DHCP Snoop

DHCP Snooping
TAC Virtual Chalk Talk for Partners
2002, Cisco Systems, Inc. All rights reserved.
Mini Primer on DHCP (RFC 2131 and 2132)
Centralized administration of IP address config Superset of BootP Client/Server protocol Temporary allocation of IP address and options based on MAC, Client ID, or subnet (GIADDR) Transport: UDP, port 67 (server listens on this port) and 68 (client listens on this port) Lease renewal efforts occur at two intervals:
T1 1/2 of the lease has been used T2 7/8 of the lease has been used
DHCP Address Acquisition

DHCP Client DHCP Server
DHCP Discover DHCP Offer DHCP Request DHCP Ack (or Decline, Nack) Lease renewal (T1 or T2 timer)
DHCP Release
DHCP Discover (client-to-server)
DHCP Offer (server-to-client)
DHCP Request (client-to-server)
Duplicate packets??
Why do you think my laptop was sent TWO DHCP Offers?
DHCP ACK (server-to-client)
Several DHCP message types.

DHCP Client Server A Server B
Client messages:
Discover Request (4 kinds):
selecting renew rebind Init/Reboot
Server messages:
Offer ACK NAK
Decline Release Inform

DHCP Message Format

Client-A
10.1.2.0/24
IP Helper
10.1.1.0/24 .2 .1
DHCP Server
Client-C
Client-B
.1
16
32
OP Code (1)
HTYPE (1)
HLEN (1)
HOPS (1)
TRANSACTION ID (4) SECONDS (2) UNUSED (2)
CLIENT IP ADDRESS (4) YOUR IP ADDRESS (4) SERVER IP ADDRESS (4) GATEWAY IP ADDRESS (GiADDR) (4) SERVER HOST NAME (64) BOOT FILE NAME (128) VENDOR-SPECIFIC OPTIONS (312)
The GIADDR is stuffed with IP address by IP Helper feature to ID subnet of client
10
DHCP Spoofing Attack

Who: Malicious user: pretend to be the network DHCP server Mis-configured user: fire up DHCP server incorrectly Where: Commonly seen in higher education, metro Ethernet How: Attacker Intercepts Discovery Broadcast and Replies With Bogus Gateway and DNS Addresses
192.168.1.1/24 IP Helper 195.11.2.1
DHCP Offer
IP: 10.1.1.20/24 GW: 10.1.1.1 DNS: 192.168.1.122
DHCP Discovery Broadcast Victim
Attacker
192.168.1.122
11
Do I Trust You?
DHCP Snooping relies on correct identification of Trusted and Untrusted ports. Default = All Ports Untrusted Trust ONLY those ports for which you have direct control of the end-device, ie:
Routers Switches Servers
Router(config-if)# ip dhcp snooping trust
untrusted
untrusted
untrusted untrusted Trusted
DHCP Server
12
DHCP Attack Solution: DHCP Snooping

DHCP Snooping discarding attackers bogus DHCP offer messages by intercepting DHCP messages within a switch
Switch forwards DHCP requests from untrusted access ports only to Trusted ports. All other types of DHCP traffic from untrusted access ports dropped. If network DHCP server not local to the switch, trust the uplink port Building a DHCP binding table containing client IP address, client MAC address, port, VLAN number Optional insertion and removal of DHCP option 82 data into/from DHCP messages DoS attack on DHCP server is prevented by rate limiting DHCP packets per access port
DHCP Snooping
DHCP Offer
untrusted
13
DHCP Binding Table

Contains binding entries for local untrusted ports only Includes both static entries and dynamic entries learned via DHCP gleaning
4 bytes 6 bytes 2 bytes 4 bytes 4 bytes 4 bytes
IP Address MAC Address VLAN Id Lease Timer Port Binding Type

14
What is allowed to pass (client-to-server)?
DHCP Discover DHCP Request DHCP Decline DHCP Release
untrusted
untrusted
untrusted untrusted trusted
DHCP Server
15
What is allowed to pass (server-to-client)?
DHCP Offer DHCP Ack DHCP Nack DHCP Lease Query
untrusted
untrusted
16
What is prevented (untrusted-to-untrusted).
ANY DHCP message
untrusted
untrusted
DHCP Server
17
What is prevented (Untrusted Server Packets).
DROPPED!!
DROPPED!!

