 |
Each client on a network sends ARP packets to inform the network equipment of its MAC address. Each switch maintains a table of bindings between IP addresses, MAC addresses, and ports through which this information was learned. This table of bindings is the ARP table.
» Return to top
When a packet from a client on the subnet is destined for a machine on another system, it is sent to the MAC address of its default gateway. The MAC address is supposed to be unique to each network inerface, but in reality it can be modified easily.
An attacker begins by determining the IP address of the default gateway. This is comparatively easy to do—the attacker simply plugs in a laptop on an open port and obtains an IP address from the DHCP server. The attacker then
sends to the network an ARP packet with a fake binding between its own MAC address and the IP address of the
default gateway. Network switches include this wrong information in their ARP tables and transmit it to clients. Then
when a client attempts to reach the default gateway, or any resource located behind it in another subnet or on the
Internet, the information is sent to the attacker instead. This type of attack is known as ARP spoofing.
Consequences of ARP spoofing can include:
- Loss of connectivity to other subnets or the Internet, effectively denying service to users on the subnet.
- Compromising of confidential information, such as passwords, which are sent directly to the attacker and
stolen.
With the new dynamic ARP protection on ProCurve ProVision switches, you can now configure the switches to verify
all ARP packets coming in via untrusted ports, and to drop packets containing bad bindings.
» Return to top
4.2 Configure dynamic ARP protection
To configure dynamic ARP protection on ProCurve ProVision switches:
- You first enable DHCP snooping.
- Then you activate dynamic ARP protection globally.
- You define which VLANs you want to use this feature.
- You configure trusted ports.
- Optionally, you can define additional checks (mac-source, mac-destination, ip).
Before configuring dynamic ARP protection, you must first enable DHCP snooping, because ARP protection uses the
binding table from DHCP Snooping to determine which bindings are correct.
Here is an example of configuring dynamic ARP protection on a ProCurve Switch 3500yl:
» Return to top
4.3 How dynamic ARP protection works
Figure 2 shows an example of dynamic ARP protection in action. In the illustration, port 1 on the ProCurve Switch
3500yl has been configured as a trusted port. In dynamic ARP protection, any port that connects to another switch
must be defined as a trusted port using the arp-protect trust command. The switch does not check the ARP requests
and responses that it receives on the trusted port.
Figure 2. Configuring dynamic ARP protection causes ARP messages from an untrusted port to be checked, and dropped if the binding is bad
Untrusted ports are the ports on which users connect. By default, all ports are untrusted in the context of ARP
protection. This means that the switch will check the ARP requests and responses received on all ports that are
members of the ARP-protected VLANs.
If a port is untrusted, an intelligent edge switch such as the 3500yl:
- Intercepts all ARP requests and responses received on that port
- Verifies that each of the intercepted packets has a valid IP-to-MAC address binding
The switch verifies the IP-to-MAC address binding by checking the information it has stored in its DHCP snooping
table. So typically you will enable DHCP snooping as part of configuring ARP protection.
If you are not using DHCP, you can configure static IP-to-MAC address bindings, and the switch will use this
information to verify ARP packets. In fact, even if you are using DHCP snooping, you may want to add static IP-to-
MAC address bindings to the DHCP snooping table so that the switch can verify IP-to-MAC bindings for any devices
that have been assigned static IP addresses.
Packets from untrusted ports are routed according to the bindings check:
- If the binding is valid, the switch updates its local ARP cache or forwards the packet to the appropriate
destination.
- If the binding is invalid, the switch simply drops the packets, preventing other devices from receiving them and
being tricked by the faulty information.
In addition to verifying IP-to-MAC address bindings, you can optionally configure the switch to perform three additional
checks. The switch can be configured to verify:
- The source MAC address
- The destination MAC address
- The IP address.
» Return to top
4.4 Repelling an attack
In an attack, the attacker sends an ARP message to the switch, supplying it with an ARP entry that resolves the IP
address of the default gateway to the MAC address of the attacker. If ARP protection is not configured on the switch,
the switch updates its ARP table with this new information, which means that it now has in its ARP table a false ARP
entry, and all packets destined to the default gateway IP address (10.1.10.1) will be sent to the MAC address of the
attacker. The consequences are that the users trying to access resources on other networks cannot reach them any
more, and that the attacker can intercept the packets sent to these resources on other networks.
With dynamic ARP protection configured, however, only those packets that come in via a trusted port, or whose IP-to-
MAC bindings are valid, are allowed to continue. All others are dropped. The result is that packets sent to other
subnets or the Internet will indeed go out the default gateway and not to the attacker.
Note that in this illustration, you would need to configure dynamic ARP protection separately on both the 3500yl and
the 5406zl switches.
» Return to top
|
