Wednesday, June 2, 2010

DAI (Dynamic Arp Inspection)

First, if anyone doesn't know about DHCP snooping, you may want to read the previous post about it, although all you need to know in regard to DAI is that you need to turn DHCP snooping on, and it will collect a database of IP/MAC/interface/lease time/etc. for all DHCP requests it sees. You can also statically add addresses for devices with static IPs.

Next, I'll quickly explain ARP and CAM tables. Every switch stores a record of which MAC address(es) are located off each interface in a CAM table (content addressable memory). If the host hasn't sent or received a packet in a while (or is unplugged), the MAC address will time out and be removed from the CAM table. To find that MAC address the next time a packet arrives, the switch must broadcast (flood) the packet out all switch ports and wait for a response.

ARP is the Address Resolution Protocol. Routers keep an ARP table, a list of which IP addresses match which MAC addresses (view it with the command: show ip arp). The router is then able to rewrite the destination MAC address on incoming packets to the matching IP/MAC entry so that the layer 2 edge switches can find the host (since layer 2 switches ONLY understand MAC addresses; know your OSI model).

For example: the diagram describes a regular ARP request. The router must flood out an ARP request to find the destination host's MAC address, rewrite the packet header, and then it is able to send the packet. (This ARP request/CAM table fill is why the first ping of a host that hasn't sent packets lately or is new to the network will always fail. The second or third will work correctly.)

Now, what if people didn't play so nicely? What if a malicious host on port 2 of the layer 2 switch responded to the ARP request before the real client, saying THEY had MAC address bbbb.1111.bbbb and IP address 192.168.5.3? The router would update its ARP table to match 192.168.5.3 with MAC bbbb.1111.bbbb, and the switch would include the MAC in its CAM table for port 2. Any new packets sent to 192.168.5.3 would be delivered to the malicious host, who can then forward them to the real host after assessing their contents if it wishes. This attack is known as ARP spoofing or ARP poisoning.

Enter Dynamic ARP Inspection. DAI works similarly to DHCP snooping, in that all ports need to be set as either trusted or untrusted. All ARP packets entering an untrusted port are intercepted and checked, while trusted ports (switch uplinks) pass traffic without DAI checking anything. If a packet enters an untrusted port but doesn't match the information gathered either statically or in the DHCP snooping database, the packet is dropped and a log message is created.

Commands (assuming you already have DHCP snooping running): turn on DAI for the client VLANs.

Switch(config)#ip arp inspection vlan vlan-range

All switch ports in those VLANs are now considered untrusted. Make any switch uplinks or explicitly trusted ports trusted with the interface command:

switch(config-if)#ip arp inspection trust

For static IPs that are not included in the DHCP snooping database, you can use an access list. (Note that this is not a regular ACL: it includes a MAC address and only the sender information. This is specifically an ARP ACL.)

arp access-list aclName
permit ip host senderIP mac host senderMAC [log]
(repeat this as needed for more static entries)
exit
ip arp inspection filter aclName vlan vlan-range

One further thing you can do: by default this only checks the ARP reply's message body, but you can also have DAI verify the ARP reply's packet header for further security.

ip arp inspection validate {[src-mac] [dst-mac] [ip]}
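As an added illustration (not part of the original post, and not Cisco's code), here is a small Python model of the check DAI applies to ARP packets as described above, including the optional src-mac, dst-mac and ip header validations. The binding table, port names and all MAC/IP values other than the post's 192.168.5.3 and bbbb.1111.bbbb are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Binding:  # one DHCP snooping binding (or a static arp access-list entry)
    ip: str
    mac: str
    vlan: int

@dataclass(frozen=True)
class Arp:  # what DAI looks at: ingress port, Ethernet header, ARP body
    port: str
    vlan: int
    eth_src: str
    eth_dst: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    reply: bool

def bad_ip(ip: str) -> bool:  # addresses the 'ip' option rejects in an ARP body
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast

def dai_check(pkt, bindings, trusted_ports, validate=frozenset()):
    """Return (forward, reason). Trusted ports bypass inspection; on untrusted ports
    the sender IP/MAC must match a binding for the VLAN, then header checks apply."""
    if pkt.port in trusted_ports:
        return True, "trusted port, not inspected"
    if not any(b.ip == pkt.sender_ip and b.mac.lower() == pkt.sender_mac.lower()
               and b.vlan == pkt.vlan for b in bindings):
        return False, f"drop+log: {pkt.sender_ip}/{pkt.sender_mac} on {pkt.port} has no binding"
    if "src-mac" in validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return False, "drop+log: Ethernet source MAC differs from ARP sender MAC"
    if "dst-mac" in validate and pkt.reply and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return False, "drop+log: Ethernet destination MAC differs from ARP target MAC"
    if "ip" in validate and (bad_ip(pkt.sender_ip) or (pkt.reply and bad_ip(pkt.target_ip))):
        return False, "drop+log: invalid IP address in ARP body"
    return True, "forwarded"

# Constructed data: the real host on Fa0/1 owns 192.168.5.3; uplink Gi0/24 is trusted.
BINDINGS = [Binding("192.168.5.3", "aaaa.1111.aaaa", 5)]
TRUSTED = {"Gi0/24"}

def demo():
    # legitimate reply from the bound host vs. the spoofed reply from port 2 in the post
    legit = Arp("Fa0/1", 5, "aaaa.1111.aaaa", "cccc.2222.cccc", "aaaa.1111.aaaa", "192.168.5.3", "cccc.2222.cccc", "192.168.5.1", True)
    spoof = Arp("Fa0/2", 5, "bbbb.1111.bbbb", "cccc.2222.cccc", "bbbb.1111.bbbb", "192.168.5.3", "cccc.2222.cccc", "192.168.5.1", True)
    return dai_check(legit, BINDINGS, TRUSTED)[0], dai_check(spoof, BINDINGS, TRUSTED)[0]
```

Running demo() returns (True, False): the legitimate reply is forwarded and the spoofed one is dropped and logged, which is exactly the decision the switch makes per untrusted port.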