DHCP Snooping

© 2009, Cisco Systems, Inc. All rights reserved.

Mini Primer on DHCP (RFC 2131 and 2132)
• Centralized administration of IP address configuration
• Superset of BootP
• Client/Server protocol
• Temporary allocation of IP address and options based on MAC, Client ID, or subnet (GIADDR)
• Transport: UDP, port 67 (server listens on this port) and port 68 (client listens on this port)
• Lease renewal efforts occur at two intervals:
  – T1 – 1/2 of the lease has been used
  – T2 – 7/8 of the lease has been used

DHCP Address Acquisition

DHCP Client <-> DHCP Server
  1. DHCP Discover  (client -> server)
  2. DHCP Offer     (server -> client)
  3. DHCP Request   (client -> server)
  4. DHCP Ack       (server -> client; or Decline from the client / Nack from the server)
  Lease renewal (T1 or T2 timer): Request / Ack exchanged again
  DHCP Release      (client -> server)


DHCP Discover: broadcast, sent out as a Layer 2 broadcast
DHCP Offer: the server responds with a proposal of parameters
DHCP Request: the client broadcasts to the preferred server; an implicit decline to the others
DHCP ACK: the server assigns an IP address
DHCP NACK: the server rejects the request from the client
DHCP Decline: the client rejects the offered address
DHCP Release: the client returns the assigned address before the lease expires

NOTE: The reply from the server may contain not only the client's Layer 3 address (IP address) but also other important configuration parameters such as the subnet mask, default router and Domain Name System (DNS) server. The DHCP ACK contains all the necessary IP/lease parameters (DNS server, WINS server, NetBIOS node type, domain name, T1/T2 timers, gateway, etc.).

DHCP Discover (client-to-server)


DHCP O f f er (server-to-client)


DHCP Request (client-to-server)

Duplicate packets??
• Why do you think my laptop was sent TWO DHCP Offers?

DHCP ACK (server-to-client)

Several DHCP message types…

Client messages:
• Discover
• Request (4 kinds): selecting, renew, rebind, Init/Reboot
• Decline
• Release
• Inform

Server messages:
• Offer
• ACK
• NAK

Message        Use
DHCPDISCOVER   Client broadcast to locate available servers.
DHCPOFFER      Server to client in response to DHCPDISCOVER with offer of configuration parameters.
DHCPREQUEST    Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of a previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.
DHCPACK        Server to client with configuration parameters, including committed network address.
DHCPNAK        Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.
DHCPDECLINE    Client to server indicating network address is already in use. Example: self-ARP detects offered IP address is already in use.
DHCPRELEASE    Client to server relinquishing network address and cancelling remaining lease.

DHCP Message Format

Example topology: Clients A, B and C on the 10.1.1.0/24 and 10.1.2.0/24 subnets, DHCP Server reached through an IP Helper. The GIADDR is "stuffed" with the relay's IP address by the IP Helper feature to identify the subnet of the client.

Header layout (octets in parentheses):
  OP CODE (1) | HTYPE (1) | HLEN (1) | HOPS (1)
  TRANSACTION ID (4)
  SECONDS (2) | FLAGS (2)
  CLIENT IP ADDRESS (4)
  YOUR IP ADDRESS (4)
  SERVER IP ADDRESS (4)
  GATEWAY IP ADDRESS (GiADDR) (4)
  CLIENT HARDWARE ADDRESS (16)
  SERVER HOST NAME (64)
  BOOT FILE NAME (128)
  VENDOR-SPECIFIC OPTIONS (312)

Description of fields in a DHCP message:
FIELD    OCTETS  DESCRIPTION
op       1       Message opcode / message type. 1 = BOOTREQUEST, 2 = BOOTREPLY
htype    1       Hardware address type, see ARP section in "Assigned Numbers" RFC; e.g., '1' = 10mb ethernet
hlen     1       Hardware address length (e.g. '6' for 10mb ethernet)
hops     1       Client sets to zero, optionally used by relay agents when booting via a relay agent
xid      4       Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server
secs     2       Filled in by client, seconds elapsed since client began address acquisition or renewal process
flags    2       Flags
ciaddr   4       Client IP address; only filled in if client is in BOUND, RENEW or REBINDING state and can respond to ARP requests
yiaddr   4       'your' (client) IP address, returned in DHCPOFFER / DHCPACK by server
siaddr   4       IP address of next server to use in bootstrap; returned in DHCPOFFER / DHCPACK by server
giaddr   4       Relay agent IP address, used in booting via a relay agent
chaddr   16      Client hardware address
sname    64      Optional server host name, null terminated string
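The header layout above, as an added worked example that is not part of the original deck: a small builder and parser for the fixed 236-octet BOOTP header plus the DHCP option TLVs (RFC 2131), using only the Python standard library. The sample DHCPDISCOVER it constructs (client MAC 00-11-22-33-44-55, transaction ID 0x3903F326, relay address 10.1.2.1 in giaddr) is made up for the example; the point is to see where giaddr, chaddr and the message-type option sit, since the snooping rules later in the deck key on exactly those fields.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# RFC 2131: the option field starts with this "magic cookie".
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MESSAGE_TYPE, OPT_END, OPT_PAD = 53, 255, 0
# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 octets.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 236


@dataclass
class DhcpMessage:
    op: int
    htype: int
    hlen: int
    hops: int
    xid: int
    secs: int
    flags: int
    ciaddr: IPv4Address
    yiaddr: IPv4Address
    siaddr: IPv4Address
    giaddr: IPv4Address
    chaddr: bytes                                  # 16 octets; only the first hlen matter
    sname: str
    file: str
    options: dict = field(default_factory=dict)    # option code -> raw value bytes

    @property
    def client_mac(self) -> str:
        return "-".join(f"{b:02x}" for b in self.chaddr[: self.hlen])

    @property
    def message_type(self) -> int:
        return self.options[OPT_MESSAGE_TYPE][0]

    @property
    def relayed(self) -> bool:
        """Non-zero giaddr means a relay agent (IP Helper) stuffed its own address in."""
        return int(self.giaddr) != 0


def build_dhcp(op, xid, mac, msg_type, giaddr="0.0.0.0", ciaddr="0.0.0.0",
               yiaddr="0.0.0.0", extra_options=()):
    """Serialize a DHCP message with an Ethernet (htype 1, hlen 6) client address."""
    header = struct.pack(
        HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,        # flags: broadcast bit set
        IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
        b"\0" * 4, IPv4Address(giaddr).packed,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    for code, value in extra_options:
        opts += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed header, then walk the option TLVs up to the End option."""
    if len(payload) < HEADER_LEN + 4 or payload[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    fields = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    options = {}
    i = HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(*fields[:7],
                       *(IPv4Address(a) for a in fields[7:11]),
                       fields[11],
                       fields[12].split(b"\0", 1)[0].decode(),
                       fields[13].split(b"\0", 1)[0].decode(),
                       options)


# Constructed sample (not from the slide): a DHCPDISCOVER relayed by an IP Helper
# at 10.1.2.1, carrying a client-identifier option (61) as well as the message type.
SAMPLE_DISCOVER = build_dhcp(BOOTREQUEST, 0x3903F326, bytes.fromhex("001122334455"),
                             msg_type=1, giaddr="10.1.2.1",
                             extra_options=[(61, b"\x01" + bytes.fromhex("001122334455"))])

if __name__ == "__main__":
    m = parse_dhcp(SAMPLE_DISCOVER)
    print(m.client_mac, m.giaddr, "relayed" if m.relayed else "direct", m.message_type)
```

A relayed packet is recognisable purely from giaddr; that is the field the "No relay for YOU" rule later in the deck inspects on untrusted ports.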

DHCP Spoofing Attack

Who:
– Malicious user: pretend to be the network DHCP server
– Mis-configured user: fire up a DHCP server incorrectly
Where:
– Commonly seen in higher education, metro Ethernet
How:
– Attacker intercepts DHCP Discovery Broadcasts and replies with Bogus Gateway and DNS Addresses

Diagram: the Victim's DHCP Discovery Broadcast is answered by the Attacker (192.168.1.122) with a DHCP Offer whose IP, GW and DNS parameters point the victim at attacker-controlled addresses (DNS: 192.168.1.122), ahead of the legitimate server behind the IP Helper.

Do I Trust You?

• DHCP Snooping relies on correct identification of Trusted and Untrusted ports.
• Default = All Ports Untrusted
• Trust ONLY those ports for which you have direct control of the end-device: Routers, Servers, Switches.

Router(config-if)# ip dhcp snooping trust

Diagram: the DHCP Server hangs off the single Trusted port; every access port stays untrusted.

DHCP Attack Solution: DHCP Snooping

DHCP Snooping – discarding the attacker's bogus DHCP offer messages by intercepting DHCP messages within a switch
• The switch forwards DHCP requests from untrusted access ports only to Trusted ports. All other types of DHCP traffic from untrusted access ports are dropped.
• If the network DHCP server is not local to the switch, trust the uplink port.
• Optional insertion and removal of DHCP option 82 data into/from DHCP messages.
• Builds a DHCP binding table containing client IP address, client MAC address, port, VLAN number…
• DoS attack on the DHCP server is prevented by rate limiting DHCP packets per access port.

Diagram: a DHCP Offer arriving on an untrusted port is discarded by DHCP Snooping.

DHCP Binding Table

• Contains binding entries for local untrusted ports only
• Includes both static entries and dynamic entries learned via DHCP gleaning

MAC Address | IP Address | Lease Timer | Binding Type | VLAN Id | Port
6 bytes     | 4 bytes    | 4 bytes     | 2 bytes      | 4 bytes | 4 bytes

What is allowed to pass (client-to-server)?
• DHCP Discover, DHCP Request, DHCP Decline, DHCP Release: from untrusted ports, forwarded only towards the trusted port (DHCP Server).

What is allowed to pass (server-to-client)?
• DHCP Offer, DHCP Ack, DHCP Nack, DHCP Lease Query: from the trusted port (DHCP Server) out to the untrusted ports.

What is prevented (untrusted-to-untrusted)?
• ANY DHCP message between two untrusted ports.

What is prevented (Untrusted Server Packets)?
• DHCP Offer, DHCP Ack, DHCP Nack, DHCP Lease Query arriving on an untrusted port (for example a port incorrectly identified as untrusted) – DROPPED!!

What is prevented (Who do you think YOU are??)
• DHCP Decline / DHCP Release arriving on untrusted port 3/1 with SRC MAC = AA, while the DHCP Binding Database says MAC AA = port 3/3 – DROPPED!!
• A hacker attempts to impersonate you and release your IP address.

What is prevented (No relay for YOU!!)
• Normal DHCP-Relay operation populates the "giaddr" field in DHCP messages.
• This is not allowed if arriving on an untrusted port: a DHCP packet with a non-zero giaddr field – DROPPED!!

DHCP Relay packet dropped!!
• Customer-B's Switch-B acts as DHCP Relay Agent (int vlan 3, ip address 3.3.3.3) and sends the DHCP Discover with Giaddr = 3.3.3.3 towards the Aggregation Switch.
• The Aggregation Switch with DHCP Snooping enabled drops the DHCP packet on the untrusted port because of the non-zero giaddr field.
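The allow/drop rules of the preceding slides, as an added simulation that is not part of the original deck and is not Cisco's implementation: a minimal switch model that applies the trusted-port bypass, the "server messages only from trusted ports" rule, the non-zero giaddr rule, the Decline/Release binding check, untrusted-to-untrusted suppression, and the per-port rate limit with errdisable. Port names (2/1, 3/1, 3/3, 3/25), the binding "aa -> 3/3" and the relay address 3.3.3.3 mirror the slide scenarios; the message-kind strings and the class names are this example's own.

```python
from dataclasses import dataclass, field

# Message classes as the slides group them: client-originated vs server-originated
# (the deck lists Lease Query in the server-to-client direction, so it is kept there).
CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK", "LEASEQUERY"}


@dataclass
class DhcpPacket:
    kind: str                 # one of CLIENT_MSGS | SERVER_MSGS
    in_port: str              # ingress port, e.g. "3/1"
    src_mac: str              # Ethernet source address
    giaddr: str = "0.0.0.0"   # relay agent address; non-zero means "relayed"
    t: float = 0.0            # arrival time in seconds, for the rate limiter


@dataclass
class SnoopingSwitch:
    trusted: set                                       # 'ip dhcp snooping trust' ports
    bindings: dict                                     # client MAC -> port (DHCP gleaning)
    rate_limit: dict = field(default_factory=dict)     # port -> pps ('... limit rate N')
    errdisabled: set = field(default_factory=set)
    _window: dict = field(default_factory=dict)        # port -> [second, packets seen]

    def _over_rate(self, pkt: DhcpPacket) -> bool:
        """Count packets per one-second window on ports that carry a rate limit."""
        limit = self.rate_limit.get(pkt.in_port)
        if limit is None:
            return False
        sec = int(pkt.t)
        w = self._window.setdefault(pkt.in_port, [sec, 0])
        if w[0] != sec:
            w[0], w[1] = sec, 0
        w[1] += 1
        return w[1] > limit

    def inspect(self, pkt: DhcpPacket):
        """Return ("FORWARD", egress) or ("DROP", reason), following the slide rules."""
        if pkt.in_port in self.errdisabled:
            return "DROP", f"port {pkt.in_port} is errdisabled"
        if pkt.in_port in self.trusted:
            return "FORWARD", "all"                   # trusted ports are not inspected
        if self._over_rate(pkt):
            self.errdisabled.add(pkt.in_port)         # exceeding the limit errdisables the port
            return "DROP", f"rate limit exceeded on {pkt.in_port}"
        if pkt.kind in SERVER_MSGS:
            return "DROP", f"{pkt.kind} (server message) on untrusted port {pkt.in_port}"
        if pkt.giaddr != "0.0.0.0":
            return "DROP", f"non-zero giaddr {pkt.giaddr} on untrusted port {pkt.in_port}"
        if pkt.kind in ("DECLINE", "RELEASE"):
            bound_port = self.bindings.get(pkt.src_mac)
            if bound_port is not None and bound_port != pkt.in_port:
                return "DROP", f"MAC {pkt.src_mac} is bound to {bound_port}, not {pkt.in_port}"
        # Client messages from untrusted ports go only to trusted ports, never untrusted-to-untrusted.
        return "FORWARD", sorted(self.trusted)


def demo() -> dict:
    """Replay the slide scenarios on a constructed switch: uplink 2/1 trusted, MAC aa bound to 3/3."""
    sw = SnoopingSwitch(trusted={"2/1"}, bindings={"aa": "3/3"}, rate_limit={"3/25": 100})
    return {
        "discover_3/3": sw.inspect(DhcpPacket("DISCOVER", "3/3", "aa")),
        "offer_3/1": sw.inspect(DhcpPacket("OFFER", "3/1", "bb")),
        "relay_3/25": sw.inspect(DhcpPacket("DISCOVER", "3/25", "cc", giaddr="3.3.3.3")),
        "release_spoof": sw.inspect(DhcpPacket("RELEASE", "3/1", "aa")),
        "release_ok": sw.inspect(DhcpPacket("RELEASE", "3/3", "aa")),
        "offer_uplink": sw.inspect(DhcpPacket("OFFER", "2/1", "dd")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The model deliberately forwards a Release whose MAC has no binding at all; the slide's check is only that a MAC already bound to another port cannot be released from here.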

DHCP Snooping – Configuration

• Ensure that the DHCP Server and the Relay Agent (if it exists) are already fully functional before you configure DHCP Snooping.
• Configure the trust setting (ip dhcp snooping trust) on ports leading to trusted DHCP Servers …or on uplink ports to Aggregation Switches.

Diagram: Customer-B -> Edge Switch port 2/1 -> Relay Agent -> Relay Agent -> DHCP Server (path of the DHCP Discover).

DHCP Snooping – Additional Config Options

Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100
Prevents DHCP DoS attacks that would overwhelm the DHCP Server.

• DHCP Snooping can also be configured on Private VLANs.
• Must be configured only on the Primary VLAN …it will be dynamically propagated to all Secondary VLANs.
• No way (currently) to have different DHCP Snooping configurations applied to Secondary VLANs all residing under the same Primary VLAN.

DHCP Snooping – Verification

• Untrusted interfaces don't display in the verification output.

DHCP Snooping Database Agent

• Best practice is to store the DHCP Binding Database externally to the switch.
  – If the switch crashes or reloads, all entries / lease info are lost.
  – If stored locally in flash/bootflash, the database must be erased and re-written for every new entry. CPU intensive…can lock up the switch and can kill the DHCP Snooping process.
• The feature to do this is called "DHCP Snooping Database Agent".

Switch(config)# ip dhcp snooping database tftp://192.168.1.1/Snoop-data.dhcp
Switch(config)# ip dhcp snooping database write-delay 15

write-delay specifies the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).
Can also use FTP, HTTP, and RCP.

DHCP Snooping Database Agent Caveat

• From the Cat3750 Configuration Guide: "For network-based URLs (such as TFTP and FTP), you must create an empty file at the configured URL before the switch can write bindings to the binding file at that URL. See the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way."
• Meaning – the switch cannot create this file from scratch. The server must already contain a 0-byte file with this name for this to work.
• What will you see if you DON'T have a 0-byte file to start with??

Cat3750# show ip dhcp snooping database
Agent URL : tftp://192.168.1.1/Snoop-data.dhcp

Restricting Allocated Addresses

Customer's Challenge:
1. "How can I ensure that each switch is only allocated a maximum of "X" addresses from my DHCP Pool?"
2. "How can I ensure that port 2/1 on Switch-B is only allocated a maximum of "X" addresses from my DHCP Pool?"
3. "What if someone in Customer-C's network is attempting a DHCP DoS attack (sending multiple DHCP Discover/Request messages to completely exhaust the DHCP Address Pool)? How can I prevent that?"

The Solution: DHCP Option-82, a.k.a. DHCP Relay Agent Option (RFC 3046)

Topology: Aggregation Switch with the DHCP Server; Switch-A (Customer-A), Switch-B (Customer-B, ports 4/1 and 2/1), Switch-C (Customer-C), Switch-D (Customer-D).

DHCP Option-82

1. Option-82 allows trusted access devices to insert this option into (and remove from) DHCP packets.
2. This option gives descriptive information about the device/port that received the DHCP message.

Diagram: Switch-A and Switch-B each forward their customer's DHCP packet w/ Option-82 inserted through the Aggregation Switch to the DHCP Server.

DHCP Option-82 (continued)

1. The switch adds "Remote-ID" and "Circuit-ID" sub-options into the Option-82 data.
   • Remote-ID default is the switch MAC address
   • Circuit-ID default is the port identifier in the format "vlan-mod-port"
2. These fields are configurable to use ASCII strings if you prefer:
   • ip dhcp snooping vlan vlan information option format-type circuit-id string ASCII-string
     (Optional) Configure the circuit-ID suboption for the specified interface. Specify the VLAN and port identifier, using a VLAN ID in the range of 1 to 4094. The default circuit ID is the port identifier, in the format vlan-mod-port. You can configure the circuit ID to be a string of 3 to 63 ASCII characters (no spaces).

Diagram: Customer-B -> Switch-B port 2/1 -> Aggregation Switch -> DHCP Server. The DHCP Discover leaves Switch-B carrying Option-82 with Remote-id = 02-aa-11-11-22-11 and Circuit-id = 3-2-1. DHCP Server: "I'm configured to only allow a maximum of 100 addresses to that combination of Remote-ID and Circuit-ID!!"

DHCP Option-82 – Technical Details (debug ip dhcp snooping packet)

• Circuit-ID information:
  0x1 = Suboption type specifying Circuit-ID
  0x6 = Total length of Circuit-ID
  0x0 = Circuit-ID type
  0x4 = Length of the Circuit-id (VLAN + Module + Port)
  0x0 = First byte of Circuit-ID (unused in this case since VLAN-1 will be contained in the second byte, but this field would be a non-zero number if representing any VLAN above VLAN-255)
  0x1 = VLAN-1
  0x3 = Slot-3
  0x6 = Port-6
• Remote-ID information immediately follows:
  0x2 = Suboption type for Remote-ID
  0x8 = Total length (in bytes) of Remote-ID
  0x0 = Remote-id type
  0x6 = Remote-id length (length of the MAC address by default)
  MAC Address = 00-13-5f-1d-7f-80 (taken from Interface VLAN-1)
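The byte layout from the debug output, as an added worked example that is not part of the original deck and not Cisco's code: an encoder that produces exactly the Circuit-ID / Remote-ID sub-options shown (VLAN-1, slot 3, port 6, switch MAC 00-13-5f-1d-7f-80), a decoder that walks the sub-option TLVs and also handles a VLAN above 255 in the first byte, and a small server-side policy that answers the "Customer's Challenge" by capping leases per (Remote-ID, Circuit-ID). The policy class, the lease limit and the sample addresses are this example's own assumptions.

```python
OPTION_82 = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2   # RFC 3046 sub-option codes


def encode_cisco_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Build option 82 as the debug output on the slide lays it out:
    Circuit-ID = 01 06 | 00 04 | vlan(2) module(1) port(1)
    Remote-ID  = 02 08 | 00 06 | switch MAC(6)
    """
    if not 1 <= vlan <= 4094 or len(switch_mac) != 6:
        raise ValueError("vlan must be 1..4094 and switch_mac must be 6 octets")
    circuit_id = bytes([SUB_CIRCUIT_ID, 6, 0, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])
    remote_id = bytes([SUB_REMOTE_ID, 8, 0, 6]) + switch_mac
    body = circuit_id + remote_id
    return bytes([OPTION_82, len(body)]) + body


def decode_option82(option: bytes) -> dict:
    """Walk the sub-option TLVs; decode the default (type 0) encodings, keep anything else raw."""
    if len(option) < 2 or option[0] != OPTION_82 or len(option) != 2 + option[1]:
        raise ValueError("not a well-formed option 82")
    body, i, out = option[2:], 0, {}
    while i < len(body):
        sub, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option")
        i += 2 + length
        if sub == SUB_CIRCUIT_ID and value[:2] == b"\x00\x04":
            # two-byte VLAN: the first byte is non-zero only for VLANs above 255
            out["circuit_id"] = {"vlan": int.from_bytes(value[2:4], "big"),
                                 "module": value[4], "port": value[5]}
        elif sub == SUB_REMOTE_ID and value[:2] == b"\x00\x06":
            out["remote_id"] = "-".join(f"{b:02x}" for b in value[2:8])
        else:
            out[f"suboption_{sub}"] = value       # e.g. an ASCII-string circuit-id
    return out


class AddressPolicy:
    """Hypothetical DHCP-server policy: at most `limit` leases per (Remote-ID, Circuit-ID)."""

    def __init__(self, limit: int):
        self.limit = limit
        self.leases = {}     # (remote_id, (vlan, module, port)) -> set of leased IPs

    def offer(self, option82: bytes, ip: str) -> bool:
        info = decode_option82(option82)
        c = info.get("circuit_id")
        key = (info.get("remote_id"), (c["vlan"], c["module"], c["port"]) if c else None)
        held = self.leases.setdefault(key, set())
        if ip in held:
            return True            # renewal of an existing lease on this port
        if len(held) >= self.limit:
            return False           # a Discover/Request flood from one port cannot drain the pool
        held.add(ip)
        return True


# The slide's own values: VLAN-1, slot 3, port 6, switch MAC from interface VLAN-1.
SLIDE_OPTION82 = encode_cisco_option82(1, 3, 6, bytes.fromhex("00135f1d7f80"))

if __name__ == "__main__":
    print(SLIDE_OPTION82.hex(" "))
    print(decode_option82(SLIDE_OPTION82))
```

Whether the server honours the limit is up to the server; the switch only supplies the identity. That is why the caveat slide that follows matters: a server that does not understand option 82 may simply discard the packet.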

DHCP Option-82 Caveats

1. Switches receiving DHCP messages containing Option-82 will DROP THEM if received on an untrusted interface!!
   • The solution for aggregation switches:
     Switch(config)# ip dhcp snooping information option allow-untrusted
2. DHCP Servers must be configured to recognize and respond in some way to DHCP Option-82, otherwise packets may be dropped.
   • Switch(config)# ip dhcp snooping information option
     This is the DEFAULT setting. Remove it if unsupported by the DHCP Server.

Diagram: Switch-B inserts Option-82 (Remote-id = 02-aa-11-11-22-11, Circuit-id = 3-2-1) into Customer-B's DHCP Discover; the DHCP Server behind the Aggregation Switch reacts with "What the heck is THAT??".

32 . In c . A ll r ig h t s r e s e r v e d . C is c o S y s t e m s .Dynamic ARP Inspection (DAI) © 2 0 0 9 .

MIM Attack – Attacking another host

Topology: Layer 3 Network with DHCP Server; Router "R" (ARP cache); Host "A" (ARP cache); Host "B"; Malicious Host "M"; all on the same L2 segment.

1. Host A wants to reach IPB; its ARP cache has no entry (IPB -> ?) and it sends an ARP Request.
2. Host B answers with an ARP Response; Host A's ARP cache now holds IPB -> MACB.
3. User traffic flows from Host A to Host B.
4. Malicious Host M sends an unsolicited ARP Response claiming IPB -> MACM; Host A's ARP cache is overwritten with IPB -> MACM.
5. User traffic from Host A now flows to Malicious Host M.

DOS Attack – Attacking the default gateway

Topology: Layer 3 Network with DHCP Server; Router "R" (ARP cache: IPA -> MACA, IPB -> MACB); Host "A" (ARP cache); Host "B"; Malicious Host "M"; L2 Network with PVLAN.

1. Host A wants to reach IPB (IPB -> ? in its cache) and sends an ARP Request; because of the PVLAN the request is answered by Router R rather than by Host B.
2. Router R answers with a Proxy ARP Response; Host A's ARP cache now holds IPB -> MACR.
3. User traffic flows from Host A through Router R to Host B (R's cache: IPB -> MACB).
4. Malicious Host M sends an unsolicited ARP Response to the router claiming IPB -> MACM; Router R's ARP cache is overwritten with IPB -> MACM.
5. User traffic from Host A is now forwarded by Router R to Malicious Host M, and Host B is cut off.

ARP Poisoning: Serious Business

Recording Voice Calls
• Avaya demonstrated a variation of ARP poisoning at their customer briefing center using Cisco gear
• After intercepting a network connection, packets containing G.711 voice data are collected and the phone conversation is recorded and then replayed

Stealing Passwords
• Demonstrated live to Cisco senior executives in the Cisco network
• Tools are publicly available with GUI and bi-directional spoofs: Ettercap and Dsniff
• Easily taught in 5 minutes
• Neither the victim nor the default gateway is aware of the attack

Diagram: the attacker sits between the Victim and the Email Server, recording "Data".

ARP Poisoning Attack Solution: Dynamic ARP Inspection

Dynamic ARP Inspection – discarding the attacker's gratuitous ARP packets in the switch
• The switch intercepts all ARP requests and replies on the untrusted access ports
• Each intercepted packet is verified for a valid IP-to-MAC binding, and the attempts are logged for auditing
• Bindings of client IP address, client MAC address, port, VLAN number are built dynamically by DHCP snooping
• A solution with no change to the end user or host configurations

Diagram: a Gratuitous ARP arriving on an untrusted port is discarded by Dynamic ARP Inspection.

Dynamic ARP Inspection (DAI) Overview

• Relies on the same concepts of "Trusted" and "Untrusted" ports as DHCP Snooping.
  – Ports are untrusted by default
  – DAI does not verify any ARP Requests/Replies from Trusted interfaces.
• When DHCP Snooping is not applicable, static ARP ACLs can be configured instead.
  – ARP ACLs always take priority over the DHCP Snooping Table.
  – If an ARP ACL is configured to drop a packet, that ARP will be dropped even if there is a valid entry in the DHCP Snooping Table.

ARP Inspection Procedure

Trusted I/F?
  Yes -> Forward valid ARP packet
  No  -> Ethernet & IPv4?
           No  -> Drop & log invalid ARP packet
           Yes -> Match ARP ACL?
                    Yes -> Action?
                             Permit -> Forward valid ARP packet
                             Deny   -> Drop & log invalid ARP packet
                    No  -> Match DHCP binding table?
                             Yes -> Forward valid ARP packet
                             No  -> Drop & log invalid ARP packet

ARP Inspection Overview

• An ARP request/response packet is considered valid if it meets the following criteria:
  1) Mandatory: Sender <MAC, IP, VLAN> triplet is valid
  2) Optional: Sender MAC == Source MAC
  3) Optional (for ARP response): Target MAC == Destination MAC

ARP Packet Format:
  Dest MAC Addr | Source MAC Addr | Frame Type = 0x0806 (ARP) | H/W Type = 0x01 (Ethernet) | Prot Type = 0x0800 (IPv4) | H/W Size = 6 | Prot Size = 4 | Op Code | Sender MAC Addr | Sender IP Addr | Target MAC Addr | Target IP Addr

Basic DAI Configuration

• Two Design Methodologies:
  1. Configure DAI on all Edge switches (assuming that hosts are only connected to Edge switches).
     – Leave all edge ports as Untrusted
     – Trust all interfaces connected to networking devices (routers, switches, etc.)
  2. Configure DAI on every switch in the network.
• Step-1: Configure and verify DHCP Snooping first!
• Step-2: Configure DAI:

Cat6500# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cat6500(config)# ip arp inspection vlan 1-12
Cat6500(config)# interface fastethernet3/25
Cat6500(config-if)# ip arp inspection trust
Cat6500(config-if)# end

DAI in action!! (1)

Topology: DAI-enabled Switch 6500; port 3/6 (VLAN-1) connects a host with a DHCP-given address of 1.1.1.1; port 3/7 (VLAN-1) connects a router whose Fa0/0 is Admin Shut (X).

DAI in action!! (2)
• As soon as the router's FastEthernet interface comes up it will perform gratuitous ARP…let's see what happens!!

DAI in action!! (3)
• The Gratuitous ARP from the Router is dropped by DAI on the switch.

DAI for non-DHCP hosts
• Notice that in this example, the router has been given a valid, static address of 1.1.1.6/24. But because it is connected to an untrusted port and does not participate in DHCP, nobody can ARP for it!

DAI for non-DHCP hosts (2)
• The Solution: ARP Access-List
• An ARP ACL entry for the router's response names: the Sender of the ARP Response (its IP address), "any" target IP address, the Sender's MAC address, and "any" target MAC address.

ARP ACL Example

Configuring an ARP ACL:
(config)# arp access-list arp_acl_1
(config-arp-nacl)# permit ip host 1.1.1.1 any mac host 0000.0001.0001 any
(config-arp-nacl)# permit ip 10.1.1.0 0.0.0.255 any mac host 0000.0001.0002 any
(config-arp-nacl)# deny ip any any mac any any
• "ip" will apply to both ARP requests and responses. Alternatively you can also specify "request" or "response".

Applying the ARP ACL to a VLAN:
(config)# ip arp inspection filter arp_acl_1 vlan 5
or…
(config)# ip arp inspection filter arp_acl_1 vlan 5 static
• Without the "static" keyword DAI will continue to look for a matching entry in the DHCP Snooping Database if nothing matches the ACL.
• With the "static" keyword DAI will use the implicit "deny all" if no match is found in the ACL, even if a corresponding match IS in the DHCP Snooping DB.
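The inspection procedure (flowchart), the validity criteria and the ARP ACL / static semantics of the last few slides, as one added model that is not part of the original deck and not Cisco's implementation: it checks trust, the Ethernet/IPv4 header fields, the two optional MAC-consistency checks, then the ARP ACL (with the "static" behaviour) and finally the <MAC, IP, VLAN> binding from DHCP snooping, logging every drop. The scenario reuses the deck's addresses (DHCP host 1.1.1.1, static router 1.1.1.6, trusted port 3/25); the MAC addresses, port 3/9 and the attacker are constructed for the example.

```python
from dataclasses import dataclass, field

ETH_P_ARP, HTYPE_ETHERNET, PTYPE_IPV4 = 0x0806, 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    in_port: str
    vlan: int
    eth_src: str          # Ethernet header source
    eth_dst: str          # Ethernet header destination
    sender_mac: str       # ARP body
    sender_ip: str
    target_mac: str
    target_ip: str
    op: int = ARP_REQUEST
    eth_type: int = ETH_P_ARP
    htype: int = HTYPE_ETHERNET
    ptype: int = PTYPE_IPV4
    hlen: int = 6
    plen: int = 4


@dataclass
class ArpAclEntry:
    action: str            # "permit" or "deny"
    sender_ip: str         # exact IP or "any"
    sender_mac: str        # exact MAC or "any"
    scope: str = "ip"      # "ip" (requests and responses), "request" or "response"

    def matches(self, f: ArpFrame) -> bool:
        if self.scope == "request" and f.op != ARP_REQUEST:
            return False
        if self.scope == "response" and f.op != ARP_REPLY:
            return False
        return (self.sender_ip in ("any", f.sender_ip)
                and self.sender_mac in ("any", f.sender_mac))


@dataclass
class DaiSwitch:
    trusted: set                                   # 'ip arp inspection trust' ports
    bindings: dict                                 # (vlan, ip) -> mac, from DHCP snooping
    acl: list = field(default_factory=list)        # 'ip arp inspection filter <acl> vlan <n>'
    static: bool = False                           # '... static': no fallback to the binding DB
    validate_src_mac: bool = False                 # optional check 2 on the slide
    validate_dst_mac: bool = False                 # optional check 3 on the slide
    log: list = field(default_factory=list)

    def _drop(self, f: ArpFrame, reason: str) -> bool:
        self.log.append(f"DAI drop on {f.in_port} vlan {f.vlan}: {reason} "
                        f"(sender {f.sender_mac}/{f.sender_ip})")
        return False

    def inspect(self, f: ArpFrame) -> bool:
        """True = forward, False = drop and log, in the order of the slide's flowchart."""
        if f.in_port in self.trusted:
            return True                                    # trusted: no verification at all
        if not (f.eth_type == ETH_P_ARP and f.htype == HTYPE_ETHERNET
                and f.ptype == PTYPE_IPV4 and f.hlen == 6 and f.plen == 4):
            return self._drop(f, "not an Ethernet/IPv4 ARP packet")
        if self.validate_src_mac and f.sender_mac != f.eth_src:
            return self._drop(f, "sender MAC != Ethernet source MAC")
        if self.validate_dst_mac and f.op == ARP_REPLY and f.target_mac != f.eth_dst:
            return self._drop(f, "target MAC != Ethernet destination MAC")
        for entry in self.acl:                             # the ARP ACL is consulted first
            if entry.matches(f):
                return True if entry.action == "permit" else self._drop(f, "denied by ARP ACL")
        if self.acl and self.static:
            return self._drop(f, "no ACL match and filter is static (implicit deny)")
        if self.bindings.get((f.vlan, f.sender_ip)) == f.sender_mac:
            return True                                    # mandatory <MAC, IP, VLAN> triplet
        return self._drop(f, "no DHCP snooping binding for sender")


# Constructed addresses for the scenario (not from the slide).
HOST_MAC, ROUTER_MAC, ATTACKER_MAC = "00aa.0000.0001", "0000.0c00.0006", "00bb.0000.00ff"


def demo():
    """Replay the 'DAI in action' slides: router GARP dropped, then permitted via ACL; poisoning dropped."""
    sw = DaiSwitch(trusted={"3/25"}, bindings={(1, "1.1.1.1"): HOST_MAC},
                   validate_src_mac=True, validate_dst_mac=True)
    garp = ArpFrame("3/7", 1, ROUTER_MAC, "ffff.ffff.ffff",
                    ROUTER_MAC, "1.1.1.6", "0000.0000.0000", "1.1.1.6")
    before = sw.inspect(garp)                              # static host, no binding: dropped
    sw.acl.append(ArpAclEntry("permit", "1.1.1.6", ROUTER_MAC))
    after = sw.inspect(garp)                               # ARP ACL permits it now
    poison = ArpFrame("3/9", 1, ATTACKER_MAC, HOST_MAC,    # M claims 1.1.1.1 is at MACM
                      ATTACKER_MAC, "1.1.1.1", HOST_MAC, "1.1.1.1", op=ARP_REPLY)
    poisoned = sw.inspect(poison)                          # binding says otherwise: dropped
    return before, after, poisoned, sw.log


if __name__ == "__main__":
    print(demo())
```

With "static" set, the binding lookup is skipped entirely, so the DHCP host's own ARP is dropped unless the ACL names it too; that is the trade-off the slide describes.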

Rate-Limiting of ARP traffic

• ARP packets are rate-limited to prevent a denial-of-service attack on Untrusted interfaces.
• Default is 15 pps
• Trusted interfaces are not rate-limited
• (config-if)# ip arp inspection limit <x> to raise or lower this limit.
• Exceeding the limit causes the interface to be placed into Errdisable state.

The End
TAC Virtual Chalk Talk for Partners
© 2002, Cisco Systems, Inc. All rights reserved.