Untrusted (port incorrectly identified)
untrusted
DHCP Server
18
What is prevented (Who do you think YOU are??).
DROPPED!!
DHCP Decline DHCP Release
DHCP Binding Database: MAC- AA = port 3/3

Untrusted port 3/3 untrusted trusted
Untrusted port 3/1
Hacker attempts to impersonate you and release your IP address. SRC MAC = AA SRC MAC = BB AA
19
What is prevented (No relay for YOU!!).

DROPPED!!
DHCP packet with non-zero giaddr field.
Untrusted port 3/1
Untrusted port 3/3
trusted
Normal DHCP-Relay operation populates giaddr field in DHCP messages. This is not allowed if arriving on an untrusted port.
20
DHCP Relay packet dropped!!

DHCP Relay Agent Int vlan 3 ip add 3.3.3.3 DHCP Discover Giaddr = 3.3.3.3
Switch-B 2/1 Vlan-3

DHCP Discover
3/25
DHCP Snooping
Aggregation Sw
Untrusted Interface
DHCP Server
Customer-B
Aggregation Switch with DHCP Snooping enabled drops DHCP packet on untrusted port with non-zero giaddr field.
The Solution:
21
DHCP Snooping - Configuration

DHCP Discover
Edge Switch 2/1

DHCP Discover
Relay Agent Relay Agent
DHCP Server
Customer-B
Ensure that DHCP Server and the Relay Agent (if it exists) are already fully functional before you configure DHCP Snooping.
Configure this on ports leading to trusted DHCP Serversor on uplink ports to Aggregation Switches.
22
DHCP Snooping Additional Config Options

DHCP Discover
Edge Switch 2/0/1

DHCP Discover
Relay Agent Relay Agent
DHCP Server
Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# ip dhcp snooping limit rate 100

Customer-B Prevents DHCP DoS attacks that would overwhelm the DHCP Server.
DHCP Snooping can also be configured on Private VLANs. Must configure only on the Primary VLANwill be dynamically propagated to all Secondary VLANs. No way (currently) to have different DHCP Snooping configurations applied to Secondary VLANs all residing under the same Primary VLAN.
23
DHCP Snooping Verification
Untrusted interfaces dont display.
24
DHCP Relay Agent

Best practice is to store DHCP Binding Database externally to the switch.
If stored locally in flash/bootflash, database must be erased and re-written for every new entry. CPU intensivecan lock up the switch. If switch crashes or reloads, all entries / lease info lost and can kill the DHCP Snooping process.
Feature to do this is called DHCP Snooping Database Agent.

Can also use FTP, HTTP, and RCP
Switch(Config)# ip dhcp snooping database tftp://192.168.1.1/Snoop-data.dhcp Switch(Config)# ip dhcp snooping database write-delay 15
Specify the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).
25
DHCP Relay Agent GOTCHAS (1)

From the Cat3750 Configuration Guide:
For network-based URLs (such as TFTP and FTP), you must create an empty file at the configured URL before the switch can write bindings to the binding file at that URL. See the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way.
Meaning The switch cannot create this file from scratch. The server must already contain a 0-byte file with this name for this to work.
What will you see if you DONT have a 0-byte file to start with??
Cat3750# show ip dhcp snooping database Agent URL : tftp://192.168.1.1/Snoop-data.dhcp
26
DHCP Relay Agent GOTCHAS (2)

From the Cat3750 Configuration Guide:
To ensure that the lease time in the database is accurate, we recommend that you enable and configure NTP.
The REAL STORY: NTP (Network Time Protocol) is MANDATORY! Agent wont work without it!!
What will you see if you DONT have NTP running??
From Case# 601706547: Safe read write mode is a special mode which tries to open the file mentioned in the database URL in the read-only format and only if it exists tries to write to it as in try to update it. If the file does not exist , it tries to create the file. And from the debug messages ( the explanation of debug messages are not documented on CCO ) , what I can see is safe mode is just simply failing to access the file.
A sniffer trace from the customer showed that the switch wasnt sending ANYTHING to the database server (which contradicted the explanation above because it wasnt even trying to read the file). Turned out that the NTP server had failed, which caused this problem.
27
I need an NTP Server??!!

