Address Resolution Protocol

ARP and RARP Address Translation

Address Resolution Protocol (ARP) provides a completely different function to the network than Reverse Address Resolution Protocol (RARP). ARP is used to resolve the ethernet address of a NIC from an IP address in order to construct an ethernet packet around an IP data packet. This must happen in order to send any data across the network. Reverse address resolution protocol (RARP) is used for diskless computers to determine their IP address using the network.

Address Resolution Protocol (ARP)

In an earlier section, there was an example where a chat program was written to communicate between

two servers. To send data, the user (Tom) would type text into a dialog box, hit send and the following

happened:

1. The program passed Tom's typed text in a buffer, to the socket.

2. The data was put inside a TCP data packet with a TCP header added to the data. This header

    contained a source and destination port number along with some other information and a

    checksum.

3. The TCP packet was be placed inside an IP data packet with a source and destination IP address

    along with some other data for network management.

4. The IP data packet was placed inside an ethernet data packet. This data packet includes the

    destination and source address of the network interface cards (NIC) on the two computers. The

    address here is the hardware address of the respective cards and is called the MAC address.

5. The ethernet packet was transmitted over the network line.

6. With a direct connection between the two computers, the network interface card on the intended

     machine, recognized its address and grabbed the data.

7. The IP data packet was extracted from the ethernet data packet.

8. The TCP data packet was extracted from the IP data packet.

9. The data was extracted from the TCP packet and the program displayed the retrieved data (text) in

     the text display window for the intended recipient to read.

In step 4 above, the IP data was going to be placed inside an ethernet data packet, but the computer

constructing the packet does not have the ethernet address of the recipient's computer. The computer that is sending the data, in order to create the ethernet part of the packet, must get the ethernet hardware (MAC) address of the computer with the intended IP address. This must be accomplished before the ethernet packet can be constructed. The ethernet device driver software on the receiving computer is not programmed to look at IP addresses encased in the ethernet packet. If it did, the protocols could not be independent and changes to one would affect the other. This is where address resolution protocol (ARP) is used. Tom's computer sends a network broadcast asking the computer that has the recipient's IP address to send it's ethernet address. This is done by broadcasting. The ethernet destination is set with all bits on so all ethernet cards on the network will receive the data packet. The ARP message consists of an ethernet header and ARP packet. The ethernet header contains:

1. A 6 byte ethernet destination address.

2. A 6 byte ethernet source address.

3. A 2 byte frame type. The frame type is 0806 hexadecimal for ARP and 8035 for RARP

The encapsulated ARP data packet contains the following:

1. Type of hardware address (2 bytes). 1=ethernet.

2. Type of protocol address being mapped( 2 bytes). 0800H (hexadecimal) = IP address.

3. Byte size of the hardware address (1 byte). 6

4. Byte size of the protocol address (1 byte). 4

5. Type of operation. 1 = ARP request, 2=ARP reply, 3=RARP request, 4=RARP reply.

6. The sender's ethernet address (6 bytes)

7. The sender's IP address (4 bytes)

8. The recipient's ethernet address (6 bytes)

9. The recipient's IP address (4 bytes)

When the ARP reply is sent, the recipient's ethernet address is left blank.

In order to increase the efficiency of the network and not tie up bandwidth doing ARP broadcasting, each computer keeps a table of IP addresses and matching ethernet addresses in memory. This is called ARP cache. Before sending a broadcast, the sending computer will check to see if the information is in it's ARP cache. If it is it will complete the ethernet data packet without an ARP broadcast. Each entry normally lasts 20 minutes after it is created. RFC 1122 specifies that it should be possible to configure the ARP cache timeout value on the host. To examine the cache on a Windows, UNIX, or Linux computer type "arp -a".

If the receiving host is on another network, the sending computer will go through its route table and determine the correct router (A router should be between two or more networks) to send to, and it will substitute the ethernet address of the router in the ethernet message. The encased IP address will still have the intended IP address. When the router gets the message, it looks at the IP data to tell where to send the data next. If the recipient is on a network the router is connected to, it will do the ARP resolution either using it's ARP buffer cache or broadcasting.

Reverse Address Resolution Protocol (RARP)

As mentioned earlier, reverse address resolution protocol (RARP) is used for diskless computers to determine their IP address using the network. The RARP message format is very similar to the ARP format. When the booting computer sends the broadcast ARP request, it places its own hardware address in both the sending and receiving fields in the encapsulated ARP data packet. The RARP server will fill in the correct sending and receiving IP addresses in its response to the message. This way the booting computer will know its IP address when it gets the message from the RARP server.

Network Devices

The Network Devices are Repeaters, Bridges, Routers, and Gateways.

