Re: Protection against Man-in-the-middle attack

From: Marko Milivojevic <markom_at_ipexpert.com>
Date: Tue, 23 Mar 2010 21:11:42 +0000

On Tue, Mar 23, 2010 at 20:21, Narbik Kocharians <narbikk_at_gmail.com> wrote:
> Marko,
>
> I have a tested lab, and it works as it's advertised.

You know, I love to be proven wrong from time to time. It makes me
revisit things.

------------------------------8<------------------------------
Initial lab setup:

! Cat2:
vlan 12
 name TEST-VLAN
!
interface FastEthernet0/1
 description ProctorLabs-R1
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 description ProctorLabs-R2
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!

! R1:
interface FastEthernet0/1
 ip address 12.12.12.1 255.255.255.0
!

! R2:
interface GigabitEthernet0/1
 ip address 12.12.12.2 255.255.255.0
!
------------------------------8<------------------------------

Let's see if ping from R1 to R2 works:

ProctorLabs-R1#ping 12.12.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
ProctorLabs-R1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 12.12.12.1 - 0012.8031.b169 ARPA FastEthernet0/1
Internet 12.12.12.2 0 0011.9369.1481 ARPA FastEthernet0/1

OK, let's configure DAI with bogus MAC address for R2 on Cat2:

arp access-list ARP-ACL
 permit ip host 12.12.12.12 mac host 0001.0000.0001
!
ip arp inspection filter ARP-ACL vlan 12 static
!
interface FastEthernet0/1
 ip arp inspection trust
!
interface FastEthernet0/2
 ! no real need, since it's the default
 no ip arp inspection trust
!

Clear ARP on R1 and make sure there's no trace of R2 there.

ProctorLabs-R1#clear arp-cache
ProctorLabs-R1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 12.12.12.1 - 0012.8031.b169 ARPA FastEthernet0/1

ProctorLabs-R1#ping 12.12.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Wow. Let's see what happens when we put R2's real address in that ARP ACL on R2:

no arp access-list ARP-ACL
arp access-list ARP-ACL
  permit ip host 12.12.12.2 mac host 0011.9369.1481
!

Again, testing from R1:

ProctorLabs-R1#clear arp-cache
ProctorLabs-R1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 12.12.12.1 - 0012.8031.b169 ARPA FastEthernet0/1
ProctorLabs-R1#ping 12.12.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
------------------------------8<------------------------------

Pretty neat. Thanks for this. Now, in what documentation did I read
that DAI requires DHCP snooping database...?!

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert
YES! We include 400 hours of REAL rack
time with our Blended Learning Solution!
Mailto: markom_at_ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Web: http://www.ipexpert.com/
Blogs and organic groups at http://www.ccie.net
Received on Tue Mar 23 2010 - 21:11:42 ART
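As an added illustration (not code from this thread or from IPexpert), the following Python model replays the lab above against the documented DAI decision order: trusted ports bypass inspection, untrusted ports are checked against the ARP ACL, and with the `static` keyword an ACL miss is a final drop, so the DHCP snooping binding database is never consulted for that VLAN. VLAN, port names, addresses and MACs are taken from the lab output; the ARP packets themselves are constructed for the example, and the `spoof` case (a host on the untrusted port claiming R2's IP with another MAC) is added to show the protection the thread is about.

```python
"""Toy model of Dynamic ARP Inspection (DAI) with a static ARP ACL.

Added example, not code from the original thread. Models DAI's documented
order of checks: trusted ports are not inspected; untrusted ports are
matched against the ARP ACL; with 'static', an ACL miss is a final drop
and DHCP snooping bindings are not used. Lab values come from the thread;
the ARP packets below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ArpAce:
    action: str   # "permit" or "deny"
    ip: str       # dotted IP or "any"
    mac: str      # Cisco-style MAC (0011.9369.1481) or "any"

    def matches(self, sender_ip: str, sender_mac: str) -> bool:
        ip_ok = self.ip == "any" or self.ip == sender_ip
        mac_ok = self.mac == "any" or self.mac.lower() == sender_mac.lower()
        return ip_ok and mac_ok


def parse_arp_acl(text: str) -> List[ArpAce]:
    """Parse 'permit ip host A mac host B' / 'deny ip any mac any' lines
    (the IOS arp access-list grammar as used in the thread)."""
    aces: List[ArpAce] = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("!", "arp"):
            continue  # skip comments and the 'arp access-list NAME' header
        if tok[0] not in ("permit", "deny") or tok[1] != "ip" or "mac" not in tok:
            raise ValueError(f"unsupported ACE: {raw!r}")
        m = tok.index("mac")
        ip = "any" if tok[2] == "any" else tok[3]         # 'any' or 'host X'
        mac = "any" if tok[m + 1] == "any" else tok[m + 2]
        aces.append(ArpAce(tok[0], ip, mac))
    return aces


@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class DaiConfig:
    inspected_vlans: Set[int]
    trusted_ports: Set[str]
    acl: List[ArpAce]
    static: bool  # 'ip arp inspection filter NAME vlan N static'
    # (vlan, ip) -> mac, as learned by DHCP snooping
    snooping_bindings: Dict[Tuple[int, str], str] = field(default_factory=dict)


def inspect(cfg: DaiConfig, pkt: ArpPacket) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'forward' or 'drop'."""
    if pkt.vlan not in cfg.inspected_vlans:
        return "forward", "VLAN not under inspection"
    if pkt.ingress_port in cfg.trusted_ports:
        return "forward", "trusted port, not inspected"
    for ace in cfg.acl:
        if ace.matches(pkt.sender_ip, pkt.sender_mac):
            if ace.action == "permit":
                return "forward", f"permitted by ACE {ace.ip}/{ace.mac}"
            return "drop", f"denied by ACE {ace.ip}/{ace.mac}"
    if cfg.static:
        return "drop", "no ACE matched; 'static' makes the implicit deny final"
    bound = cfg.snooping_bindings.get((pkt.vlan, pkt.sender_ip))
    if bound is not None and bound.lower() == pkt.sender_mac.lower():
        return "forward", "no ACE matched; validated by DHCP snooping binding"
    return "drop", "no ACE matched and no DHCP snooping binding"


def run_lab() -> Dict[str, str]:
    """Replay both ACL versions from the thread: R1 replies on trusted Fa0/1,
    R2 replies on untrusted Fa0/2, plus a constructed spoof of R2's IP."""
    r1 = ArpPacket("FastEthernet0/1", 12, "12.12.12.1", "0012.8031.b169")
    r2 = ArpPacket("FastEthernet0/2", 12, "12.12.12.2", "0011.9369.1481")
    spoof = ArpPacket("FastEthernet0/2", 12, "12.12.12.2", "0001.0000.0001")
    bogus = parse_arp_acl("permit ip host 12.12.12.12 mac host 0001.0000.0001")
    real = parse_arp_acl("permit ip host 12.12.12.2 mac host 0011.9369.1481")
    results: Dict[str, str] = {}
    for label, acl in (("bogus", bogus), ("real", real)):
        cfg = DaiConfig({12}, {"FastEthernet0/1"}, acl, static=True)
        results[f"{label}/R1"] = inspect(cfg, r1)[0]
        results[f"{label}/R2"] = inspect(cfg, r2)[0]
    results["real/spoof"] = inspect(cfg, spoof)[0]
    # Same bogus ACL without 'static': a DHCP snooping binding would rescue R2.
    cfg = DaiConfig({12}, {"FastEthernet0/1"}, bogus, static=False,
                    snooping_bindings={(12, "12.12.12.2"): "0011.9369.1481"})
    results["bogus-nostatic-binding/R2"] = inspect(cfg, r2)[0]
    return results


if __name__ == "__main__":
    for case, verdict in run_lab().items():
        print(f"{case:28s} {verdict}")
```

Running it reproduces the lab: with the bogus ACL, R2's ARP on Fa0/2 is dropped and the pings fail; with R2's real binding in the ACL, it is forwarded, while a packet claiming R2's IP from a different MAC on the untrusted port is still dropped. The last case shows what `static` changes: without it, an ACL miss falls back to the DHCP snooping binding table, which is where the "DAI needs DHCP snooping" requirement comes from.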