Alcatel-Lucent 7342 - Anti-Spoofing Mechanism; Gratuitous ARP Discard; Source Address Anti-Spoofing; Figure 4-3 ONT Packet Authorization

4 — ONT software and security features
4-10 July 2008 Alcatel-Lucent 7342 ISAM FTTU ONT R04.05.06
ONT Product Information Manual Edition 01 3FE 51892 AAAA TCZZA
4.8 Anti-spoofing mechanism
The 7342 ISAM FTTU supports two features to protect against spoofing:
- gratuitous ARP discard
- source address anti-spoofing
Gratuitous ARP discard
A gratuitous ARP request is an ARP packet where the sender IP address and the
target IP address are the same. Attackers can use gratuitous ARP requests to corrupt
the ARP cache of a router by sending out a gratuitous ARP request that claims to be
the default router.
The 7342 ISAM FTTU supports a discard mechanism that filters incoming traffic for
gratuitous ARP requests. When gratuitous ARP discard is enabled, incoming
gratuitous ARP requests are discarded.
Gratuitous ARP discard is implemented on a per ONT UNI port basis. See
7342 ISAM FTTU Operations and Maintenance Procedures Guide using TL1 and
CLI for configuration information.
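The check described above, as an added example that is not Alcatel-Lucent code: it parses an Ethernet frame (with an optional single 802.1Q tag), applies the manual's definition of a gratuitous ARP request, and honours the VLAN-mode exception stated in the note on this page. The function names, the `vlan_mode` labels and the sample frames are assumptions made for illustration.

```python
import struct

ETH_ARP, ETH_VLAN, ARP_REQUEST = 0x0806, 0x8100, 1

def parse_arp(frame: bytes):
    """Return (op, sender_ip, target_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_VLAN:  # skip a single 802.1Q tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return op, frame[offset + 14:offset + 18], frame[offset + 24:offset + 28]

def is_gratuitous_request(frame: bytes) -> bool:
    """The manual's definition: an ARP request whose sender IP equals its target IP."""
    arp = parse_arp(frame)
    return arp is not None and arp[0] == ARP_REQUEST and arp[1] == arp[2]

def uni_port_verdict(frame: bytes, garp_discard_enabled: bool, vlan_mode: str) -> str:
    """Per-UNI-port decision; vlan_mode labels are hypothetical names for the two modes."""
    if garp_discard_enabled and vlan_mode == "residential-bridge" and is_gratuitous_request(frame):
        return "discard"
    return "forward"  # everything else, including all frames in cross-connect mode

def build_arp_request(mac: bytes, sender_ip: bytes, target_ip: bytes, vlan_id=None) -> bytes:
    """Construct a sample frame for the checks below (test data only, never sent)."""
    eth = b"\xff" * 6 + mac
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id)
    eth += struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    return eth + arp + mac + sender_ip + b"\x00" * 6 + target_ip

# Constructed sample values: locally administered MAC, RFC 5737 documentation addresses.
MAC, ROUTER, HOST = bytes.fromhex("020000000001"), bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])
GARP = build_arp_request(MAC, ROUTER, ROUTER, vlan_id=100)  # claims the router's address
NORMAL = build_arp_request(MAC, HOST, ROUTER)               # ordinary lookup of the router

if __name__ == "__main__":
    for name, frame in (("gratuitous", GARP), ("normal", NORMAL)):
        for mode in ("residential-bridge", "cross-connect"):
            print(name, mode, uni_port_verdict(frame, True, mode))
```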
Source address anti-spoofing
Source address spoofing is an attempt to gain entry to a system by posing as a trusted
source. Although the packet cannot be routed back to the initial source, source
address spoofing can lead to unnecessary network congestion and to possible denial
of service.
To block unauthorized traffic, the 7342 ISAM FTTU supports an anti-spoofing
mechanism that limits source address spoofing. Upstream traffic arriving at the ONT
is validated for source address. Authorized packets are forwarded and non-validated
packets are discarded, as illustrated in Figure 4-3.
Figure 4-3 ONT packet authorization
Note — Gratuitous ARP discard only applies for residential bridge
VLANs; in VLAN cross-connect mode, gratuitous ARP requests are
always forwarded.
[Figure 4-3 labels: Upstream packets; ONT; Authorize packets; Authorized source addresses; Forward authorized packets; Discard unauthorized packets]