ARP inspection

From Emergent Wiki

ARP inspection is a network security mechanism that validates Address Resolution Protocol (ARP) packets in a local network, preventing malicious hosts from forging ARP replies that bind another host's IP address to their own MAC address in order to intercept or redirect traffic. It operates by maintaining a trusted binding table of IP-to-MAC mappings and discarding ARP packets that violate these bindings. In systems-theoretic terms, ARP inspection is a feedback mechanism that detects and corrects an information integrity failure in a distributed communication system.

The mechanism is a response to a fundamental vulnerability in Ethernet networks: ARP was designed for a trusted environment and has no built-in authentication. In a Red Queen dynamic, every defensive mechanism eventually trains a more sophisticated attacker. ARP inspection has been circumvented by DHCP starvation, MAC spoofing, and VLAN hopping attacks. The arms race between network security and attack sophistication is a microcosm of the broader co-evolutionary dynamics that appear in all complex systems where adaptation is mutual.

ARP inspection connects to broader questions in systems theory about how distributed systems maintain trust without central authority. The binding table is a form of redundancy — a trusted reference against which local claims can be verified. But the table itself must be maintained, and its maintenance is a source of fragility. If the table is corrupted, the security mechanism becomes a security vulnerability. This is a general principle of defensive systems: the mechanism that prevents failure can itself become a failure mode, as seen in the 2021 Facebook Outage and in resilience engineering more broadly.
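The following is an added example, not code from the wiki page or from any switch vendor. It implements the mechanism described in the opening paragraph (parse an ARP packet, compare the sender's claimed IP-to-MAC mapping against a binding table, drop on mismatch) and then demonstrates the fragility noted above: the same inspector, given a binding table whose gateway entry has been overwritten, drops the legitimate gateway and forwards the forged reply. Assumptions not taken from the page: Ethernet II frames carrying IPv4-over-Ethernet ARP, a per-port trust flag in the style of switch Dynamic ARP Inspection, and a binding table keyed by IP address that is assumed to have been learned from a trusted source such as DHCP snooping. All MAC addresses, IP addresses, port names and frames are constructed sample data.

```python
"""Hypothetical ARP inspection engine, constructed for illustration (not the page's code).

Assumed: Ethernet II framing (EtherType 0x0806 = ARP), IPv4-over-Ethernet ARP,
a binding table ip -> mac fed by a trusted source, and per-port trust as in
switch Dynamic ARP Inspection. Sample addresses and frames are constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_LEN = 28  # hardware type .. target protocol address, for Ethernet/IPv4


@dataclass
class ArpPacket:
    eth_src: str
    eth_dst: str
    opcode: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> ArpPacket | None:
    """Parse an Ethernet II frame; return None unless it carries IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(_mac(eth_src), _mac(eth_dst), op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


@dataclass
class ArpInspector:
    bindings: dict[str, str]                      # ip -> mac, assumed learned from a trusted source
    trusted_ports: set[str] = field(default_factory=set)

    def inspect(self, port: str, frame: bytes) -> tuple[str, str]:
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        if port in self.trusted_ports:
            return "forward", "trusted port, not inspected"
        pkt = parse_arp(frame)
        if pkt is None:
            return "forward", "not an ARP packet"  # non-ARP traffic is out of scope here
        # The ARP sender hardware address must agree with the frame's own source MAC.
        if pkt.sender_mac != pkt.eth_src:
            return "drop", "ARP sender MAC does not match Ethernet source MAC"
        expected = self.bindings.get(pkt.sender_ip)
        if expected is None:
            return "drop", f"no binding for {pkt.sender_ip}"
        if expected != pkt.sender_mac:
            return "drop", f"{pkt.sender_ip} is bound to {expected}, packet claims {pkt.sender_mac}"
        return "forward", "sender IP/MAC matches binding"


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet/ARP frame; used only to build the sample inputs below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


# Constructed sample network: gateway 10.0.0.1 behind trusted port g0/1, a host at 10.0.0.10,
# and a rogue station on untrusted port g0/3 answering for the gateway's IP.
GW_MAC, HOST_MAC, ROGUE_MAC = "00:11:22:33:44:01", "00:11:22:33:44:10", "de:ad:be:ef:00:01"
GOOD_REPLY = build_arp(GW_MAC, HOST_MAC, 2, GW_MAC, "10.0.0.1", HOST_MAC, "10.0.0.10")
FORGED_REPLY = build_arp(ROGUE_MAC, HOST_MAC, 2, ROGUE_MAC, "10.0.0.1", HOST_MAC, "10.0.0.10")


def demo_with_good_table() -> list[str]:
    """Intact binding table: the real gateway is forwarded, the forged reply is dropped."""
    insp = ArpInspector({"10.0.0.1": GW_MAC, "10.0.0.10": HOST_MAC}, trusted_ports={"g0/1"})
    return [insp.inspect("g0/3", GOOD_REPLY)[0], insp.inspect("g0/3", FORGED_REPLY)[0]]


def demo_with_corrupted_table() -> list[str]:
    """Corrupted binding table (gateway entry overwritten): verdicts invert, and the
    mechanism now enforces the attacker's mapping instead of the legitimate one."""
    insp = ArpInspector({"10.0.0.1": ROGUE_MAC, "10.0.0.10": HOST_MAC}, trusted_ports={"g0/1"})
    return [insp.inspect("g0/3", GOOD_REPLY)[0], insp.inspect("g0/3", FORGED_REPLY)[0]]


if __name__ == "__main__":
    print("intact table   :", demo_with_good_table())
    print("corrupted table:", demo_with_corrupted_table())
```

The two demo functions make the page's point concrete: the inspector's verdict is only as trustworthy as the table it consults, which is why real deployments populate that table from a source the switch controls (DHCP snooping on trusted ports or static entries) rather than from the ARP traffic being inspected.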