Access Layer Security Features Part 3: Spoofing Protections

The previous posts I’ve made around access layer security features have been somewhat more focused on protecting the network itself from attack. One of the biggest security issues with Ethernet / IP is that there are no built-in protections against one device “impersonating” another by spoofing an IP address or ARP responses. Without using additional functionality to protect against this, any user on a subnet can trivially intercept traffic from other hosts in that subnet by doing ARP poisoning. Also, there is nothing to prevent a host from sending traffic from a different source address than it is actually assigned, and nothing to prevent someone from manually setting a static address on their device to “squat” on an address or bypass any DHCP restrictions that might be in place.

Fortunately, many modern business class switches have features that can protect against these access layer attacks. I’ll talk about the Cisco IOS features in this blog post. These features are intended for semi-untrusted access networks that end users connect to. Most of these settings will cause problems in a data center environment, and really shouldn’t be necessary there. You should trust the devices that you are placing in a data center.

DHCP Snooping

The DHCP snooping feature allows a switch to inspect DHCP requests and responses.

By itself, DHCP snooping prevents a user from running an unauthorized DHCP server. It will only allow DHCP responses from ports that have been marked as trusted. It also prevents users from flooding the DHCP server with requests, by rate limiting DHCP requests on user facing access ports.

Arguably more importantly though, DHCP snooping builds a database that tracks to IP to MAC to interface associations. This database is used by several other features, like ARP inspection and IP source guard.

DHCP snooping should be enabled globally, and then for each specific VLAN that users connect on:

ip dhcp snooping vlan 3
ip dhcp snooping

Uplink ports that face the DHCP servers should be marked as trusted:

! uplink port
interface GigabitEthernet0/1
  ip dhcp snooping trust

If you wish to rate limit DHCP requests, this can be configured individually on access ports:

! user port
interface GigabitEthernet0/2
  ip dhcp snooping limit rate 1

And you can view the address bindings that the switch has captured:

show ip dhcp snooping bindings

Dynamic ARP Inspection

Dynamic ARP inspection (DAI) uses the information that DHCP snooping gathers to apply several additional critical protections. It checks ARP packets to ensure that they match what the switch knows from the DHCP snooping database. You must have DHCP snooping enabled to use DAI.

DAI rate limits ARP packets. If the limit is exceeded, the port will be error disabled. Secondly, because it verifies the IP address in ARP responses with the DHCP snooping database, it effectively stops someone from manually assigning a static IP address to bypass DHCP. It also will drop bogus gratuitous ARP responses that are seen when someone it attempting an ARP poisoning attack.

DAI should be enabled for specific VLAN’s. Uplink ports must be configured to be “trusted” so that devices with a static IP elsewhere in the network (like the default gateway for the subnet) will continue to work:

ip arp inspection vlan 3

! uplink port
interface GigabitEthernet0/1
 ip arp inspection trust

This is definitely a really useful feature that you should try to use where possible on user facing access layer networks.

Source Guard

IP source guard also uses the information gathered via DHCP snooping. It enforces the IP to port mapping. It can be used along with DAI or separately. Source guard effectively creates an ACL and applies it on the physical port.

So, if a host attempts to send an IP packet from a source IP that is different than the source IP that the DHCP server assigned to the host on that port, IP source guard will block it.
This also prevents a user from using a static IP address.

IP source guard is enabled individually on each user facing port. Don’t enable it on uplinks that go to other network devices.

! user port
int gi0/3
  ip verify source

To show the IP to port bindings that the switch knows about, use:

show ip verify source

Unicast RPF

Unicast reverse path forwarding (URPF) is not really an Ethernet specific feature, and not specific to user facing access networks. It is definitely useful in other parts of the network as well.

URPF works at the IP level to make sure that a packet is received from an interface that has a valid route back to the source IP on the packet. You would enable URPF on the layer 3 interface on the routers on a particular subnet.

URPF has two different modes – strict and loose. Typically most networks will have multiple paths to a given subnet because of redundant connections. Strict mode RPF checks if the interface the packet was received on is the best route for traffic back to the subnet. Loose mode URPF just ensures that there is a valid route in the table back to the originating subnet, regardless of which interface the route references. ¬†Loose mode prevents traffic from being sourced from addresses that aren’t in the routing table at all.

URPF loose mode can be configured on a Layer 3 interface like this:

int vl3
 ip verify unicast source reachable-via any

Strict mode is configured like this:

int vl3
 ip verify unicast source reachable-via rx

IPv6

IPv6 introduces some new challenges for these features. While IPv6 can use central DHCP servers (DHCPv6), IPv6 hosts also can choose an IP address on their own through auto-configuration. IPv6 also uses neighbor discovery (ND) in place of ARP, and has router advertisements (RA’s) that can also be spoofed by hosts to intercept traffic.

Vendors have developed some features for IPv6 that are similar to their counterpart IPv4 access layer security features. RA guard prevents end user ports from transmitting router advertisements. ND inspection works similar to DHCP snooping to build a mapping of IPv6 addresses to ports.

There is also a Secure Neighbor Discovery protocol, called SeND that uses certificates to help secure some of these aspects of IPv6. Using certificates at the Ethernet / IP layer honestly sounds like it would be a nightmare from a support perspective.

Many currently deployed switches and hosts do not support these IPv6 security features yet. I think it’s a little unclear what types of access layer security solutions will be widely deployed with IPv6. If you’re buying new access layer switches today, I would recommend looking at which of these IPv6 security features they support. This is definitely a problematic part of IPv6 deployments. I don’t think there’s a perfect solution for securing IPv6 at the access layer today. Hopefully one will evolve over time.

2 thoughts on “Access Layer Security Features Part 3: Spoofing Protections

  1. hi Oliver:

    Thanks for the blog.

    Could you please explain what would be the impact of using client IP as auto config IP (169.254.x.x)
    while setting up with Dynamic Arp Inspection. Does it match MAC – IP address properly to prevent fake ARP queries.

    if some one sends a fake MAC with auto config IP , what happens ?

    Your response is appreciated.

    • Hey,

      Dynamic ARP inspection relies on DHCP snooping. Hosts aren’t using DHCP when they assign themselves an auto-config address, so dynamic ARP inspection wouldn’t work in that scenario.

      If you were to statically assign addresses in the auto-config range (not sure why anyone would do that but…) you could make DAI work with an ARP inspection filter (see http://ccietobe.blogspot.com/2009/01/dynamic-arp-inspection-with-non-dhcp.html).

      On an unrelated note, I think you are the first person who used IPv6 to make a comment on my blog…excited to see more v6 adoption!

      Thanks,
      Oliver