Posted by: Richard @ Configureterminal.com | May 21, 2008

An excerpt from my ‘Layer 2 Security’ notes

Layer 2 Security – “Use either Dynamic ARP Inspection (DAI) or private VLANs to prevent frame sniffing”


Introduction to DAI:

DAI prevents man-in-the-middle attacks that misuse IP ARP (for example, gratuitous ARPs)
DAI checks ARP packets at ingress only
When DAI is enabled, all ports are untrusted by default; ports configured as trusted bypass the DAI checks

General Configuration (DHCP Snooping binding database used):

ip arp inspection vlan ‘vlan-range’
!
interface GigabitEthernet0/1
 ip arp inspection trust


The DHCP snooping binding database is usually the primary source of the information entered into the DAI database
→ therefore DHCP snooping should be enabled before DAI; however, it isn’t a prerequisite → static MAC-to-IP mappings can be added using an ARP ACL (which takes precedence):

arp access-list host1
 permit ip host 1.1.1.1 mac host 1111.2222.3333
 exit
!
ip arp inspection filter host1 vlan 1
!
interface GigabitEthernet0/1
 no ip arp inspection trust


In this example the uplink to a switch that doesn’t run/support DAI is left untrusted, so that trusting the interface doesn’t open a security hole (this is the primary reason why an ARP ACL is sometimes preferred over trusting the port)

Security Hole Details: DAI ensures that hosts on untrusted interfaces connected to a switch running DAI do not poison the ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the network (i.e. downstream from a trusted interface) from poisoning the caches of the hosts connected to a switch running DAI.


Optional Additional DAI Checks:

More than one of these checks is supported, but they must all be added on the same configuration line (a later ‘validate’ line replaces the earlier one rather than adding to it)

1) Check the source MAC address in the Ethernet header against the sender MAC address in the ARP body → performed on both ARP requests and responses → packets with different MAC addresses are classified as invalid and are dropped. To enable this DAI check (“step 3”):

ip arp inspection validate src-mac


2) Check the destination MAC address in the Ethernet header against the target MAC address in the ARP body
→ performed on ARP replies only → packets with different MAC addresses are classified as invalid and are dropped. To enable this DAI check (“step 4”):

ip arp inspection validate dst-mac


3) Check the ARP body for invalid and unexpected IP addresses
→ these addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses → sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses. To enable this DAI check (“step 5”):

ip arp inspection validate ip
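The checks described above (trusted-port bypass, the ARP ACL taking precedence over the DHCP snooping bindings, and the three optional ‘validate’ checks) can be modelled in a few dozen lines. The following is an added example written for this post, not Cisco code and not from the original notes; the port names, MAC addresses, binding entries and ARP frames are constructed, the order in which the checks run is this model’s own assumption, and an ARP ACL miss falls through to the DHCP bindings (the behaviour of the post’s ‘filter host1 vlan 1’ line, which has no ‘static’ keyword).

```python
# Added example: a model of the DAI checks (trusted bypass, ARP ACL, DHCP snooping
# bindings, validate src-mac / dst-mac / ip). Not Cisco code; all data constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple


@dataclass
class ArpFrame:
    ingress_port: str
    vlan: int
    eth_src: str        # source MAC in the Ethernet header
    eth_dst: str        # destination MAC in the Ethernet header
    op: str             # "request" or "reply"
    sender_mac: str     # sender hardware address in the ARP body
    sender_ip: str      # sender protocol address in the ARP body
    target_mac: str     # target hardware address in the ARP body
    target_ip: str      # target protocol address in the ARP body


@dataclass
class DaiConfig:
    vlans: Set[int]                                                          # 'ip arp inspection vlan'
    trusted_ports: Set[str] = field(default_factory=set)                     # 'ip arp inspection trust'
    dhcp_bindings: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, ip) -> mac
    arp_acl: Dict[int, List[Tuple[str, str]]] = field(default_factory=dict)  # vlan -> permit (ip, mac)
    validate_src_mac: bool = False
    validate_dst_mac: bool = False
    validate_ip: bool = False


def invalid_ip(addr: str) -> bool:
    """0.0.0.0, 255.255.255.255 and multicast are the 'invalid and unexpected' addresses."""
    return addr in ("0.0.0.0", "255.255.255.255") or ip_address(addr).is_multicast


def inspect(frame: ArpFrame, cfg: DaiConfig) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason). The check order is this model's assumption."""
    if frame.vlan not in cfg.vlans:
        return "forward", "DAI not enabled on this VLAN"
    if frame.ingress_port in cfg.trusted_ports:
        return "forward", "trusted port, DAI checks bypassed"
    # Optional header-vs-body consistency checks.
    if cfg.validate_src_mac and frame.eth_src.lower() != frame.sender_mac.lower():
        return "drop", "src-mac: Ethernet source MAC differs from ARP sender MAC"
    if (cfg.validate_dst_mac and frame.op == "reply"
            and frame.eth_dst.lower() != frame.target_mac.lower()):
        return "drop", "dst-mac: Ethernet destination MAC differs from ARP target MAC"
    if cfg.validate_ip and (invalid_ip(frame.sender_ip)
                            or (frame.op == "reply" and invalid_ip(frame.target_ip))):
        return "drop", "ip: invalid or unexpected IP address in ARP body"
    # Sender IP-to-MAC binding check: ARP ACL first (takes precedence), then the
    # DHCP snooping bindings; an ACL miss falls through instead of denying.
    sender = (frame.sender_ip, frame.sender_mac.lower())
    acl_permits = {(ip, mac.lower()) for ip, mac in cfg.arp_acl.get(frame.vlan, [])}
    if sender in acl_permits:
        return "forward", "sender permitted by ARP ACL"
    bound_mac = cfg.dhcp_bindings.get((frame.vlan, frame.sender_ip))
    if bound_mac is not None and bound_mac.lower() == frame.sender_mac.lower():
        return "forward", "sender matches DHCP snooping binding"
    return "drop", "no binding for sender IP/MAC pair"


# Constructed configuration: VLAN 1 inspected, Gi0/24 trusted uplink, one snooping
# binding, the post's host1 ARP ACL entry, and all three optional validations on.
CFG = DaiConfig(
    vlans={1},
    trusted_ports={"Gi0/24"},
    dhcp_bindings={(1, "10.0.0.10"): "aaaa.bbbb.cccc"},
    arp_acl={1: [("1.1.1.1", "1111.2222.3333")]},
    validate_src_mac=True, validate_dst_mac=True, validate_ip=True,
)

# Constructed frames. "bogus_reply" claims 10.0.0.1 from a MAC with no binding;
# "via_trusted_uplink" is the same frame on Gi0/24 (the security hole in the post).
FRAMES = {
    "dhcp_client_request": ArpFrame("Gi0/2", 1, "aaaa.bbbb.cccc", "ffff.ffff.ffff", "request",
                                    "aaaa.bbbb.cccc", "10.0.0.10", "0000.0000.0000", "10.0.0.1"),
    "static_host_request": ArpFrame("Gi0/1", 1, "1111.2222.3333", "ffff.ffff.ffff", "request",
                                    "1111.2222.3333", "1.1.1.1", "0000.0000.0000", "10.0.0.10"),
    "bogus_reply": ArpFrame("Gi0/3", 1, "0123.4567.89ab", "aaaa.bbbb.cccc", "reply",
                            "0123.4567.89ab", "10.0.0.1", "aaaa.bbbb.cccc", "10.0.0.10"),
    "mismatched_src_mac": ArpFrame("Gi0/3", 1, "0123.4567.89ab", "ffff.ffff.ffff", "request",
                                   "aaaa.bbbb.cccc", "10.0.0.10", "0000.0000.0000", "10.0.0.1"),
    "multicast_sender": ArpFrame("Gi0/4", 1, "aaaa.bbbb.cccc", "ffff.ffff.ffff", "request",
                                 "aaaa.bbbb.cccc", "224.0.0.1", "0000.0000.0000", "10.0.0.1"),
    "via_trusted_uplink": ArpFrame("Gi0/24", 1, "0123.4567.89ab", "aaaa.bbbb.cccc", "reply",
                                   "0123.4567.89ab", "10.0.0.1", "aaaa.bbbb.cccc", "10.0.0.10"),
}


def run_demo() -> Dict[str, str]:
    """Inspect every constructed frame and return name -> verdict."""
    return {name: inspect(frame, CFG)[0] for name, frame in FRAMES.items()}


if __name__ == "__main__":
    for name, frame in FRAMES.items():
        verdict, reason = inspect(frame, CFG)
        print(f"{name:22s} {frame.ingress_port:7s} {verdict:8s} {reason}")
```

Running it shows the two legitimate requests forwarded (one via the binding, one via the ACL), the three bad frames dropped with the reason each check gives, and the same bogus reply forwarded untouched when it arrives on the trusted uplink, which is exactly why the post leaves the uplink to a non-DAI switch untrusted.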


DAI Logging:

A DAI packet drop = an entry in the log buffer (a log-buffer entry can represent more than one packet) → system messages are then generated on a rate-controlled basis → the entry is cleared from the log buffer.  Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
DAI Logging Defaults:
The number of entries in the log buffer is 32
The number of system messages is limited to 5 per second
The logging-rate interval is 1 second

DAI Logging Configuration:

ip arp inspection log-buffer {entries ‘0-1024’ | logs ‘0-1024’ interval ‘0-86400’}

The “interval” number must be greater than the “logs” number
“logs” = 0: an entry is placed in the buffer but no system message is generated
“interval” = 0: an entry is placed in the buffer and a system message is generated immediately (one message per entry)
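The following is an added example, written for this post rather than taken from it or from Cisco, that models the log buffer with the ‘entries’, ‘logs’ and ‘interval’ parameters described above, including the two special cases (logs = 0 buffers without messages, interval = 0 sends one message per entry immediately). The clock, the flows and the message text are constructed; the message format is this model’s own, not an IOS syslog line.

```python
# Added example: a model of the DAI log buffer and its rate-controlled system
# messages. Not Cisco code; simulated clock, constructed flows and message text.
from collections import deque
from typing import Deque, List, Optional, Tuple

Flow = Tuple[int, str, str, str, str, str]   # vlan, port, src_ip, dst_ip, src_mac, dst_mac


class DaiLogBuffer:
    def __init__(self, entries: int = 32, logs: int = 5, interval: int = 1):
        self.entries, self.logs, self.interval = entries, logs, interval   # defaults from the post
        self.buffer: Deque[dict] = deque()   # pending entries; one entry can represent many packets
        self.messages: List[str] = []        # system messages actually emitted
        self.overflowed = 0                  # drops not recorded because the buffer was full
        self._last_flush: Optional[float] = None

    def record_drop(self, now: float, flow: Flow, reason: str) -> None:
        """Called for every packet DAI drops."""
        entry = {"time": now, "flow": flow, "reason": reason, "packets": 1}
        if self.interval == 0:
            # interval 0: entry logged and the system message goes out at once (1 for 1)
            self.messages.append(self._format(entry))
            return
        for pending in self.buffer:           # same flow already waiting: just count the packet
            if pending["flow"] == flow and pending["reason"] == reason:
                pending["packets"] += 1
                return
        if len(self.buffer) >= self.entries:
            self.overflowed += 1
            return
        self.buffer.append(entry)

    def tick(self, now: float) -> int:
        """Run once per clock tick: every `interval` seconds emit up to `logs`
        messages from the buffer and clear those entries. Returns messages sent."""
        if self.logs == 0:                    # logs 0: entries stay buffered, no messages
            return 0
        if self._last_flush is not None and now - self._last_flush < self.interval:
            return 0
        self._last_flush = now
        sent = 0
        while self.buffer and sent < self.logs:
            self.messages.append(self._format(self.buffer.popleft()))
            sent += 1
        return sent

    @staticmethod
    def _format(entry: dict) -> str:
        vlan, port, sip, dip, smac, dmac = entry["flow"]   # constructed format, not IOS syslog
        return (f"dai: {entry['packets']} dropped ARP(s) on {port} vlan {vlan} "
                f"[{smac}/{sip} -> {dmac}/{dip}] {entry['reason']}")


def simulate(entries: int = 32, logs: int = 5, interval: int = 1) -> dict:
    """40 drops from distinct hosts at t=0 plus one repeat, then ticks at t=0,1,2."""
    lb = DaiLogBuffer(entries, logs, interval)
    flows = [(1, "Gi0/3", f"10.0.0.{100 + i}", "10.0.0.1", f"0123.4567.{i:04x}", "aaaa.bbbb.cccc")
             for i in range(40)]                          # constructed flows
    for flow in flows:
        lb.record_drop(0.0, flow, "no binding")
    lb.record_drop(0.0, flows[0], "no binding")           # second packet of the first flow
    sent = [lb.tick(t) for t in (0.0, 1.0, 2.0)]
    return {"buffered": len(lb.buffer), "overflowed": lb.overflowed,
            "messages": len(lb.messages), "sent_per_tick": sent,
            "first_message": lb.messages[0] if lb.messages else ""}


if __name__ == "__main__":
    for label, kw in (("defaults", {}), ("logs 0", {"logs": 0}), ("interval 0", {"interval": 0})):
        print(label, simulate(**kw))
```

With the defaults, 40 distinct drops fill the 32-entry buffer (8 are lost), the repeated flow is folded into its existing entry, and each one-second tick sends 5 messages; with logs 0 the buffer fills and nothing is sent; with interval 0 every packet produces its own message and the buffer stays empty.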

By default, all denied/dropped packets are logged (“logged” = an entry is placed in the log buffer and a system message is generated).  To control the type of packets which are logged on a per-VLAN basis:

ip arp inspection vlan ‘vlan-range’ logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}


DAI makes the switch work harder (CPU is used), and this opens up another possible attack
→ a DoS attack using large numbers of ARP messages → default protection = a limit of 15 ARP messages per port per second on untrusted interfaces → more than 15 messages puts the port into ‘errdisable’ (a recovery option is available).  To change the threshold on a per-interface basis:

ip arp inspection limit {rate ‘0-2048 pps’ [burst interval ‘1-15 secs’] | none}
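An added example (not from the post and not Cisco code) that models the per-port limit above: 15 packets per second on untrusted ports by default, measured over the burst interval, err-disable when exceeded, and an optional err-disable recovery timer. Port names, timings and the 30-second recovery value are constructed.

```python
# Added example: a model of DAI's per-port ARP rate limit with errdisable and
# optional recovery. Not Cisco code; ports, timings and recovery value constructed.
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Set


class DaiRateLimiter:
    def __init__(self, rate: Optional[int] = 15, burst_interval: int = 1,
                 recovery_seconds: Optional[float] = None):
        self.rate = rate                            # packets per second; None = 'limit none'
        self.burst_interval = burst_interval        # seconds over which the rate is measured
        self.recovery_seconds = recovery_seconds    # None = stays errdisabled until cleared by hand
        self.trusted: Set[str] = set()              # trusted ports are not limited by default
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)   # arrival times per port
        self._errdisabled_at: Dict[str, float] = {}

    def port_state(self, port: str, now: float) -> str:
        t = self._errdisabled_at.get(port)
        if t is None:
            return "up"
        if self.recovery_seconds is not None and now - t >= self.recovery_seconds:
            del self._errdisabled_at[port]          # errdisable recovery brought the port back
            self._seen[port].clear()
            return "up"
        return "errdisabled"

    def arp_received(self, port: str, now: float) -> str:
        """Account for one ARP packet on `port`; returns 'accept' or 'errdisabled'."""
        if self.port_state(port, now) == "errdisabled":
            return "errdisabled"
        if port in self.trusted or self.rate is None:
            return "accept"
        window = self._seen[port]
        window.append(now)
        while window and now - window[0] >= self.burst_interval:   # forget arrivals outside the window
            window.popleft()
        if len(window) > self.rate * self.burst_interval:
            self._errdisabled_at[port] = now        # rate exceeded: port goes errdisabled
            return "errdisabled"
        return "accept"


def simulate(trusted: bool = False, recovery_seconds: Optional[float] = None) -> dict:
    """16 ARPs inside one second on Gi0/3 (constructed), then check the port later."""
    rl = DaiRateLimiter(recovery_seconds=recovery_seconds)
    if trusted:
        rl.trusted.add("Gi0/3")
    results = [rl.arp_received("Gi0/3", i * 0.05) for i in range(16)]
    return {"accepted": results.count("accept"),
            "state_at_1s": rl.port_state("Gi0/3", 1.0),
            "state_at_31s": rl.port_state("Gi0/3", 31.0)}


def burst_demo() -> int:
    """'limit rate 15 burst interval 5': 30 ARPs in one second stay under 15*5 = 75."""
    rl = DaiRateLimiter(rate=15, burst_interval=5)
    return [rl.arp_received("Gi0/5", i * 0.03) for i in range(30)].count("accept")


if __name__ == "__main__":
    print("untrusted, no recovery:", simulate())
    print("untrusted, recovery 30s:", simulate(recovery_seconds=30))
    print("trusted:", simulate(trusted=True))
    print("burst interval 5 accepted:", burst_demo())
```

The untrusted port accepts the first 15 packets and goes errdisabled on the 16th; without a recovery timer it stays down, with a 30-second recovery it is back up when checked at 31 seconds; the trusted port accepts everything. The burst-interval case shows why the keyword exists: a short spike above the per-second rate is tolerated as long as the total over the interval stays under rate × interval.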


General DAI Commands:

show arp access-list
show ip arp inspection interfaces
show ip arp inspection log
show ip arp inspection vlan
show ip arp inspection statistics
clear ip arp inspection statistics


On a side note.
You may have noticed that the grey config/output boxes in my posts had stopped displaying borders around them, and now they have re-appeared in this post.  Editing a post within WordPress is limited, so I copy and paste a Word document – this method gives its own troubles, such as having to hold the shift key when moving down a line (otherwise HTML = default of 2), and bullet points are a nightmare.  Anyway, back to the point: originally the borders copied across OK, but then suddenly stopped. I have finally gone to the effort of finding the HTML code that needs editing to get them to re-appear; I hope it’s worth the effort :)


Responses

  1. […] A post to do with DIA can be found at Richard Bannisters CCIE Blog […]

  2. […] recorded first by obeone on 2008-10-13→ An excerpt from my ‘Layer 2 Security’ notes […]

