ARP — Trivia & Interesting Facts
Surprising, historical, and little-known facts about the Address Resolution Protocol.
ARP predates the modern Internet
RFC 826, which defined ARP, was published by David Plummer in November 1982 — before the TCP/IP switchover on ARPANET (January 1, 1983). ARP was designed so that Ethernet could work with IP at all, solving the fundamental "how do I find who owns this IP on my wire" problem before the Internet even officially existed.
ARP has no authentication whatsoever
ARP was designed with zero security. Any device on a LAN can claim to own any IP address by sending a gratuitous ARP reply. This design choice made ARP spoofing (also called ARP poisoning) one of the oldest and most reliable LAN-based attacks in existence, and it remains exploitable on flat networks to this day.
Gratuitous ARP was an accident turned feature
A "gratuitous ARP" is an ARP request where a host asks for its own IP address. Originally this was a side effect of hosts probing for duplicate addresses during boot. It was later formalized and is now used deliberately for failover scenarios — VRRP and HSRP routers send gratuitous ARPs to hijack traffic to the new active gateway within milliseconds.
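An added example, not part of the original page: a passive monitor that parses the RFC 826 Ethernet/IPv4 ARP body and reports the two signals the sections above describe, gratuitous announcements and an IP address being claimed by a different MAC. The names `Arp`, `ArpMonitor`, `parse_arp` and `sample`, and all addresses, are assumptions chosen for illustration.

```python
import struct
from typing import NamedTuple

class Arp(NamedTuple):
    op: int    # 1 = request, 2 = reply
    sha: str   # sender hardware (MAC) address
    spa: str   # sender protocol (IPv4) address
    tpa: str   # target protocol (IPv4) address

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(payload: bytes) -> Arp:
    """Parse the 28-byte Ethernet/IPv4 ARP body laid out in RFC 826."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return Arp(op, mac(sha), ip(spa), ip(tpa))

class ArpMonitor:
    """Tracks IP-to-MAC bindings and reports events worth a defender's review."""
    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})   # ip -> pinned or first-seen MAC

    def observe(self, payload: bytes) -> list:
        pkt, events = parse_arp(payload), []
        if pkt.spa == "0.0.0.0":             # duplicate-address probe: claims nothing
            return events
        if pkt.spa == pkt.tpa:               # host announcing its own address
            events.append("gratuitous")
        known = self.bindings.setdefault(pkt.spa, pkt.sha)
        if known != pkt.sha:                 # ARP itself cannot say who is right
            events.append(f"conflict {pkt.spa}: {known} -> {pkt.sha}")
        return events

def sample(op, sha, spa, tpa):
    """Constructed test input: an ARP body built from readable values."""
    raw_mac = bytes.fromhex(sha.replace(":", ""))
    raw = lambda a: bytes(int(p) for p in a.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       raw_mac, raw(spa), b"\x00" * 6, raw(tpa))
```

A conflict raised on a gratuitous announcement is also what a legitimate VRRP or HSRP failover looks like, so the monitor keeps the original binding and leaves the decision to whoever reviews the event. Passing known gateway addresses through `pinned` makes those bindings authoritative from the first packet.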
ARP tables are tiny by design
Most operating systems default to ARP cache sizes of a few hundred to a few thousand entries with short timeouts (typically 20 minutes on Linux, 2 minutes for incomplete entries). This means a host on a /16 subnet with 65,534 possible neighbors can never cache them all, and ARP storms on large flat networks were a real operational problem that drove the adoption of VLANs.
ARP is not IP-specific
RFC 826 was designed as a generic protocol — the hardware type and protocol type fields allow ARP to map any Layer 2 address to any Layer 3 address. In practice, Ethernet-to-IPv4 is the only combination anyone uses. IPv6 replaced ARP entirely with Neighbor Discovery Protocol (NDP), which runs over ICMPv6.
Proxy ARP once held the Internet together
Before subnetting was widely understood, proxy ARP (RFC 1027, 1987) let routers answer ARP requests on behalf of hosts on other networks. This made misconfigured subnets "just work" by having the router pretend to be every remote host. Cisco routers still enable proxy ARP by default on interfaces, and turning it off is a common hardening step that catches people off guard.
The ARP table overflow attack is devastatingly simple
An attacker can flood a switch's ARP table (CAM table) by generating thousands of fake MAC addresses. When the table fills, many switches fail open — they start broadcasting all frames to all ports, turning the switch into a hub. This attack, called MAC flooding, can be executed with a single command using tools like macof, and it is why port security and Dynamic ARP Inspection exist.
Inverse ARP was invented for Frame Relay
Inverse ARP (RFC 2390) does the opposite of ARP: given a Layer 2 address, it finds the Layer 3 address. It was created specifically for Frame Relay and ATM networks where the data-link identifier was known but the IP wasn't. With Frame Relay nearly extinct, Inverse ARP is mostly a historical footnote and a certification exam question.
ARP requests are the noisiest protocol on most LANs
On a busy enterprise LAN, ARP traffic can account for a surprising percentage of broadcast frames. Studies of large flat networks in the early 2000s found ARP responsible for 5-15% of all broadcast traffic. This "ARP tax" was one of the practical drivers behind micro-segmentation and the push toward smaller broadcast domains.
The Linux ARP cache is controlled by three obscure sysctl knobs
Linux manages ARP table size with gc_thresh1, gc_thresh2, and gc_thresh3 in /proc/sys/net/ipv4/neigh/default/. The defaults (128, 512, 1024) are far too small for modern cloud environments with thousands of containers. Kubernetes clusters routinely hit ARP table exhaustion, and tuning these values is a rite of passage for cluster operators.