If the customer doesnt normally use NTP (but its required for the Database Agent) simply configure the NTP Server on another networking device.
28
Restricting Allocated Addresses

Customers Challenge: 1. 2. 3. How can I ensure that each switch is only allocated a maximum of X addresses from my DHCP Pool? How can I ensure that port 2/1 on Switch-B is only allocated a maximum of X addresses from my DHCP Pool? What if someone in Customer-Cs network is attempting a DHCP DoS attack (sending multiple DHCPDiscover/Request messages to completely exhaust the DHCP Address Pool)? How can I prevent that?
Aggregation Sw
DHCP Server
Switch-A
Switch-B 4/1 2/1 Customer-B
Switch-C
Switch-D
Customer-A
Customer-C
Customer-D
The Solution: DHCP Option-82

a.k.a. DHCP Relay Agent Option (RFC 3046)
29
DHCP Option-82
Aggregation Sw
DCHP packet w/ Option-82 inserted DHCP Server
DCHP packet w/ Option-82 inserted
Switch-C
Switch-D
Customer-C
Customer-D
Option-82
Option-82
Switch-A
Switch-B 4/1 2/1 Customer-B
Customer-A
1. 2.
Option-82 allows trusted access devices to insert this option into (and remove from) DHCP Packets. This option gives descriptive information about the device/port that received the DHCP message.
30
DHCP Option-82
DHCP Discover Option-82 02-aa-11-11-22-11 Option-82 Remote-id = 02-aa-11-11-22-11 Circuit-id = 3-2-1
Switch-B 2/1
VLAN-3 DHCP Discover
Aggregation Sw
DHCP Server
Customer-B
Im only allowed to allocate a maximum of 100-addresses to that combination of Remote-ID and Circuit-ID!!
1.
Switch adds Remote-ID and Circuit-ID sub-options into Option82 data. Remote-ID default is switch MAC address Circuit-ID default is port identifier in the format vlan-mod-port
2.
These fields are configurable to use ASCII strings if you prefer

31
DHCP Option-82 Technical Details
Debug ip dhcp snooping packet
32
DHCP Option-82 Caveats

DHCP Discover Option-82
What the heck is THAT??
Remote-id = 02-aa-11-11-22-11
Option-82
02-aa-11-11-22-11
Circuit-id = 3-2-1
Aggregation Sw
Switch-B 2/1
VLAN-3 DHCP Discover
DHCP Server
Customer-B
1. 2.
DHCP Servers must be configured to recognize and respond in some way to DHCP Option-82 otherwise packets may be dropped. Switches receiving DHCP messages containing Option-82 will DROP THEM if received on an untrusted interface!! The solution for aggregation switches:
Switch(config)# ip dhcp snooping information option This is the DEFAULT setting. Remove it if unsupported by the DHCP Server.
Switch(config)# ip dhcp snooping information option allow-untrusted
33
Dynamic ARP Inspection (DAI)
34
MIM Attack Attacking another host

Layer 3 Network
DHCP Server
ARP Cache ARP Cache
Router R
Host A
Host B
Malicious Host M
35

Layer 3 Network
DHCP Server
ARP Cache ARP Cache
IPB
IPA
MACA
Router R
Host A ARP Request Malicious Host M
Host B
36

Layer 3 Network
DHCP Server
ARP Cache ARP Cache
IPB
MACB
IPA
MACA
Router R
Host A ARP Response Malicious Host M
Host B
37

Layer 3 Network
DHCP Server
ARP Cache ARP Cache
IPB
MACB
IPA
MACA
Router R
Host A User Traffic Malicious Host M

Host B
38

Layer 3 Network
DHCP Server
ARP Cache ARP Cache
IPB
MACM
IPA
MACA
Router R
Host A Unsolicited ARP Response Malicious Host M

Host B
39

Layer 3 Network
DHCP Server
ARP Cache ARP Cache
IPB
MACM
IPA
MACA
Router R
Host A User Traffic Malicious Host M

Host B
40
DOS Attack Attacking the default gateway

Layer 3 Network
ARP Cache
DHCP Server
IPA
ARP Cache
IPB
ARP Request
IPB
MACA MACB
Router R
L2 Network with PVLAN

Host A Host B
Malicious Host M
41

Layer 3 Network
ARP Cache
DHCP Server
IPA
ARP Cache
IPB
MACR
Proxy ARP Response Router R
IPB
MACA MACB

Host A Host B
Malicious Host M
42

Layer 3 Network
ARP Cache
DHCP Server
IPA
ARP Cache
IPB
MACR
User Traffic
IPB
MACA MACB
Router R

