CCNA試験対策 下巻ch8: DHCP Snooping and ARP Inspection (2/2)
https://www.ciscopress.com/store/ccna-200-301-official-cert-guide-volume-2-9781587147135www.ciscopress.com
Dnyamic ARP Inspection
DAI Concepts
Review of Normal IP ARP
Gratuitous ARP as an Attack Vector
- GARP: Gratuitous ARP
- 自身のIPアドレスをSource IP address/Target IP addressにセットしてブロードキャストする
- GARPの目的
- 後者を攻撃に利用できる
- ARPキャッシュを汚染し、MITM攻撃に繋げる
Dynamic ARP Inspection Logic
- DAIのアイディア: DHCP Snooping Binding Tableを用いてARPメッセージの正当性を確認する
- DHCPを利用していない場合はARP ACLsを利用する
- DHCPのCHADDRのチェック同様、IEEE802.3ヘッダのsource MAC address等の照合有効化することもできる
Dynamic ARP Inspection Configuration
Configuring ARP Inspection on a Layer 2 Switch
ip arp inspection vlan 1 ! ip dhcp snooping vlan 1 no ip dhcp snooping information option ip dhcp snooping ... ! interface GigabitEthernet0/1 ip arp inspection trust ip dhcp snooping trust ip dhcp snooping limit rate 10
これと
ip arp inspection vlan 1
これ
interface GigabitEthernet0/1 ip arp inspection trust
- ステータス
Switch#show ip arp inspection Source Mac Validation : Disabled Destination Mac Validation : Disabled IP Address Validation : Disabled Vlan Configuration Operation ACL Match Static ACL ---- ------------- --------- --------- ---------- 1 Enabled Inactive Vlan ACL Logging DHCP Logging Probe Logging ---- ----------- ------------ ------------- 1 Deny Deny Off Vlan Forwarded Dropped DHCP Drops ACL Drops ---- --------- ------- ---------- --------- 1 4 0 0 0 Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures ---- ------------ ----------- ------------- ------------------- 1 4 0 0 0 Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data ---- ----------------- ---------------------- --------------------- 1 0 0 0
- DAIでDHCP Snooping binding tableに乗っかる場合、テーブルを確認できる
Switch#show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ---------- ------------- ---- ----------------- 00:01:64:DB:A5:C5 10.0.1.52 86400 dhcp-snooping 1 FastEthernet0/1 00:E0:F9:57:1A:AA 10.0.1.51 86400 dhcp-snooping 1 FastEthernet0/2 Total number of bindings: 2
- DAIの統計情報
Switch#show ip arp inspection statistics Vlan Forwarded Dropped DHCP Drops ACL Drops ---- --------- ------- ---------- --------- 1 4 0 0 0 Vlan DHCP Permits ACL Permits Source MAC Failures ---- ------------ ----------- ------------------- 1 4 0 0 Vlan Dest MAC Failures IP Validation Failures ---- ----------------- ---------------------- 1 0 0
Limiting DAI Message Rates
Switch(config-if)#ip arp inspection limit rate 8 burst interval 4
- DHCP Snooping同様↑のように設定できるはずだが、Packet Tracerでは設定できなかった…
- 設定確認
Switch#show ip arp inspection interface Interface Trust State Rate(pps) Burst Interval --------------- ----------- --------- -------------- Fa0/1 Untrusted 15 1 Fa0/2 Untrusted 15 1 ... Gig0/1 Trusted 15 1 Gig0/2 Untrusted 15 1
- Rate
- packets per seconds
- Burst Interval
- 連続してこの秒数Rateを超過したら、当該interfaceはerr-disabledになる
Configuring Optional DAI Message Checks
Switch(config)#ip arp inspection validate ? dst-mac Validate destination MAC address ip Validate IP address src-mac Validate source MAC address
- デフォルトですべて無効になっている
Switch#show ip arp inspection Source Mac Validation : Disabled Destination Mac Validation : Disabled IP Address Validation : Disabled ...
- 有効化するとCPUを食うが、より広範な攻撃から防御できるようになる