Network Repeater

A repeater connects two segments of your network cable. It retimes and regenerates the signals to proper

amplitudes and sends them to the other segments. When talking about, ethernet topology, you are probably talking about using a hub as a repeater. Repeaters require a small amount of time to regenerate the signal. This can cause a propagation delay which can affect network communication when there are several repeaters in a row. Many network architectures limit the number of repeaters that can be used in a row. Repeaters work only at the physical layer of the OSI network model.

Bridge

A bridge reads the outermost section of data on the data packet, to tell where the message is going. It reduces the traffic on other network segments, since it does not send all packets. Bridges can be programmed to reject packets from particular networks. Bridging occurs at the data link layer of the OSI

model, which means the bridge cannot read IP addresses, but only the outermost hardware address of the

packet. In our case the bridge can read the ethernet data which gives the hardware address of the destination address, not the IP address. Bridges forward all broadcast messages. Only a special bridge called a translation bridge will allow two networks of different architectures to be connected. Bridges do not normally allow connection of networks with different architectures. The hardware address is also called the MAC (media access control) address. To determine the network segment a MAC address belongs to, bridges use one of:

• Transparent Bridging - They build a table of addresses (bridging table) as they receive packets. If the address is not in the bridging table, the packet is forwarded to all segments other than the one it came from. This type of bridge is used on ethernet networks.

• Source route bridging - The source computer provides path information inside the packet. This is used on Token Ring networks.

Network Router

A router is used to route data packets between two networks. It reads the information in each packet to

tell where it is going. If it is destined for an immediate network it has access to, it will strip the outer packet, readdress the packet to the proper ethernet address, and transmit it on that network. If it is destined for another network and must be sent to another router, it will re-package the outer packet to be received by the next router and send it to the next router. The section on routing explains the theory behind this and how routing tables are used to help determine packet destinations. Routing occurs at the network layer of the OSI model. They can connect networks with different architectures such as Token Ring and Ethernet. Although they can transform information at the data link level, routers cannot transform information from one data format such as TCP/IP to another such as IPX/SPX. Routers do not send broadcast packets or corrupted packets. If the routing table does not indicate the proper address of a packet, the packet is discarded.

Brouter

There is a device called a brouter which will function similar to a bridge for network transport protocols that are not routable, and will function as a router for routable protocols. It functions at the network and data link layers of the OSI network model.

Gateway

A gateway can translate information between different network data formats or network architectures. It can translate TCP/IP to AppleTalk so computers supporting TCP/IP can communicate with Apple brand computers. Most gateways operate at the application layer, but can operate at the network or session layer of the OSI model. Gateways will start at the lower level and strip information until it gets to the required level and repackage the information and work its way back toward the hardware layer of the OSI model. To confuse issues, when talking about a router that is used to interface to another network, the word gateway is often used. This does not mean the routing machine is a gateway as defined here, although it could be.

Network Categories

TDP/IP includes a wide range of protocols which are used for a variety of purposes on the network. The set of protocols that are a part of TCP/IP is called the TCP/IP protocol stack or the TCP/IP suite of protocols.

Considering the many protocols, message types, levels, and services that TCP/IP networking supports, I believe it would be very helpful to categorize the various protocols that support TCP/IP networking and define their respective contribution to the operation of networking. Unfortunately I have never seen this done to any real extent, but believe it would be worthwhile to help those learning networking understand it faster and better. I cannot guarantee that experts will agree with the categorizations that will be provided here, but they should help the reader get the big picture on the various protocols, and thus clarify what the reason or need is for each protocol.

As mentioned previously, there are four TCP/IP layers. They are link, network, transport, and application. The link layer is the hardware layer that provides ability to send messages between multiple locations. In the case of this document, ethernet provides this capability. Below I define several categories some of which fit into the 4 layer protocol levels described earlier. I also define a relative fundamental importance to the ability of the network to function at all. Importance includes essential, critical, important, advanced, useful.

1. Essential - Without this all other categories are irrelevant.
2. Critical - The network, as designed, is useless without this ability.
3. Important - The network could function, but would be difficult to use and manage.
4. Advanced - Includes enhancements that make the network easier to use and manage.
5. Useful - Functionality that you would like to be able to use as a network user. Applications or some       functionality is supported here. Without this, why build a network?

The categories are:

There are exceptions to my categorizations that don't fit into the normal layering scheme, such as IGMP is normally part of the link layer, but I have tried to list these categorizations according to network functions and their relative importance to the operation of the network. Also note that ethernet, which is not really a protocol, but an IEEE standard along with PPP, SLIP, TokenRing, and ArcNet are not TCP/IP protocols but may support TCP/IP at the hardware or link layer, depending on the network topology.

