2101 Ch09: ARP Basics and Functionality

Questions and Answers

What must occur again after an entry has been removed from the ARP table?

• Send an ARP reply
• Initiate a TCP handshake
• Send an ARP request (correct)
• Establish a UDP connection

What is a potential security risk associated with the ARP process?

• UDP flooding
• IP hijacking
• ARP spoofing (correct)
• DNS poisoning

Which ICMPv6 message is used for address resolution in the Neighbor Discovery protocol?

• Router Advertisement
• Router Solicitation
• Redirect Message
• Neighbor Advertisement (correct)

What mechanism does enterprise-grade switches use to mitigate ARP attacks?

Dynamic ARP inspection (DAI) (B)

Which message is NOT part of the five ICMPv6 messages used in Neighbor Discovery?

ARP Request (C)

What service does the redirect message in ICMPv6 Neighbor Discovery provide?

Better next-hop selection (C)

What could occur if many devices are powered up simultaneously on a network?

Reduced performance temporarily (A)

What happens after a device sends an ARP request?

Only the device with the matching IPv4 address replies. (A)

What is a characteristic of the ARP reply?

Only the originating device receives the ARP reply. (A)

What is ARP spoofing primarily used for?

Performing ARP poisoning attacks. (D)

Which ICMPv6 message is NOT used by Neighbor Discovery?

Fake advertisement (A)

Which of the following services does the Neighbor Discovery protocol provide for IPv6?

Address resolution (D)

Which factor determines the removal of ARP table entries?

An ARP cache timer. (A)

What do IPv6 devices use to resolve MAC addresses instead of ARP?

Neighbor Discovery protocol (C)

What is a consequence of broadcasting an ARP request on a local network?

The network may slow down. (C)

Which ICMPv6 message is responsible for soliciting router information?

Router solicitation (C)

What is the purpose of the ARP type field set to 0x806?

It informs the NIC to pass data to the ARP process. (A)

What happens to packets if no device responds to an ARP request?

The packets are dropped as a frame cannot be created. (D)

What is a characteristic of static ARP entries?

They are manually entered and do not expire. (D)

Which message types does ICMPv6 Neighbor Discovery rely on?

Neighbor solicitation and neighbor advertisement messages. (A)

When a source device needs to send a frame to an IPv4 address on another network, what is used?

The MAC address of the default gateway. (D)

What is one of the main risks associated with ARP spoofing?

Incorrect routing of packets in the network. (A)

Why is dynamic ARP inspection recommended in networks?

It prevents unauthorized MAC address changes. (A)

How frequently does the ARP cache timer remove inactive entries in a device?

Between 15 and 45 seconds for newer Windows OS. (B)

What initial step does a host take when creating a packet for a destination IP address?

It compares the destination IP with its own IP. (D)

Flashcards

What is ARP?

ARP is a protocol used to map IPv4 addresses to MAC addresses.

What is an ARP table used for?

Devices use ARP tables to store mappings between IPv4 addresses and MAC addresses.

How is an ARP table updated?

ARP tables are updated when a device receives a packet from a new device, or when an entry expires.

What happens when a device wants to send a packet?

When a device sends a packet, it checks its ARP table for the MAC address corresponding to the destination IPv4 address.

What happens if the MAC address isn't found in the ARP table?

If the destination IPv4 address is not found in the ARP table, the sending device broadcasts an ARP request.

What is an ARP request?

An ARP request queries for the MAC address corresponding to a specific IPv4 address.

How are ARP requests responded to?

Devices with the matching IPv4 address respond with their MAC address.

What happens after the sending device receives the ARP reply?

The ARP reply updates the sender's ARP table with the new mapping.

What happens if no device responds to an ARP request?

If no device responds to the ARP request, the packet is dropped.

What is ARP poisoning?

ARP poisoning attacks exploit ARP by sending forged replies to manipulate the ARP table.

How does ARP poisoning work?

An attacker can send a forged ARP reply with its own MAC address, causing the target device to map the intended IPv4 address to the attacker's MAC address.

How does IPv6 handle address resolution?

IPv6 Neighbor Discovery Protocol (ND) replaces ARP for IPv6.

How does ND work?

ND uses ICMPv6 messages to resolve IPv6 addresses to MAC addresses.

What services does ND provide?

ND provides services like address resolution, router discovery, and route optimization.

What are the types of ICMPv6 messages used in ND?

ND uses five types of ICMPv6 messages: Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement, and Redirect.

What are Neighbor Solicitation and Neighbor Advertisement messages for?

Neighbor Solicitation and Neighbor Advertisement messages are used for device-to-device communication.

What are Router Solicitation and Router Advertisement messages for?

Router Solicitation and Router Advertisement messages are used for device-to-router communication.

What is the Redirect message for?

The Redirect message is used to optimize routing paths.

How does ND request a MAC address?

ND uses Neighbor Solicitation messages to request the MAC address of a specific IPv6 address.

How does ND respond to Neighbor Solicitation messages?

Neighbor Advertisement messages are used to respond to Neighbor Solicitation messages, providing the device with the MAC address.

How does ND improve security?

ND is designed to be more secure than ARP, helping to mitigate security risks.

Why is ND important?

ND is the essential protocol used to resolve IPv6 addresses to MAC addresses in IPv6 networks.

Study Notes

ARP

• ARP is essential for mapping IPv4 addresses to MAC addresses
• Devices use ARP tables to store mappings of IPv4 addresses and corresponding MAC addresses.
• An ARP table entry has a timestamp and is removed if no traffic is received from the device before the timestamp expires.
• When a device needs to send a packet, it checks its ARP table for the destination IPv4 address and corresponding MAC address.
• If the address is in the ARP table, it uses the MAC address to create a frame.
• Otherwise, the sending device sends an ARP request, a broadcast frame, to find the MAC address associated with the destination IPv4 address.
• Devices that have the same target IPv4 address will respond with the matching MAC address.
• The reply is sent as a unicast frame to the device that sent the request.
• The device adds the mapping to its ARP table and can now send a frame to the destination.
• If no device responds to the ARP request, the packet is dropped.
• An ARP request is sent when the sender wants to determine the MAC address associated with an IPv4 address but doesn't have this mapping in its ARP table.
• Both ARP requests and replies are encapsulated in Ethernet frames—no IPv4 headers are used.

ARP Poisoning Attacks

• ARP poisoning attacks target the ARP table.
• An attacker can send a forged ARP reply that contains its MAC address rather than the legitimate device's MAC address, causing the receiving device to map the target IPv4 address to the attacker's MAC address.

IPv6 Neighbor Discovery Protocol

• IPv6 uses the Neighbor Discovery protocol (ND) to resolve IPv6 addresses to MAC addresses.
• ND is similar to ARP but uses ICMPv6 messages.
• It provides services like address resolution, router discovery, and redirection.
• ND uses five types of ICMPv6 messages: Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement, and Redirect.
• Neighbor Solicitation and Neighbor Advertisement messages are used for device-to-device communication.
• Router Solicitation and Router Advertisement messages are used for device-to-router communication.
• The Redirect message is used for route optimization.