Host A Host B
Malicious Host M
43

Layer 3 Network
ARP Cache
DHCP Server
IPA
ARP Cache
IPB
MACR
IPB
MACA MACM
Router R

Host A Unsolicited ARP Response Malicious Host M
Host B
44

Layer 3 Network
ARP Cache
DHCP Server
IPA
ARP Cache
IPB
MACR
User Traffic
IPB
MACA MACM
Router R

Host A Host B
Malicious Host M
45
ARP Poisoning: Serious Business

Recording Voice Calls
Si
Avaya demonstrated a variation of ARP poisoning at their customer briefing center using Cisco gear After intercepting a network connection, packets containing G.711 voice data are collected and the phone conversation is recorded and then replayed
Record Data
Stealing Passwords
Email Server
Demonstrated live to Cisco senior executives in the Cisco network Tools are publicly available with GUI and bi-directional spoofs: Ettercap and Dsniff Easily taught in 5 minutes Neither the victim nor the default gateway is aware of the attack
Si
Victim
46
ARP Poisoning Attack Solution: Dynamic ARP Inspection

Dynamic ARP Inspection discarding attackers gratuitous ARP packets in the switch, and logging the attempts for auditing Bindings of client IP address, client MAC address, port, VLAN number are built dynamically by DHCP snooping Switch intercepts all ARP requests and replies on the untrusted access ports Each intercepted packet is verified for valid IP-to-MAC binding A solution with no change to the end user or host configurations
Dynamic ARP Inspection
Gratuitous ARP
untrusted
47
Dynamic ARP Inspection (DAI) Overview
When DHCP Snooping not applicable, static ARP ACLs can be configured instead. ARP ACLs always take priority over DHCP Snooping Table.
If an ARP ACL is configured to drop a packet, that ARP will be dropped even if there is a valid entry in the DHCP Snooping Table.
Relies on same concepts of Trusted and Untrusted ports as DHCP Snooping.

Ports are untrusted by default DAI does not verify any ARP Requests/Replies from Trusted interfaces.
48
ARP Inspection Procedure

Trusted I/F ?
No Yes
Ethernet & IPv4

Yes No
No
Match ARP ACL?
Yes Permit
Action?
Match DHCP binding table? No Yes Deny
Drop & log invalid ARP packet

Forward valid ARP packet

49
ARP Inspection Overview

An ARP request/response packet is considered valid if it meets the following criteria:
1) Mandatory: Sender <MAC, IP, VLAN> triplet is valid 2) Optional: Sender MAC == Source MAC 3) Optional (for ARP response): Target MAC == Destination MAC
ARP Packet Format

Dest MAC Addr Source MAC Addr Frame Type H/W Prot H/W Prot Op Sender Sender Target Target IP Addr Type Type Size Size Code MAC Addr IP Addr MAC Addr
0x0806 (ARP)
0x0800 6 (IPv4)
0x01 (Ethernet)
50
Basic DAI Configuration

Two Design Methodologies:
1. 2. Configure DAI on every switch in the network. Leave all edge ports as Untrusted Trust all interfaces connected to networking devices (routers, switches, etc). Configure DAI on all Edge switches (assuming that hosts are only connected to Edge switches).
Step-1: Configure and verify DHCP Snooping first! Step-2: Configure DAI:
Cat6500#conf t Enter configuration commands, one per line. End with CNTL/Z. Cat6500(config)#ip arp inspection vlan 1-12 Cat6500(config)#interface fastethernet3/25 Cat6500(config-if)#ip arp inspection trust Cat6500(config-if)#end
51
DAI in action!! (1)

DHCP-given address of 1.1.1.1
3/6 VLAN-1
6500
DAI-enabled Switch
Admin Shut 3/7 VLAN-1
X
Fa0/0 1.1.1.1
52
DAI in action!! (2)

3/6 VLAN-1
6500
DAI-enabled Switch
X
Fa0/0 1.1.1.1
As soon as the routers FastEthernet interface comes up it will perform a gratuitous ARPlets see what happens!!
53
DAI in action!! (3)

3/6 VLAN-1
6500
DAI-enabled Switch
Gratuitous ARP from Router is dropped by DAI on switch.
54
DAI for non-DHCP hosts

Notice that in this example, the router has been given a valid, static address of 1.1.1.6 /24. But because it is connected to an untrusted port and does not participate in DHCP, nobody can ARP for it!

