Chapter 9: Address Resolution
For each device, an ARP cache timer removes ARP entries that have not been used for a specified period of time. The times differ depending on the operating system of the device. For example, newer Windows operating systems store ARP table entries for how long?
15-45 seconds
What will a router do with an ARP request?
A router will not forward broadcast to other interfaces so the ARP will be processed but then it will not be sent out the other interfaces.
How can ARP be a potential security risk?
A threat actor an use ARP spoofing to perform an ARP poisoning attack.
What two protocols are used to determine the MAC address of a known destination device IP address (IPv4 and IPv6)? DHCP ARP DNS ND
ARP ND
Which statement is true about ARP? An ARP cache cannot be manually deleted ARP entries are cached permanently ARP entries are cached temporarily
ARP entries are cached temporarily
If your network is using the IPv4 communications protocol, what protocol is used to map IPv4 addresses to MAC addresses?
ARP or Address Resolution Protocol
What is an attack using ARP? ARP broadcasts ARP hopping attacks ARP poisoning ARP starvation
ARP poisoning
What services does Neighbor Discovery provide?
Address resolution Router Discovery Redirection services for IPv6 using ICMPv6
After the ARP reply is received the the device that originally sent the ARP request will do what with the information?
After the ARP reply is received, the device will add the IPv4 address and the corresponding MAC address to its ARP table. Packets destined for that IPv4 address can now be encapsulated in frames using its corresponding MAC address.
If the device locates the IPV4 address, its corresponding MAC address is used as the destination MAC address in the frame. If there is no entry found, the device sends what?
An ARP request
When is an ARP request sent by a device?
An ARP request is sent when a device needs to determine the MAC address that is associated with an IPv4 address, and it does not have an entry for the IPv4 address in its ARP table.
Router Solicitation and Router messages are used for what?
Are for messaging between devices and router. Typically router discovery is used for dynamic address allocation and stateless address autoconfiguration (SLAAC)
The ARP reply is encapsulated in an Ethernet frame using the following header information:
Destination MAC address Source MAC address Type
The ARP request is encapsulated in an Ethernet frame using the following header information:
Destination MAC address Source MAC address Type
This broadcast address FF-FF-FF-FF-FF-FF requiring all Ethernet NICs on the LAN to accept and process the ARP request
Destination MAC address for ARP request
This is the MAC address of the send of the ARP request
Destination MAC address of an ARP reply
What header information is contained in an ARP request?
Destination MAC- which is a broadcast Source MAC- which is the devices mac address Target IPv4 address- This will be the destination device IP address. It is used to compare target IP address devices Target MAC address- this will be unknown and needs to be identified
How do we mitigate ARP spoofing?
Enterprise level switches include mitigation techniques known as dynamic ARP inspection (DAI)
What headers does a ICMPv6 Neighbor Advertisement message contain?
Ethernet Hader Destination Unicast MAC address Source MAC address IPv6 Header Source IPV6 Address Destination Unicast Address ICMPv6 Neighbor Advertisement Header Target IPv6 address Target MAC address
What headers does a ICMPv6 Neighbor Solicitation message contain?
Ethernet Header with Trailer Destination Multicast MAC address Source MAC address IPv6 Header Source IPv6 Address Destination IPv6 Solicitated Node Multicast Address ICPMPv6 Neighbor Solicitation Message Header Target IPv6 Address is the Same IPv6 address as the IPv6 packet on hold
Which destination address is used in an ARP request frame? 01-00-5e-00-aa-23 255.255.255.255 0.0.0.0 127.0.0.1 FFFF.FFFF.FFFF.FFFF
FFFF.FFFF.FFFF.FFFF
How are the IP addresses of the IP packets in a data flow associated with the MAC addresses on each link along the path to the destination?
For IPv4 packets, this is done through a process called Address Resolution Protocol (ARP). ForIPv6 packets, the process is ICMPv6 Neighbor Discovery (ND)
IPv6 uses a similar process to ARP for IPv4, known as what?
