[168240] in North American Network Operators' Group
Re: Proxy ARP detection (was re: best practice for advertising
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Thu Jan 16 00:18:03 2014
In-Reply-To: <52D764CB.3030509@kenweb.org>
From: Jimmy Hess <mysidia@gmail.com>
Date: Wed, 15 Jan 2014 23:17:29 -0600
To: ML <ml@kenweb.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Jan 15, 2014 at 10:49 PM, ML <ml@kenweb.org> wrote:
>
> Shouldn't ARP inspection be a common feature?
>
Dynamic ARP inspection is mostly useful only when the trusted ports
receive their MAC to IP address mapping from a trusted DHCP server, and
the trusted mapping is established using DHCP snooping.

Or else, you have manually entered entries in the secure ARP database of
MAC to IP mappings, which most operators would be resistant to dealing
with because of all the extra work.

-It's not as if the switches know what the valid subnets are and suppress
ARP requests for outside networks.

Therefore, in most cases, ARP inspection won't be used, except for DHCP
clients.
ARP inspection goes hand-in-hand with increasing resistance against a Man
in the Middle attack from a compromised workstation on a LAN, using ARP
hijacking to capture traffic or distribute malware to a neighboring
workstation.
In most cases, DHCP-based configuration will not be used for routers (the
very devices that might inadvertently have proxy-arp)....
--
-JH
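As an added illustration of the dependency the post describes (this is not code from the post or from any switch vendor): a minimal model of the DAI verdict path, with a constructed binding table standing in for what DHCP snooping would learn, and a statically addressed router that is dropped on an untrusted port until an operator enters it by hand. Port names, addresses and MACs are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    """The fields DAI looks at: ingress port plus the ARP sender pair."""
    port: str
    sender_ip: str
    sender_mac: str


@dataclass
class DaiPolicy:
    trusted_ports: set = field(default_factory=set)     # uplinks, DHCP server port
    dhcp_bindings: dict = field(default_factory=dict)   # ip -> mac, from DHCP snooping
    static_entries: dict = field(default_factory=dict)  # ip -> mac, typed in by operator

    def verdict(self, pkt: ArpPacket) -> str:
        # Trusted ports bypass inspection entirely.
        if pkt.port in self.trusted_ports:
            return "permit:trusted-port"
        # Operator-entered entries are consulted first, then DHCP snooping bindings.
        for source, table in (("static", self.static_entries), ("dhcp", self.dhcp_bindings)):
            expected = table.get(pkt.sender_ip)
            if expected is not None:
                return f"permit:{source}" if expected == pkt.sender_mac else f"drop:{source}-mismatch"
        # No binding at all: the switch has nothing to validate the claim against.
        return "drop:no-binding"


def run_scenarios() -> dict:
    """Constructed LAN: one DHCP client on Gi1/0/1, one static router on Gi1/0/2."""
    policy = DaiPolicy(
        trusted_ports={"Gi1/0/48"},
        dhcp_bindings={"192.0.2.10": "00:00:5e:00:53:10"},
    )
    client_ok = ArpPacket("Gi1/0/1", "192.0.2.10", "00:00:5e:00:53:10")
    client_spoof_gw = ArpPacket("Gi1/0/1", "192.0.2.1", "00:00:5e:00:53:10")
    router = ArpPacket("Gi1/0/2", "192.0.2.1", "00:00:5e:00:53:01")
    results = {
        "dhcp client, matching binding": policy.verdict(client_ok),
        "client claiming gateway IP": policy.verdict(client_spoof_gw),
        "static router, no entry": policy.verdict(router),
    }
    # The operator adds the router by hand; the very same packet is now permitted.
    policy.static_entries["192.0.2.1"] = "00:00:5e:00:53:01"
    results["static router, after manual entry"] = policy.verdict(router)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:40s} -> {outcome}")
```

The third scenario is the operational cost the post points at: a router that never spoke DHCP is indistinguishable from a spoofer until someone maintains the static table or marks its port trusted.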