Editing ARP spoofing (section)

==ARP vulnerabilities==
The [[Address Resolution Protocol]] (ARP) is a widely used [[communications protocol]] for resolving [[Internet layer]] addresses into [[link layer]] addresses.

When an [[Internet Protocol]] (IP) [[datagram]] is sent from one host to another in a [[local area network]], the destination IP address must be resolved to a [[MAC address]] for transmission via the [[data link layer]]. When another host's IP address is known, and its MAC address is needed, a [[broadcast packet]] is sent out on the local network. This packet is known as an ''ARP request''. The destination machine with the IP in the ARP request then responds with an ''ARP reply'' that contains the MAC address for that IP.<ref name="Lockhart-2007-p184" />

ARP is a [[stateless protocol]]. Network hosts will automatically [[Cache (computing)|cache]] any ARP replies they receive, regardless of whether network hosts requested them. Even ARP entries that have not yet expired will be overwritten when a new ARP reply packet is received. There is no method in the ARP protocol by which a host can [[authenticate]] the peer from which the packet originated. This behavior is the vulnerability that allows ARP spoofing to occur.<ref name="Ramachandran-2005-p239" /><ref name="Lockhart-2007-p184" /><ref name="GRC">{{cite web | url = http://www.grc.com/nat/arp.htm | author = Steve Gibson | title = ARP Cache Poisoning | publisher = [[Gibson Research Corporation|GRC]] | date = 2005-12-11}}</ref>