ME60 V800R023C10SPC500 Configuration Guide

Configuring Defense Against Man-in-the-Middle Attacks and IP/MAC Address Spoofing

This section describes how to configure the IP/MAC address binding and Option 82 functions to prevent man-in-the-middle attacks and IP/MAC address spoofing.

Applicable Environment

In a man-in-the-middle attack or IP/MAC address spoofing, an attacker impersonates the server to the clients and the clients to the server. The server believes that all packets come from and go to the clients, and the clients believe the same about the server. In reality, the packets are relayed second-hand through the man in the middle, who can in this way obtain the data exchanged between the server and the clients.

To prevent man-in-the-middle attacks and IP/MAC address spoofing, enable the Dynamic Host Configuration Protocol (DHCP) snooping function on a device so that the device forwards a packet only if the packet information matches an entry in the DHCP snooping binding table. If a packet does not match any entry in the DHCP snooping binding table, the device discards the packet.

Pre-configuration Tasks

Before you configure defense against man-in-the-middle attacks and IP/MAC address spoofing, configure DHCP snooping.

Enabling DHCP Snooping

To configure Dynamic Host Configuration Protocol (DHCP) snooping functions, enable DHCP snooping first.

Context

Enable DHCP snooping in the following sequence:
  1. Enable DHCP globally.
  2. Enable DHCP snooping globally.
  3. Enable DHCP snooping in an interface, BD, or VLAN view.

Procedure

  • Enable DHCP snooping for a VLAN.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run vlan vlan-id

      The VLAN view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the VLAN.

    6. Run quit

      The system view is displayed.

    7. Run commit

      The configuration is committed.

  • Enable DHCP snooping for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the interface.

    6. Run commit

      The configuration is committed.

  • Enable DHCP snooping in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

      By default, DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

      By default, DHCP snooping is disabled globally.

    4. Run bridge-domain bd-id

      The BD view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled in a BD.

      By default, DHCP snooping is disabled in a BD.

    6. Run commit

      The configuration is committed.

Enabling DHCP Request Packet Check

To prevent man-in-the-middle attacks and IP/MAC address spoofing, enable Dynamic Host Configuration Protocol (DHCP) request packet check. After packet check is enabled on a device, the device checks the received Address Resolution Protocol (ARP) or IP packets to see whether the combination of source IP addresses and source MAC addresses in the packets match entries in the DHCP snooping binding table.

Context

For DHCP users, the DHCP snooping binding table is automatically generated when DHCP snooping is enabled. For users using static IP addresses, the DHCP snooping binding table needs to be manually configured.

Enable DHCP request packet check in an interface, BD, or VLAN view.

Procedure

  • Enable DHCP request packet check in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping check { arp | ip } enable [ interface interface-type interface-number ]

      DHCP request packet check is enabled for the VLAN.

    4. Run commit

      The configuration is committed.

  • Enable DHCP request packet check in a BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping check { arp | ip } enable

      DHCP request packet check is enabled in a BD.

    4. Run commit

      The configuration is committed.

  • Enable DHCP request packet check in an interface view.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping check { arp | ip } enable

      DHCP request packet check is enabled for the interface.

    4. Run commit

      The configuration is committed.

(Optional) Configuring the DHCP Snooping Binding Table

Dynamic entries in the DHCP snooping binding table are automatically generated when DHCP snooping is enabled. Static entries in the DHCP snooping binding table must be manually configured.

Context

A static IP address, or an IP address allocated to a user in static mode, is an IP address that is manually configured on the client. Users who use static IP addresses are referred to as static users.

If users are allocated static IP addresses, static binding entries can be configured for these addresses to prevent the static IP addresses from being misappropriated. If there are many static users, a static binding entry must be configured for each static IP address; otherwise, unauthorized users who attempt to use static IP addresses that are not theirs cannot be isolated.

Dynamic entries in the DHCP snooping binding table do not need to be configured; they are generated automatically when DHCP snooping is enabled. Static entries in the DHCP snooping binding table, however, must be configured by running commands:

  • For IP addresses dynamically allocated to users, the device learns the users' MAC addresses automatically and creates the binding relationship table. The table does not need to be configured manually.
  • For IP addresses statically allocated to users, the device cannot create the binding relationship table. The table must be created manually.

If the binding relationship table for static users is not created manually, one of the following situations occurs:

  • If the device is configured to forward packets that do not match any entry in the binding relationship table, the packets of all static users are forwarded and all static users can access the DHCP server normally. This is the default behavior of the device.
  • If the device is configured to discard packets that do not match any entry in the binding relationship table, the packets of all static users are discarded and no static user can access the DHCP server.

If the created binding table must contain interface information, the Option 82 function must be enabled. If the Option 82 function is not enabled and DHCP snooping is enabled on the VLANIF interface, entries in the created DHCP snooping binding table do not contain interface information. For details, see the description of how to "configure the Option 82 function".

When an interface receives an Address Resolution Protocol (ARP) or IP packet, it matches the packet's source IP address and source MAC address against entries in the DHCP snooping binding table, checking the MAC address, IP address, interface, and virtual local area network (VLAN) information. Based on this check, the interface takes one of the following actions:

  • The ARP or IP packet is discarded if its source IP address and source MAC address do not match any entry in the DHCP snooping binding table.
  • The ARP or IP packet is forwarded if its source IP address and source MAC address match an entry in the DHCP snooping binding table.
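The following Python is an added example, not code from the ME60 documentation or from the device: it models the binding-table check described above over a constructed binding table and constructed ARP/IP packets, reporting which field failed to match, and counts discards per packet type against an alarm threshold like the one configured under the alarm function later in this section. All addresses, interface names and the one-entry-per-IP indexing are constructed simplifications.

```python
"""Model of the DHCP snooping binding-table check (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class BindingEntry:
    """One binding entry: the IP, MAC, interface and VLAN of a user."""
    ip: str
    mac: str
    interface: str
    vlan: int

@dataclass(frozen=True)
class Packet:
    """Fields of a received ARP or IP packet that the check inspects."""
    kind: str        # "arp" or "ip"
    src_ip: str
    src_mac: str
    interface: str   # interface the packet arrived on
    vlan: int

class SnoopingCheck:
    """Forward a packet only if all four fields match a binding entry;
    otherwise discard it, count it and raise an alarm at the threshold."""

    def __init__(self, entries: List[BindingEntry], threshold: int):
        # Simplification: one entry per IP, so a mismatch can be explained field by field.
        self.by_ip: Dict[str, BindingEntry] = {e.ip: e for e in entries}
        self.threshold = threshold
        self.discarded = {"arp": 0, "ip": 0}
        self.alarms: List[str] = []

    def check(self, pkt: Packet) -> str:
        entry = self.by_ip.get(pkt.src_ip)
        if entry is None:
            return self._discard(pkt, "no-entry")
        bad = [name for name, got, want in (("mac", pkt.src_mac, entry.mac),
                                            ("interface", pkt.interface, entry.interface),
                                            ("vlan", pkt.vlan, entry.vlan)) if got != want]
        return "forward" if not bad else self._discard(pkt, ",".join(bad))

    def _discard(self, pkt: Packet, reason: str) -> str:
        self.discarded[pkt.kind] += 1
        if self.discarded[pkt.kind] == self.threshold:   # alarm once, when the threshold is reached
            self.alarms.append(f"{pkt.kind} discard threshold {self.threshold} reached")
        return "discard:" + reason

# Constructed binding table: one dynamic (DHCP) user and one static user.
TABLE = [
    BindingEntry("10.1.1.10", "00-1e-10-aa-bb-01", "GE0/1/1", 100),  # learned via DHCP
    BindingEntry("10.1.1.20", "00-1e-10-aa-bb-02", "GE0/1/2", 100),  # configured statically
]

# Constructed traffic on the access interfaces.
TRAFFIC = [
    Packet("arp", "10.1.1.10", "00-1e-10-aa-bb-01", "GE0/1/1", 100),  # legitimate host
    Packet("arp", "10.1.1.10", "00-1e-10-cc-dd-99", "GE0/1/3", 100),  # bound IP, other MAC and port
    Packet("ip",  "10.1.1.20", "00-1e-10-aa-bb-02", "GE0/1/3", 100),  # right IP/MAC, wrong port
    Packet("ip",  "10.1.1.30", "00-1e-10-aa-bb-03", "GE0/1/4", 100),  # static user without an entry
]

def run(entries=TABLE, traffic=TRAFFIC, threshold=2):
    """Apply the check to each packet; return verdicts, discard counters and alarms."""
    chk = SnoopingCheck(entries, threshold)
    verdicts = [chk.check(p) for p in traffic]
    return verdicts, chk.discarded, chk.alarms

if __name__ == "__main__":
    print(run())
```

The last packet shows the static-user case from the context above: until a static entry for 10.1.1.30 is added to the table, its traffic is discarded like a spoofed packet.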

Procedure

  • Configure DHCP snooping static entries for a VLAN.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping bind-table static ip-address ip-address [ mac-address mac-address ] [ interface interface-type interface-number [ ce-vlan ce-vlan-id ] ]

      The static DHCP snooping entry is configured for the VLAN.

    4. Run commit

      The configuration is committed.

  • Configure static DHCP snooping binding entries in a BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping bind-table static ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

      The static DHCP snooping entry is configured.

    4. Run commit

      The configuration is committed.

  • Configure static DHCP snooping binding entries on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping bind-table static ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

      The static DHCP snooping entry is configured.

    4. Run commit

      The configuration is committed.

  • Configure backup for the DHCP snooping binding table.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp snooping bind-table autosave filename

      Automatic backup is configured for the DHCP snooping binding table.

      After this configuration, the system backs up the file that stores the DHCP snooping binding table to the specified backup path every 60 minutes or whenever 150 entries have been dynamically generated.

    3. Run commit

      The configuration is committed.

  • (Optional) Configure the file integrity check mode of the DHCP snooping binding table.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp snooping database authentication-mode { check | no-check | force-check }

      The file integrity check mode of the DHCP snooping binding table is configured.

    3. Run commit

      The configuration is committed.

(Optional) Configuring Option 82 Field Insertion

After Option 82 field insertion is enabled on a device, the device can record the location information of a DHCP client or create binding entries with accurate interface information based on the Option 82 information.

Context

The Option 82 field contains the location information of Dynamic Host Configuration Protocol (DHCP) hosts, such as information about the login interface, virtual local area network (VLAN), and address. After DHCP snooping is configured, the device can create binding entries with accurate interface information based on the Option 82 field. In addition, the DHCP server that supports the Option 82 field can allocate different IP policies to different clients based on the Option 82 information. This provides more flexible address allocation modes.

Procedure

  • Configure Option 82 field insertion in the VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp option82 insert enable [ interface interface-type interface-number ] or dhcp option82 rebuild enable [ interface interface-type interface-number ]

      Option 82 field insertion is enabled.

      • After the dhcp option82 insert enable command is run: If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet; if the Option 82 field exists in a received DHCP packet, the device checks whether the Option 82 field contains sub-options. If the Option 82 field contains sub-options, the device does not change the sub-options. If the Option 82 field does not contain sub-options and the sub-option format is configured, the device inserts sub-options into the Option 82 field.
      • After the dhcp option82 rebuild enable command is run: If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet; if the Option 82 field exists in a DHCP packet, the device deletes the Option 82 field and inserts a new Option 82 field into the packet.
    4. Run quit

      Return to the system view.

    5. (Optional) Run dhcp option82 inner-vlan insert enable

      Option 82 information is encapsulated into the inner and outer VLAN IDs of a double-tagged user packet.

      In scenarios where users go online through Layer 2 interfaces or VLANIF interfaces and interworking between devices or a version upgrade is involved, decide whether to run this command based on your requirements.

    6. Run commit

      The configuration is committed.

  • Configure Option 82 field insertion in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp option82 insert enable

      Option 82 field insertion is enabled.

      • After the dhcp option82 insert enable command is run: If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet; if the Option 82 field exists in a received DHCP packet, the device checks whether the Option 82 field contains sub-options. If the Option 82 field contains sub-options, the device does not change the sub-options. If the Option 82 field does not contain sub-options and the sub-option format is configured, the device inserts sub-options into the Option 82 field.
      • After the dhcp option82 rebuild enable command is run: If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet; if the Option 82 field exists in a DHCP packet, the device deletes the Option 82 field and inserts a new Option 82 field into the packet.
    4. Run commit

      The configuration is committed.

  • Configure Option 82 field insertion on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp option82 insert enable or dhcp option82 rebuild enable

      Option 82 field insertion is enabled.

      • After the dhcp option82 insert enable command is run: If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet; if the Option 82 field exists in a received DHCP packet, the device checks whether the Option 82 field contains sub-options. If the Option 82 field contains sub-options, the device does not change the sub-options. If the Option 82 field does not contain sub-options and the sub-option format is configured, the device inserts sub-options into the Option 82 field.
      • After the dhcp option82 rebuild enable command is run: If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet; if the Option 82 field exists in a DHCP packet, the device deletes the Option 82 field and inserts a new Option 82 field into the packet.
    4. (Optional) Run dhcp option82 link-selection insert enable

      The function of inserting sub-option 5 into Option 82 is enabled.

    5. (Optional) Run dhcp option82 link-selection subnet-ip-address

      An IP address corresponding to sub-option 5 in Option 82 is configured.

    6. (Optional) Run dhcp option82 vendor-specific insert enable

      The device is enabled to insert Option 82's sub-option 9 into a DHCP packet.

    7. (Optional) Run dhcp option82 vendor-specific format

      A format is configured for Option 82's sub-option 9 carried in a DHCP packet.

    8. Run quit

      Return to the system view.

    9. (Optional) Run dhcp option82 inner-vlan insert enable

      Option 82 information is encapsulated into the inner and outer VLAN IDs of a double-tagged user packet.

      In scenarios where users go online through Layer 2 interfaces or VLANIF interfaces and interworking between devices or a version upgrade is involved, decide whether to run this command based on your requirements.

    10. Run commit

      The configuration is committed.
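The following Python is an added example, not code from the ME60 documentation: it models the two Option 82 behaviours described in the procedure above (dhcp option82 insert enable versus dhcp option82 rebuild enable) on constructed DHCP option lists, using the standard sub-option 1 (circuit ID) and sub-option 2 (remote ID) TLV layout from RFC 3046. The relay data, client identifiers and the assumption that a freshly inserted field carries the device's own sub-options are constructed.

```python
"""Model of the dhcp option82 insert/rebuild behaviour (added example, constructed data)."""
from typing import List, Tuple

OPTION_82 = 82                           # DHCP Relay Agent Information option
SubOptions = List[Tuple[int, bytes]]     # (sub-option code, data)
Options = List[Tuple[int, bytes]]        # (option code, value)

# Constructed relay information: sub-option 1 (circuit ID) and 2 (remote ID) per RFC 3046.
RELAY: SubOptions = [(1, b"GE0/1/1:100"), (2, bytes.fromhex("001e10aabb00"))]

def parse_suboptions(value: bytes) -> SubOptions:
    """Split an Option 82 value into (code, data) sub-option TLVs."""
    subs, i = [], 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs.append((code, value[i + 2:i + 2 + length]))
        i += 2 + length
    return subs

def build_suboptions(subs: SubOptions) -> bytes:
    """Encode sub-options back into an Option 82 value."""
    return b"".join(bytes([code, len(data)]) + data for code, data in subs)

def apply_option82(options: Options, mode: str, relay: SubOptions,
                   format_configured: bool) -> Options:
    """Return the option list after the device processes a received DHCP packet.

    mode is "insert" or "rebuild"; relay is the device's own sub-options;
    format_configured says whether a sub-option format has been configured.
    """
    others = [(c, v) for c, v in options if c != OPTION_82]
    present = [v for c, v in options if c == OPTION_82]
    fresh = (OPTION_82, build_suboptions(relay))
    if not present:                      # no Option 82 in the packet: both modes insert one
        return others + [fresh]
    if mode == "rebuild":                # delete the existing field, insert a new one
        return others + [fresh]
    if parse_suboptions(present[0]):     # insert: existing sub-options are left unchanged
        return options
    if format_configured:                # insert: empty field receives the configured sub-options
        return others + [fresh]
    return options                       # insert: empty field and no format, packet untouched

def demo() -> dict:
    """Run the cases described on the page; return the resulting Option 82 sub-options."""
    base = [(53, b"\x01"), (61, b"\x01\x00\x1e\x10\xcc\xdd\x01")]   # message type + client id
    with_82 = base + [(OPTION_82, build_suboptions([(1, b"upstream-port-7")]))]
    empty_82 = base + [(OPTION_82, b"")]

    def subs(opts: Options) -> SubOptions:
        return parse_suboptions(dict(opts)[OPTION_82])

    return {
        "insert_no_82": subs(apply_option82(base, "insert", RELAY, True)),
        "insert_keeps_existing": subs(apply_option82(with_82, "insert", RELAY, True)),
        "insert_fills_empty": subs(apply_option82(empty_82, "insert", RELAY, True)),
        "insert_empty_no_format": subs(apply_option82(empty_82, "insert", RELAY, False)),
        "rebuild_replaces": subs(apply_option82(with_82, "rebuild", RELAY, True)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

Because insert mode leaves sub-options that are already present in the packet untouched, only rebuild mode guarantees that the Option 82 field, and hence the interface information in the binding entries built from it, comes from this device.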

Follow-up Procedure

After Option 82 field insertion is enabled, you can configure the format of the Option 82 field as required.

  • Configure the format of the Option 82 field in the VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp option82 format { user-defined text | type1 | type2 | self-define self-define | cn-telecom | cn-telecom-inherit } interface interface-type interface-number

      The format of the Option 82 field is configured for the VLAN.

    4. Run commit

      The configuration is committed.

  • Configure the format of the Option 82 field on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp option82 format { self-define extendtext | type1 | type2 | cn-telecom | cn-telecom-inherit } or dhcp option82 { circuit-id | remote-id } format self-define extendtext or dhcp option82 [ circuit-id | remote-id ] format user-defined text

      The format of the Option 82 field is configured.

    4. Run commit

      The configuration is committed.

(Optional) Configuring the Alarm Function for Discarded Man-in-the-Middle Attack and IP/MAC Address Spoofing Packets

By configuring the function described in this section, you can have an alarm generated when a specified number of man-in-the-middle attack and IP/MAC address spoofing packets have been discarded.

Context

After packet check is enabled, if a received Address Resolution Protocol (ARP) or IP packet of a man-in-the-middle attack or IP/MAC address spoofing does not match any entry in the Dynamic Host Configuration Protocol (DHCP) snooping binding table, the device discards the ARP or IP packet. With the function described in this section configured, when the number of discarded packets reaches a specified threshold, an alarm is generated.

Configure the alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets in a VLAN, BD, or interface view.

Procedure

  • Configure the alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping alarm { arp | ip } enable [ interface interface-type interface-number ]

      The alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets is enabled for the VLAN.

    4. Run dhcp snooping alarm { arp | ip } threshold threshold [ interface interface-type interface-number ]

      The alarm threshold for the number of discarded packets is configured for the VLAN.

    5. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets in a BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping alarm { arp | ip } enable

      The alarm function is enabled for discarded man-in-the-middle attack and IP/MAC address spoofing packets in the BD view.

    4. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets in an interface view.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping alarm { arp | ip } enable

      The alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets is enabled for the interface.

    4. Run dhcp snooping alarm { arp | ip } threshold threshold-value

      The alarm threshold for the number of discarded packets is configured for the interface.

    5. Run commit

      The configuration is committed.

Verifying the Configuration of Defense Against Man-in-the-Middle Attacks and IP/MAC Address Spoofing

This section describes how to check the configuration of defense against man-in-the-middle attacks and IP/MAC address spoofing.

Prerequisites

The configuration of defense against man-in-the-middle attacks and IP/MAC address spoofing is complete.

Procedure

  • Run the display dhcp snooping global command to check the global DHCP snooping information.
  • Run the display dhcp snooping bind-table { all | dynamic | interface interface-type interface-number | ip-address ip-address | mac-address mac-address | static | vlan vlan-id [ interface interface-type interface-number ] | vsi vsi-name | bridge-domain bd-id } command to check the information about the Dynamic Host Configuration Protocol (DHCP) snooping binding table.
  • Run the display dhcp snooping { interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] | bridge-domain bd-id } command to check the DHCP snooping configuration.
  • Run the display dhcp option82 configuration [ interface interface-type interface-number | vlan vlan-id | bridge-domain bd-id ] command to check the Option 82 configuration.