Embed Size (px)
DESCRIPTION
dai
Citation preview
DAI (Dynamic ARP Inspection)Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution Protocol) which is vulnerable to an attack ike ARP poisoning.
DAI checks all ARP packets on untrusted interfaces, it will compare the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t matter, it will be dropped. In this lesson I’ll show you how to configure DAI. Here’s the topology we will use:
Above we have four devices, the router on the left side called “host” will be a DHCP client, the router on the right side is our DHCP server and on top we have a router that will be used as an attacker. The switch in the middle will be configured for dynamic ARP inspection.
Configuration
We’ll start with the switch, first we need to make sure that all interfaces are in the same VLAN:
SW1(config)#interface range fa0/1 - 3SW1(config-if-range)#switchport mode accessSW1(config-if-range)#switchport access vlan 123SW1(config-if-range)#spanning-tree portfast
Now we can configure DHCP snooping:
SW1(config)#ip dhcp snooping SW1(config)#ip dhcp snooping vlan 123SW1(config)#no ip dhcp snooping information option
The commands above will enable DHCP snooping globally, for VLAN 123 and disables the insertion of option 82 in DHCP packets. Don’t forget to make the interface that connects to the DHCP server trusted:
SW1(config)#interface FastEthernet 0/3SW1(config-if)#ip dhcp snooping trust
The switch will now keep track of DHCP messages. Let’s configure a DHCP server on the router on the right side:
DHCP(config)#ip dhcp pool MY_POOLDHCP(dhcp-config)#network 192.168.1.0 255.255.255.0
That’s all we need, let’s see if the host is able to get an IP address:
HOST(config)#interface FastEthernet 0/0HOST(config-if)#ip address dhcp
A few seconds later we see this message:
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname HOST
Let’s check if our switch has stored something in the DHCP snooping database:
SW1#show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface------------------ --------------- ---------- ------------- ---- --------------------00:1D:A1:8B:36:D0 192.168.1.1 86330 dhcp-snooping 123 FastEthernet0/1Total number of bindings: 1
There it is, an entry with the MAC address and IP address of our host. Now we can continue with the configuration of DAI. There’s only one command required to activate it:
SW1(config)#ip arp inspection vlan 123
The switch will now check all ARP packets on untrusted interfaces, all interfaces are untrusted by default. Let’s see if this will work or not…I’ll configure the IP address of our host on our attacker:
ATTACK(config)#interface FastEthernet 0/0ATTACK(config-if)#ip address 192.168.1.1 255.255.255.0
Now let’s see what happens when we try to send a ping from the attacker to our DHCP router:
ATTACK#ping 192.168.1.254Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:.....Success rate is 0 percent (0/5)
The ping is failing…what does our switch think of this?
SW1#%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:08 UTC Tue Mar 2 1993])%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
Above you can see that all ARP requests from our attacker are dropped. The switch checks the information found in the ARP request and compares it with the information in the DHCP snooping database. Since it doesn’t match, these packets are discarded. You can find the number of dropped ARP packets with the following command:
SW1#show ip arp inspection
Source Mac Validation : DisabledDestination Mac Validation : DisabledIP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL ---- ------------- --------- --------- ---------- 123 Enabled Active
Vlan ACL Logging DHCP Logging Probe Logging ---- ----------- ------------ ------------- 123 Deny Deny Off
Vlan Forwarded Dropped DHCP Drops ACL Drops ---- --------- ------- ---------- --------- 123 0 5 5 0
Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures ---- ------------ ----------- ------------- ------------------- 123 0 0 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data ---- ----------------- ---------------------- --------------------- Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data ---- ----------------- ---------------------- --------------------- 123 0 0 0
Above you see the number of drops increase. So far so good, our attacker has been stopped. We still have one problem though, let me first shut the interface on our attacker before we continue:
ATTACK(config)#interface FastEthernet 0/0ATTACK(config-if)#shutdown
Let me show you what happens when we try to send a ping from the host to our DHCP router:
HOST#ping 192.168.1.254Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:.....Success rate is 0 percent (0/5)
This ping is failing but why? We are not spoofing anything…here’s what the switch tells us:
SW1#%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:48 UTC Tue Mar 2 1993])%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:50 UTC Tue Mar 2 1993])%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:52 UTC Tue Mar 2 1993])%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:54 UTC Tue Mar 2 1993])%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:56 UTC Tue Mar 2 1993])
Our switch is dropping ARP replies from the DHCP router to our host. Since the DHCP router has no idea how to reach the host, the ping is failing:
HOST#show ip arpProtocol Address Age (min) Hardware Addr Type InterfaceInternet 192.168.1.1 - 001d.a18b.36d0 ARPA FastEthernet0/0Internet 192.168.1.254 0 Incomplete ARPADHCP#show ip arp
Protocol Address Age (min) Hardware Addr Type InterfaceInternet 192.168.1.1 0 001d.a18b.36d0 ARPA FastEthernet0/0Internet 192.168.1.254 - 0016.c7be.0ec8 ARPA FastEthernet0/0
Why is the switch dropping the ARP reply? The problem is that the DHCP router is using a static IP addresses. DAI checks the DHCP snooping database for all packets that arrive on untrusted interfaces, when it doesn’t find a match…the ARP packet is dropped. To fix this, we need to create a static entry for our DHCP router:
SW1(config)#arp access-list DHCP_ROUTERSW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
First we create an ARP access-list with a permit statement for the IP address and MAC address of the DHCP router. Now we need to apply this to DAI:
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123 ? static Apply the ACL statically
We use the ip arp inspection filter command for this but you have to be careful…if you use the “static” parameter then we tell the switch not to check the DHCP snooping database. It will only check our ARP access-list and when it doesn’t find an entry, the ARP packet will be dropped. Make sure you add the filter without the static parameter:
SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123
There we go. The switch will now check the ARP access-list first and when it doesn’t find a match, it will check the DHCP snooping database. Let’s try that ping again:
HOST#ping 192.168.1.254Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Excellent our ping is now working because of the static entry for the DHCP router. Another way to deal with this issue is to configure the interface as trusted. DAI will allow all ARP packets on trusted interfaces:
SW1(config)#interface FastEthernet 0/3SW1(config-if)#ip arp inspection trust
Anything else we can do with DAI? There are some additional security checks you can enable if you want:
SW1(config)#ip arp inspection validate ? dst-mac Validate destination MAC address ip Validate IP addresses src-mac Validate source MAC address
Here’s what these options mean:
dst-mac: checks the destination MAC address in the Ethernet header against the target MAC address in the ARP packet. This check is performed for ARP replies. ARP replies with different MAC addresses will be dropped.
ip: checks for invalid and unexpected IP addresses. For example 0.0.0.0, 255.255.255.255 and multicast addresses.
src-mac: checks the source MAC address in the Ethernet header against the sender’s MAC address in the ARP packet. This check is performed for both ARP requests and replies. ARP packets with different MAC addresses will be dropped.
You can only enable one of these options at the same time. Here’s an example how to enable the dst-mac check:
SW1(config)#ip arp inspection validate dst-mac
Last but not least, we can also configure ARP rate-limiting. By default there is a limit of 15 pps for ARP traffic on untrusted interfaces. Here’s how you can change it:
SW1(config)#interface FastEthernet 0/1SW1(config-if)#ip arp inspection limit rate 10
This interface now only allows 10 ARP packets per second.
Conclusion
That’s all we have for DAI (Dynamic ARP Inspection). It’s a nice security feature but make sure that you have ARP access-lists in place for all devices with static IP addresses before you enable this. You don’t want to block most of your traffic after enabling this.
