What is DAI?

Today I am going to talk about DAI. DAI is a layer 2 feature available on most Cisco switches. It stands for “Dynamic ARP Inspection”, and it is vital for protecting the network from ARP-based attacks such as MITM, ARP spoofing and even DoS attacks that are ARP related (*it is important to note that the DoS attack MUST be ARP related*). DAI works by sorting ports into two categories: trusted ports and untrusted ports. By default, when a switch is turned on without any configuration, ports are untrusted. The usual configuration is to make the uplink ports trusted (the ports that connect to other switches, to DHCP servers, or to routers).

Untrusted ports, on the other hand, are usually access ports that connect to end devices. Access ports are more exposed to attack because most spoofed messages are frames sent from end devices. The messages most commonly spoofed are gratuitous ARP, ARP requests, and ARP replies that answer a legitimate ARP request. If one of these messages is accepted by a legitimate host, the attacker can bind a legitimate host's IP address to the attacker's MAC address. This is bad because all frames and messages that are supposed to go to that legitimate IP address are sent to the attacker instead. The attacker can then do several things, such as recording the data in the frames and forwarding them on to the real host so the host doesn't notice anything, or intercepting the frames and discarding them, causing a DoS attack.

DAI fixes this, or at least tamps down these attacks, by inspecting ARP packets before the frame is forwarded across the network. Before I dive into DAI, there is one thing that MUST be enabled before DAI can operate properly: another layer 2 feature called “DHCP Snooping”. This is a topic for another day, so I will keep it short. DHCP snooping stops rogue DHCP servers and DHCP starvation attacks by verifying client DHCP messages and automatically blocking server DHCP messages on untrusted ports. DHCP snooping maintains a database called the “DHCP binding table”, which records each legitimate client's IP-to-MAC mapping, IP lease time, VLAN, and interface. DAI uses this DHCP binding table to verify every ARP message.

As you probably know, ARP maps IP addresses to MAC addresses, so this is the perfect database for verifying legitimate clients. Before an ARP message arriving on an untrusted port is forwarded across the network, it is intercepted by DAI. DAI inspects the ARP request, ARP reply or gratuitous ARP and looks up the sender IP address and sender MAC address in the DHCP binding table to see whether they match an entry. If there is an entry with a matching IP and MAC, the frame is allowed to travel on to its destination. If there is no IP-to-MAC mapping for that host, or the IP is right but the MAC is different, or the MAC is right but the IP is wrong, the frame is dropped and never transmitted onto the network.

Without a matching IP-to-MAC entry in a legitimate database (the DHCP binding table), illegitimate ARP traffic will, for the most part, never get onto the network. You've probably noticed that it is a DHCP binding table, so what about statically assigned IP addresses? If you thought of that, you are most certainly correct. DAI does not only work with the DHCP binding table: if there are hosts with static IPs on your network that need to send frames, it uses another database to verify those addresses. The table DAI checks for static IPs is a static ARP ACL. This table has to be configured manually, and once the ACL is built and explicitly applied to DAI, the same verification process is repeated against this second database. Static ARP entries must match the IP-to-MAC pair in the static ARP ACL; if neither a DHCP binding nor a static ARP ACL entry exists, the ARP packet is dropped on untrusted ports. I hope this article has given you a clear understanding of what DAI is, how it works and why it is needed!
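To make the decision process described above concrete, here is a small Python model of the DAI lookups: trusted port, then DHCP binding table, then static ARP ACL. This is an added example, not Cisco's implementation; the binding table contents, ARP ACL, port names and the order of the two table lookups are constructed assumptions of the model.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    FORWARD = "forward"
    DROP = "drop"

@dataclass(frozen=True)
class ArpPacket:
    """The fields DAI looks at in an inbound ARP request, reply or gratuitous ARP."""
    sender_ip: str
    sender_mac: str
    vlan: int
    ingress_port: str

def normalize_mac(mac: str) -> str:
    """Compare MACs regardless of notation (0011.2233.4455 vs 00:11:22:33:44:55)."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")

# Constructed DHCP snooping binding table: (vlan, ip) -> MAC learned from DHCP.
BINDING_TABLE = {
    (10, "10.0.10.21"): "0011.2233.4455",
    (10, "10.0.10.22"): "0011.2233.6677",
}
# Constructed static ARP ACL for a host with a manually assigned address.
ARP_ACL = {(10, "10.0.10.50"): "00aa.bbcc.dd01"}
# Constructed uplink port to the next switch/router: ARP arriving here is not inspected.
TRUSTED_PORTS = {"Gi1/0/24"}

def inspect(pkt: ArpPacket) -> tuple[Verdict, str]:
    """Apply the DAI checks in order: port trust, DHCP binding, then static ARP ACL."""
    if pkt.ingress_port in TRUSTED_PORTS:
        return Verdict.FORWARD, "trusted port, ARP not inspected"
    key = (pkt.vlan, pkt.sender_ip)
    mac = normalize_mac(pkt.sender_mac)
    for name, table in (("DHCP binding", BINDING_TABLE), ("static ARP ACL", ARP_ACL)):
        expected = table.get(key)
        if expected is None:
            continue  # no entry for this IP in this table; try the next one
        if normalize_mac(expected) == mac:
            return Verdict.FORWARD, f"sender IP/MAC matches {name}"
        # Right IP, wrong MAC: the classic ARP spoofing pattern
        return Verdict.DROP, f"sender IP has {name} entry for {expected}, MAC differs"
    return Verdict.DROP, "no DHCP binding or ARP ACL entry for sender IP"
```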
