[c-nsp] against arp spoofing
Mikael Abrahamsson
swmike at swm.pp.se
Sun May 29 10:09:03 EDT 2005
On Sun, 29 May 2005, Gert Doering wrote:
>> No, it doesn't, since you cannot do any layer 2 stuff to do
>> man-in-the-middle (two different users can use the same MAC address in the
>> same subnet and it still works),
>
> I'm not sure if I believe that. If you share a subnet, at least the
> router port would see the double MAC address, and then the packet
> forwarding will get "interesting". Most likely you cannot do MITM, but
> you will be able to spoof-and-disrupt, which is nearly as bad.
Since the ARP and L2 information is not only bound to the super-vlan but
to the subvlan as well, it works. The router only populates the
forwarding tables with both pieces of information, and the configuration is checked
before populating the ARP and L2 forwarding table.
It looks like this (these are the MAC addresses used by the DLINK NAT
router in some of their firmware):
# show iparp mac-address 00:AA:BB:CC:DD:10
Destination Mac Age Static VLAN [VID] Port
x.x.164.45 00:AA:BB:CC:DD:10 11 NO SIW-5 [4077] 7
x.x.164.57 00:AA:BB:CC:DD:10 1 NO SIW-5 [4077] 7
x.x.192.48 00:AA:BB:CC:DD:10 9 NO SIW-2 [4084] 4
x.x.192.115 00:AA:BB:CC:DD:10 0 NO SIW-4 [3892] 6
We use /27s, so the first two are in the same IP subnet but they are
on different vlans:
# show fdb 00:AA:BB:CC:DD:10
Index Mac Vlan Age Use Flags Port List
--------------------------------------------------------------------------
53a01-102 00:AA:BB:CC:DD:10 dslam4port(3076) 0000 0001 d mi 4
53e50-104 00:AA:BB:CC:DD:10 dslam6port(3137) 0000 0001 d mi 6
53fe0-107 00:AA:BB:CC:DD:10 dslam7port(3162) 0000 0001 d mi 7
53c20-107 00:AA:BB:CC:DD:10 dslam7port(3174) 0000 0001 d mi 7
The subvlan configuration looks like this:
# show vlan SIW-5
VLAN Interface[20-213] with name "SIW-5" created by user
Tagging: Untagged (Internal tag 4077)
IP: x.x.164.33/255.255.255.224
Ports: 0. (Number of active ports=0)
Sub VLANs:
dslam1port20, dslam8port5, dslam8port4, dslam8port3, dslam8port1, dslam7port24,
dslam7port23, dslam7port22, dslam7port21, dslam7port20, dslam7port19,
dslam7port18, dslam7port17, dslam7port16, dslam7port15, dslam7port14,
dslam7port13, dslam7port12, dslam7port11, dslam7port10, dslam7port9,
dslam7port8, dslam7port7, dslam7port6, dslam7port4, dslam7port3,
dslam7port2, dslam7port1, dslam6port24
# show vlan dslam7port12
VLAN Interface[166-2a5] with name "dslam7port12" created by user
Tagging: 802.1Q Tag 3162
SuperVlan: SIW-5
SubRange: x.x.164.45->x.x.164.45
Comes in very handy. This is the best way I have been able to figure out how
to make everything secure when you have an L2 only ethernet DSLAM. One
broadcast domain per customer, spoof filter in the DSLAM per port
(statically configured), and protect the forwarding path by only allowing
ARP to be populated if the ARP answer comes in on the right vlan. The L3
device of course has to do proxy-arp on all the subvlans in this scenario,
but that goes without saying.
This is how Extreme Networks does what they have described in RFC3069. I
wish I could make others implement the same mechanisms.
> ip source-guard can do something similar (with statically configured
> mac-to-ip mappings).
Yes, but it doesn't solve the "two users with the same MAC address in the
same IP subnet" problem, which for instance is a genuine problem since a
lot of D-Link's NAT routers for home use have a bug and will all have the
same MAC address (as seen above).
--
Mikael Abrahamsson email: swmike at swm.pp.se
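The admission rule the post describes (ARP and FDB entries bound to the sub-VLAN, an ARP reply only learned when its sender IP falls inside the SubRange of the sub-VLAN it arrived on) can be modelled in a few lines. The following is an example added to this archive page, not Extreme Networks' code or the poster's configuration: the sub-VLAN names and 802.1Q tags mirror the `show` output above, while the 10.0.x.y addresses, the port numbers and the shared MAC are constructed sample values. It shows why the same MAC on several customer ports in one /27 causes no table collision, and how a reply from one port claiming a neighbour's address is dropped without touching either table.

```python
"""Per-sub-VLAN ARP admission as described in the post.

Example code added to this archive page; it is not Extreme Networks'
implementation. VLAN names and tags mirror the post; the IP addresses,
ports and MAC addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubVlan:
    """One customer sub-VLAN: its 802.1Q tag, parent super-VLAN and SubRange."""
    name: str
    tag: int
    supervlan: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def contains(self, ip):
        return self.first <= ip <= self.last


def subvlan(name, tag, supervlan, sub_range):
    """Build a SubVlan from a 'first->last' SubRange string as shown in the post."""
    first, last = (ipaddress.IPv4Address(p) for p in sub_range.split("->"))
    return SubVlan(name, tag, supervlan, first, last)


class SubVlanRouter:
    """Model of the L3 device: ARP and FDB entries are keyed by sub-VLAN tag,
    so the same MAC may appear once per sub-VLAN, and an ARP reply is only
    learned if its sender IP lies inside the SubRange of the tag it arrived on."""

    def __init__(self, subvlans):
        self.subvlans = {s.tag: s for s in subvlans}
        self.arp = {}       # (ip, tag) -> mac
        self.fdb = {}       # (mac, tag) -> port
        self.rejected = []  # (tag, ip, mac) of replies that failed the check

    def arp_reply(self, tag, sender_ip, sender_mac, port):
        """Return True if the reply was learned, False if it was dropped."""
        sub = self.subvlans.get(tag)
        ip = ipaddress.IPv4Address(sender_ip)
        mac = sender_mac.lower()
        if sub is None or not sub.contains(ip):
            # The reply claims an IP not assigned to this customer port:
            # neither the ARP table nor the FDB is modified.
            self.rejected.append((tag, str(ip), mac))
            return False
        self.arp[(ip, tag)] = mac
        self.fdb[(mac, tag)] = port
        return True

    def resolve(self, dest_ip):
        """Forwarding lookup: find the sub-VLAN owning dest_ip, then its
        ARP and FDB entries. Returns (mac, tag, port) or None."""
        ip = ipaddress.IPv4Address(dest_ip)
        for sub in self.subvlans.values():
            if sub.contains(ip):
                mac = self.arp.get((ip, sub.tag))
                if mac is None:
                    return None
                return mac, sub.tag, self.fdb[(mac, sub.tag)]
        return None


def demo():
    """Two customers in the same /27 (super-VLAN SIW-5) plus one in SIW-2, all
    answering ARP with the same MAC, then one customer claiming a neighbour's
    address. Returns the router and the per-reply admission results."""
    router = SubVlanRouter([
        subvlan("dslam7port12", 3162, "SIW-5", "10.0.164.45->10.0.164.45"),
        subvlan("dslam7port24", 3174, "SIW-5", "10.0.164.57->10.0.164.57"),
        subvlan("dslam4port3", 3076, "SIW-2", "10.0.192.48->10.0.192.48"),
    ])
    shared_mac = "00:AA:BB:CC:DD:10"   # constructed: same value on every CPE box
    results = [
        router.arp_reply(3162, "10.0.164.45", shared_mac, 7),
        router.arp_reply(3174, "10.0.164.57", shared_mac, 7),
        router.arp_reply(3076, "10.0.192.48", shared_mac, 4),
        # port 24's customer answers for .45, which belongs to port 12
        router.arp_reply(3174, "10.0.164.45", shared_mac, 7),
    ]
    return router, results


if __name__ == "__main__":
    router, results = demo()
    print("learned:", results)
    for (ip, tag), mac in sorted(router.arp.items()):
        print(f"{str(ip):<14} {mac} tag {tag} port {router.fdb[(mac, tag)]}")
    print("rejected:", router.rejected)
```

The model deliberately keys both tables on the tag rather than on the super-VLAN, which is the whole point of the post: two entries for `00:aa:bb:cc:dd:10` in the same /27 coexist because they live under different tags, and `resolve()` picks the entry via the SubRange, so traffic for .45 can only ever go to the port whose configuration owns .45. It does not model the proxy-ARP the L3 device must run on each sub-VLAN, nor the per-port spoof filter in the DSLAM that the post places in front of this check.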