03-01-2016 07:18 PM - edited 03-08-2019 04:47 AM
Good Evening,
I'm trying to decipher the usefulness of the additional validation options with dynamic ARP inspection. Below is what is quoted in Cisco articles, as well as books I have read:
The additional validations do the following:
•dst-mac—Checks the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
•ip—Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.
•src-mac—Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
Can someone enlighten me as to how implementing these is useful? Perhaps give me examples of how and why an attacker would craft ARP messages in each manner? SRC-MAC I can dream up: an attacker would want to send an ARP reply to trick a host into believing that they are actually a different MAC address than what they are, so it would be different. DST-MAC and IP I'm coming up short on examples. If the ARP messages will be denied regardless of whether they match the DHCP snooping database, why implement any of this additional validation? Thanks.
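As an added illustration (an editor's example, not code from the thread or from Cisco), the following models the three quoted checks alongside the base DHCP-snooping binding check, applied to raw Ethernet/ARP frames. The point it makes concrete is that the binding check only looks inside the ARP body, while src-mac and dst-mac compare the ARP body against the Ethernet header, so a frame whose body matches a perfectly valid binding can still be dropped when its header disagrees. All MAC/IP values and the binding table are constructed lab data, and the frame builder, field names and `inspect()` helper are this example's own, not a Cisco API.

```python
"""Model of DAI: DHCP-snooping binding check plus the src-mac, dst-mac and
ip additional validations, run over constructed Ethernet/ARP frames."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return ipaddress.IPv4Address(text).packed


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (test input)."""
    return ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + \
        ARP_BODY.pack(1, 0x0800, 6, 4, oper, mac(sha), ip4(spa), mac(tha), ip4(tpa))


def parse_arp(frame):
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def invalid_ip(packed):
    """The 'ip' validation's list: 0.0.0.0, 255.255.255.255 and any multicast address."""
    addr = ipaddress.IPv4Address(packed)
    return addr in (ipaddress.IPv4Address("0.0.0.0"),
                    ipaddress.IPv4Address("255.255.255.255")) or addr.is_multicast


def binding_ok(p, bindings):
    """Base DAI check: sender IP/MAC in the ARP body must match a snooping binding."""
    return bindings.get(p["spa"]) == p["sha"]


def extra_validation(p, checks=("src-mac", "dst-mac", "ip")):
    """Return the names of the additional validations the packet fails."""
    failed = []
    # src-mac: Ethernet source vs ARP sender hardware address, requests and replies
    if "src-mac" in checks and p["eth_src"] != p["sha"]:
        failed.append("src-mac")
    # dst-mac: Ethernet destination vs ARP target hardware address, replies only
    if "dst-mac" in checks and p["oper"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        failed.append("dst-mac")
    # ip: sender IP always; target IP only in replies
    if "ip" in checks and (invalid_ip(p["spa"]) or
                           (p["oper"] == ARP_REPLY and invalid_ip(p["tpa"]))):
        failed.append("ip")
    return failed


def inspect(frame, bindings, checks=("src-mac", "dst-mac", "ip")):
    """Empty list means the switch would forward the frame; otherwise the drop reasons."""
    p = parse_arp(frame)
    reasons = [] if binding_ok(p, bindings) else ["binding"]
    return reasons + extra_validation(p, checks)


# Constructed lab values (assumptions for the example, not from the thread)
GW_IP, GW_MAC = "192.0.2.1", "00:00:5e:00:01:01"
HOST_IP, HOST_MAC = "192.0.2.10", "52:54:00:aa:bb:10"
ATK_IP, ATK_MAC = "192.0.2.66", "52:54:00:aa:bb:66"
BCAST = "ff:ff:ff:ff:ff:ff"
BINDINGS = {ip4(GW_IP): mac(GW_MAC), ip4(HOST_IP): mac(HOST_MAC), ip4(ATK_IP): mac(ATK_MAC)}

FRAMES = {
    # gateway answering the host: everything consistent
    "legit_reply": build_arp(HOST_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
    # attacker claims the gateway IP in the ARP body: the binding check alone catches this
    "body_spoof": build_arp(HOST_MAC, ATK_MAC, ARP_REPLY, ATK_MAC, GW_IP, HOST_MAC, HOST_IP),
    # ARP body is the attacker's own valid binding, but the Ethernet source is the gateway MAC
    "header_spoof": build_arp(HOST_MAC, GW_MAC, ARP_REPLY, ATK_MAC, ATK_IP, HOST_MAC, HOST_IP),
    # valid body, but a unicast reply wrapped in a broadcast Ethernet destination
    "dst_mismatch": build_arp(BCAST, ATK_MAC, ARP_REPLY, ATK_MAC, ATK_IP, HOST_MAC, HOST_IP),
    # valid body and headers, but the reply's target IP is a multicast address
    "multicast_target": build_arp(HOST_MAC, ATK_MAC, ARP_REPLY, ATK_MAC, ATK_IP, HOST_MAC, "224.0.0.1"),
}


def run_all():
    return {name: inspect(frame, BINDINGS) for name, frame in FRAMES.items()}


if __name__ == "__main__":
    for name, reasons in run_all().items():
        print(f"{name:18s} -> {'forward' if not reasons else 'drop ' + ','.join(reasons)}")
```

The `header_spoof` and `dst_mismatch` frames are the ones the quoted documentation is aimed at: their ARP bodies match the attacker's own legitimate snooping binding, so only the header-versus-body comparisons reject them. On Catalyst IOS the equivalent switch setting is the global command `ip arp inspection validate src-mac dst-mac ip`; the options are given in a single command, since each `ip arp inspection validate` command replaces the previous one. One caveat worth testing before enabling `ip`: as the quoted rule is written, an ARP request with sender IP 0.0.0.0 fails it, and RFC 5227 address-conflict probes carry exactly that sender address.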
03-01-2016 09:54 PM
If someone managed to take over the destination of packets, then they could insert themselves into the middle of conversations to your servers, to your default gateway, etc.
03-02-2016 05:09 AM
I understand what you mean, but I'm looking for specific examples of how changing the destination MAC or IP in the ARP body makes this happen.