Dai Configuration; Dai Overview - Zte ZXR10 5900 Series User Manual

All gigabit-port intelligent routing switch
DAI Configuration

DAI Overview

ARP-based attacks are common on networks. The DHCP SNOOPING module on the switch implements the DAI (Dynamic ARP Inspection) function, but the basic function is limited.
Currently DAI only checks the ARP packets that the switch itself learns against the DHCP SNOOPING binding table; that is, it can only check layer 3 users.
If users of the switch are in the same VLAN, traffic between them is forwarded by the switch at layer 2, not layer 3. The switch does not need to learn the ARP packets of these users, so no security check is applied to them. This is a serious security hole that allows a man-in-the-middle attack, as shown in Figure 39.

Figure 39: Man-in-the-middle attack
A, B and C are in the same broadcast domain, that is, the same network segment. When A and B communicate with each other, ARP packets are sent first, and C can learn them. To act as man-in-the-middle for malicious sniffing, C only needs to send a gratuitous ARP to A announcing that the MAC address corresponding to B's IP has been updated to C's MAC; traffic from A to B is then forwarded directly to C. By the same principle, traffic from B to A can be forwarded to C. After inspecting the packets, C rewrites the destination MAC address to the real MAC address of B or A and returns the packet to the switch. Traffic between A and B is still forwarded normally and nothing is noticed, so C completes the man-in-the-middle attack.
To close this hole, all ARP packets should be checked. Those that pass the check are forwarded by software; ARP packets that fail the check are discarded.
Based on this requirement, the following measures against common ARP attacks are added.
1. On an untrusted interface, DAI intercepts all ARP packets and sends them to the upper-layer software for checking.
2. The rate at which ARP packets are sent to the CPU is configurable.
3. When DHCP SNOOPING is enabled, the layer 2 correspondence of IP address, MAC address and port is checked. Packets from illegal users are discarded.
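The three measures above, worked through as a software model of the check. This is an added example written for this page, not ZTE's code, and it does not reproduce the ZXR10 command line; the MAC and IP addresses, the port names (ge1/1 to ge1/3 as access ports, ge1/24 as a trusted uplink), the binding table contents and the CPU rate of 15 frames per interval are assumptions constructed for the example.

```python
"""Software model of the DAI checks described above.

Added example, not ZTE's code and not the ZXR10 command line.  Every ARP
frame that arrives on an untrusted port is parsed and compared with a
DHCP SNOOPING-style binding table keyed by (VLAN, port); a frame whose
(sender MAC, sender IP) pair is not bound to that VLAN and port is
dropped.  A per-port budget models the configurable rate at which ARP
is punted to the CPU.  All MAC/IP addresses, port names, binding entries
and the rate value are constructed for this example.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(src_mac: str, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str,
              op: int = ARP_REPLY, dst_mac: str = BROADCAST) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (42 bytes)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)        # Ethernet / IPv4
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Return (opcode, sender MAC, sender IP), or None if not a valid ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28], frame[28:32]


@dataclass
class DaiInspector:
    # (vlan, port) -> {(mac, ip), ...} as learned by DHCP SNOOPING
    bindings: Dict[Tuple[int, str], Set[Tuple[bytes, bytes]]]
    trusted_ports: Set[str] = field(default_factory=set)
    cpu_rate: int = 15                     # ARP frames per port per interval (assumed)
    budget: Dict[str, int] = field(default_factory=dict)

    def inspect(self, vlan: int, port: str, frame: bytes) -> str:
        """Verdict for one frame: 'forward' or 'drop:<reason>'."""
        if port in self.trusted_ports:
            return "forward"               # trusted port: neither punted nor checked
        left = self.budget.get(port, self.cpu_rate)
        if left <= 0:
            return "drop:rate"             # CPU budget for this port is exhausted
        self.budget[port] = left - 1
        pkt = parse_arp(frame)
        if pkt is None:
            return "drop:malformed"
        _, sender_mac, sender_ip = pkt
        if (sender_mac, sender_ip) not in self.bindings.get((vlan, port), set()):
            return "drop:no-binding"       # IP/MAC pair not bound to this VLAN and port
        return "forward"

    def new_interval(self) -> None:
        """Refill every port's CPU budget at the start of a new rate interval."""
        self.budget.clear()


# Constructed topology: A, B, C in VLAN 10 on access ports; ge1/24 is the uplink.
A = ("aa:aa:aa:aa:aa:01", "10.0.0.1", "ge1/1")
B = ("bb:bb:bb:bb:bb:02", "10.0.0.2", "ge1/2")
C = ("cc:cc:cc:cc:cc:03", "10.0.0.3", "ge1/3")
VLAN = 10


def demo() -> Dict[str, object]:
    dai = DaiInspector(
        bindings={(VLAN, p): {(mac(m), ip(i))} for m, i, p in (A, B, C)},
        trusted_ports={"ge1/24"},
    )
    # Legitimate reply: B answers A from B's own port.
    legit = build_arp(B[0], B[0], B[1], A[0], A[1], ARP_REPLY, dst_mac=A[0])
    # The attack in the text: C sends a gratuitous ARP claiming B's IP is at C's MAC.
    spoof = build_arp(C[0], C[0], B[1], A[0], A[1], ARP_REPLY, dst_mac=A[0])
    # Any ARP arriving on the trusted uplink.
    uplink = build_arp("de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "10.0.0.254",
                       "00:00:00:00:00:00", A[1], ARP_REQUEST)
    # A floods requests faster than the CPU budget allows.
    request = build_arp(A[0], A[0], A[1], "00:00:00:00:00:00", B[1], ARP_REQUEST)
    flood = [dai.inspect(VLAN, A[2], request) for _ in range(dai.cpu_rate + 1)]
    return {
        "legit": dai.inspect(VLAN, B[2], legit),
        "spoof": dai.inspect(VLAN, C[2], spoof),
        "uplink": dai.inspect(VLAN, "ge1/24", uplink),
        "not_arp": dai.inspect(VLAN, C[2], bytes(64)),
        "flood": flood,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running the module prints one verdict per case. The gratuitous ARP from C is dropped because (C's MAC, B's IP) is not a binding on C's port, which is the check that closes the hole described above. The trusted uplink bypasses inspection entirely, so trust should only be granted to ports that cannot carry end-user traffic, and the per-port budget means a host flooding ARP exhausts only its own port's share of the CPU rate rather than starving the others.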
Confidential and Proprietary Information of ZTE CORPORATION
Chapter 17 Security Configuration
