What is ARP?
ARP stands for Address Resolution Protocol and is a network protocol that translates an IP address into a MAC address, enabling communication within a local network (LAN).
ARP is essential in Ethernet-based networks — without ARP, a device with an IP address cannot send data over Layer 2 (MAC-based) communication.
🧠 How does ARP work?
- A device wants to communicate with an IP address within the local subnet
- The device first checks whether the MAC address is known in its ARP cache
- If not, it sends an ARP request (broadcast): “Who has IP x.x.x.x?”
- The device with that IP address sends an ARP reply containing its MAC address
- The sending device uses this MAC address to transmit an Ethernet frame
ARP only operates within the local subnet; a router is required for external networks.
🏭 Use of ARP in industrial networks
- Support for BOOTP/DHCP: ARP enables communication once an IP address has been assigned
- Diagnostics: tools such as arp -a, Wireshark or SCADA logs use ARP to identify devices
- Management of HMIs, PLCs and IO modules that communicate over Ethernet
- Switches and firewalls use ARP tables to deliver traffic to the correct device
In OT networks, an ARP resolution failure can lead to connectivity issues between critical devices.
🔍 ARP vs. DNS
| Aspect | ARP | DNS |
|---|---|---|
| Purpose | IP → MAC (Layer 2 identification) | Name → IP (Layer 3 identification) |
| Scope | Within the local network (LAN) | For communication inside and outside the LAN |
| Protocol type | Network protocol (OSI Layer 2/3) | Application protocol (OSI Layer 7) |
| Caching | ARP cache on each host | DNS cache per system or server |
| Vulnerabilities | Spoofing, poisoning | Spoofing, cache poisoning |
🔐 Security considerations
- ARP spoofing / ARP poisoning is an attack in which a malicious actor sends forged ARP replies to redirect traffic
- It can lead to man-in-the-middle attacks or network outages
- Use static ARP entries on critical devices (such as safety PLCs)
- Implement port security, VLAN isolation and an IDS to detect and limit ARP attacks
- Monitoring with tools such as Wireshark or a SIEM is essential in sensitive OT networks
ARP is simple and powerful, but also vulnerable without additional security measures.
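The request/reply exchange described above and the poisoning indicator a monitoring tool looks for, as an added example that is not part of the original page: it decodes the 28-byte ARP body (Ethernet header already stripped) and flags any reply that rebinds an already-seen IP to a different MAC. The three sample frames are constructed here, not captured from a real network.

```python
"""Parse raw ARP packets and flag replies that change a known IP-to-MAC binding."""
import struct
from dataclasses import dataclass

# ARP body layout: htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
REQUEST, REPLY = 1, 2


@dataclass
class Arp:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(payload: bytes) -> Arp:
    """Decode an Ethernet/IPv4 ARP body; reject anything else."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return Arp(oper, mac(sha), ip(spa), mac(tha), ip(tpa))


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Mirror of parse_arp, used only to construct the sample frames below."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


def detect_poisoning(packets):
    """Learn sender IP->MAC from replies; report a reply that rebinds a known IP."""
    table, alerts = {}, []
    for raw in packets:
        p = parse_arp(raw)
        if p.oper != REPLY:
            continue  # requests carry no claim worth tracking here
        known = table.setdefault(p.sender_ip, p.sender_mac)
        if known != p.sender_mac:
            alerts.append(f"{p.sender_ip} moved from {known} to {p.sender_mac}")
    return alerts


# Constructed sample: host .10 asks for the gateway, the gateway answers, then a forged reply follows.
SAMPLE = [
    build_arp(REQUEST, "00:11:22:33:44:55", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(REPLY, "aa:bb:cc:dd:ee:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
    build_arp(REPLY, "de:ad:be:ef:00:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
]

if __name__ == "__main__":
    print(detect_poisoning(SAMPLE))
```

In practice the frames would come from a capture (Wireshark export or a raw socket) rather than from build_arp; the first-seen binding is kept as the reference, so every later conflicting reply produces an alert.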
