Forwarding Plane Security – Layer 3 Security

Created: Mar 31, 2017 15:28:01   Latest reply: Apr 2, 2018 16:05:28

On Layer 2 networks, S series switches take measures such as MAC address table protection and broadcast storm suppression. On Layer 3 networks, data forwarding is directed by the routing table and the ARP table.

- The routing entries are generated by exchanging routing protocol packets between switches. Users do not intervene in routing entry generation, so it is difficult to attack the routing table.

- ARP entries are generated by exchanging protocol packets between user hosts and switches. Therefore, the ARP table is prone to attacks.

ARP table security is therefore the key to Layer 3 network security. Another type of Layer 3 network attack is unauthorized users forging IP addresses. This article describes how to ensure Layer 3 network security by protecting the ARP table and preventing IP address spoofing.

1.1 How to Protect ARP Table Security

ARP entries are classified into dynamic and static entries. Static ARP entries are configured manually, so they have no security risk. Dynamic ARP entries are generated through dynamic ARP learning, and the learning process can be attacked. The following table lists the possible attacks targeting each stage of ARP learning and the corresponding defense methods.

Table 1-1 ARP learning analysis

Stage 1: An interface on the switch receives an ARP packet and sends the packet to the CPU.
  Possible attack: Send a large number of ARP packets to the switch, so that the switch cannot send the ARP packets of authorized users to the CPU.
  Defense method: Ensure that the ARP packets of authorized users can be sent to the CPU.

Stage 2: The switch checks whether an ARP entry matching the source IP address of the ARP packet exists in the ARP table. If a matching entry exists, the switch updates it. Otherwise, the switch adds a new entry to the ARP table.
  Possible attack: Send a fake ARP packet to tamper with a correct ARP entry.
  Defense method: Ensure the correctness of ARP entries.

Stage 3: The switch checks whether ARP table resources are sufficient. If they are, the switch adds the new ARP entry. Otherwise, the switch does not add it.
  Possible attack: Send a large number of packets with varying source IP or MAC addresses to consume ARP resources.
  Defense method: Ensure that the ARP entries of authorized users can be successfully generated.

The following sections describe how the S series switches defend against ARP attacks.

1.1.1 Ensure That the ARP Packets of Authorized Users Can Be Sent to the CPU

To protect the CPU, the switch uses CPCAR to limit the rate of each type of protocol packet sent to the CPU; packets exceeding the CPCAR are dropped. If an unauthorized user sends a large number of ARP packets, the ARP packets of authorized users cannot be sent to the CPU, so no ARP entries can be generated for the authorized users. The S series switches provide the following methods to address this problem.

* Limit the rate of ARP packets

S series switches support ARP rate limiting in different dimensions.

Table 1-2 Rate limiting on ARP packets

Dimension: Based on source MAC address
  Implementation: The switch collects statistics on the ARP packets destined for the CPU per source MAC address. If the number of ARP packets from one MAC address per second exceeds the threshold, the switch drops the excess ARP packets. The rate can be limited for any source MAC address or for a specific source MAC address.

Dimension: Based on source IP address
  Implementation: The switch collects statistics on the ARP packets destined for the CPU per source IP address. If the number of ARP packets from one IP address per second exceeds the threshold, the switch drops the excess ARP packets. The rate can be limited for any source IP address or for a specific source IP address.

Dimension: Based on VLAN or interface, or global
  Implementation: Limit the number of ARP packets from a VLAN or an interface, or the number of ARP packets globally. If the number of ARP packets received per second exceeds the limit, the switch drops the excess ARP packets.

The configuration is as follows:

- Limit the ARP packet rate based on source MAC address.

[HUAWEI] arp speed-limit source-mac maximum 10   //Set the maximum number of ARP packets that can pass from any MAC address to 10.

- Limit the ARP packet rate based on source IP address.

[HUAWEI] arp speed-limit source-ip maximum 10   //Set the maximum number of ARP packets that can pass from any IP address to 10.

- Limit the ARP packet rate globally.

[HUAWEI] arp anti-attack rate-limit enable   //Enable ARP rate limiting.

[HUAWEI] arp anti-attack rate-limit packet 200 interval 10   //Set the maximum number of ARP packets that can be sent to the CPU within 10s to 200. The excess packets are dropped.

- Limit the ARP packet rate based on VLAN.

[HUAWEI-vlan3] arp anti-attack rate-limit enable   //Enable ARP rate limiting.

[HUAWEI-vlan3] arp anti-attack rate-limit packet 200 interval 10   //Set the maximum number of ARP packets that can be sent from VLAN 3 to the CPU within 10s to 200. The excess packets are dropped.

- Limit the ARP packet rate based on interface.

[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable   //Enable ARP rate limiting.

[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10   //Set the maximum number of ARP packets that can be sent from GE0/0/1 to the CPU within 10s to 200. The excess packets are dropped.
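To make the semantics of these limits concrete, here is an added Python model (not Huawei code) of the per-MAC, per-IP, per-VLAN and global rate limits above, run over constructed traffic in which one host floods 50 ARP/s while an authorized user sends 2 ARP/s. The sliding-window counting and the choice to count only packets that reach the CPU are assumptions of this model.

```python
from collections import defaultdict, deque


class ArpRateLimiter:
    """Models the page's ARP rate-limit commands: 'arp speed-limit source-mac/
    source-ip maximum N' (N packets per second per source) and 'arp anti-attack
    rate-limit packet P interval I' (P packets per I seconds, globally or per
    VLAN). Sliding-window counting of accepted packets is this example's
    assumption, not a description of the switch hardware."""

    def __init__(self, per_mac=None, per_ip=None, global_limit=None, vlan_limits=None):
        self.per_mac = per_mac                  # packets/s per source MAC, or None
        self.per_ip = per_ip                    # packets/s per source IP, or None
        self.global_limit = global_limit        # (packets, interval_s) or None
        self.vlan_limits = vlan_limits or {}    # vlan -> (packets, interval_s)
        self.windows = defaultdict(deque)       # key -> timestamps (ms) of accepted packets
        self.dropped = defaultdict(int)         # dimension -> number of dropped packets

    def _has_room(self, key, now_ms, limit, interval_ms):
        window = self.windows[key]
        while window and now_ms - window[0] >= interval_ms:
            window.popleft()                    # expire packets outside the interval
        return len(window) < limit

    def receive(self, now_ms, src_mac, src_ip, vlan):
        """Return True if the ARP packet may be sent to the CPU, else False."""
        checks = []
        if self.per_mac is not None:
            checks.append((("mac", src_mac), self.per_mac, 1000))
        if self.per_ip is not None:
            checks.append((("ip", src_ip), self.per_ip, 1000))
        if vlan in self.vlan_limits:
            packets, interval = self.vlan_limits[vlan]
            checks.append((("vlan", vlan), packets, interval * 1000))
        if self.global_limit is not None:
            packets, interval = self.global_limit
            checks.append((("global",), packets, interval * 1000))
        for key, limit, interval_ms in checks:
            if not self._has_room(key, now_ms, limit, interval_ms):
                self.dropped[key[0]] += 1
                return False
        for key, _, _ in checks:                # count only packets that reach the CPU
            self.windows[key].append(now_ms)
        return True


def simulate_arp_flood():
    """Constructed traffic: one host floods 50 ARP/s for 3 s while an authorized
    user sends 2 ARP/s in the same VLAN, against the limits configured above."""
    limiter = ArpRateLimiter(per_mac=10, per_ip=10, global_limit=(200, 10),
                             vlan_limits={3: (200, 10)})
    accepted = {"attacker": 0, "user": 0}
    for tick in range(30):                      # 100 ms ticks over 3 s
        now_ms = tick * 100
        for _ in range(5):                      # 5 packets per tick = 50/s
            if limiter.receive(now_ms, "00-aa-aa-aa-aa-aa", "10.1.1.100", 3):
                accepted["attacker"] += 1
        if tick % 5 == 0:                       # 2 packets per second
            if limiter.receive(now_ms, "00-bb-bb-bb-bb-bb", "10.1.1.2", 3):
                accepted["user"] += 1
    return accepted, dict(limiter.dropped)
```

The flooding host is held to 10 packets/s by the per-MAC limit (30 accepted of 150 sent), while every packet of the authorized user still reaches the CPU.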

* Limit the rate of ARP Miss messages

Why is ARP Miss rate limiting important? Let's see how ARP Miss messages are generated.

When a user host sends a large number of IP packets with unresolvable destination IP addresses to the device (the routing table contains routing entries matching the destination addresses, but the device has no ARP entries for the next-hop addresses of those routes), the device generates a large number of ARP Miss messages. The IP packets that trigger ARP Miss messages are sent to the CPU for processing. The device generates and delivers many temporary ARP entries according to the ARP Miss messages and sends a large number of ARP request packets to the destination network. This increases the CPU usage of the device.

Limiting the rate of ARP Miss messages reduces the CPU load, so that the ARP packets of authorized users can still be sent to the CPU for processing.

Configure ARP Miss rate limiting:

- Configure ARP Miss rate limiting based on source IP address.

[HUAWEI] arp-miss speed-limit source-ip maximum 60   //Set the maximum number of ARP Miss messages that can be processed by the switch from a source IP address to 60.

- Configure global rate limiting for ARP Miss messages (rate limiting can also be configured based on VLAN or interface).

[HUAWEI] arp-miss anti-attack rate-limit enable   //Enable ARP Miss rate limiting.

[HUAWEI] arp-miss anti-attack rate-limit packet 200 interval 10  //Set the maximum number of ARP Miss messages sent to the CPU within 10s to 200. The excess packets are dropped.

* Configure egress ARP inspection (EAI)

After receiving an ARP request packet, the device broadcasts the packet in the broadcast domain.

EAI aims to reduce the number of broadcast packets in a VLAN and so relieve the CPU workload. EAI looks up the outbound interface matching the destination IP address of an ARP request packet in the DHCP snooping table and forwards the ARP request packet through that outbound interface instead of broadcasting it. This reduces the number of ARP packets broadcast in the VLAN.

The EAI reduces the number of ARP packets processed by the gateway. In Figure 1-1, after EAI is enabled on a Layer 2 switch, the Layer 2 switch searches the DHCP snooping binding table before broadcasting the ARP request packet. If the outbound interface matching the destination IP address of an ARP packet is found, the ARP request packet is forwarded through the outbound interface. This reduces the number of ARP request packets received by the gateway.

Figure 1-1 EAI application (figure image not reproduced here)

Configure EAI as follows:

[L2switch] dhcp enable   //Enable DHCP globally.

[L2switch] dhcp snooping enable   //Enable DHCP Snooping globally.

[L2switch] vlan 10  

[L2switch-vlan10] dhcp snooping enable  

[L2switch-vlan10] dhcp snooping arp security enable  //Enable EAI.

1.1.2 Ensure the Correctness of ARP Entries

After an ARP packet is sent to the CPU, the switch searches for the ARP entry matching the source IP address in the ARP table. If a matching ARP entry is found, the switch updates the ARP entry. The attacker may send a fake ARP packet to tamper with the ARP entry. Then the packets of authorized users cannot be correctly forwarded. The S series switches provide different defense methods for different types of attacks.

* Defend against bogus gateway attacks

The attacker sends an ARP packet whose source IP address is the gateway address of the local subnet. The gateway address mappings on other user hosts are then tampered with: those hosts send the traffic destined for the gateway to the attacker and cannot access the network. In addition, the attacker receives the data sent by the user hosts, causing information disclosure.

As shown in Figure 1-2, the attacker poses as the gateway to notify user A that the MAC address is changed to 5-5-5. User A then sends the data destined for gateway (1-1-1) to the incorrect gateway address 5-5-5, causing a communication interruption. The MAC address 5-5-5 belongs to the attacker. So the attacker obtains the data from user A, causing information disclosure.

Figure 1-2 Bogus gateway attack (figure image not reproduced here)

S series switches provide the following methods to prevent bogus gateway attacks.

Table 1-3 Defense against bogus gateway attacks

Defense method: Gratuitous ARP packets
  Description: The gateway periodically sends gratuitous ARP packets that update the ARP entries of authorized user hosts, so that the correct gateway address mapping is recorded in their ARP entries.

Defense method: ARP gateway anti-collision
  Description: When a device receives an ARP packet whose source IP address is the same as the IP address of the VLANIF interface corresponding to the inbound interface, or whose source IP address is the inbound interface's virtual address but whose source MAC address is not the VRRP virtual MAC address, the device considers that the ARP packet conflicts with the gateway address. The device then generates an ARP attack defense entry and, for a period of time, drops the ARP packets received on this interface from the same VLAN and source MAC address.

Defense method: ARP gateway protection
  Description: Interfaces with gateway protection enabled receive and forward the ARP packets from the specified source IP address. Interfaces without gateway protection enabled drop the ARP packets from that source IP address.

The configuration is as follows:

- Configure the gateway to periodically send gratuitous ARP packets.

[Gateway] arp gratuitous-arp send enable   //Enable the sending of gratuitous ARP packets. The default sending interval is 30s.

- Configure ARP gateway anti-collision.

[Gateway] arp anti-attack gateway-duplicate enable

- Configure ARP gateway protection.

[L2switch] interface gigabitethernet 0/0/1

[L2switch-GigabitEthernet0/0/1] arp filter source 10.1.1.1   //The protected gateway address is 10.1.1.1.
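The following added Python model (not Huawei code) shows how the two checks from Table 1-3 decide on each ARP packet: gateway anti-collision on the gateway, and gateway protection on the access switch, using the Figure 1-2 addresses. The packet layout, the 180-second blocking period and the VRRP virtual IP/MAC are assumptions of this example.

```python
class GatewayArpDefense:
    """Models two defences from Table 1-3: ARP gateway anti-collision on the
    gateway ('arp anti-attack gateway-duplicate enable') and ARP gateway
    protection on access-switch interfaces ('arp filter source <ip>').
    Packet layout, the blocking period and the VRRP data are this example's
    assumptions."""

    def __init__(self, vlanif_ip, vrrp=None, block_seconds=180):
        self.vlanif_ip = vlanif_ip            # vlan -> IP of the VLANIF interface
        self.vrrp = vrrp or {}                # vlan -> (virtual IP, virtual MAC)
        self.block_seconds = block_seconds    # lifetime of a defense entry (assumed)
        self.defense_entries = {}             # (in_iface, vlan, src_mac) -> expiry time
        self.protected = {}                   # iface -> gateway IPs allowed via 'arp filter source'

    def protect(self, iface, gateway_ip):
        """Equivalent of 'arp filter source <gateway_ip>' on an access-switch interface."""
        self.protected.setdefault(iface, set()).add(gateway_ip)

    def _conflicts_with_gateway(self, pkt):
        vlan = pkt["vlan"]
        if pkt["src_ip"] == self.vlanif_ip.get(vlan):
            return True                       # someone claims the VLANIF address itself
        virtual = self.vrrp.get(vlan)
        if virtual and pkt["src_ip"] == virtual[0]:
            return pkt["src_mac"].lower() != virtual[1].lower()  # virtual IP, non-VRRP MAC
        return False

    def gateway_receive(self, now, pkt):
        """Anti-collision check on the gateway. Returns 'drop' or 'accept'."""
        key = (pkt["in_iface"], pkt["vlan"], pkt["src_mac"])
        expiry = self.defense_entries.get(key)
        if expiry is not None and now < expiry:
            return "drop"                     # this VLAN + source MAC is still blocked here
        if self._conflicts_with_gateway(pkt):
            self.defense_entries[key] = now + self.block_seconds
            return "drop"
        return "accept"

    def access_switch_receive(self, pkt):
        """Gateway protection on the access switch: ARP from a protected gateway IP
        is accepted only on interfaces that have 'arp filter source' for that IP."""
        protected_anywhere = set().union(*self.protected.values()) if self.protected else set()
        if pkt["src_ip"] in protected_anywhere:
            if pkt["src_ip"] not in self.protected.get(pkt["in_iface"], set()):
                return "drop"
        return "accept"


def demo_gateway_defense():
    """Constructed scenario from Figure 1-2: the real gateway 10.1.1.1 (MAC 1-1-1)
    is behind GE0/0/1; the attacker (MAC 5-5-5) on GE0/0/2 claims 10.1.1.1."""
    d = GatewayArpDefense(vlanif_ip={10: "10.1.1.1"},
                          vrrp={10: ("10.1.1.254", "00-00-5e-00-01-01")})
    d.protect("GE0/0/1", "10.1.1.1")
    real = {"src_ip": "10.1.1.1", "src_mac": "1-1-1", "vlan": 10, "in_iface": "GE0/0/1"}
    bogus = {"src_ip": "10.1.1.1", "src_mac": "5-5-5", "vlan": 10, "in_iface": "GE0/0/2"}
    vrrp_ok = {"src_ip": "10.1.1.254", "src_mac": "00-00-5E-00-01-01", "vlan": 10, "in_iface": "GE0/0/3"}
    return {
        "access_real": d.access_switch_receive(real),
        "access_bogus": d.access_switch_receive(bogus),
        "gw_bogus": d.gateway_receive(0, bogus),
        "gw_same_mac_other_ip": d.gateway_receive(5, dict(bogus, src_ip="10.1.1.77")),
        "gw_after_block_expires": d.gateway_receive(200, dict(bogus, src_ip="10.1.1.77")),
        "gw_vrrp_virtual_mac": d.gateway_receive(0, vrrp_ok),
    }
```

Note that once a defense entry exists, the gateway drops every ARP packet from that VLAN and MAC on that interface during the blocking period, not only those that repeat the gateway address.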

* Defend against bogus user attacks

As shown in Figure 1-3, the attacker forges an ARP packet as an authorized user to tamper with user A's ARP entry on the gateway. When user B forwards data to user A through the gateway, an incorrect ARP entry is found and user A cannot receive data from user B.

Figure 1-3 Bogus user attack (figure image not reproduced here)

S series switches provide the following methods to prevent bogus user attacks.

Table 1-4 Defense against bogus user attacks

Defense method: Fixed ARP
  Description: Fixed ARP can be implemented in the following modes:
    fixed-mac: When receiving an ARP packet, the switch drops the packet if the MAC address does not match the MAC address in the corresponding ARP entry.
    fixed-all: When receiving an ARP packet, the switch drops the packet if the MAC address, interface number, or VLAN ID does not match an entry in the ARP table.
    send-ack: After a device receives an ARP packet that would modify the MAC address, VLAN, or interface information of an entry, it sends an ARP request packet. If no response is received, the device drops the packet.

Defense method: DAI
  Description: The device checks the IP address, MAC address, VLAN, and interface information in the ARP packet against the DHCP snooping entries. If no matching entry is found, the device drops the packet.

The configuration is as follows:

- Configure fixed ARP globally or based on interface.

[Gateway] arp anti-attack entry-check fixed-mac enable   //Set the fixed ARP mode to fixed-mac.

- Configure DAI based on interface and VLAN.

[Gateway] vlan 10

[Gateway-vlan10] arp anti-attack check user-bind enable
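The three fixed ARP modes differ only in which changes to an existing entry they reject. The added Python model below (not Huawei code) applies each mode to the Figure 1-3 scenario, where the attacker re-announces user A's IP with its own MAC. The table layout, the return labels and the probe callback used to stand in for the send-ack verification request are assumptions of this example.

```python
class FixedArpTable:
    """Models the three fixed ARP modes from Table 1-4 ('arp anti-attack
    entry-check {fixed-mac|fixed-all|send-ack} enable') as they apply to an ARP
    packet that would modify an existing entry. Table layout and the probe
    callback used for send-ack are this example's assumptions."""

    MODES = ("fixed-mac", "fixed-all", "send-ack")

    def __init__(self, mode, probe=None):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode = mode
        self.probe = probe       # send-ack: callable(ip, mac) -> True if the host answered
        self.entries = {}        # ip -> {"mac", "iface", "vlan"}

    def learn(self, ip, mac, iface, vlan):
        """Process an ARP packet; returns what happened to the entry for ip."""
        new = {"mac": mac, "iface": iface, "vlan": vlan}
        old = self.entries.get(ip)
        if old is None:
            self.entries[ip] = new
            return "learned"      # fixed ARP only guards modification of existing entries
        if old == new:
            return "refreshed"
        if self.mode == "fixed-mac":
            if old["mac"] != mac:
                return "dropped"  # MAC differs from the recorded one
            self.entries[ip] = new
            return "updated"      # interface or VLAN may still change
        if self.mode == "fixed-all":
            return "dropped"      # MAC, interface or VLAN differs
        # send-ack: confirm the change with an ARP request before updating the entry.
        # Which MAC the request is unicast to is an assumption of this model.
        if self.probe is not None and self.probe(ip, mac):
            self.entries[ip] = new
            return "updated"
        return "dropped"


def demo_fixed_arp():
    """Constructed scenario from Figure 1-3: user A is 10.1.1.2 / MAC 2-2-2 on
    GE0/0/2 in VLAN 10; the attacker re-announces 10.1.1.2 with MAC 5-5-5."""
    results = {}
    for mode in ("fixed-mac", "fixed-all"):
        table = FixedArpTable(mode)
        table.learn("10.1.1.2", "2-2-2", "GE0/0/2", 10)
        results[mode, "mac-change"] = table.learn("10.1.1.2", "5-5-5", "GE0/0/5", 10)
        results[mode, "port-move"] = table.learn("10.1.1.2", "2-2-2", "GE0/0/3", 10)
        results[mode, "mac-kept"] = table.entries["10.1.1.2"]["mac"]
    responders = {("10.1.1.2", "2-2-2")}   # only the real host answers the verification request
    table = FixedArpTable("send-ack", probe=lambda ip, mac: (ip, mac) in responders)
    table.learn("10.1.1.2", "2-2-2", "GE0/0/2", 10)
    results["send-ack", "mac-change"] = table.learn("10.1.1.2", "5-5-5", "GE0/0/5", 10)
    results["send-ack", "port-move"] = table.learn("10.1.1.2", "2-2-2", "GE0/0/3", 10)
    return results
```

fixed-mac still lets a host move between ports, fixed-all rejects that move too, and send-ack accepts a change only when the verification request is answered.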

1.1.3 Ensure That the ARP Entries of Authorized Users Can Be Successfully Generated

A device has limited ARP entry resource. If the attacker initiates an ARP flood attack to exhaust ARP entry resource, the ARP entries of authorized users cannot be generated, causing a failure in packet forwarding.

S series switches provide the following methods to prevent ARP entry resource exhaustion.

Table 1-5 Defense against ARP entry resource exhaustion

Defense method: Limit the number of ARP entries that can be learned
  Description: When an attacker connected to an interface occupies excessive ARP entry resources, limit the number of ARP entries that the interface can learn to avoid ARP resource exhaustion. When the number of ARP entries learned by the interface reaches the limit, the interface cannot learn new ARP entries.

Defense method: Strict ARP learning
  Description: The device learns only from ARP Reply packets that respond to ARP Request packets sent by itself.

The configuration is as follows:

- Configure the ARP learning limit.

[HUAWEI] interface gigabitethernet 0/0/1

[HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20  //Configure GE0/0/1 to learn a maximum of 20 dynamic ARP entries in VLAN 10.

- Configure strict ARP learning.

[HUAWEI] arp learning strict  //Configure strict ARP learning.
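As an added illustration (not Huawei code) of the two defences in Table 1-5, the Python model below applies the page's limit of 20 entries for VLAN 10 on GE0/0/1 to a constructed flood of 25 source IPs, then shows strict learning accepting a reply only when the device itself had sent the request. The entry layout and the set used to remember outstanding requests are assumptions of this example.

```python
class ArpLearner:
    """Models 'arp-limit vlan <v> maximum <n>' (per interface and VLAN) and
    'arp learning strict' from Table 1-5. Entry layout and the 'pending' set
    that records requests sent by the device itself are this example's assumptions."""

    def __init__(self, strict=False):
        self.strict = strict
        self.limits = {}      # (iface, vlan) -> maximum dynamic entries
        self.entries = {}     # ip -> (mac, iface, vlan)
        self.pending = set()  # IPs this device has itself sent an ARP request for

    def set_limit(self, iface, vlan, maximum):
        self.limits[(iface, vlan)] = maximum

    def send_request(self, ip):
        self.pending.add(ip)

    def _count(self, iface, vlan):
        return sum(1 for _, i, v in self.entries.values() if (i, v) == (iface, vlan))

    def receive(self, pkt):
        """Process an ARP packet; returns what the learner did with it."""
        ip = pkt["src_ip"]
        if self.strict and not (pkt["op"] == "reply" and ip in self.pending):
            return "not-learned"    # strict: only replies to our own requests are learned
        if ip in self.entries:
            return "refreshed"
        limit = self.limits.get((pkt["iface"], pkt["vlan"]))
        if limit is not None and self._count(pkt["iface"], pkt["vlan"]) >= limit:
            return "limit-reached"  # this interface/VLAN has no room for a new entry
        self.entries[ip] = (pkt["src_mac"], pkt["iface"], pkt["vlan"])
        self.pending.discard(ip)
        return "learned"


def _arp(op, ip, iface="GE0/0/1", vlan=10):
    """Constructed ARP packet; the MAC is derived from the last octet for readability."""
    mac = "00-00-00-00-00-%02x" % int(ip.split(".")[-1])
    return {"op": op, "src_ip": ip, "src_mac": mac, "iface": iface, "vlan": vlan}


def demo_arp_learning():
    """Constructed flood: 25 distinct source IPs on GE0/0/1 in VLAN 10 against the
    page's limit of 20, then strict learning with and without a prior request."""
    results = {}
    learner = ArpLearner()
    learner.set_limit("GE0/0/1", 10, 20)
    outcomes = [learner.receive(_arp("request", "10.1.1.%d" % i)) for i in range(1, 26)]
    results["learned"] = outcomes.count("learned")
    results["limit_reached"] = outcomes.count("limit-reached")
    results["other_vlan"] = learner.receive(_arp("request", "10.1.2.1", vlan=20))  # limit is per interface+VLAN
    strict = ArpLearner(strict=True)
    results["strict_unsolicited_reply"] = strict.receive(_arp("reply", "10.1.1.2"))
    strict.send_request("10.1.1.2")
    results["strict_solicited_reply"] = strict.receive(_arp("reply", "10.1.1.2"))
    results["strict_request"] = strict.receive(_arp("request", "10.1.1.3"))
    return results
```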

1.2 How to Prevent IP Address Spoofing Attack

IP address spoofing means the attacker initiates an attack by using the IP address of an authorized user.

The following sections describe two methods of defense against IP address spoofing: IPSG and URPF.

1.2.1 IPSG

IP Source Guard (IPSG) uses a binding table to prevent IP address spoofing. When the IP packet sent by a user does not match an entry in the binding table, the packet is considered an attack packet and dropped.

Static ARP can also prevent bogus IP addresses, so why do we need IPSG?

Both IPSG with a static binding table and static ARP bind IP addresses to MAC addresses. They differ as follows.

Table 1-6 Differences between IPSG and static ARP

Feature: IPSG
  Description: Builds a static binding table that binds IP addresses to MAC addresses. The device checks the packets received on interfaces and forwards only the packets matching the binding entries.
  Usage scenario: Configured on the access device directly connected to user hosts, to prevent IP address spoofing attacks from the intranet, for example, a malicious host stealing an authorized host's IP address to access the network.

Feature: Static ARP
  Description: Builds a static ARP table that binds IP addresses to MAC addresses. A static ARP table is not dynamically updated. The device processes received packets according to the static ARP table.
  Usage scenario: Configured on the gateway. The static ARP table stores the ARP entries of key servers to prevent ARP spoofing attacks and ensure normal communication between hosts and servers.

Figure 1-4 IPSG and static ARP usage scenario (figure image not reproduced here)

In Figure 1-4, IPSG is not configured on the switch. When a malicious host steals an authorized host's IP address to access the Internet, the packet forwarding process is as follows:

1. The packet sent by the malicious host reaches the switch.

2. The switch forwards the packet to the gateway.

3. The gateway forwards the packet to the Internet.

4. The return packet from the Internet reaches the gateway.

5. The gateway searches for the static ARP entry according to the destination IP address (the IP address of the authorized host), and takes the MAC address bound to this IP address as the authorized host's MAC address. The gateway then encapsulates the packet and forwards it to the switch.

6. The switch forwards the packet to the authorized host according to the destination MAC address.

Details about this process are as follows:

If the malicious host steals the IP address of an authorized host, static ARP prevents the malicious host from accessing the network by changing its IP address; however, the authorized host receives a large number of invalid reply packets. If the malicious host keeps sending such packets, the online host is effectively under attack.

If the malicious host uses an idle IP address that has not been added to the static ARP table, the attack succeeds and the return packets are received by the malicious host. To use static ARP to prevent IP address stealing, you would need to add all the IP addresses on the network, including idle IP addresses, to the static ARP table, which is very time-consuming.

To prevent IP address spoofing attacks on an intranet, configure IPSG on the switch.

As described above, IPSG is used on Layer 2 networks. So why is IPSG described as part of Layer 3 security? Because IPSG is a method to prevent IP address spoofing, and IP addresses are used in Layer 3 forwarding.

IPSG binding tables include static and dynamic binding tables. The configurations are as follows:

- Static binding table: Bind IP addresses, MAC addresses, VLANs, and interfaces manually.

[Gateway] user-bind static ip-address 10.1.1.1 mac-address 1E-1E-1E interface gigabitethernet 0/0/1 vlan 10  //Create a static binding entry.

[Gateway] vlan 10

[Gateway-vlan10] ip source check user-bind enable   //Enable IPSG in VLAN 10. Creating the binding table alone does not activate IPSG; it takes effect only after it is enabled on an interface or in a VLAN.

- Dynamic binding table: Configure DHCP snooping. When a user host obtains an IP address through DHCP, the bindings of IP addresses, MAC addresses, VLANs, and interfaces are generated automatically.

[Gateway] dhcp enable

[Gateway] dhcp snooping enable  //Enable DHCP Snooping.

[Gateway] vlan 10

[Gateway-vlan10] dhcp snooping enable

[Gateway-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/3  //Configure a trusted interface.

[Gateway-vlan10] ip source check user-bind enable  //Enable IPSG in VLAN 10.
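One binding table backs three of the checks on this page: DAI on ARP packets (section 1.1.2), IPSG on IP packets (this section) and EAI's unicast forwarding of ARP requests (section 1.1.1). The added Python model below (not Huawei code) runs all three over constructed data, including the idle-IP case that static ARP alone does not cover. The packet layout and the exemption of the trusted uplink interface from the checks are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    iface: str


class BindingTable:
    """One binding table serving three checks from this page: DAI on ARP
    packets ('arp anti-attack check user-bind enable'), IPSG on IP packets
    ('ip source check user-bind enable') and EAI on ARP requests ('dhcp
    snooping arp security enable'). Packet layout and the exemption of trusted
    uplink interfaces are this example's assumptions."""

    def __init__(self, static=(), trusted=()):
        self.entries = {b.ip: b for b in static}   # from 'user-bind static ...'
        self.trusted = set(trusted)                # 'dhcp snooping trusted interface ...'

    def learn_from_dhcp(self, ip, mac, vlan, iface):
        """Dynamic entry added when DHCP snooping sees the host obtain a lease."""
        self.entries[ip] = Binding(ip, mac, vlan, iface)

    def _matches(self, pkt):
        b = self.entries.get(pkt["src_ip"])
        return (b is not None and b.mac.lower() == pkt["src_mac"].lower()
                and b.vlan == pkt["vlan"] and b.iface == pkt["iface"])

    def dai_check(self, arp):
        """ARP packet: sender IP/MAC/VLAN/interface must match a binding."""
        if arp["iface"] in self.trusted:
            return "forward"
        return "forward" if self._matches(arp) else "drop"

    def ipsg_check(self, ip_pkt):
        """IP packet: same test on the source, so a stolen or idle IP is dropped."""
        if ip_pkt["iface"] in self.trusted:
            return "forward"
        return "forward" if self._matches(ip_pkt) else "drop"

    def eai_egress(self, arp_request, vlan_ports):
        """EAI: send the ARP request only out of the port bound to the target IP;
        fall back to flooding the VLAN (minus the ingress port) when unknown."""
        b = self.entries.get(arp_request["target_ip"])
        if b is not None and b.vlan == arp_request["vlan"]:
            return [b.iface]
        return [p for p in vlan_ports if p != arp_request["iface"]]


def demo_binding_checks():
    """Constructed data: static binding for 10.1.1.1 (as in the page's user-bind
    command), a DHCP-learned host 10.1.1.20, and GE0/0/3 as the trusted uplink."""
    table = BindingTable(static=[Binding("10.1.1.1", "1E-1E-1E", 10, "GE0/0/1")],
                         trusted=["GE0/0/3"])
    table.learn_from_dhcp("10.1.1.20", "2-2-2", 10, "GE0/0/2")
    vlan10_ports = ["GE0/0/1", "GE0/0/2", "GE0/0/3", "GE0/0/4"]

    def pkt(ip, mac, iface):
        return {"src_ip": ip, "src_mac": mac, "vlan": 10, "iface": iface}

    return {
        "ipsg_authorized": table.ipsg_check(pkt("10.1.1.1", "1e-1e-1e", "GE0/0/1")),
        "ipsg_stolen_ip": table.ipsg_check(pkt("10.1.1.1", "5-5-5", "GE0/0/4")),
        "ipsg_idle_ip": table.ipsg_check(pkt("10.1.1.99", "5-5-5", "GE0/0/4")),
        "dai_bogus_user": table.dai_check(pkt("10.1.1.20", "5-5-5", "GE0/0/4")),
        "dai_uplink": table.dai_check(pkt("10.1.1.254", "a-a-a", "GE0/0/3")),
        "eai_known_target": table.eai_egress({"target_ip": "10.1.1.20", "vlan": 10, "iface": "GE0/0/3"}, vlan10_ports),
        "eai_unknown_target": table.eai_egress({"target_ip": "10.1.1.99", "vlan": 10, "iface": "GE0/0/3"}, vlan10_ports),
    }
```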

1.2.2 URPF

Unicast Reverse Path Forwarding (URPF) is a method that prevents IP address spoofing attacks.

URPF looks up the source IP address of a packet in the routing table or ARP table to find the matching outbound interface, and checks whether that outbound interface is the interface on which the packet arrived. If no matching entry is found, the packet is dropped. This prevents IP address spoofing attacks.

URPF has two working modes.

Table 1-7 URPF working modes

Mode: Strict
  Description: A packet passes the URPF check only when the routing or ARP table has an entry matching its source address and the outbound interface of that entry is the interface on which the packet arrived.
  Usage scenario: Recommended for symmetric routing environments. For example, when there is only one route between two network boundary devices, strict mode protects the network to the greatest extent.

Mode: Loose
  Description: A packet passes the URPF check as long as a route matching its source address exists in the routing table.
  Usage scenario: Recommended for asymmetric routing environments. For example, when there are multiple paths between two network boundary devices, loose mode can still ensure relatively high security.

Figure 1-5 URPF (figure image not reproduced here)

In Figure 1-5, a bogus packet with source IP address 10.1.1.2 is sent to switch A. After receiving the bogus packet, switch A sends a response packet to the actual "owner" (switch B) of 10.1.1.2. Both switch A and switch B are attacked by the bogus packet.

When switch A where URPF strict check is enabled receives a packet with source address 10.2.1.1, URPF detects that the outbound interface found in the routing or ARP table does not match the source interface of the packet, and drops the packet.

Configure URPF as follows:

[SwitchA] urpf slot 1  //Enable URPF in slot 1.

[SwitchA] interface gigabitethernet 1/0/1

[SwitchA-GigabitEthernet1/0/1] urpf strict //Enable URPF strict check on GE1/0/1.
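To show exactly where strict and loose mode diverge, here is an added Python model (not Huawei code) of the URPF check over a constructed routing table for switch A in Figure 1-5, including the page's case of a packet with source address 10.2.1.1 arriving on the wrong interface. The prefixes and interface names are assumptions of this example, and no default route is included.

```python
import ipaddress


class Urpf:
    """URPF strict and loose checks over a routing table, as in Table 1-7. The
    routing table and interface names are constructed for this example; a
    default route is deliberately not included."""

    def __init__(self, routes):
        # routes: iterable of (prefix, outbound interface); longest prefix wins
        parsed = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
        self.routes = sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)

    def route_lookup(self, ip):
        """Outbound interface the device would use to reach ip, or None."""
        addr = ipaddress.ip_address(ip)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def check(self, mode, src_ip, in_iface):
        """Return 'pass' or 'drop' for a packet with src_ip arriving on in_iface."""
        out_iface = self.route_lookup(src_ip)
        if out_iface is None:
            return "drop"          # no route back to the source: fails in both modes
        if mode == "loose":
            return "pass"          # any matching route is enough
        if mode == "strict":
            return "pass" if out_iface == in_iface else "drop"
        raise ValueError("unknown URPF mode: %s" % mode)


def demo_urpf():
    """Constructed routing table for switch A in Figure 1-5: hosts in 10.1.1.0/24
    sit behind GE1/0/1, 10.2.1.0/24 is reached via GE1/0/2. A host on GE1/0/1
    sends packets with the source address 10.2.1.1, as in the page."""
    urpf = Urpf([("10.1.1.0/24", "GE1/0/1"), ("10.2.1.0/24", "GE1/0/2"),
                 ("10.0.0.0/8", "GE1/0/3")])
    return {
        "strict_legit": urpf.check("strict", "10.1.1.5", "GE1/0/1"),
        "strict_spoofed": urpf.check("strict", "10.2.1.1", "GE1/0/1"),
        "loose_spoofed": urpf.check("loose", "10.2.1.1", "GE1/0/1"),
        "strict_longest_prefix": urpf.check("strict", "10.9.9.9", "GE1/0/3"),
        "loose_unrouted": urpf.check("loose", "198.51.100.7", "GE1/0/1"),
    }
```

Loose mode lets the 10.2.1.1 packet through because a route for that prefix exists, which is also why it is the safer choice when legitimate traffic may enter on an interface other than the return path.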

2 Conclusion

This series of security sessions is now complete. It covers the security holistic view, management plane security, control plane security, forwarding plane security for Layer 2 networks, and forwarding plane security for Layer 3 networks. The security features are independent of each other. Beyond explaining how to use and configure them, we have tried to link these features together based on their common characteristics and mechanisms, to help you understand them better. Your feedback is appreciated.

 

Security Issues - Issue 1 Security Holistic View
Security Issues - Issue 2 Management Plane Security
Security Issues - Issue 3 Control Plane Security
Security Issues - Issue 4 Forwarding Plane Security – Layer 2 Security
Security Issues - Issue 5 Forwarding Plane Security – Layer 3 Security

 

 

This post was last edited by 交换机在江湖 on 2017-08-11 10:41.

gululu   Created Apr 1, 2017 10:27:11   Helpful(0)

good!

Come on!
wissal  Enthusiast Technician   Created Apr 2, 2018 16:05:28   Helpful(0)

useful document, thanks