Zte ZXR10 5900 Series - DAI Configuration; DAI Overview

To Next Page

To Previous Page

Chapter17SecurityConguration

DAIConfiguration

DAIOverview

TheattackbasedonARPoftenhappensinnetwork.DHCPSNOOP-

INGmoduleontheswitchimplementsDAI(DynamicARPInspec-

tion)function,butthisfunctionislimited.

CurrentlyDAIfunctiononlychecksbindingtableinDHCPSNOOP-

INGforswitchlearningARPpacket,thatis,onlycanchecklayer

3user .

IfusersoftheswitchareinthesameVLAN,thecommunication

betweenusersrequiresswitchtoforwardnotonlayer3butlayer

2.SwitchneednottolearnARPpacketsoftheseusers.Therefore

thereisn’trelevantsecuritycheck.Itisabigsecuritybug,which

causesman-in-the-middleattack,asshowninFigure39.

FIGURE39MAN-IN-THE-MIDDLEATTACK

A/B/Careinthesamebroadcastdomain,thatis,thesamenet-

worksegment.WhenAandBcommunicateswitheachother ,

ARPpacketissentrst,whichcanbelearnedbyC.IfCactsas

man-in-the-middletodomaliciousscanning,onlysendsfreeARP

toAtoinformthatIPcorrespondingMACaddressofBhasbeen

updatedtothatofC,theowfromAtoBisdirectlyforwarded

toC;BasedonthesameprincipletheowfromBtoAcanbe

forwardedtoC.Afterdoingmaliciousscanningonpacket,Cmod-

iesthedestinationaddressastherealMACaddressofBorA

andreturnthepackettoswitch.TheowbetweenAandBcan

beforwardednormallyandnotbeperceived.SothatCcompletes

man-in-the-middleattack.

Toavoidthisbug,allARPpacketsshouldbechecked.Thosethat

conformtothequalicationareforwaredbysoftware.TheARP

packetsthatfailincheckwillbediscarded.

Basedonthisrequirement,thefollowingmethodsthatprevents

usualARPattackareadded.

1.Asforuntrustedinterface,DAIblocksallARPpacketsandsend

themtoupperlayersoftwareforcheck.

2.ThespeedthatARPpacketsenttoCPUiscongurable.

3.WhenDHCPSNOOPINGisenabled,laye2IP,MACandport

correspondingrelationshiparechecked.Illegaluserwillbe

discarded.

CondentialandProprietaryInformationofZTECORPORATION177

Other manuals for Zte ZXR10 5900 Series