IPv4 Ethernet networks require a mechanism for nodes to find out which link-layer addresses correspond to which layer three addresses. In other words, how does a machine locate the link-layer address for a given IP address that is on your network? In the vast majority of conventional networks today, this is done using a protocol called ARP, defined in RFC 826.

The protocol works as follows: hosts maintain a table of the link-layer addresses corresponding to IPv4 addresses. When a packet needs to be transmitted, the host checks this table and uses the link-layer address, if it is present. If not, the host broadcasts an ARP request message saying, "Here are my IP and link-layer addresses, who knows the link-layer address for X?" The target host is expected to construct a reply and send it to the requester. Note that the ARP request is a broadcast and contains the information needed to form a table entry for the requesting host. Crucially, this allows the reply to be sent without issuing any further ARP requests.

Although ARP works very well when no-one is fiddling with it, it has a number of key deficiencies when it comes to security. First, when you receive an ARP reply, there is no guarantee that it has actually come from the correct system. Anyone who is on the same medium can fake this reply if desired, and there is nothing that can easily prevent this. Sophisticated attackers, having targeted a key machine, can perform a DoS attack or otherwise disrupt the network interface of that machine. They then can bring up a virtual address or alias on another machine, and ARP will take care of the rest, redirecting new connections to the replacement machine. (This kind of attack is often referred to as ARP poisoning.) If the attackers have replaced key infrastructure servers like DNS or proxy servers it's entirely possible they can begin to use this foothold to obtain more authentication "tokens," whether they be usernames, passwords or off-site accounts.

Second, on most systems, it is possible to specify the mapping from IP address to MAC address in a configuration file, allowing you to hardwire addresses in the ARP table. Although this allows you to mitigate the effects of ARP poisoning, this is a very inflexible configuration, and will eventually cause problems when someone forgets that the old MAC address has been hardcoded into many arbitrary systems within their network. We can't recommend it as a technique in large networks.

Although this is a problem which isn't easy to fix, it's rarely encountered in networks which are under the one administrative control (unlike, say, web site hosting networks) and we therefore note in passing that IPv6 considerably improves on the basic host-to-address mapping mechanism.