Chapter 21. Dynamic ARP Inspection
Understanding ARP Spoofing Attacks
Understanding DAI
© Copyright Lenovo 2017
Address Resolution Protocol (ARP) provides IP communication within a Layer 2
broadcast domain by mapping an IP address to a MAC address. Network devices
maintain this mapping in a cache that they consult when forwarding packets to
other devices. If the ARP cache does not contain an entry for the destination device,
the host broadcasts an ARP request for that device's address and stores the
response in the cache.
ARP spoofing (also referred to as ARP cache poisoning) is one way to initiate
man-in-the-middle attacks. A malicious user could poison the ARP caches of
connected systems (hosts, switches, routers) by sending forged ARP responses and
could intercept traffic intended for other hosts on the LAN segment.
For example, in Figure 37, the attacker (Host C) can send an ARP Reply to Host A pretending to be Host B. As a result, Host A populates its ARP cache with a poisoned entry having IP address IB and MAC address MC. Host A will use the MAC address MC as the destination MAC address for traffic intended for Host B. Host C then intercepts that traffic. Because Host C knows the true MAC address associated with Host B, it forwards the intercepted traffic to that host by using the correct MAC address as the destination, keeping the appearance of regular behavior.
Figure 37. ARP Cache Poisoning
Dynamic ARP Inspection is a security feature that lets the switch intercept and examine all ARP request and response packets in a subnet, discarding those packets with invalid IP-to-MAC address bindings. This capability protects the network from man-in-the-middle attacks.
A switch on which ARP Inspection is configured does the following:
Intercepts all ARP requests and responses on untrusted ports.
Verifies that each of these intercepted packets has a valid IP/MAC/VLAN/port binding before updating the local ARP cache or before forwarding the packet to the appropriate destination.
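As an added example (not code from the Lenovo guide), the following Python models the check DAI performs: it parses raw ARP payloads and compares the sender IP/MAC against a binding table keyed by VLAN and port, dropping the forged reply of Figure 37 while forwarding Host B's genuine one. The binding table, addresses, VLAN and port numbers are constructed assumptions.

```python
import struct
from typing import Dict, Set, Tuple

# Constructed sample binding table (what DHCP snooping would hold): (vlan, ip) -> (mac, port).
# Hosts A, B, C and the addresses IA/IB/IC, MA/MB/MC mirror Figure 37; values are assumed.
IA, IB, IC = "10.0.0.1", "10.0.0.2", "10.0.0.3"
MA, MB, MC = "00:11:22:33:44:0a", "00:11:22:33:44:0b", "00:11:22:33:44:0c"
BINDINGS: Dict[Tuple[int, str], Tuple[str, int]] = {
    (10, IA): (MA, 1), (10, IB): (MB, 2), (10, IC): (MC, 3)}
TRUSTED: Set[int] = {24}  # uplink toward the router/DHCP server is a trusted port

def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP payload (RFC 826 field order)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(payload: bytes) -> dict:
    """Parse the ARP payload; reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": "request" if oper == 1 else "reply",
            "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}

def dai_inspect(vlan: int, port: int, payload: bytes) -> Tuple[str, str]:
    """Forward/drop decision for an ARP packet seen on (vlan, port): trusted ports
    bypass inspection; on untrusted ports the sender IP/MAC must match the binding."""
    if port in TRUSTED:
        return "forward", "trusted port"
    try:
        pkt = parse_arp(payload)
    except ValueError as e:
        return "drop", f"malformed: {e}"
    binding = BINDINGS.get((vlan, pkt["sender_ip"]))
    if binding is None:
        return "drop", "no binding for sender IP"
    mac, bound_port = binding
    if (mac, bound_port) != (pkt["sender_mac"], port):
        return "drop", "sender IP/MAC/port binding mismatch"
    return "forward", "binding ok"

if __name__ == "__main__":  # Figure 37: Host C on port 3 claims IB is at MC
    print(dai_inspect(10, 3, build_arp(2, MC, IB, MA, IA)), dai_inspect(10, 2, build_arp(2, MB, IB, MA, IA)))
```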