Using Dynamic ARP Inspection

Introduction

This document will define the operation of DAI or Dynamic ARP Inspection on the system. This document will also define how to configure the DAI feature and implement it in the network.

Document Number

ENG-010616

Applies To

This document applies to the DAI feature on all OLAN platforms. The DAI feature is applicable to releases 30.1 and above.

Document Revisions

Revision	Date	Notes
Revision A	Jan 2016	Initial Release of Document
Revision B	Aug 2025	Added DAI and DHCP trust states. Added DHCP Snooping checks and violation logging.

Dynamic ARP Inspection

Description

using-dynamic-arp-inspection-img0001

Dynamic ARP inspection provides protection from ARP Spoofing attacks and helps to ensure that the proper MAC / IP binding is maintained in the ARP tables. Dynamic ARP inspection ensures that all the ARP requests and responses are inspected to ensure they agree with the bindings given by DHCP or an ACL associated with the port.

As seen in the diagram above, ARP Spoofing occurs when a host uses a gratuitous ARP to bind its own MAC to an IP address that it wants to spoof. If accepted, the gratuitous ARP will cause all the devices on the subnet to update their ARP tables to send traffic to the hackers' MAC for traffic to the Spoofed IP. Typically, these are man in the middle of attacks and the hacker will intercept and then forward the traffic to the correct MAC for that IP binding so that the victim is not tipped off that their traffic is being diverted. This attack only works within layer 2 domains. Once the hacker has redirected traffic, he can then inspect, modify, or drop the user’s traffic on the subnet.

It should be noted that some devices use the gratuitous ARP to allow redundant computers or systems to dynamically take over in the event of a failure. This is true of the VGW, for example, and many voice switches.

using-dynamic-arp-inspection-img0002

Dynamic ARP Inspection works via two mechanisms. The first is DHCP snooping. DHCP snooping allows the system to maintain a database of DHCP entries with MAC to IP address bindings. This table is used to track the legitimate binding of MACs to IPs and ensure that all ARP entries agree with the bindings of DHCP. There is also an added benefit that the IP address binding and IP addresses associated with a port can be seen in the DHCP snooping database.

Dynamic ARP Inspection or DAI inspects all the ARP Responses and ensures that their binding matches that in the DHCP message exchange. If it does not match, the ARP response is dropped, ensuring that a man in the middle attack will fail and that the ARP table cannot be poisoned. Up to four bindings per MAC are supported.

The Tellabs OLAN system is a layer 2 switch and, generally speaking, is only aware of the Layer 2 MAC addresses. The addition of DAI and DHCP snooping adds the capability to learn and display the MAC to IP binding on a port. The DHCP lease time is also learned and can be displayed at the EMS in the switching display.

Dynamic ARP Inspection also uses ACLs to handle Static IP addresses and maintain those entries in the database.

DAI Configuration

DAI has a global enable that is required for the DAI feature to be enabled for use. The user must first configure this panel and define the desired behavior of the feature:

using-dynamic-arp-inspection-img0003

The following configurable attributes exist:

Admin State - Enable will turn on the DAI support, and Disable will turn off all DAI processing.
Logging Admin State - Defines whether to log the events occurring during DAI processing. Events will be logged when enabled.
Logging Type - Deny will log only denied/dropped ARPs. Permit will log only permitted ARPs. Both will log both permitted and denied ARPS. Typically, the user should ONLY log DENY ARPs unless debugging a situation. Logging ALL permitted ARPS can cause logging of hundreds of events per second.
Using Dynamic ARP Inspection - Ensures that the destination MAC of the Ethernet Header agrees with the target MAC in the ARP body of ARP responses and should typically be enabled.
Enable ARP IP Check - Ensures that the IP address is a valid IP address and will exclude all Multicast Addresses, all FFs or all zeroes. IP is checked in all ARP requests and responses and should typically be enabled.
Enable Source MAC Check - Verifies that the ARP header and body have the same source MAC address in both ARP requests and ARP responses and should typically be enabled.
Enable Source IP Protection - If desired, you can add source IP protection. If this feature is enabled, once the Source IP is bound, it will drop all packets that do not match the source IP to MAC binding learned from DHCP.

DAI is enabled on a per VLAN basis. For each VLAN which you wish DAI to be enforced, the VLAN Properties for that VLAN should have the Enable DAI attribute checked. The system will support 24 DAI VLANs per QOIU7.

using-dynamic-arp-inspection-img0004

In the port profile, there is also the option to disable DAI on specific ports. There may be special requirements in the users' network which are valid but violate the DAI rules. The user can configure a port to be a trusted port with no ARP checks to be performed for that port. It is rare that this will be needed. One typical use case is if the device does not use IPv4 and either uses IPv6 or an Ethertype different from IPv4. Some discovery protocols and special-purpose protocols use proprietary non-IP packets and therefore no IP to MAC binding can be learned and no ARP or DHCP snooping can occur.

The default setting is for the port to be untrusted and if DAI is enabled, the checks will be performed.

using-dynamic-arp-inspection-img0005

The behavior of each port with respect to DAI is configured within the port profile via two attributes:

DAI Trust state
DHCP trust state.

DAI Trust State

Trusted: No DAI ARP checks are performed on the port and ARPs are forwarded without inspection. Static IPs MUST be configured as trusted.
Untrusted: Configured DAI ARP checks are performed on the port and all ARPs are inspected.

