NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01
Overview of ARP Security

Address Resolution Protocol (ARP) security protects devices from attacks that tamper with or forge ARP packets. ARP security implementation enhances device and network security.

ARP Security Background

The Address Resolution Protocol (ARP) is an Internet protocol used to map IP addresses to MAC addresses.

If two hosts need to communicate, the sender must know the network-layer IP address of the receiver. Before an IP datagram can be transmitted over the physical network, however, it must be encapsulated in a link-layer frame that carries the receiver's MAC address. ARP is therefore needed to map IP addresses to MAC addresses so that datagrams can be delivered.

ARP Attack Type

ARP resolves network-layer (IP) addresses into link-layer (MAC) addresses. It is simple to implement but provides no authentication or integrity protection: any host on the segment can send an ARP packet claiming any IP-to-MAC mapping, and receivers accept it. ARP is therefore vulnerable to attacks. The following ARP attacks may occur on networks:
  • ARP spoofing attack

    Attackers send forged ARP packets to modify ARP entries on gateways or valid hosts so that an IP address is mapped to the attacker's MAC address. As a result, traffic destined for the valid host is misdirected or dropped, and normal communication is interrupted.

  • ARP flood attack (denial of service)

    Attackers forge and send to a device an excessive number of ARP request packets and gratuitous ARP packets with IP addresses that cannot be mapped to media access control (MAC) addresses. As a result, the device's ARP table overflows, the device cannot cache valid ARP entries, and valid ARP packets cannot be processed. Processing the flood also consumes CPU resources on the device.

ARP Security Application

These ARP attacks pose a serious threat to network security. ARP security offers various technologies to detect and protect against ARP attacks. Table 3-1 describes how ARP security is implemented to protect a device against ARP attacks.
Table 3-1 ARP security implementation (columns: Attack Type, ARP Security, Description, Benefit)

  • Attack type: ARP spoofing attack

    ARP security: Validity Check of ARP Packets

    Description: After receiving an ARP packet, the device checks whether the source and destination MAC addresses in the Ethernet header match the sender and target MAC addresses carried in the Data field (ARP body) of the packet. If they match, the device considers the packet valid and allows it to pass. If they do not match, the device considers the packet an attack packet and discards it.

    Benefit: ARP anti-spoofing functions protect devices against ARP attack packets, improving the security and reliability of network communication.

  • Attack type: ARP flood attack

    ARP security: Strict ARP Learning

    Description: The device learns MAC addresses only from ARP reply packets that answer ARP request packets the device itself sent. This prevents attacks that use ARP request packets, or unsolicited ARP reply packets that do not answer a request from the device, to populate the ARP table.

    ARP security: ARP Entry Limit

    Description: The device limits the number of ARP entries that an interface can learn, preventing ARP entry overflow and improving ARP entry security.

    ARP security: ARP Packet Rate Limit

    Description: The device counts the received ARP packets. If the number of ARP packets received in a specified period exceeds an upper limit, the device does not process the excess ARP packets. This function prevents ARP entry overflow.

    ARP security: ARP Miss Message Rate Limit

    Description: An ARP Miss message is generated when the device must forward an IP packet to a next hop for which it has no ARP entry; the message triggers the device to send an ARP request, so a flood of IP packets to unresolvable addresses produces a flood of ARP Miss messages. The device counts the received ARP Miss messages. If the number of ARP Miss messages received in a specified period exceeds an upper limit, the device does not process the excess ARP Miss messages. This function relieves CPU load.

    ARP security: Gratuitous ARP Packet Discarding

    Description: The device discards all received gratuitous ARP packets (ARP packets in which the sender and target IP addresses are the same) to prevent ARP entry overflow. Because this also drops legitimate gratuitous ARP announcements (for example, a host announcing a changed MAC address), it should be enabled only where such announcements are not required.

    Benefit: ARP anti-flood functions relieve CPU load and prevent ARP entry overflow, ensuring normal network operation.
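As an added example (not Huawei code and not taken from this guide), the following Python models the checks of Table 3-1 on a single interface: the validity check compares the Ethernet header MACs with the ARP Data field, strict learning accepts only replies that answer the device's own requests, and the ARP entry limit, ARP packet rate limit, ARP Miss message rate limit and gratuitous ARP discarding are applied as described. The order in which the checks run, the sliding-window rate limiting, the limit values, the addresses and the traffic in `demo()` are assumptions chosen for the demonstration; the exact semantics and check order on the NE20E-S2 are not stated on this page.

```python
import struct
from collections import deque

ETH_HDR = struct.Struct("!6s6sH")            # Ethernet header: dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # ARP body: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp(dst, src, op, sha, spa, tha, tpa):
    # Header MACs are passed separately from the Data-field MACs so that a spoofed frame can be built.
    return ETH_HDR.pack(dst, src, ETHERTYPE_ARP) + ARP_BODY.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None if the frame is not one."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame)
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if etype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": dst, "src": src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def is_valid(pkt):
    """Validity check: Ethernet src MAC must equal ARP sender MAC; for a unicast reply, Ethernet dst MAC must equal ARP target MAC (assumed reading)."""
    if pkt["src"] != pkt["sha"]:
        return False
    return pkt["op"] != ARP_REPLY or pkt["dst"] == BROADCAST or pkt["dst"] == pkt["tha"]

class ArpGuard:
    """One interface: entry limit, strict learning, ARP packet and ARP Miss rate limits over a sliding window, gratuitous ARP discarding."""

    def __init__(self, my_ip, entry_limit, rate_limit, miss_limit, window):
        self.my_ip, self.window = my_ip, window
        self.entry_limit, self.rate_limit, self.miss_limit = entry_limit, rate_limit, miss_limit
        self.table = {}                               # ARP cache: sender IP -> sender MAC
        self.pending = set()                          # IPs this device itself has sent requests for
        self.recent, self.misses = deque(), deque()   # timestamps of counted ARP packets / ARP Misses

    def _within_limit(self, times, now, limit):
        while times and now - times[0] >= self.window:
            times.popleft()
        if len(times) >= limit:
            return False
        times.append(now)
        return True

    def resolve(self, dst_ip, now):
        """Forwarding path: a missing entry raises an ARP Miss; only a Miss within the limit makes the device send its own request."""
        if dst_ip in self.table:
            return "hit"
        if not self._within_limit(self.misses, now, self.miss_limit):
            return "miss_rate_limited"
        self.pending.add(dst_ip)
        return "request_sent"

    def receive(self, frame, now):
        pkt = parse_arp(frame)
        if pkt is None:
            return "not_arp"
        if not self._within_limit(self.recent, now, self.rate_limit):
            return "rate_limited"                     # excess ARP packets in the period are not processed
        if not is_valid(pkt):
            return "invalid"                          # header/Data-field MAC mismatch: attack packet
        if pkt["spa"] == pkt["tpa"]:
            return "gratuitous_dropped"               # gratuitous ARP: sender IP equals target IP
        if pkt["op"] == ARP_REQUEST:
            return "request_for_me" if pkt["tpa"] == self.my_ip else "request_not_for_me"
        if pkt["op"] != ARP_REPLY:
            return "unknown_op"
        if pkt["spa"] not in self.pending:
            return "unsolicited_reply"                # strict learning: reply must answer our own request
        if pkt["spa"] not in self.table and len(self.table) >= self.entry_limit:
            return "entry_limit"                      # interface ARP table is full: entry not learned
        self.table[pkt["spa"]] = pkt["sha"]
        self.pending.discard(pkt["spa"])
        return "learned"

def demo():
    """Constructed sample traffic (not a capture) run through one guard; returns each verdict."""
    gw_mac, gw_ip, atk_mac = mac("00:11:22:33:44:55"), ip("10.0.0.1"), mac("de:ad:be:ef:00:01")
    h1_mac, h1_ip, h2_mac, h2_ip = mac("aa:bb:cc:00:00:01"), ip("10.0.0.11"), mac("aa:bb:cc:00:00:02"), ip("10.0.0.12")
    h3_mac, h3_ip = mac("aa:bb:cc:00:00:03"), ip("10.0.0.13")
    g = ArpGuard(gw_ip, entry_limit=2, rate_limit=4, miss_limit=1, window=1.0)
    v = {"miss1": g.resolve(h1_ip, 0.0), "miss2": g.resolve(h2_ip, 0.1)}
    v["good"] = g.receive(build_arp(gw_mac, h1_mac, ARP_REPLY, h1_mac, h1_ip, gw_mac, gw_ip), 0.2)
    v["spoof"] = g.receive(build_arp(gw_mac, atk_mac, ARP_REPLY, h1_mac, h1_ip, gw_mac, gw_ip), 0.3)
    v["forged"] = g.receive(build_arp(gw_mac, atk_mac, ARP_REPLY, atk_mac, h2_ip, gw_mac, gw_ip), 0.4)
    v["garp"] = g.receive(build_arp(BROADCAST, atk_mac, ARP_REQUEST, atk_mac, ip("10.0.0.99"), ZERO_MAC, ip("10.0.0.99")), 0.5)
    req = build_arp(BROADCAST, h1_mac, ARP_REQUEST, h1_mac, h1_ip, ZERO_MAC, gw_ip)
    v["flood"], v["later"] = g.receive(req, 0.6), g.receive(req, 1.6)
    v["miss3"] = g.resolve(h2_ip, 2.0)
    v["learn2"] = g.receive(build_arp(gw_mac, h2_mac, ARP_REPLY, h2_mac, h2_ip, gw_mac, gw_ip), 2.1)
    v["miss4"] = g.resolve(h3_ip, 3.2)
    v["full"] = g.receive(build_arp(gw_mac, h3_mac, ARP_REPLY, h3_mac, h3_ip, gw_mac, gw_ip), 3.3)
    return {**v, "table": dict(g.table)}
```

In the demo the spoofed reply (Ethernet source differs from the ARP sender MAC) is stopped by the validity check, while the forged reply whose header and Data field are internally consistent passes that check and is stopped only by strict learning, which is why the two functions are complementary. The fifth ARP packet within the one-second window is not processed, the second ARP Miss within the window is dropped before any request is sent, and the third host's reply is refused once the two-entry limit is reached.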

Updated: 2019-01-02

Document ID: EDOC1100055397