Sunday, April 20, 2014

L2 security – Address Resolution Protocol (ARP).

I would like to look closer on the ARP protocol, how it works and what kind of security method we can use to control ARP packets.


       /----\                  /----\ 
      |  R1  |----------------|  R2  |
       \----/\                /\----/ 
            Gig0/0       Gig0/0
            10.0.0.1   10.0.0.2     


Let’s check what we see in the ARP table:
 
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   ca02.0eb8.0008  ARPA   GigabitEthernet0/0
R1#sh arp detail
ARP entry for 10.0.0.1, link type IP.
  Interface, via GigabitEthernet0/0, last updated 69 minutes ago.
  Encap type is ARPA, hardware address is ca02.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock

R1#

R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.2                -   ca03.0eb8.0008  ARPA   GigabitEthernet0/0
R2#sh arp detail
ARP entry for 10.0.0.2, link type IP.
  Interface, via GigabitEthernet0/0, last updated 5 minutes ago.
  Encap type is ARPA, hardware address is ca03.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock

R2#

If we don’t send any traffic, the routers don’t have any dynamic ARP entries in their ARP tables. Once we initiate traffic the ARP will probe the neighboring host. Now we send ping from R1 to R2 and we check the ARP tables once again:
 
R1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:

*Apr 19 01:02:14.835: IP ARP: creating incomplete entry for IP address: 10.0.0.2 interface GigabitEthernet0/0
*Apr 19 01:02:14.839: IP ARP: sent req src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.2 0000.0000.0000 GigabitEthernet0/0
*Apr 19 01:02:14.871: IP ARP: rcvd rep src 10.0.0.2 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/42/48 ms
R1#

On R2 we can see R1 request:
 
R2#
*Apr 19 01:02:14.775: IP ARP: rcvd req src 10.0.0.1 ca02.0eb8.0008, dst 10.0.0.2 GigabitEthernet0/0
*Apr 19 01:02:14.779: IP ARP: creating entry for IP address: 10.0.0.1, hw: ca02.0eb8.0008
*Apr 19 01:02:14.783: IP ARP: sent rep src 10.0.0.2 ca03.0eb8.0008,
                 dst 10.0.0.1 ca02.0eb8.0008 GigabitEthernet0/0
R2#

The request action captured by the Wireshark:
 
Frame 3: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 19, 2014 01:16:50.453967000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1397863010.453967000 seconds
    [Time delta from previous captured frame: 0.613754000 seconds]
    [Time delta from previous displayed frame: 0.613754000 seconds]
    [Time since reference or first frame: 1.685325000 seconds]
    Frame Number: 3
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:arp]
Ethernet II, Src: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        Address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Sender IP address: 10.0.0.1 (10.0.0.1)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 10.0.0.2 (10.0.0.2)

As we see the request message is sent as a broadcast, ARP type is 0x0806.
The respond packet captured by the Wireshark:
 
Frame 4: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 19, 2014 01:16:50.483955000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1397863010.483955000 seconds
    [Time delta from previous captured frame: 0.029988000 seconds]
    [Time delta from previous displayed frame: 0.029988000 seconds]
    [Time since reference or first frame: 1.715313000 seconds]
    Frame Number: 4
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:arp]
Ethernet II, Src: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08), Dst: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Destination: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        Address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
        Address: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
Address Resolution Protocol (reply)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    Sender MAC address: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
    Sender IP address: 10.0.0.2 (10.0.0.2)
    Target MAC address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Target IP address: 10.0.0.1 (10.0.0.1)

Let’s check ARP tables once again:
 
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   ca02.0eb8.0008  ARPA   GigabitEthernet0/0
Internet  10.0.0.2                1   ca03.0eb8.0008  ARPA   GigabitEthernet0/0
R1#sh arp detail
ARP entry for 10.0.0.1, link type IP.
  Interface, via GigabitEthernet0/0, last updated 79 minutes ago.
  Encap type is ARPA, hardware address is ca02.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock
ARP entry for 10.0.0.2, link type IP.
  Dynamic, via GigabitEthernet0/0, last updated 1 minute ago.
  Encap type is ARPA, hardware address is ca03.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Dynamic ARP Subblock
    Entry will be refreshed in 240 minutes and 29 seconds.
    It has 2 chances to be refreshed before it is purged.
    Entry is complete.
  * IP ARP Adjacency
    Adjacency (for 10.0.0.2 on GigabitEthernet0/0) was installed.
    Connection ID: 0


R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                2   ca02.0eb8.0008  ARPA   GigabitEthernet0/0
Internet  10.0.0.2                -   ca03.0eb8.0008  ARPA   GigabitEthernet0/0
R2#sh arp detail
ARP entry for 10.0.0.1, link type IP.
  Dynamic, via GigabitEthernet0/0, last updated 2 minutes ago.
  Encap type is ARPA, hardware address is ca02.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Dynamic ARP Subblock
    Entry will be refreshed in 249 minutes and 32 seconds.
    It has 2 chances to be refreshed before it is purged.
    Entry is complete.
  * IP ARP Adjacency
    Adjacency (for 10.0.0.1 on GigabitEthernet0/0) was installed.
    Connection ID: 0
ARP entry for 10.0.0.2, link type IP.
  Interface, via GigabitEthernet0/0, last updated 14 minutes ago.
  Encap type is ARPA, hardware address is ca03.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock

R2#
 
On R1 we cleared the ARP entry for 10.0.0.2, R1 checks if R2 is still available:
 
