
L2 security – Address Resolution Protocol (ARP).

I would like to take a closer look at the ARP protocol: how it works and what security methods we can use to control ARP packets.


       /----\                  /----\ 
      |  R1  |----------------|  R2  |
       \----/\                /\----/ 
            Gig0/0       Gig0/0
            10.0.0.1   10.0.0.2     


Let’s check what we see in the ARP table:
 
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   ca02.0eb8.0008  ARPA   GigabitEthernet0/0
R1#sh arp detail
ARP entry for 10.0.0.1, link type IP.
  Interface, via GigabitEthernet0/0, last updated 69 minutes ago.
  Encap type is ARPA, hardware address is ca02.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock

R1#

R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.2                -   ca03.0eb8.0008  ARPA   GigabitEthernet0/0
R2#sh arp detail
ARP entry for 10.0.0.2, link type IP.
  Interface, via GigabitEthernet0/0, last updated 5 minutes ago.
  Encap type is ARPA, hardware address is ca03.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock

R2#

If we don't send any traffic, the routers have no dynamic ARP entries in their ARP tables. Once we initiate traffic, ARP probes the neighboring host. Now we send a ping from R1 to R2 and check the ARP tables again:
 
R1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:

*Apr 19 01:02:14.835: IP ARP: creating incomplete entry for IP address: 10.0.0.2 interface GigabitEthernet0/0
*Apr 19 01:02:14.839: IP ARP: sent req src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.2 0000.0000.0000 GigabitEthernet0/0
*Apr 19 01:02:14.871: IP ARP: rcvd rep src 10.0.0.2 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/42/48 ms
R1#

On R2 we can see R1's request:
 
R2#
*Apr 19 01:02:14.775: IP ARP: rcvd req src 10.0.0.1 ca02.0eb8.0008, dst 10.0.0.2 GigabitEthernet0/0
*Apr 19 01:02:14.779: IP ARP: creating entry for IP address: 10.0.0.1, hw: ca02.0eb8.0008
*Apr 19 01:02:14.783: IP ARP: sent rep src 10.0.0.2 ca03.0eb8.0008,
                 dst 10.0.0.1 ca02.0eb8.0008 GigabitEthernet0/0
R2#

The request captured by Wireshark:
 
Frame 3: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 19, 2014 01:16:50.453967000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1397863010.453967000 seconds
    [Time delta from previous captured frame: 0.613754000 seconds]
    [Time delta from previous displayed frame: 0.613754000 seconds]
    [Time since reference or first frame: 1.685325000 seconds]
    Frame Number: 3
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:arp]
Ethernet II, Src: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        Address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Sender IP address: 10.0.0.1 (10.0.0.1)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 10.0.0.2 (10.0.0.2)

As we can see, the request is sent as a broadcast, and the EtherType for ARP is 0x0806.
The reply captured by Wireshark:
 
Frame 4: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 19, 2014 01:16:50.483955000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1397863010.483955000 seconds
    [Time delta from previous captured frame: 0.029988000 seconds]
    [Time delta from previous displayed frame: 0.029988000 seconds]
    [Time since reference or first frame: 1.715313000 seconds]
    Frame Number: 4
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:arp]
Ethernet II, Src: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08), Dst: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Destination: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        Address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
        Address: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
Address Resolution Protocol (reply)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    Sender MAC address: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
    Sender IP address: 10.0.0.2 (10.0.0.2)
    Target MAC address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Target IP address: 10.0.0.1 (10.0.0.1)

Let’s check ARP tables once again:
 
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   ca02.0eb8.0008  ARPA   GigabitEthernet0/0
Internet  10.0.0.2                1   ca03.0eb8.0008  ARPA   GigabitEthernet0/0
R1#sh arp detail
ARP entry for 10.0.0.1, link type IP.
  Interface, via GigabitEthernet0/0, last updated 79 minutes ago.
  Encap type is ARPA, hardware address is ca02.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock
ARP entry for 10.0.0.2, link type IP.
  Dynamic, via GigabitEthernet0/0, last updated 1 minute ago.
  Encap type is ARPA, hardware address is ca03.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Dynamic ARP Subblock
    Entry will be refreshed in 240 minutes and 29 seconds.
    It has 2 chances to be refreshed before it is purged.
    Entry is complete.
  * IP ARP Adjacency
    Adjacency (for 10.0.0.2 on GigabitEthernet0/0) was installed.
    Connection ID: 0


R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                2   ca02.0eb8.0008  ARPA   GigabitEthernet0/0
Internet  10.0.0.2                -   ca03.0eb8.0008  ARPA   GigabitEthernet0/0
R2#sh arp detail
ARP entry for 10.0.0.1, link type IP.
  Dynamic, via GigabitEthernet0/0, last updated 2 minutes ago.
  Encap type is ARPA, hardware address is ca02.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Dynamic ARP Subblock
    Entry will be refreshed in 249 minutes and 32 seconds.
    It has 2 chances to be refreshed before it is purged.
    Entry is complete.
  * IP ARP Adjacency
    Adjacency (for 10.0.0.1 on GigabitEthernet0/0) was installed.
    Connection ID: 0
ARP entry for 10.0.0.2, link type IP.
  Interface, via GigabitEthernet0/0, last updated 14 minutes ago.
  Encap type is ARPA, hardware address is ca03.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock

R2#
 
After clearing the ARP entry for 10.0.0.2 on R1, R1 checks whether R2 is still reachable:
 
R1#clear ip arp 10.0.0.2
R1#
*Apr 19 01:05:41.123: IP ARP: sent req src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.2 ca03.0eb8.0008 GigabitEthernet0/0
*Apr 19 01:05:41.163: IP ARP: rcvd rep src 10.0.0.2 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0
*Apr 19 01:05:41.167: IP ARP: creating entry for IP address: 10.0.0.2, hw: ca03.0eb8.0008
R1#
 
Let's shut down the port on R2 and check R1's ARP table:
 
R1#sh arp detail
ARP entry for 10.0.0.1, link type IP.
  Interface, via GigabitEthernet0/0, last updated 84 minutes ago.
  Encap type is ARPA, hardware address is ca02.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Interface ARP Subblock
ARP entry for 10.0.0.2, link type IP.
  Dynamic, via GigabitEthernet0/0, last updated 3 minutes ago.
  Encap type is ARPA, hardware address is ca03.0eb8.0008, 6 bytes long.
  ARP subblocks:
  * Dynamic ARP Subblock
    Entry will be refreshed in 249 minutes and 3 seconds.
    It has 2 chances to be refreshed before it is purged.
    Entry is complete.
  * IP ARP Adjacency
    Adjacency (for 10.0.0.2 on GigabitEthernet0/0) was installed.
    Connection ID: 0

R1#

R1's ARP table still holds the entry for R2's IP address. The next refresh attempt is in 249 min, and until then the entry remains in the ARP table.
On switches we can block ARP traffic on a port with a MAC access list matching EtherType 0x0806:
 
!
mac access-list extended BLOCK-ARP
 deny any any 0x0806 0x0
 permit any any 
!
int Fa1/0/11
mac access-group BLOCK-ARP in
!

Now we check how duplicate address detection works with ARP and what role gratuitous ARP plays in the process.
I changed the IP address on R2, so both routers now have the same IP (10.0.0.1). When an IP address is changed, ARP generates a gratuitous ARP reply. The interesting point is that this reply is sent without any preceding request. There are a few reasons why the message is generated, and one of them is the detection of IP address conflicts.
 
R1#
*Apr 19 01:30:36.283: IP ARP: rcvd rep src 10.0.0.1 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0
*Apr 19 01:30:36.287: %IP-4-DUPADDR: Duplicate address 10.0.0.1 on GigabitEthernet0/0, sourced by ca03.0eb8.0008
R1#
*Apr 19 01:30:36.287: IP ARP: sent rep src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.1 ca02.0eb8.0008 GigabitEthernet0/0
*Apr 19 01:30:36.291: IP ARP: rcvd rep src 10.0.0.1 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0
*Apr 19 01:30:36.295: IP ARP: Gratuitous ARP throttled.
*Apr 19 01:30:36.295: IP ARP: 10.0.0.1 added to arp_defense_Q
*Apr 19 01:30:36.683: IP ARP: 10.0.0.1 removed from arp_defense_Q
*Apr 19 01:30:36.683: IP ARP: sent rep src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.1 ca02.0eb8.0008 GigabitEthernet0/0
*Apr 19 01:30:36.739: IP ARP: rcvd rep src 10.0.0.1 ca03.0eb8.0008, dst 10.0.0.1 GigabitEthernet0/0
R1#
*Apr 19 01:30:36.743: IP ARP: Gratuitous ARP throttled.
*Apr 19 01:30:36.743: IP ARP: 10.0.0.1 added to arp_defense_Q
*Apr 19 01:30:37.675: IP ARP: 10.0.0.1 removed from arp_defense_Q
*Apr 19 01:30:37.679: IP ARP: sent rep src 10.0.0.1 ca02.0eb8.0008,
                 dst 10.0.0.1 ca02.0eb8.0008 GigabitEthernet0/0
R1#

Address Resolution Protocol (reply/gratuitous ARP):
 
Frame 4: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 19, 2014 01:34:11.982781000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1397864051.982781000 seconds
    [Time delta from previous captured frame: 0.010000000 seconds]
    [Time delta from previous displayed frame: 0.010000000 seconds]
    [Time since reference or first frame: 3.176000000 seconds]
    Frame Number: 4
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:arp]
Ethernet II, Src: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
        Address: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
Address Resolution Protocol (reply/gratuitous ARP)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    [Is gratuitous: True]
    Sender MAC address: ca:03:0e:b8:00:08 (ca:03:0e:b8:00:08)
    Sender IP address: 10.0.0.1 (10.0.0.1)
    Target MAC address: Broadcast (ff:ff:ff:ff:ff:ff)
    Target IP address: 10.0.0.1 (10.0.0.1)

Example of duplicate IP address detection (Wireshark flags the conflict between frames 4 and 5):
 
Frame 5: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 19, 2014 01:34:11.992781000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1397864051.992781000 seconds
    [Time delta from previous captured frame: 0.010000000 seconds]
    [Time delta from previous displayed frame: 0.010000000 seconds]
    [Time since reference or first frame: 3.186000000 seconds]
    Frame Number: 5
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:arp]
Ethernet II, Src: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        Address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: ARP (0x0806)
    Padding: 000000000000000000000000000000000000
[Duplicate IP address detected for 10.0.0.1 (ca:02:0e:b8:00:08) - also in use by ca:03:0e:b8:00:08 (frame 4)]
    [Frame showing earlier use of IP address: 4]
        [Expert Info (Warn/Sequence): Duplicate IP address configured (10.0.0.1)]
            [Message: Duplicate IP address configured (10.0.0.1)]
            [Severity level: Warn]
            [Group: Sequence]
    [Seconds since earlier frame seen: 0]
Address Resolution Protocol (reply/gratuitous ARP)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    [Is gratuitous: True]
    Sender MAC address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Sender IP address: 10.0.0.1 (10.0.0.1)
    Target MAC address: ca:02:0e:b8:00:08 (ca:02:0e:b8:00:08)
    Target IP address: 10.0.0.1 (10.0.0.1)
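To make the request/reply fields shown in the captures and the duplicate-address warning concrete, here is an added Python example (not code from the original post): it decodes Ethernet/ARP frames into the same fields the Wireshark dissector lists, marks a frame as gratuitous when sender and target IP match, and raises an alert when a second MAC claims an IP already bound to another MAC, the same condition the router reported as %IP-4-DUPADDR. The frames are constructed from the addresses in the captures above; R1_MAC, R2_MAC, build_arp and ArpMonitor are names chosen for this example.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6
R1_MAC = bytes.fromhex("ca020eb80008")     # ca02.0eb8.0008 in the captures above
R2_MAC = bytes.fromhex("ca030eb80008")     # ca03.0eb8.0008

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(op, sha, spa, tha, tpa, dst):
    """Constructed test frame: Ethernet II + ARP, padded to the 60-byte minimum like Frames 3/4."""
    eth = ETH_HDR.pack(dst, sha, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return (eth + arp).ljust(60, b"\x00")

def parse_arp(frame):
    """Decode an Ethernet/ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    # Wireshark's "[Is gratuitous: True]": sender and target IP are the same address.
    return {"op": op, "sha": fmt_mac(sha), "spa": socket.inet_ntoa(spa), "tha": fmt_mac(tha),
            "tpa": socket.inet_ntoa(tpa), "broadcast": dst == BROADCAST, "gratuitous": spa == tpa}

class ArpMonitor:
    """Learn IP -> sender-MAC bindings and flag a second MAC claiming an IP already seen."""
    def __init__(self):
        self.bindings, self.alerts = {}, []   # IP -> set of sender MACs; alert strings

    def feed(self, frame):
        a = parse_arp(frame)
        if a is None or a["spa"] == "0.0.0.0":   # ignore non-ARP frames and RFC 5227 probes
            return a
        seen = self.bindings.setdefault(a["spa"], set())
        if seen and a["sha"] not in seen:        # same wording as the router's %IP-4-DUPADDR log
            self.alerts.append(f"Duplicate address {a['spa']} sourced by {a['sha']}, "
                               f"also in use by {', '.join(sorted(seen))}")
        seen.add(a["sha"])
        return a

FRAMES = [  # constructed replay of the exchanges above
    build_arp(1, R1_MAC, "10.0.0.1", ZERO_MAC, "10.0.0.2", BROADCAST),   # Frame 3: R1 asks for 10.0.0.2
    build_arp(2, R2_MAC, "10.0.0.2", R1_MAC, "10.0.0.1", R1_MAC),        # Frame 4: R2 replies unicast
    build_arp(2, R2_MAC, "10.0.0.1", BROADCAST, "10.0.0.1", BROADCAST),  # gratuitous: R2 now claims 10.0.0.1
    build_arp(2, R1_MAC, "10.0.0.1", R1_MAC, "10.0.0.1", BROADCAST),     # R1 answers for its own address
]
```

Feeding FRAMES through ArpMonitor().feed() one by one produces exactly one alert, on the third frame, where ca:03:0e:b8:00:08 claims 10.0.0.1 after it was already learned from ca:02:0e:b8:00:08.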