ICMPv6 Neighbor Discovery Neighbor Discover (ND)
Why is a ICMPv6 Neighbor Solicitation message better than an ARP request?
ICMPv6 Neighbor Solicitation message uses a multicast MAC address that determines whether the device it is looking for is the one. ARP request requires all device accept the request and take it up the stack to see if the message is for them. ICMPv6 Neighbor Solicitation message does this right at layer 2.
What type of information is contained in an ARP table? routes to reach destination networks switch ports associated with destination MAC Addresses domain name to IPv4 address mappings IPv4 address to MAC address mappings
IPv4 address to MAC address mappings
What addresses are mapped by ARP? IPv4 address to destination MAC address destination IPv4 address to the source MAC address destination AMC address to the source IPv4 address destination IPv4 address tot he destination host name
IPv4 address to destination MAC address
Why can ARP requests be a problem?
If a large number of devices were to be powered up and all start accessing network services at the same time, there could be some reduction in performance for a short period of time.
How will the ARP table be used by a device if the destination IPv4 address is on a different network than the source IPv4 address?
If the destination IPv4 address is on a different network than the source IPv4 address, the device will search the ARP table for the IPv4 address of the default gateway.
Once a device destined for an ARP request receives the request, what does it do?
If the device the does not have the matching IPv4 address the device does not reply to the ARP request. Only one device on the LAN will have an IPv4 address that matches the target IPv4 address in the ARP request.
How will the ARP table be used by a device if the packet's destination IPv4 address is on the same network as the source IPv4 address?
If the packet's destination IPv4 address is on the same network as the source IPv4 address, the device will search the ARP table for the destination IPv4 address.
The fifth ICMPv6 ND message is used for what?
Is a redirect message which is used for better next-hop selection.
Why does a receiving device of a ICMPv6 Neighbor Solicitation message save the the sending devices IPv6 address and its MAC address to its neighbor cache?
It does this in order to send back a ICMPv6 Neighbor Advertisement Message.
What will a Layer 2 switch do when the destination MAC address of a received frame is not in the MAC table? It broadcasts the frame out of all ports on the switch It notifies the sending host that the frame cannot be delivered It initiates an ARP request It forwards the frame out of all ports except for the port at which the frame was received
It forwards the frame out of all ports except for the port at which the frame was received
What is an ARP table/ ARP cache?
It is a table used during layer 2 encapsulation to find the MAC address mapped to the IPv4 address of a device
What action is taken by a Layer 2 switch when it receives a Layer 2 broadcast frame? It sends the frame to all ports It sends the frame to all ports that are registered to forward broadcasts It sends the frame to all ports except the port on which it received the frame it drops the frame
It sends the frame to all ports except the port on which it received the frame
During the encapsulation process, If a packet has no matching destination IPv4 address in the ARP table, what does the device do with that packet that needs to be encapsulated with layer 2 addressing?
It will put the packet on hold and create an ARP request.
What addresses are used to deliver the data link frame with the encapsulated IP packet from one NIC to another NIC that is on the same network?
Layer 2 physical address or Ethernet MAC ADDRESS
Used to send the packet from the source device to the destination device. The destination IP address may be on the same IP network as the source or it may be on a remote network.
Logical Address (the IP address)
What two functions are provided by ARP? Maintains a table of IPv4 address to domain names Maintains a table of I Pv4 to MAC address mappings Maintains a table of IPv6 to MAC address mappings Resolves IPv4 address to domain names Resolves IPv4 addresses to MAC addresses Resolves IPv6 addresses to MAC addresses
Maintains a table of I Pv4 to MAC address mappings Resolves IPv4 addresses to MAC addresses
What type of message is a Neighbor Solicitation frame?
Multicast Frame
In IPv6, what advertisement messages are similar to IPv4 ARP reply ?
Neighbor Advertisement
Which two ICMPv6 messages are used in to determine the MAC address of a known IPv6 address? Neighbor Advertisement Neighbor Solicitation Router Advertisement Router Solicitation
Neighbor Advertisement Neighbor Solicitation
In IPv6 addressing what table is used to map IPv6 address to a MAC address?
