Sunday, May 9, 2021

Dynamic ARP Inspection, DAI

It strikes me that not many organizations enable Dynamic ARP Inspection, or DAI for short, on the switches their users connect to. Why bother with DAI anyway, you might ask. I would say it is something that is easy to activate and makes the switch block ARP messages that are not legitimate on your network. Such ARP messages can be used by an attacker to trick devices on a segment into believing that the attacker's computer is the router, which makes traffic from client computers go to the attacker's computer instead of the router.

First we need to think about how ARP works. When a host wants to communicate with another host and does not know the MAC address of the target host, it sends out an ARP message asking who has this IP address. The target host should then send an ARP reply saying that it has the IP address, along with the MAC address that was asked for. Next, the communication can be established on Layer 2 between the learned MAC addresses.
In comes the bad host, answering the ARP request (even though it should not) or sending a Gratuitous ARP (sort of an ARP reply without anyone asking for it). The ARP reply can then contain the requested IP address but with the MAC address of the bad host, tricking the other host into sending traffic to the bad host instead of the intended host.
This can be stopped by enabling DAI on the switch, which is quite easy.
ip arp inspection vlan x, where x is the VLAN you enable DAI on, for example:
ip arp inspection vlan 101

To see information about DAI, use "show ip arp inspection".

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  101     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  101     Deny             Deny              Off


But how does the switch know which MAC addresses and IP addresses are legitimate?
It uses the DHCP binding database. So to be able to use DAI you must first enable DHCP snooping to make the switch build the DHCP binding database (see my previous posts about DHCP). This introduces a problem for hosts with a static IP address that was not received from a DHCP server: the IP and MAC address binding is not in the snooping database on the switch, so the switch will block the host's ARP replies. Other hosts will then not be able to communicate with the host with the static IP address, since no one will learn its MAC address.

You will see this in the switch log:
*May  9 12:53:55.779: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/0, vlan 101.([0000.0c9f.f065/10.1.101.1/5000.0012.0000/10.1.101.11/14:53:54 EET Sun May 9 2021])

The log entry means that port Et0/0, VLAN 101 has blocked an ARP packet from 10.1.101.1 with MAC 0000.0c9f.f065 going to 10.1.101.11 with MAC 5000.0012.0000.

There are two solutions to this. You can either set the interface as trusted:
SW3(config-if)#ip arp inspection trust
This is similar to the DHCP snooping trusted ports function.
You would probably do this on the uplink interfaces leading to other switches and routers. But remember that it is basically the same as disabling ARP inspection on that interface.
Or you can create a static binding with MAC address, IP address, VLAN and interface.
This is accomplished by creating an ARP access list and then applying it to the VLAN.

arp access-list VLAN101
permit ip host 10.1.101.1 mac host 0000.0c9f.f065
Add as many IP address to MAC address mappings as you need in this ACL and then apply the ARP ACL to the VLAN:
ip arp inspection filter VLAN101 vlan 101
You have now allowed a host sending ARP replies with IP address 10.1.101.1 to use MAC address 0000.0c9f.f065 on VLAN 101.
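
The following Python script is an added example, not part of the original post or of any Cisco tooling. It parses DHCP_SNOOPING_DENY messages in the format of the log line above, groups denied sender IP addresses by the MAC addresses claiming them, and prints ARP ACL entries to review only for IPs claimed by a single MAC. The function names and the second and third sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Bracketed fields, in the order of the log line quoted above:
# sender MAC / sender IP / target MAC / target IP / timestamp
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]{14})/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]{14})/(?P<tip>[\d.]+)/[^\]]*\]\)"
)

# First line is the one from the post; the other two are constructed samples.
SAMPLE_LOG = [
    "*May  9 12:53:55.779: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/0, vlan 101.([0000.0c9f.f065/10.1.101.1/5000.0012.0000/10.1.101.11/14:53:54 EET Sun May 9 2021])",
    "*May  9 12:54:10.102: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/2, vlan 101.([5000.0099.0000/10.1.101.20/5000.0012.0000/10.1.101.11/14:54:09 EET Sun May 9 2021])",
    "*May  9 12:54:12.340: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/3, vlan 101.([5000.00aa.0000/10.1.101.20/5000.0012.0000/10.1.101.11/14:54:11 EET Sun May 9 2021])",
]

def parse_deny(line):
    """Return the fields of one DHCP_SNOOPING_DENY message, or None."""
    m = DAI_DENY.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"], rec["vlan"] = int(rec["count"]), int(rec["vlan"])
    return rec

def triage(lines):
    """Map (vlan, sender IP) to the sorted sender MACs that were denied for it."""
    claims = defaultdict(set)
    for rec in filter(None, map(parse_deny, lines)):
        claims[(rec["vlan"], rec["sip"])].add(rec["smac"])
    return {key: sorted(macs) for key, macs in claims.items()}

def acl_candidates(claims):
    """ARP ACL entries to review; skips any IP claimed by more than one MAC."""
    return [
        f"permit ip host {ip} mac host {macs[0]}"
        for (_vlan, ip), macs in sorted(claims.items())
        if len(macs) == 1
    ]

if __name__ == "__main__":
    claims = triage(SAMPLE_LOG)
    for (vlan, ip), macs in sorted(claims.items()):
        status = "static candidate" if len(macs) == 1 else "CONFLICT, investigate"
        print(f"vlan {vlan} {ip}: {', '.join(macs)} -> {status}")
    print("\n".join(acl_candidates(claims)))
```

Confirm who owns each address before adding a candidate entry to the ARP ACL, since a denied ARP can just as well come from a spoofing host as from a legitimate static one.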

You can configure a lot more with DAI, such as rate limiting, logging, and which parameters in the ARP packet to verify.
With "show ip arp inspection" we saw that there was no validation of MAC addresses and IP addresses. I suggest you enable validation of these fields in the ARP packet.
ip arp inspection validate src-mac dst-mac ip

To rate limit ARP packets, use the interface command "ip arp inspection limit rate x", where x is the number of ARP packets per second. The default is 15, which might be too small on trunk interfaces.

You see, DAI is not that complicated at all and is easy to enable.