No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE40E V800R010C10SPC500 Feature Description - Security 01

This is NE40E V800R010C10SPC500 Feature Description - Security
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Validity Check of ARP Packets

Validity Check of ARP Packets

Background

Address Resolution Protocol (ARP) is a protocol used for resolution of network layer addresses into link layer addresses. It is easy to implement, but does not have any security mechanisms. Therefore, it is vulnerable to attacks. Attackers can forge ARP packets by modifying media access control (MAC) addresses carried in the Data fields of ARP packets sent from authorized users. This process makes the source and destination MAC addresses carried in the Data field different from those carried in the Ethernet header.

This problem can be solved by configuring a validity check of ARP packets on devices. When a device capable of checking ARP packet validity receives an ARP packet, the device checks whether the source and destination MAC addresses carried in the Data field match those carried in the Ethernet header. If they match, the packet is considered valid and allowed to pass through. If they do not match, the device considers the packet an attack packet and discards it.

Related Concepts

A device can check the validity of ARP packets based on one of the following fields in a packet:
  • Source MAC addresses After receiving an ARP packet, the device checks whether the source MAC address in the Data field matches that in the Ethernet header. If they match, the device considers the packet valid and allows it to pass through. If they do not match, the device considers the packet an attack packet and discards it.

  • Destination MAC addresses (only for ARP reply packets)
    • After receiving an ARP packet, the device checks the destination MAC address in the Data field. If the destination MAC address is all 1s, the device considers the ARP packet an attack packet and discards it.
    • After receiving an ARP packet, the device checks whether the destination MAC address in the Data field matches that in the Ethernet header. If they match, the device considers the packet valid and allows it to pass through. If they do not match, the device considers the packet an attack packet and discards it.
  • Source and destination MAC addresses
    • After receiving an ARP request packet, the device checks whether the source and destination MAC addresses in the Data field match those in the Ethernet header. If they match, the device considers the packet valid and allows it to pass through. If they do not match, the device considers the packet an attack packet and discards it.
    • After receiving an ARP reply packet, the device checks whether the source and destination MAC addresses in the Data field match those in the Ethernet header and whether the destination MAC address is all 1s. If the source and destination MAC addresses in the Data field match those in the Ethernet header and the destination MAC address is not all 1s, the device considers the packet valid and allows it to pass through. Otherwise, the device considers the packet an attack packet and discards it.

Implementation

Figure 3-1 shows how the validity of ARP packets is checked.
Figure 3-1 Validity check of ARP packets

In the example in Figure 3-1, host A is attacked, and the attacker modifies the source MAC address of the ARP request packet. As a result, in the ARP request packet that host A sends, the source MAC address in the Data field of the packet is different from that in the Ethernet header of the packet. If validity check of ARP packets is not enabled, both host B and provider edge (PE) learn the fake address information carried in the ARP request packet from host A.

If validity check of ARP packets is configured on the PE, and the PE receives an ARP request packet, the PE checks whether the source MAC address in the Data field of the ARP request packet matches that in the Ethernet header. If they match, the PE learns the address information carried in the packet. If they do not match, the PE discards the packet.

Usage Scenario

Validity check of ARP packets is deployed on access devices.

Benefits

Validity check of ARP packets protects devices against ARP packets sent from authorized users that have been attacked. Therefore, network security and reliability are improved.

Translation
Download
Updated: 2019-01-03

Document ID: EDOC1100055047

Views: 12821

Downloads: 31

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next