Neighbor Cache
Which ICMPv6 messages are used during the Ethernet MAC address resolution process? (choose two) Router advertisement Router Solicitation Neighbor Solicitation Echo request Neighbor Advertisement
Neighbor Solicitation Neighbor Advertisement
ICMPv6 ND uses five ICMPv6 messages to perform these services:
Neighbor Solicitation messages Neighbor Advertisement messages Router Solicitation messages Router Advertisement messages Redirect Message
In IPv6, what advertisement messages are similar to IPv4 ARP request ?
Neighbor solicitation
Which device on a LAN would receive an ARP reply?
Only the device that originally sent the ARP request will receive the unicast ARP reply.
Which device on a LAN will send back an ARP reply?
Only the device whith the target IPv4 address associated with the ARP request will respond with an ARP reply.
What are the two addresses assigned to a device on an Ethernet LAN:
Physical Address Logical Address
Used for NIC to NIC communications on the same Ethernet network
Physical address (the MAC address)
Where is the ARP table stored on a device?
RAM
Which router component holds the routing table, ARP cache, and running configuration file? RAM FLASH ROM NVRAM
RAM
ARP provides two basic functions:
Resolving IPv4 addresses to MAC addresses Maintaining a table of IPv4 to MAC address mappings
Which two ICMPv6 messages are used in SLAAC? Neighbor Advertisement Neighbor Solicitation Router Advertisement Router Solicitation
Router Advertisement Router Solicitation
This is the MAC address of the send of the ARP reply
Source MAC adders of and ARP reply
This MAC address of the send for the ARP request
Source MAC of the ARP request
What does SLAAC stand for?
Stateless Address Autoconfiguration
What are static map entries?
Static map entries are manually configured ARP table entries
ARP messages have a type field of 0x806. This informs the receiving NIC that the data portion of the frame needs to be passed to the ARP process
TYPE for ARP reply
Sometimes a host must send a messaged, but only know the IP address of the destination device. The host needs to know the MAC address of that device, but how can it be discovered?
That is where ARP comes in or Address Resolution Protocol
What destination MAC address would be included in frame sent form a source device to a destination device on the same local network? A broadcast MAC address of FF-FF-FF-FF-FF-FF The MAC address of the destination device The MAC address of the local router interface
The MAC address of the destination device
What destination MAC address would be included in a frame sent from a source device to a destination device on a remote local network? A broadcast MAC address of FF-FF-FF-FF-FF-FF The MAC address of the destination device The MAC address of the local router interface
The MAC address of the local router interface
In a ICMPv6 Neighbor Solicitations message, which addresses are map to each other?
The Target IPv6 address is mapped to the Destination IPv6 Solicitated Node Multicast Address The IPv6 Solicitated Node Multicast Address is then mapped to the Destination MAC Multicast Address
If the destination IP address is on the same network, what will be used to deliver the packets to that device?
The destination MAC address will be that of the destination device
When the destination IP address is on a remote network, what will be the destination MAC address be?
The destination MAC address will that of the default gateway or the router interface
If a map between an IPV6 address and a MAC address is not found in the Neighbor Cache during the encapsulation process, what does the device do to obtain the information?
The device puts the IPv6 packet on hold and creates a ICMPv6 Neighbor Solicitation message. This is similar to an ARP request.
Entries in the ARP table are time stamped. If a device does not receive a frame form a particular device before the timestamp expires, what happens to that entry?
The entry for this device is removed from the ARP table.
If no device responds to the ARP request, what happens to the packet that is waiting for the information form the ARP request?
The packet is dropped because a frame cannot be created.
When a device receives an ICPMv6 Neighbor Solicitation message destined for it, what new entry is created in the device's neighbor cache?
The receiving device adds the sending devices IPv6 address and its MAC address to its neighbor cache. This would be found in the ICMPv6 Neighbor Solicitation message Source MAC address and the Source IPv6 address.
Because ARP requests are broadcasts, they are flooded out all ports by the switch except which port?