R1#clear ip arp 10.0.0.2
R1#
*Apr 19 01:05:41.123: IP ARP: sent req src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.2 ca03.0eb8.0008 GigabitEthernet0/0
*Apr 19 01:05:41.163: IP ARP: rcvd rep src 10.0.0.2 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0
*Apr 19 01:05:41.167: IP ARP: creating entry for IP address: 10.0.0.2, hw: ca03.0eb8.0008
R1#
 
Let’s shutdown port on R2 and check its ARP table:
 
R1#sh arp detail
ARP entry for 10.0.0.1, link type IP.
  Interface, via GigabitEthernet0/0, last updated 84 minutes ago.
  Encap type is ARPA, hardware address is ca02.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock
ARP entry for 10.0.0.2, link type IP.
  Dynamic, via GigabitEthernet0/0, last updated 3 minutes ago.
  Encap type is ARPA, hardware address is ca03.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Dynamic ARP Subblock
    Entry will be refreshed in 249 minutes and 3 seconds.
    It has 2 chances to be refreshed before it is purged.
    Entry is complete.
  * IP ARP Adjacency
    Adjacency (for 10.0.0.2 on GigabitEthernet0/0) was installed.
    Connection ID: 0

R1#

We see in the R1's ARP table entry with the R2 IP address. The next refresh attempt will be in 249 min, until then the entry will reside in the ARP table.
On switches we can block ARP traffic by MAC access list:
 
!
mac access-list extended BLOCK-ARP
 deny any any 0x0806 0x0
 permit any any 
!
int Fa1/0/11
mac access-group BLOCK-ARP in
!

Now, we check how Duplicate Address Detection works with ARP and the Gratuitous ARP role in the process.
I changed IP address on R2 and now both routers have the same IP (10.0.0.1). Once we change IP address, ARP protocol generates ARP Gratuitous reply. The interesting fact is the respond is sent for non-exist request. There are few reasons why the message is generated and one of them is detection of IP conflict.
 
R1#
*Apr 19 01:30:36.283: IP ARP: rcvd rep src 10.0.0.1 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0
*Apr 19 01:30:36.287: %IP-4-DUPADDR: Duplicate address 10.0.0.1 on GigabitEthernet0/0, sourced by ca03.0eb8.0008
R1#
*Apr 19 01:30:36.287: IP ARP: sent rep src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.1 ca02.0eb8.0008 GigabitEthernet0/0
*Apr 19 01:30:36.291: IP ARP: rcvd rep src 10.0.0.1 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0
*Apr 19 01:30:36.295: IP ARP: Gratuitous ARP throttled.
*Apr 19 01:30:36.295: IP ARP: 10.0.0.1 added to arp_defense_Q
*Apr 19 01:30:36.683: IP ARP: 10.0.0.1 removed from arp_defense_Q
*Apr 19 01:30:36.683: IP ARP: sent rep src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.1 ca02.0eb8.0008 GigabitEthernet0/0
*Apr 19 01:30:36.739: IP ARP: rcvd rep src 10.0.0.1 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0
R1#
*Apr 19 01:30:36.743: IP ARP: Gratuitous ARP throttled.
*Apr 19 01:30:36.743: IP ARP: 10.0.0.1 added to arp_defense_Q
*Apr 19 01:30:37.675: IP ARP: 10.0.0.1 removed from arp_defense_Q
*Apr 19 01:30:37.679: IP ARP: sent rep src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.1 ca02.0eb8.0008 GigabitEthernet0/0
R1#

Address Resolution Protocol (reply/gratuitous ARP):
 
Frame 4: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 19, 2014 01:34:11.982781000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1397864051.982781000 seconds
    [Time delta from previous captured frame: 0.010000000 seconds]
    [Time delta from previous displayed frame: 0.010000000 seconds]
    [Time since reference or first frame: 3.176000000 seconds]
    Frame Number: 4
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:arp]
Ethernet II, Src: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
        Address: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
Address Resolution Protocol (reply/gratuitous ARP)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    [Is gratuitous: True]
    Sender MAC address: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
    Sender IP address: 10.0.0.1 (10.0.0.1)
    Target MAC address: Broadcast (ff:ff:ff:ff:ff:ff)
    Target IP address: 10.0.0.1 (10.0.0.1)

Example of Duplicate IP addresses detection:
 
Frame 5: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 19, 2014 01:34:11.992781000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1397864051.992781000 seconds
    [Time delta from previous captured frame: 0.010000000 seconds]
    [Time delta from previous displayed frame: 0.010000000 seconds]
    [Time since reference or first frame: 3.186000000 seconds]
    Frame Number: 5
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:arp]
Ethernet II, Src: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        Address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
[Duplicate IP address detected for 10.0.0.1 (ca:02:0e:b8:00:08) - also in use by ca:03:0e:b8:00:08 (frame 4)]
    [Frame showing earlier use of IP address: 4]
        [Expert Info (Warn/Sequence): Duplicate IP address configured (10.0.0.1)]
            [Message: Duplicate IP address configured (10.0.0.1)]
            [Severity level: Warn]
            [Group: Sequence]
    [Seconds since earlier frame seen: 0]
Address Resolution Protocol (reply/gratuitous ARP)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    [Is gratuitous: True]
    Sender MAC address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Sender IP address: 10.0.0.1 (10.0.0.1)
    Target MAC address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Target IP address: 10.0.0.1 (10.0.0.1)

No comments:

Post a Comment