN asking which of them is using that IP address. The host with that IP address sends back an ARP reply, addressed directly to the requester, that provides its MAC address. When the gateway receives this reply, it can send the packet on to its intended destination. It also records the IP/MAC address mapping in its ARP cache so that later packets to that address can be delivered without another broadcast.
ARP maps Layer 2 MAC addresses to Layer 3 IP addresses. This is essential to routing network traffic. Without ARP, IP/MAC address mappings would need to be created and updated manually, which would dramatically decrease the usability of the network.
The core ARP protocol discovers the MAC address associated with an IP address on an as-needed basis. Some other variations of the protocol include:
ARP is a network protocol that works on trust: replies carry no authentication. A host that has sent an ARP request accepts whatever reply it receives, and most implementations also update their cache on unsolicited replies without checking that a request was ever sent. Traffic to that IP address is then delivered to the indicated MAC address.
An ARP spoofing or ARP poisoning attack abuses this trust. In this attack, the attacker sends an ARP reply or gratuitous ARP message that maps their MAC address to a target's IP address. This causes data intended for the victim to be delivered to the attacker instead, which can be used in a man-in-the-middle (MitM) attack to steal or tamper with sensitive data, or in a Denial of Service (DoS) attack if the attacker simply drops the received packets. For a two-way MitM the attacker poisons both sides, telling the gateway that it owns the victim's IP address and telling the victim that it owns the gateway's. Because the attack is confined to the local segment, the usual defences are also local: static ARP entries for critical hosts, dynamic ARP inspection on managed switches, and monitoring that alerts when an IP address's MAC binding changes.
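The following is an added example, not Check Point code and not from the original article. It puts the two ideas above into working form: it encodes and decodes raw ARP packets in the RFC 826 wire layout, simulates the request/reply exchange between hosts on a toy LAN (each host keeps the trusting ARP cache the text describes), then shows an attacker overwriting the gateway's cache with a forged reply and a monitor catching the changed binding, which is the same check arpwatch-style tools perform. All MAC and IP addresses, the `Lan`, `Host` and `ArpWatch` classes, and the `demo()` driver are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# RFC 826 constants for ARP over Ethernet carrying IPv4
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ArpPacket:
    op: int
    sha: str   # sender hardware (MAC) address
    spa: str   # sender protocol (IP) address
    tha: str   # target hardware address (zero in a request)
    tpa: str   # target protocol address

    def pack(self) -> bytes:
        return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, self.op,
                           mac_to_bytes(self.sha), IPv4Address(self.spa).packed,
                           mac_to_bytes(self.tha), IPv4Address(self.tpa).packed)

    @classmethod
    def unpack(cls, data: bytes) -> "ArpPacket":
        htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
        if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        return cls(op, bytes_to_mac(sha), str(IPv4Address(spa)), bytes_to_mac(tha), str(IPv4Address(tpa)))


class Lan:
    """Constructed broadcast segment: delivers frames by destination MAC and lets a monitor tap every frame."""
    def __init__(self):
        self.hosts = {}       # mac -> Host
        self.monitor = None

    def send(self, dst_mac: str, frame: bytes):
        if self.monitor is not None:
            self.monitor.observe(frame)
        targets = list(self.hosts.values()) if dst_mac == BROADCAST else [self.hosts[dst_mac]]
        for host in targets:
            host.receive(frame)


class Host:
    """Constructed host with the trusting ARP cache described in the text."""
    def __init__(self, lan: Lan, ip: str, mac: str):
        self.lan, self.ip, self.mac = lan, ip, mac
        self.cache = {}       # ip -> mac
        lan.hosts[mac] = self

    def resolve(self, ip: str):
        if ip not in self.cache:                    # cache miss: broadcast a request
            req = ArpPacket(OP_REQUEST, self.mac, self.ip, ZERO_MAC, ip)
            self.lan.send(BROADCAST, req.pack())
        return self.cache.get(ip)

    def receive(self, frame: bytes):
        pkt = ArpPacket.unpack(frame)
        if pkt.sha == self.mac:                     # our own broadcast echoed back
            return
        if pkt.op == OP_REQUEST and pkt.tpa == self.ip:
            reply = ArpPacket(OP_REPLY, self.mac, self.ip, pkt.sha, pkt.spa)
            self.lan.send(pkt.sha, reply.pack())    # unicast reply to the requester
        elif pkt.op == OP_REPLY:
            # No check that a request was ever sent or that the binding changed:
            # this is the trust that ARP poisoning abuses.
            self.cache[pkt.spa] = pkt.sha


class ArpWatch:
    """Passive monitor: alerts when a reply rebinds an IP address to a different MAC."""
    def __init__(self):
        self.seen = {}        # ip -> first MAC observed
        self.alerts = []

    def observe(self, frame: bytes):
        pkt = ArpPacket.unpack(frame)
        if pkt.op != OP_REPLY:
            return None
        prev = self.seen.setdefault(pkt.spa, pkt.sha)
        if prev != pkt.sha:
            alert = f"{pkt.spa} changed from {prev} to {pkt.sha}"
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Returns (MAC the gateway learned legitimately, MAC it holds after poisoning, alerts raised)."""
    lan = Lan()
    lan.monitor = ArpWatch()
    gw = Host(lan, "192.168.1.1", "02:00:00:00:00:01")       # constructed addresses
    victim = Host(lan, "192.168.1.10", "02:00:00:00:00:10")
    attacker = Host(lan, "192.168.1.66", "02:00:00:00:00:66")
    legit = gw.resolve(victim.ip)                            # request broadcast, reply unicast
    # Poisoning: an unsolicited reply that binds the victim's IP to the attacker's MAC
    forged = ArpPacket(OP_REPLY, attacker.mac, victim.ip, gw.mac, gw.ip).pack()
    lan.send(gw.mac, forged)
    poisoned = gw.resolve(victim.ip)                         # cache hit, now the attacker's MAC
    return legit, poisoned, lan.monitor.alerts


if __name__ == "__main__":
    print(demo())
```

The simulation leaves out what a real stack does with the sender mapping carried in requests and with cache timeouts; the point it isolates is that the gateway's cache is overwritten by a reply it never asked for, and that a passive monitor on the segment sees the rebinding the instant it happens.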
ARP is a foundational network protocol that is crucial to delivering IP traffic on a local network. Without it, every host and gateway would have to be manually configured with IP-to-MAC mappings, dramatically reducing the usability of a network and the benefits of DHCP and similar protocols.
Check Point’s vast experience in network security and firewall development has provided it with a deep understanding of network protocols, and it uses these protocols in its solutions. For instance, Check Point clustering and dynamic routing technologies use ARP to provide resilient network security. Also, Check Point’s Quantum IoT Security uses device MAC addresses obtained via ARP as part of a device’s overall network fingerprint, then enriches this with cloud AI/ML engines to map IoT devices to a zero trust profile.
Check Point next-generation firewalls provide comprehensive network protection and make full use of available protocols. To learn more about what to look for in an NGFW, check out this buyer’s guide. Then, see the capabilities of Check Point NGFWs for yourself with a free demo.