The receiving port
Where is the ARP table/ARP cache store?
The table is stored temporarily in RAM
AA PC is configured to obtain an IPv4 address automatically from network 192.168.1.0/24. The network administrator issues the arp -a command and notices an entry of 192.168.1.255 ff-ff-ff-ff-ff-ff. Which statement describes this entry? This is a static map entry This entry refers to the PC iteself This is a dynamic map entry This entry maps to the default gateway
This is a static map entry
A threat actor can use ARP spoofing to perform an ARP poisoning attack.
This is a technique used by a threat actor to reply to an ARP request for an IPv4 address that belongs to another device, such as the default gateway. The threat actor sends an ARP reply with its own MAC address. The receiver of the ARP reply will add the wrong MAC address to its ARP table and send these packets to the threat actor.
True or False: ARP messages are encapsulated directly within an Ethernet frame and there is no IPv4 header
True
True or False: All Ethernet NICs on the LAN process broadcasts and must deliver the ARP request to its operating system for processing. Every device must process the ARP request to see if the target IPv4 address matches its own.
True
True or False: Static map entries do not expire over time
True, the must be manually removed
ARP messages have a type field of 0x806. This informs the receiving NIC that the data portion of the frame needs to be passed to the ARP process
Type
What type of message is a Neighbor Advertisement frame?
Unicast Frame
Neighbor Solicitation and Neighbor Advertisement messages are used for what?
Used for device-to-device messaging such as address resolution (similar to ARP for IPv4). Devices include both host computers and routers.
Each entry, or row, of the ARP table binds an IPv4 address with a MAC address, this is known as what?
We call the relationship between the two values a map.
When does a device map an IP address to a MAC address?
When a packet is sent to the data link layer or layer 2 to be encapsulated into an Ethernet Frame, the device refers to table in its memory to fine the MAC address that is mapped to the IPv4 address.
A cybersecurity analyst believes an attacker is spoofing the MAC address of the default gateway to perform a man-in-the-middle attack. Which command should the analyst use to view the MAC address a host is using to reach the default gateway? ipconfig/all route print arp-a netstat-r
arp -a
What command on a windows machine is used to display the ARP table?
arp -a
What command do you use to clear the arp table in windows?
arp -d
How do you remove entries form ICMPv6 Neighbor Discovery maps?
clear ipv6 neighbors
The ARP table in a switch maps which two types of address together? layer 3 address to a layer 4 address layer 2 address to a layer 4 address layer 4 address to a layer 2 address layer 3 address to a layer 2 address
layer 3 address to a layer 2 address
To what type of address are ICMPv6 neighbor solicitation messages sent? unicast multicast broadcast
multicast
What command is used to set the number of pings used on a window machince?
ping -n argument
What is one function of the ARP protocol? obtaining an IPv4 address automatically mapping a domain name to its IP address resolving an IPv4 address to a MAC address maintaining a table of domain names with their resolved IP addresses
resolving an IPv4 address to a MAC address
What command on a Cisco router is used to display the ARP table?
show ip arp
Which command could be used on a Cisco router to view its ARP table?
show ip arp
What command on a Cisco device is used to display ICMPv6 Neighbor Discovery maps?
show ipv6 neighbors
When an IPv4 packet is sent to a host on a remote network, what information is provided by ARP? the ipv4 address of the default gateway the ipv4 address of the destination host the mac address of the switch port that connects to the sending host the mac address of the router interface closest to the sending host
the mac address of the router interface closest to the sending host
How does the ARP process use an IPv4 address? to determine the network number based on the number of bits in the IPv4 address to determine the the MAC address of the remote destination host to determine the amount of time a packet takes when traveling from source to destination to determine the MAC address of a device on the same network
to determine the MAC address of a device on the same network
What is the purpose of ARP in an IPv4 network? to build the MAC address table in a switch from the information that is gathered to forward data onward based o the destination MAC address to forward data onward based on the destination IP address to obtain specific MAC address when an IP address is known
to obtain specific MAC address when an IP address is known