The list below gives a brief description of each protocol

• ethernet - Provides for transport of information between physical locations on ethernet cable. Data is passed in ethernet packets
• SLIP - Serial line IP (SLIP), a form of data encapsulation for serial lines.
• PPP - Point to point protocol (PPP). A form of serial line data encapsulation that is an improvement over SLIP.
• IP - Internet Protocol (IP). Except for ARP and RARP all protocols' data packets will be packaged into an IP data packet. Provides the mechanism to use software to address and manage data packets being sent to computers.
• ICMP - Internet control message protocol (ICMP) provides management and error reporting to help manage the process of sending data between computers.
• ARP - Address resolution protocol (ARP) enables the packaging of IP data into ethernet packages. It is the system and messaging protocol that is used to find the ethernet (hardware) address from a specific IP number. Without this protocol, the ethernet package could not be generated from the IP package, because the ethernet address could not be determined.
• TCP - A reliable connection oriented protocol used to control the management of application level services between computers.
• UDP - An unreliable connection less protocol used to control the management of application level services between computers.
• DNS - Domain Name Service, allows the network to determine IP addresses from names and vice versa.
• RARP - Reverse address resolution protocol (RARP) is used to allow a computer without a local permanent data storage media to determine its IP address from its ethernet address.
• BOOTP - Bootstrap protocol is used to assign an IP address to diskless computers and tell it what server and file to load which will provide it with an operating system.
• DHCP - Dynamic host configuration protocol (DHCP) is a method of assigning and controlling the IP addresses of computers on a given network. It is a server based service that automatically assigns IP numbers when a computer boots. This way the IP address of a computer does not need to be assigned manually. This makes changing networks easier to manage. DHCP can perform all the functions of BOOTP.
• IGMP - Internet Group Management Protocol used to support multicasting.
• SNMP - Simple Network Management Protocol (SNMP). Used to manage all types of network elements based on various data sent and received.
• RIP - Routing Information Protocol (RIP), used to dynamically update router tables on WANs or the internet.
• OSPF - Open Shortest Path First (OSPF) dynamic routing protocol.
• BGP - Border Gateway Protocol (BGP). A dynamic router protocol to communicate between routers on different systems.
• CIDR - Classless Interdomain Routing (CIDR).
• FTP - File Transfer Protocol (FTP). Allows file transfer between two computers with login required.
• TFTP - Trivial File Transfer Protocol (TFTP). Allows file transfer between two computers with no login required. It is limited, and is intended for diskless stations.
• SMTP - Simple Mail Transfer Protocol (SMTP).
• NFS - Network File System (NFS). A protocol that allows UNIX and Linux systems remotely mount each other's file systems.
• Telnet - A method of opening a user session on a remote host.
• Ping - A program that uses ICMP to send diagnostic messages to other computers to tell if they are reachable over the network.
• Rlogin - Remote login between UNIX hosts. This is outdated and is replaced by Telnet.

Each protocol ultimately has it's data packets wrapped in an ethernet, SLIP, or PPP packet (at the link level) in order to be sent over the ethernet cable. Some protocol data packets are wrapped sequentially multiple times before being sent. For example FTP data is wrapped in a TCP packet which is wrapped in a IP packet which is wrapped in a link packet (normally ethernet). The diagram below shows the relationship between the protocols' sequential wrapping of data packets.

IEEE 802 Standard

The Data Link Layer and IEEE

When we talk about Local Area Network (LAN) technology the IEEE 802 standard may be heard. This

standard defines networking connections for the interface card and the physical connections, describing how they are done. The 802 standards were published by the Institute of Electrical and Electronics Engineers (IEEE). The 802.3 standard is called ethernet, but the IEEE standards do not define the exact original true ethernet standard that is common today. There is a great deal of confusion caused by this. There are several types of common ethernet frames. Many network cards support more than one type.

The ethernet standard data encapsulation method is defined by RFC 894. RFC 1042 defines the IP to link

layer data encapsulation for networks using the IEEE 802 standards. The 802 standards define the two

lowest levels of the seven layer network model and primarily deal with the control of access to the

network media. The network media is the physical means of carrying the data such as network cable. The

control of access to the media is called media access control (MAC). The 802 standards are listed below:

•  802.1 - Internetworking
•  802.2 - Logical Link Control *
•  802.3 - Ethernet or CSMA/CD, Carrier-Sense Multiple Access with Collision detection LAN *
•  802.4 - Token-Bus LAN *
•  802.5 - Token Ring LAN *
•  802.6 - Metropolitan Area Network (MAN)
•  802.7 - Broadband Technical Advisory Group
•  802.8 - Fiber-Optic Technical Advisory Group
•  802.9 - Integrated Voice/Data Networks
•  802.10 - Network Security
•  802.11 - Wireless Networks
•  802.12 - Demand Priority Access LAN, 100 Base VG-AnyLAN

*The Ones with stars should be remembered in order for network certification testing.

