DHCP Snooping+ARP Inspection vs. IP Source Guard

Hi,

Can someone explain to me the difference between “DHCP Snooping + ARP Inspection” and “IP Source Guard”? From the user's perspective they work exactly the same. Untrusted hosts which are not in the binding table are not able to connect to other hosts (based on IP/MAC). Are there any cons/pros to choosing a particular one? Did you see them in production networks? To be honest I have never seen any of them at any of my enterprise customers, so I’m just curious which one is better, more popular, etc.

Thank you
Hubert

Comments

  • They actually have different purposes,

    1) DHCP Snooping: Prevents a rogue DHCP server on the LAN from giving IP addresses to hosts. Note that once the address is gotten by the client, DHCP snooping doesn't give a damn about what's happening

    2) ARP Inspection: A client doesn't spoof another client's MAC address. Note that once the ARP is properly learned, ARP inspection doesn't care again. Also this doesn't prevent me from spoofing packets

    3) IP source guard: Filters packets in the data plane to ensure a client can't spoof another's address.

    They are typically all used together.

    DHCP and ARP inspection - protects the control plane

    IP source guard - protects the data plane

  • Hi,

    DAI and IPSG are doing different things and prevent different attacks on the access-ports.

    DAI

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swdynarp.html

    Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:

    • Intercepts all ARP requests and responses on untrusted ports
    • Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
    • Drops invalid ARP packets

    As you can see DAI only verifies ARP packets and not IP packets. In this case you could still spoof your MAC and IP address and send unidirectional traffic to a host. Also, DHCP Snooping doesn't have to be enabled. You could as well configure static ARP access-lists if you don't run DHCP. This would prevent ARP spoofing (GARP, or malicious ARP Responses).

    IP Source Guard

    When IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.

    Again, you don't necessarily need DHCP snooping if you configure everything statically. Also, in addition you can enable port-security to check the source MAC address as well. This would prevent any MAC/IP spoofing on the access port.

    I hope this helps.

    Florian

  • Hi,

    DHCP Snooping protects against DHCP client/server attacks, DAI protects against ARP attacks; so both protect against attacks on the control-plane. IP Source Guard dynamically filters the data-plane based on the layer2/layer3 information. So DHCP Snooping + DAI does not equal IPSG. Each feature does a different thing, so you can choose to enable one or all; it is indeed not that widely deployed due to the configuration and management overhead.

    Regards,

    Cristian.

  • I did one test and I enabled DHCP Snooping + DAI. I had 3 ports on the switch: 1) DHCP server, 2) DHCP client, 3) attacker – IP assigned manually. The result of this configuration was a lack of connection between the attacker and the rest of the network (ARP blocked due to a missing entry in the DHCP snooping binding table). Then I removed DAI and I enabled IPSG. From the attacker's perspective, the result was the same. I understand it is implemented in another way, as IPSG applies filters and we can easily check what the current status is by looking at the table below:

    MP-SW#sh ip verify source
    Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan   Log
    ---------  -----------  -----------  ---------------  -----------------  ----   ---
    Fa1/0/4    ip-mac       active       deny-all         deny-all           1
    Fa1/0/13   ip-mac       active       10.0.0.6         04:C5:A4:3F:D6:D0  1      disabled
    MP-SW


    Can you give me any example of scenario where one is more suitable than another one?

    Thank you
    Hubert

  • Hi,

       I hope it's clear that each feature achieves a different scope. In your case, because that host has a static IP assigned, with DAI enabled, ARP will fail and thus IP traffic cannot work (unless you configure the host with static ARP entries); but this combination of DHCP Snooping and DAI restricts IP traffic from the host just because ARP does not work, otherwise IP traffic would work. When you removed DAI and applied IPSG, at that point because the host has a static IP, all inbound traffic is dropped (both IP and non-IP).

      Yes, in some cases, enabling one feature may seem to work the same way as other feature (traffic is blocked), but this is NOT the way you should think.

    Regards,

    Cristian.

  • Hi,

    It isn't so obvious yet :)

    From the WB:

    "Dynamic ARP Inspection (DAI) is a security feature that fixes some well-known weaknesses in the ARP protocol. Generally, ARP operation on an Ethernet segment allows any host to spoof a MAC address for any IP address on the segment. These attacks, commonly known as Man-in-the-Middle (MITM) attacks, cannot be prevented by using only port-security, access-lists, or other well-known security features. DAI is used to prevent ARP poisoning attacks"


    "IP Source Guard is a security feature intended to prevent packet spoofing based on MAC or IP addresses (MiTM attacks)."


    Let's assume I'm asked to implement any feature on a switch to protect the network against a MiTM attack. I know in both solutions it will be done in a different way, but both rely on the DHCP Snooping binding table. Which one is more preferable, as in both descriptions we can see that functionality?

  • Hi,

     The task will let you know which feature to implement (based on the attack type), it will not be that vague.

    Regards,

    Cristian.

  • This is what I was worried about. That's good. Thank you

  • Seyi, Florian - thank you for your responses. All your explanations (with Cristian's ones too) made the topic much clearer. I have one more question. You said these features are typically all used together and I wonder why we need DAI if we enable IPSG with the MAC/IP option (ip verify source port-security). Is there any way to spoof the MAC? I did some tests and I'm blocked every time with a modified MAC

    Regards
    Hubert

  • Hi,

        With IPSG you can block traffic based on the layer2/layer3 source address. DAI inspects the ARP payload, NOT the source MAC address from the layer 2 Ethernet header. IPSG cannot do that. You can still use "valid" layer2/layer3 source addresses so that traffic is allowed by IPSG but spoof ARP packets by changing the ARP payload to whatever you want.

    Regards,

    Cristian.
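    As an added illustration (not from this thread, the INE workbook or Cisco documentation), the following Python models in simplified form where each feature looks: IPSG at the Ethernet/IP source addresses of every frame, DAI at the sender fields inside the ARP payload, both against the DHCP snooping binding table. The binding table, the three frames and the deny-all behaviour for a port without a binding are constructed from the show output and the explanation above; real IOS has more states (static bindings, port-security counters) than this model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed binding table keyed by port, as DHCP snooping would populate it.
# Fa1/0/4 deliberately has no entry: the statically addressed host never got a lease.
BINDINGS = {"Fa1/0/13": {("10.0.0.6", "04:c5:a4:3f:d6:d0")}}


@dataclass
class Frame:
    port: str
    src_mac: str                           # Ethernet header source MAC
    ethertype: str                         # "ip" or "arp"
    src_ip: Optional[str] = None           # IP header source (IP frames only)
    arp_sender_mac: Optional[str] = None   # ARP payload sender hardware address
    arp_sender_ip: Optional[str] = None    # ARP payload sender protocol address


def ipsg_permits(frame: Frame) -> bool:
    """Simplified IPSG in ip-mac mode: a port with no binding is deny-all; IP frames
    must match a bound (IP, MAC) pair; non-IP frames such as ARP are checked on the
    Ethernet source MAC only. The ARP payload is never read."""
    bound = BINDINGS.get(frame.port, set())
    if not bound:
        return False
    if frame.ethertype == "ip":
        return (frame.src_ip, frame.src_mac.lower()) in bound
    return any(mac == frame.src_mac.lower() for _, mac in bound)


def dai_permits(frame: Frame) -> bool:
    """Simplified DAI: only ARP is inspected, and the sender IP/MAC inside the ARP
    payload must be a binding on the ingress port. Non-ARP traffic passes untouched."""
    if frame.ethertype != "arp":
        return True
    bound = BINDINGS.get(frame.port, set())
    return (frame.arp_sender_ip, frame.arp_sender_mac.lower()) in bound


def verdict(frame: Frame) -> dict:
    """Each feature's decision for one frame, so the two can be compared side by side."""
    return {"ipsg": ipsg_permits(frame), "dai": dai_permits(frame)}


# Constructed frames. LEGIT is the DHCP client from the show output; STATIC_HOST is
# the statically addressed host on Fa1/0/4; POISON keeps a valid Ethernet source but
# carries a forged sender IP (the gateway) inside the ARP payload.
LEGIT = Frame("Fa1/0/13", "04:C5:A4:3F:D6:D0", "ip", src_ip="10.0.0.6")
STATIC_HOST = Frame("Fa1/0/4", "00:11:22:33:44:55", "arp",
                    arp_sender_mac="00:11:22:33:44:55", arp_sender_ip="10.0.0.9")
POISON = Frame("Fa1/0/13", "04:C5:A4:3F:D6:D0", "arp",
               arp_sender_mac="04:C5:A4:3F:D6:D0", arp_sender_ip="10.0.0.1")
```

    The POISON case is the one Cristian describes: IPSG sees a valid source MAC on a port with a binding and permits the frame, while DAI rejects it because the ARP payload pairs the bound MAC with an IP that is not in the table.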

  • Hi Cristian,

    ARP payload is the key word. Now everything makes sense, why we need all of them. Thank you for your patience :)

    Regards

    Hubert

    On Jan 20, 2015 8:50 AM, "cristian.matei" <[email protected]> wrote:
