Dynamic arp inspection, Arp poisoning, How dai works – Brocade Multi-Service IronWare Switching Configuration Guide (Supporting R05.6.00) User Manual

754

Multi-Service IronWare Switching Configuration Guide

53-1003036-02

Dynamic ARP inspection

19

The timer-value variable is a value between 10 to 3600 seconds. The default value is 60 seconds.

Dynamic ARP inspection

NOTE

This feature is supported on Layer 2 and Layer 3 code.

Dynamic ARP Inspection (DAI) enables the device to intercept and examine all ARP request and
response packets in a subnet and discard those packets with invalid IP to MAC address bindings.
DAI can prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning, and
disallow mis-configuration of client IP addresses.

ARP poisoning

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a
MAC address. Before a host can talk to another host, it must map the IP address to a MAC address
first. If the host does not have the mapping in its DAI table, it creates an ARP request to resolve the
mapping. All computers on the subnet will receive and process the ARP requests, and the host
whose IP address matches the IP address in the request will send an ARP reply.

An ARP poisoning attack can target hosts, switches, and routers connected to the Layer 2 network
by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic
intended for other hosts on the subnet. For instance, a malicious host can reply to an ARP request
with its own MAC address, thereby causing other hosts on the same subnet to store this
information in their DAI tables or replace the existing ARP entry. Furthermore, a host can send
gratuitous replies without having received any ARP requests. A malicious host can also send out
ARP packets claiming to have an IP address that actually belongs to another host (e.g. the default
router). After the attack, all traffic from the device under attack flows through the attacker’s
computer and then to the router, switch, or host.

How DAI works

DAI allows only valid ARP requests and responses to be forwarded.

A device on which ARP Inspection is configured does the following:

•

Intercepts ARP packets received by the system CPU

•

Inspects all ARP requests and responses received on untrusted ports

•

Verifies that each of the intercepted packets has a valid IP-to-MAC address binding before
updating the ARP table, or before forwarding the packet to the appropriate destination

•

Drops invalid ARP packets

When you enable ARP Inspection on a VLAN, by default, all member ports are untrusted. You must
manually configure trusted ports. In a typical network configuration, ports connected to host ports
are untrusted. You configure ports connected to other switches or routers as trusted.