DHCP Trust State

Trusted: Trusted ports are allowed to send DHCP server messages (i.e. assign IP addresses).
Untrusted: Port is not allowed to send DHCP server messages and can assign IPs. This prevents switches with DHCP servers, modems or other devices from assigning IP addresses. This can often lead to devices not being able to access the network since the addresses were not assigned by sanctioned DHCP servers. Server messages from untrusted ports are discarded, but the port is not blocked.

DHCP Snooping Checks

When DAI is enabled on a VLAN, DHCP snooping checks will be performed on that VLAN. The following checks are performed:

chaddr check: Packets are dropped when the chaddr in the message doesn't agree with the mac in the message header.
Decline/Release check: When DHCP clients send release messages or decline messages to IPs that were not granted by the server, these are discarded.
client Discover / Offer with Relay agent set to 0.0.0.0: Client Messages that have the relay agent IP of 0.0.0.0 are discarded.
untrusted port sending option 82: When an untrusted port sends DHCP messages with an option 82 message in it, the message is discarded. This should only be inserted by the relay agent.

Syslogging of DHCP Violations

DHCP Violations will be logged to syslog with the message type of: DHCPSVRINVALID. The DHCPServer IP MAC and Port ID are logged.

chaddr - check failures will be logged with DHCPMACINVALID syslog mesages.
Decline/Release - checks will be logged with DHCPINVALIDRELEASE messages.
client messages - checks with invalid relay agent IP are logged with DHCPINVALIDRELAY messages.
untrusted ports - sending option 82 will be logged with DHCPOPT82INVALID messages.

Static IP Addresses

DAI depends on learning of MAC to IP binding via snooping of DHCP message exchanges. Some devices have static IP addresses and therefore are never going to send DHCP messages. This section addresses how to handle Static IP addresses.

Static IPs can be handled in one of several ways:

Static IPs must be trusted - Static IPs must be set to DAI trusted ports in the port profile. This prevents them from being blocked by DAI. This is critical for the operation of Static IPs when DAI is enabled.
Static IP Auto Learning - The DAI agent can learn the IP and MAC from a Static IP when it ARPs. This is allowed if the IP in use has no learned binding. The binding will be added to the table. Static IP will be learned automatically, but in highly secure environments this may not be acceptable.
Static IP blocking when in the DHCP range - When the system detects that a static IP is in the DHCP range by seeing a DHCP address granted that is the same as a previously detected Static IP, it will block the port with the static IP, alarm it and allow the DHCP granted port to use the assigned IP address.
Sticky MAC ACL Entry - The port can be set up for a Sticky MAC ACL, allowing the MAC to be learned and then bound to the port. If deployed with a Max MAC of 1, this would ensure only that a MAC was present. Also, an IP address filter could be added as well if needed.

Sticky MAC ACL:

using-dynamic-arp-inspection-img0006

MAC with bound IP:

using-dynamic-arp-inspection-img0007

DAI Scope

DAI scope is per QOIU/OIU card. This maps well to the number of ports on a PON card.

DAI Statistics

The system supports statistics on the DAI Interface that are used to understand the number of packets that have been processed or acted on by DAI.

using-dynamic-arp-inspection-img0008

The user first enters the VLAN ID to retrieve the statistics, then presses the Locate button to retrieve the statistics for that VLAN. The following statistics are displayed:

ARPs Forwarded - The number of ARPs that were forwarded by the DAI process for that VLAN.
ARPS Dropped - The number of ARPS that were deemed to be incorrectly formatted and were dropped.
ARPS Permitted (DHCP) - The number of ARPs that were deemed good and had a DHCP binding.
ARPS Permitted (ACL) - ARPs permitted because a valid ARP ACL was found.
ARPS Denied Invalid Binding - ARPs dropped because no binding was found in the DHCP binding database or the ARP ACL list for this VLAN.
ARPS Denied Source MAC Mismatch - ARPs that were dropped because the Source MAC in the message header and the body did not agree.
ARPs Denied Destination MAC Mismatch - The destination MAC in the message header and body did not agree.
ARPS Denied Invalid IP - ARPs that were dropped because the IP was invalid (was a multicast IP, all zeroes or all FF).
Dropped IP Source Protection - Packets that were dropped because the IP Source (and source MAC) in the packet didn’t match the binding.

DHCP Snooping Statistics

DHCP snooping statistics are currently only supported at the CLI and can be seen using the command:
ne dhcpsnoopinginspection show

The following counters are displayed:

Forwarded: The number of DHCP packets forwarded.
Server Forwarded from Trusted: Essentially the count of DHCP server messages.
Client Forward to Trusted: Valid Client messages forwarded.
Server Drop Rcvd on Untrusted: Server messages discarded due to port being untrusted.
Server Drop Unauth:
Server Drop Gateway IP on Untrusted port: The gateway IP appeared on an untrusted port and was discarded.
Client drop Untrusted Option 82: Discarded DHCP messages with option 82 on an untrusted port.
Client drop invalid DHCP release: count of DHCP messages droopped due to invalid release messages.
Client drop mac check failure: count of DHCP messages dropped on client ports with a MAC violation.
Maxbind limit failure: DHCP was dropped due to exceeding the maximum allowed bindings per MAC.
Client drop invalid relay agent ip: count of DHCP messages dropped due to invalid Relay agent IP.