[c-nsp] Disable ARP

Arnold Nipper arnold at nipper.de
Fri Aug 25 06:19:54 EDT 2006


On 25.08.2006 11:28 Alex A. Pavlenko wrote

> ----- Original Message ----- From: "Saku Ytti"
> <saku+cisco-nsp at ytti.fi> To: <cisco-nsp at puck.nether.net> Sent:
> Thursday, August 24, 2006 7:14 PM Subject: Re: [c-nsp] Disable ARP
> 
> 
>> On (2006-08-24 19:02 +0400), Alex A. Pavlenko wrote:
>> 
>>> Are there any means to disable ARP learning on Ethernet interface
>>> or subinterface on Cisco router?
>> 
>> Yeah, unnumbered vlan subinterfaces (learning happens on DHCP), and
>> cisco itself does not send 'arp who has' on the wire. Very useful
>> if you have a lot of low-speed subscribers on the same rather empty
>> subnet, to avoid filling their pipes with useless 'arp who has'
>> queries when someone scans through the whole subnet.
> 
> Thanks, you've revealed to me a very interesting technique. However
> it is linked to DHCP, which is not used in our network. The main goal
> is to increase security - to forbid customers from stealing IP addresses.
> Obviously, it can be achieved by setting static ARP cache entries on
> the router and disabling ARP learning on the subinterface.  Without the
> second step a customer can take an unused IP address which is not
> statically placed into the ARP cache. However it is still incomprehensible
> how to disable ARP :( The only workaround I see is to attach an inbound
> access-list where all legitimate addresses are listed, but it
> requires a lot of hand work and consumes router resources :( So I'll
> appreciate any further ideas if any. Thanks
> 


Maybe an ARP sponge may be more efficient. What is an ARP sponge? Just 
link all unused address space to a certain host. I do this via sort of

  # one unused address (or prefix) per line in /etc/arpsponges
  for i in $(cat /etc/arpsponges); do
    ip address add "$i/$mask" dev "$interface"
  done

That at least makes customers who have stolen address space very unhappy ;-)

arpwatch (http://linux.maruhn.com/sec/arpwatch.html) also helps you to 
keep an eye on what's going on on your LAN.





Arnold
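A worked version of the sponge idea above, added here as an example and not taken from Arnold's post or the cisco-nsp thread. It assumes a Linux sponge host with iproute2 (the `ip address add` command the post uses), a constructed subnet 192.0.2.0/28 (RFC 5737 documentation space), a constructed list of legitimately assigned addresses in LEGIT, and a hypothetical interface name eth1. Rather than keeping a hand-written /etc/arpsponges, it derives the unused host addresses from the subnet and the list of assigned ones, which is the part that is easy to get wrong by hand. Nothing is applied to the system unless APPLY=1 is set; by default it only prints the commands it would run.

```sh
#!/bin/sh
# ARP sponge helper: bind every unused host address of a subnet to the
# sponge host so that a customer using an unassigned address collides
# with it. Added example; all values below are constructed.
NET=192.0.2.0/28                              # constructed subnet
LEGIT="192.0.2.1 192.0.2.5 192.0.2.9"          # constructed; .1 is the router, keep it listed
DEV=eth1                                       # hypothetical sponge interface

# Dotted quad -> integer (positional parameters are function-local here)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print every usable host address in CIDR block $1 (network and
# broadcast excluded) that is NOT in the whitespace-separated list $2.
unused_addresses() {
    cidr=$1; legit=$2
    net=${cidr%/*}; plen=${cidr#*/}
    base=$(ip2int "$net")
    size=$(( 1 << (32 - plen) ))
    i=1
    while [ $i -lt $(( size - 1 )) ]; do
        addr=$(int2ip $(( base + i )))
        case " $legit " in
            *" $addr "*) ;;          # assigned to a customer or the router: leave alone
            *) echo "$addr" ;;       # unused: sponge it
        esac
        i=$(( i + 1 ))
    done
}

# Print the `ip address add` command for each unused address on device $3;
# with APPLY=1 in the environment the commands are also executed.
sponge_commands() {
    cidr=$1; legit=$2; dev=$3
    plen=${cidr#*/}
    unused_addresses "$cidr" "$legit" | while read -r a; do
        cmd="ip address add $a/$plen dev $dev"
        echo "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd
        fi
    done
}

# Dry run: show what would be sponged for the constructed values.
sponge_commands "$NET" "$LEGIT" "$DEV"
```

Keep the router's own address (and anything else that legitimately answers ARP on the segment) in the assigned list, otherwise the sponge will fight the gateway for it. Pair this with arpwatch, as the post suggests, so that the collisions it causes show up as logged flip-flops rather than silent complaints.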