3/6 VLAN-1
6500
DAI-enabled Switch
3/7 VLAN-1
55
DAI for non-DHCP hosts (2)

The Solution: ARP Access-List
Sender of ARP Response
any target IP address
Senders MAC address
any target MAC address

3/6 VLAN-1
6500
DAI-enabled Switch
3/7 VLAN-1
56
ARP ACL Example

Configuring ARP ACL
(Config)#arp access-list arp_acl_1
IP will apply to both ARP requests and responses. Alternatively you can also specify Request or Response.
(config-arp-nacl)# permit ip host 10.1.1.1 mac host 0000.0001.0002 (config-arp-nacl)# deny ip 10.1.1.0 0.0.0.255 mac any (config-arp-nacl)# permit ip any mac any
Without the static keyword DAI will continue to look for a matching entry in the DHCP Snooping Database if nothing matches the ACL.
Applying ARP ACL to a VLAN

or
(config)# ip arp inspection filter arp_acl_1 vlan 5
(config)# ip arp inspection filter arp_acl_1 vlan 5 static
With the static keyword DAI will use the implicit deny all if no match is found in the ACL...even if a corresponding match IS in the DHCP Snooping DB.
57
Rate-Limiting of ARP traffic

ARP packets are rate-limited to prevent a denialof-service attack on Untrusted interfaces. Default is 15 pps Trusted interfaces are not rate-limited (config-if)# ip arp inspection limit <x> to raise or lower this limit. Exceeding the limit causes the interface to be placed into Errdisable state.
58
The End
59

DHCP Snoop

Uploaded by

Copyright:

Available Formats

DHCP Snoop

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DHCP Snoop

Uploaded by

Copyright:

Available Formats

DHCP Snooping

TAC Virtual Chalk Talk for Partners

2002, Cisco Systems, Inc. All rights reserved.

Mini Primer on DHCP (RFC 2131 and 2132)

DHCP Address Acquisition

TAC Virtual Chalk Talk for Partners

2002, Cisco Systems, Inc. All rights reserved.

DHCP Discover (client-to-server)

TAC Virtual Chalk Talk for Partners

2002, Cisco Systems, Inc. All rights reserved.

DHCP Offer (server-to-client)

TAC Virtual Chalk Talk for Partners

2002, Cisco Systems, Inc. All rights reserved.

DHCP Request (client-to-server)

TAC Virtual Chalk Talk for Partners

2002, Cisco Systems, Inc. All rights reserved.

TAC Virtual Chalk Talk for Partners

2002, Cisco Systems, Inc. All rights reserved.

DHCP ACK (server-to-client)

TAC Virtual Chalk Talk for Partners

2002, Cisco Systems, Inc. All rights reserved.

Several DHCP message types.

Decline Release Inform

DHCP Message Format

TRANSACTION ID (4) SECONDS (2) UNUSED (2)

The GIADDR is stuffed with IP address by IP Helper feature to ID subnet of client

DHCP Spoofing Attack

192.168.1.1/24 IP Helper 195.11.2.1

DHCP Discovery Broadcast Victim

TAC Virtual Chalk Talk for Partners

Router(config-if)# ip dhcp snooping trust

untrusted untrusted Trusted

DHCP Attack Solution: DHCP Snooping

DHCP Binding Table

IP Address MAC Address VLAN Id Lease Timer Port Binding Type

What is allowed to pass (client-to-server)?

DHCP Discover DHCP Request DHCP Decline DHCP Release

untrusted untrusted trusted

What is allowed to pass (server-to-client)?

DHCP Offer DHCP Ack DHCP Nack DHCP Lease Query

untrusted untrusted trusted

TAC Virtual Chalk Talk for Partners

2002, Cisco Systems, Inc. All rights reserved.

What is prevented (untrusted-to-untrusted).

ANY DHCP message

untrusted untrusted trusted

What is prevented (Untrusted Server Packets).

DHCP Offer DHCP Ack DHCP Nack DHCP Lease Query

DHCP Offer DHCP Ack DHCP Nack DHCP Lease Query

untrusted untrusted trusted

What is prevented (Who do you think YOU are??).

DHCP Decline DHCP Release

DHCP Binding Database: MAC- AA = port 3/3

Untrusted port 3/1

What is prevented (No relay for YOU!!).

DHCP packet with non-zero giaddr field.

Untrusted port 3/1

Untrusted port 3/3

TAC Virtual Chalk Talk for Partners