
NE40E V800R010C10SPC500 Feature Description - Security 01

Overview of ARP Security

Definition

Address Resolution Protocol (ARP) security is a feature that protects devices from attacks that tamper with or forge ARP packets. ARP security implementation enhances device and network security.

Purpose

ARP is the protocol that resolves network layer (IP) addresses into link layer (MAC) addresses. It is easy to implement but has no built-in security mechanism, which leaves it vulnerable to attacks. The following ARP attacks may occur on networks:
  • ARP spoofing attack

    Attackers send forged ARP packets to modify ARP entries on gateways or valid hosts. As a result, valid ARP packets cannot be transmitted.

  • ARP flood attack (denial of service)

    Attackers forge and send a device large numbers of ARP request packets and gratuitous ARP packets whose IP addresses cannot be mapped to media access control (MAC) addresses. As a result, the device's ARP buffer overflows and the device can no longer cache valid ARP entries. Valid ARP packets cannot be transmitted.

These ARP attacks pose a serious threat to network security. ARP security offers various technologies to detect and protect against ARP attacks. Table 3-1 describes how ARP security is implemented to protect a device against ARP attacks.

Table 3-1 ARP security implementation

| Attack Type | ARP Security | Description | Benefit |
| --- | --- | --- | --- |
| ARP spoofing attack | Validity Check of ARP Packets | After receiving an ARP packet, the device checks whether the source and destination MAC addresses in the Ethernet header match those in the Data field of the packet. If they match, the device considers the packet valid and allows it to pass. If they do not match, the device considers the packet an attack packet and discards it. | ARP anti-spoofing functions protect devices against ARP attack packets, improving the security and reliability of network communication. |
| ARP flood attack | Strict ARP Learning | The device learns MAC addresses only from ARP reply packets that answer ARP request packets the device itself sent. This prevents attacks that send ARP request packets, or ARP reply packets that do not answer a request the device sent. | ARP anti-flood functions (this and the four rows below) relieve CPU load and prevent ARP entry overflow, ensuring normal network operation. |
| | ARP Entry Limit | The device limits the number of ARP entries that an interface can learn, preventing ARP entry overflow and improving ARP entry security. | |
| | ARP Packet Rate Limit | The device counts received ARP packets. If the number received in a specified period exceeds an upper limit, the device does not process the excess ARP packets. This function prevents ARP entry overflow. | |
| | ARP Miss Message Rate Limit | The device counts received ARP Miss messages. If the number received in a specified period exceeds an upper limit, the device does not process the excess ARP Miss messages. This function relieves CPU load. | |
| | Gratuitous ARP Packet Discarding | The device discards all received gratuitous ARP packets to prevent ARP entry overflow. | |
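As an added illustration (not code from this Huawei document or from the NE40E), the following Python model applies four of the Table 3-1 checks to constructed Ethernet/ARP frames: the validity check of Ethernet header MACs against the ARP Data field, strict ARP learning, the per-interface entry limit, and gratuitous ARP discarding. The frame layout helpers, the MAC and IP values, and the choice to compare the destination MAC only for replies (requests are broadcast) are assumptions of the example, not behaviour stated by the document.

```python
import struct
from dataclasses import dataclass, field

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac(s: str) -> bytes:            # "00:11:22:33:44:55" -> 6 raw bytes
    return bytes.fromhex(s.replace(":", ""))
def ip(s: str) -> bytes:             # "10.0.0.1" -> 4 raw bytes
    return bytes(int(octet) for octet in s.split("."))

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:   # constructed test frame
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse_arp(frame: bytes):         # Ethernet header MACs plus ARP Data fields, None if not ARP
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)[4:]
    return dict(eth_dst=eth_dst, eth_src=eth_src, op=op, sha=sha, spa=spa, tha=tha, tpa=tpa)

def valid_arp(p: dict) -> bool:
    """Validity check: MACs in the Ethernet header must match those in the ARP Data field."""
    if p["eth_src"] != p["sha"]:
        return False
    # Requests are broadcast, so the destination MAC is only comparable for replies (assumption).
    return p["op"] != ARP_REPLY or p["eth_dst"] == p["tha"]

@dataclass
class ArpTable:
    limit: int                                  # ARP Entry Limit for this interface
    pending: set = field(default_factory=set)   # IPs this device itself sent requests for
    entries: dict = field(default_factory=dict) # learned IP -> MAC

    def request(self, target_ip: bytes) -> None:
        self.pending.add(target_ip)
    def receive(self, frame: bytes) -> str:
        p = parse_arp(frame)
        if p is None or not valid_arp(p):
            return "dropped: header/payload MAC mismatch"
        if p["spa"] == p["tpa"]:
            return "dropped: gratuitous ARP"               # Gratuitous ARP Packet Discarding
        if p["op"] != ARP_REPLY or p["spa"] not in self.pending:
            return "ignored: not a reply to our own request"  # Strict ARP Learning
        if p["spa"] not in self.entries and len(self.entries) >= self.limit:
            return "dropped: entry limit reached"          # ARP Entry Limit
        self.entries[p["spa"]] = p["sha"]
        self.pending.discard(p["spa"])
        return "learned"
```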

Benefits

ARP security provides the following benefits to operators:
  • Lowers the maintenance costs for network operation and security.
  • Helps operators offer secure networking and stable services to users.
Updated: 2019-01-03

Document ID: EDOC1100055047