This is the second piece in a series on security infrastructure that will focus on identifying and mitigating layer 2 attacks. For Dynamic ARP Inspection to work, the DHCP snooping method from the prior article must be used. It is highly suggested that you are familiar with DHCP snooping; if you aren’t, you should check into it.

Background Just what is ARP?

It is the job of Address Resolution Protocol, a layer 2 protocol, to convert IPv4 addresses into MAC addresses.

In contrast to IPv4, which relies on ARP, IPv6 has a separate ICMP-based mechanism called Network Discovery Protocol (NDP). Next time, when we cover IPv6 deployment and security, we’ll get to that.

Just why is ARP necessary?

In order for two devices to exchange data, the first device must know the second device’s media access control (MAC) address. The host to which the connection will next be made could be anywhere within the same subnet, or it could be the network’s primary gateway (if both devices reside on 2 different segments).

Types of ARP Messages:

An IP address is requested by having a host broadcast its own MAC address.

When receiving an ARP request, a host will respond with his MAC address. ARP Varieties

The host’s IP address has been determined, but the layer-2 MAC address is required for ARP.

“RARP” (Reverse ARP)

The client has the MAC address and is now looking for the remote host’s IP. The advent of BOOTP and DHCP rendered them unnecessary.

You can use Frame Relay with InARP (Inverse ARP). The client has the layer 2 address (DLCI) and requires the layer 3 IP address (similar to RARP). The same goal can be achieved by combining InARP and ATM technology. Gratuitous ARP! is another post worth reading on our blog.

The ARP Poisoning and the Middleman

In order to launch a Man in the Middle (MITM) attack, attackers take use of GARP’s ability to change ARP cache entries on other hosts by manipulating (poisoning) those hosts’ ARP cache tables.

When a host joins a network, it sends out an ARP message to discover the MAC address of its default gateway before establishing communications with other networks (for ex., The Internet). An attacker can trick a host into thinking the gateway MAC address has changed by associating his own MAC address with the gateway IP address in a GARP message.

When the victim host receives the GARP, it will update its cache table to reflect the new gateway MAC address and begin forwarding traffic to the attacker’s MAC address at the layer-2 packet level. The switch, being a layer 2 device that routes packets based on MAC addresses, will now send the packets to the attacker’s MAC address.

The attacker then views (or modifies) the packets and sends them on to the legitimate gateway MAC address using his own MAC address as the source. To the gateway, all communication originated from the attacker, thus when it responds, it will do so to the attacker’s MAC address rather than the victim host’s.

The traffic is received by the attacker, who then relays it to the victim until the latter either reboots or clears its ARP cache table.

Inspecting ARP Dynamically (DAI)

With DAI, we can verify ARP packets sent by hosts that are connected to the switch and intercept any malicious ones. To ensure the integrity of the ARP packets, DAI consults the DHCP snooping binding table. Determine which ports may be trusted before proceeding with DAI implementation. DAI will treat all trusted interfaces as forwarding ARP packets without inspection, while all untrusted interfaces will have their packets inspected.

To determine whether or not to allow a packet through, DAI checks the source MAC and IP addresses against the DHCP snooping binding database. If a match is discovered, DAI will allow the packet to proceed; otherwise, it will discard it and record the event. By creating entries in the DHCP snooping binding table whenever a computer obtains an IP address from a DHCP server, ARP can guarantee that only valid packets are allowed through.

Questions to Ask Before Deploying DAI

Since DAI utilizes DHCP snooping to validate ARP packets, it is imperative that the binding table be established before applying DAI. A DHCP lease of same duration must be allowed. As an illustration, if the DHCP lease time is one day, the DHCP snooping window should also be one day before DAI is applied.

It is important to correctly set up both trusted and untrusted ports; All host-connected ports must be set to be untrusted, while all switch-to-switch connections must be set to be trusted.

Create static entries in the snooping binding table for IP addresses that have been assigned to you. IP source guard will be the topic of our future post. Another l2 security method dependent on DHCP Snooping is source guard.