Layer 2 security – ARP and ARP Inspection
This article is the second of our layer 2 attacks identification and mitigation techniques series, which will be a part of a bigger series discussing Security Infrastructure. Dynamic ARP Inspection relies on DHCP snooping technology explained in the previous article. It’s strongly recommended to be familiar with DHCP snooping, if you are not, just take a quick look at it.
What is ARP?
Address Resolution Protocol is a layer 2 protocol responsible for resolving IPv4 addresses to MAC addresses.
Note: IPv6 does NOT use ARP; it uses a different protocol that relies on ICMP called Network Discovery Protocol (NDP). We will get to that in later article when we discuss IPv6 security and deployment considerations.
Why do we need ARP?
When a device needs to communicate with another; it need to know the MAC address of the next hop to forward data packets to. The next hop could be another host in the same segment or the default gateway (if both devices reside on 2 different segments).
ARP message types
Request: A Host send a broadcast looking for the MAC address of a specific IP address.
Reply: A Host replies to an ARP request with his MAC address.
Types of ARP
ARP: The host knows the IP address of the destination and needs the layer 2 MAC address.
Figure 1 – ARP Message format
RARP (Reverse ARP): The client knows the MAC address and need the IP address of the destination. Obsolete by the use of BOOTP and DHCP.
InARP (Inverse ARP): Works with Frame Relay. In this case (like RARP) the client knows the layer 2 address (DLCI) and needs the layer 3 IP address. InARP is also used with ATM technology for the same purpose.
GARP (Gratuitous ARP): Is an ARP message sent without request. Mainly used to notify other hosts in the network of a MAC address assignment change. When a host receives a GARP it either adds a new entry to the cache table or modify an existing one. I will expand more about GARP in the next section, as it’s the one that concerns us most from security point of view.
GARP Request: A regular ARP request that contains the source IP address as sender and target address, source MAC address as sender, and broadcast MAC address (ff:ff:ff:ff:ff:ff) as target. There will be no reply to this request
GARP Reply: The source / destination IP addresses AND MAC addresses are set to the sender addresses. This message is sent to no request.
GARP Probe: When an interface goes up with a configured IP address, it sends a probe to make sure no other host is using the same IP; hence, prevent IP conflicts. A probe has the sender IP set to zeros (0.0.0.0), the target IP is the IP being probed, the sender MAC is the source MAC , and the target MAC address is set to all zeros.
GARP use cases
- Make sure there are no IP conflict on the segment (GARP Probe)
- In failover systems like clusters, HSRP, VRRP, etc.; a virtual MAC address is used to point to the active device, when this device fails, the failover control sends a gratuitous ARP to ask other systems to change their ARP table entries and point the vMAC of the cluster to the new active device. (GARP Request/Reply).
- GARP is also used when an Ethernet interface goes up; that’s when the host sends a GARP to notify all systems with his IP address, instead of waiting for them to ask and send replies to each one. (GARP Request/Reply).
- Extensively used with data center technologies like Vmotion, and load balancers. Whenever a machine is moved or a virtual interface is created on a load balancer; GARP is used to notify other devices of the changes.
ARP Poisoning and Man In The Middle
Due to GARP capability to update ARP cache entries on other hosts; attackers exploit this feature to perform a Man In The Middle (MITM) attack by altering (poisoning) other hosts ARP cache tables.
Figure 2 – ARP Poisoning
When a host goes online and connects to the network it sends an ARP message to acquire the MAC address of its default gateway and starts communicating with other networks (for ex., The Internet).
An attacker will send a GARP to that host telling him that the gateway MAC address has changed and puts his MAC address (the attackers MAC) associated with the gateway IP address. The victim host will receive the GARP and changes his cache table to the new gateway MAC address, and starts sending traffic with the attacker MAC address as a destination layer 2 address.
Now, the switch is a layer 2 device; it forwards traffic based on MAC addresses, as a result, the switch will forward the traffic to the destination MAC address, which is the attacker MAC address.
The attacker will then receive the packets; view (or alter) them, and forwards it to the actual gateway MAC address with his MAC address as the source address.
When the gateway replies back; it will be replying to the attackers MAC address; because for the gateway the traffic originated from the attacker; the gateway does not know anything about the victim host.
The attacker will receive the traffic, forwards it back to the victim, and continues like that till the victim reboots or clears its ARP cache table.
Dynamic ARP Inspection (DAI)
DAI is a security feature that allows us to intercept and validate ARP packets originating from hosts connected to the switch. DAI uses the DHCP snooping binding table to validate the ARP packets.
DAI deployment involves identification of trusted and untrusted ports. DAI will trust and allow -without inspection- ARP packets on all trusted interfaces, and will intercept all packets on untrusted interfaces.
When DAI intercepts a packet it compares the source MAC and IP addresses with the DHCP snooping binding table; if DAI finds a valid entry it will allow the packet to pass, if no valid entry found, it will drop the packet and log the event.
This way ARP can make sure that only valid packets are allowed; and that’s because entries in DHCP snooping binding table are created when a host acquires IP address from DHCP server.
DAI Deployment considerations
- As stated before DAI relies on DHCP snooping to perform ARP packets validation; that means you must allow for the binding table to be built before applying DAI, otherwise, DAI will block everything. Allow the same time of DHCP lease. For example, if DHCP lease time is 1 day; give DHCP snooping 1 day; and then apply DAI.
- Trusted and untrusted ports should be configured properly; All ports connected to hosts should be configured as untrusted; ports connected to other switches should be configured as trusted.
- For statically assigned IP addresses, you have to create static entries in the snooping binding table.
In our next article, we will discuss IP source guard. Source guard is another l2 security technique that also relies on DHCP Snooping.