Network Access Methods

There are various methods of managing access to a network. If all network stations tried to talk at once, the messages would become unintelligible, and no communication could occur. Therefore a method of being sure that stations coordinate the sending of messages must be achieved. There are several methods listed below which have various advantages and disadvantages.

 Contention

1.  Carrier-Sense Multiple Access with Collision Detection (CSMA/CD) - Used by Ethernet
2.  Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)

•  Token Passing - A token is passed from one computer to another, which provides transmission permission.
•  Demand Priority - Describes a method where intelligent hubs control data transmission. A computer will send a demand signal to the hub indicating that it wants to transmit. The hub sill respond with an acknowledgement that will allow the computer to transmit. The hub will allow computers to transmit in turn. An example of a demand priority network is 100VG-AnyLAN (IEEE 802.12). It uses a star-bus topology.
•  Polling - A central controller, also called the primary device will poll computers, called secondary devices, to find out if they have data to transmit. Of so the central controller will allow them to transmit for a limited time, then the next device is polled.

Token passing performs better when the network has a lot of traffic, while ethernet which uses CSMA/CD is generally faster but loses performance when the network has a lot of traffic. CSMA/CD is basically a method that allows network stations to transmit any time they want. They, however, sense the network line and detect if another station has transmitted at the same time they did. This is called a collision. If a collision happened, the stations involved will retransmit at a later, randomly set time in hopes of avoiding another collision.

IP to link layer encapsulation

The requirements for IP to link layer encapsulation for hosts on a Ethernet network

•  All hosts must be able to send and receive packets defined by RFC 894.
•  All hosts should be able to receive a mix of packets defined by RFC 894 and RFC 1042.
•  All hosts may be able to send RDC 1042 defined packets.

Hosts that support both must provide a means to configure the type of packet sent and the default must be

packets defined by RFC 894.

Ethernet and IEEE 802 Encapsulation formats

Ethernet (RFC 894) message format consists of:

1. 6 bytes of destination address.

2. 6 bytes of source address.

3. 2 bytes of message type which indicates the type of data being sent.

4. 46 to 1500 bytes of data.

5. 4 bytes of cyclic redundancy check (CRC) information.

IEEE 802 (RFC 1042) Message format consists of 3 sections plus data and CRC as follows:

•  802.3 Media Access Control section used to coordinate the sending of data between computers.

      1. 6 bytes of destination address.

      2. 6 bytes of source address.

      3. 2 bytes of length - The number of bytes that follow not including the CRC.

•  802.2 Logical Link control establishes service access points (SAPs) between computers.

      1. 1 byte destination service access point (DSAP).

      2. 1 byte source service access point (SSAP).

      3. 1 byte of control.

•  Sub Network Access Protocol (SNAP).

      1. 3 bytes of org code.

      2. 2 bytes of message type which indicates the type of data being sent.

•  38 to 1492 bytes of data.
•  4 bytes of cyclic redundancy check (CRC) information.

Some ethernet message types include:

•  0800 - IP datagram with length of 38 to 1492 bytes. 
•  0806 - ARP request or reply with 28 bytes and pad bytes that are used to make the frame long enough for the minimum length.
•  8035 - RARP request or reply of 28 bytes and pad bytes that are used to make the frame long enough for the minimum length.

These message types are the same for both formats above with the exception of the pad bytes. The pad bytes for the RFC 894 and RFC 1042 datagrams are of different lengths between the two message formats because the RFC 894 minimum message length is 46 bytes and the RFC 1042 minimum message length is 38 bytes. Also the two message formats above are distinguishable from each other. This is because the RFC 894 possible length values are exclusive of RFC 1042 possible type values.

Trailor Encapsulation

This is described in RFC 1122 and RFC 892, but this scheme is not used very often today. The trailer protocol [LINK:1] is a link-layer encapsulation method that rearranges the data contents of packets sent on the physical network. It may be used but only after it is verified that both the sending and receiving hosts support trailers. The verification is done for each host that is communicated with.

RFC 1122 states: "Only packets with specific size attributes are encapsulated using trailers, and typically only a small fraction of the packets being exchanged have these attributes. Thus, if a system using trailers exchanges packets with a system that does not, some packets disappear into a black hole while others are

delivered successfully."

Trailer negotiation is performed when ARP is used to discover the media access control (MAC) address

of the destination host. RFC 1122 states: "a host that wants to speak trailers will send an additional "trailer ARP reply" packet, i.e., an ARP reply that specifies the trailer encapsulation protocol type but otherwise has the format of a normal ARP reply. If a host configured to use trailers receives a trailer ARP reply message from a remote machine, it can add that machine to the list of machines that understand trailers, e.g., by marking the corresponding entry in the ARP cache."