15 - Security Services III - DHCP and ARP Inspection Flashcards
What 2 key things do clients use DHCP protocol to do?
- Discover a DHCP server
- Request to lease an address
What are the 4 message types exchanged between a DHCP client and server?
- Discover
- Offer
- Request
- Acknowledgement
What is a DHCP acknowledgement message?
Sent by the DHCP server to assign the address and also list the following:
- Mask
- Default router
- DNS server IPs
What 2 special IP addresses does DHCP make use of for hosts that don’t yet have an IP?
- 0.0.0.0 as the source IP
- 255.255.255.255 (local broadcast) as the destination IP
Where are DHCP Offer messages addressed to?
255.255.255.255
What is included in a DHCP Discover message to uniquely identify a client?
The client ID, which is its MAC address
How do DHCP Offer messages identify who they are intended for, given all hosts receive them?
The client ID (MAC)
How can you allow messages from a centralized DHCP server to traverse beyond the local subnet and back?
Make the device a DHCP Relay
ip helper-address {server ip}
What effects does the ip helper-address command have on messages coming in from DHCP clients?
- Look for incoming DHCP messages with destination 255.255.255.255
- Change the packet's source IP to the router's incoming interface IP
- Change the packet's destination IP to the address of the DHCP server (as configured with the ip helper-address command)
- Route the packet to the DHCP server
What is the name of the feature enabled by the ip helper-address command?
DHCP Relay
What settings must a DHCP server be configured with?
- Subnet ID and Mask
- Reserved (excluded) addresses
- Default router(s)
- DNS IPs
What are the 3 DHCP Allocation modes?
- Dynamic
- Automatic
- Static
What does Automatic DHCP allocation mode do?
Sets the DHCP lease time to infinite
What does Static DHCP allocation mode do?
Pre-configures an IP for a client based on a specific MAC address
What 2 criteria identify interfaces that need to have DHCP Relay enabled?
- DHCP Clients exist in the subnet
- DHCP Servers do NOT exist in the subnet
How would you configure a switch to use DHCP to lease an address?
interface vlan 1
ip address dhcp
no shutdown
show interfaces vlan 1
How can you view details about DHCP configuration for interfaces on that device?
show dhcp lease
How can a router distribute a default route learned on its internet-facing interface from the ISP into the rest of the network?
Using an interior routing protocol such as OSPF
How do you configure an IP to be obtained from DHCP on an interface?
ip address dhcp
What does IOS display default routes learned from DHCP as?
A static route with an administrative distance of 254
What does IOS use to identify routes that are DHCP learned default routes?
An administrative distance of 254
What settings does a host need to work correctly for IPv4?
- Self IP and Subnet mask
- DNS IPs
- Default gateway (router) IP
How would you view the IP routing table on a Windows or Mac host?
netstat -rn
How would you view the default gateway and DNS servers on a Mac, given the ifconfig command doesn't show them?
networksetup -getinfo
networksetup -getdnsservers
How does DHCP Snooping work?
The switch analyzes incoming DHCP messages on a specified set of ports in a VLAN, applying different rules depending on whether each port is trusted or untrusted.
If messages appear on
What layer does DHCP Snooping operate at?
Layer 2
What are DHCP RELEASE and DECLINE messages?
Clients can use DHCP RELEASE to tell the server they don’t need the IP assigned to them anymore
Clients can use DHCP DECLINE to turn down the use of an IP during the DORA flow
What are the DHCP Snooping rules for an untrusted interface?
- Discard any message of a type normally sent only by servers
- Filter client DISCOVER and REQUEST messages, checking that the source MAC in the Ethernet frame matches the client MAC in the DHCP message
- Filter client RELEASE and DECLINE messages, checking the incoming interface and IP against the DHCP Snooping binding table
- For messages not filtered that result in a DHCP release, add a new entry to the binding table
What is the chaddr?
Client Hardware Address field in a DHCP message
What is the DHCP Snooping Binding Table?
A table that keeps track of DHCP addresses that are assigned through switch ports. A map of MACs to IPs
What is in a DHCP Snooping Binding Table entry?
- Client MAC
- IP
- DHCP Lease time
- VLAN number
- Interface
How do you enable DHCP Snooping on a switch?
ip dhcp snooping
ip dhcp snooping vlan 11
no ip dhcp snooping information option
Optional (mark an interface as trusted):
interface Ge0/1
ip dhcp snooping trust
How do you enable an interface to be trusted by DHCP Snooping?
ip dhcp snooping trust
How do you show DHCP Snooping config information?
show ip dhcp snooping
What does “Insertion of option 82 is disabled” mean?
That insertion of the Option 82 DHCP header field (normally added by DHCP relay agents) is disabled, which is necessary when the switch is not acting as a relay agent (this applies to L3 switches too)
How do you make DHCP Snooping work on a switch that is NOT also a DHCP relay agent?
Disable the Option 82 feature:
no ip dhcp snooping information option
How does DHCP Snooping prevent attacks that overwhelm it with large volumes of messages?
An optional rate-limiting feature tracks the number of incoming DHCP messages over a 1 second period and, if the limit is exceeded, moves the port into the err-disabled state
How can you set the DHCP Snooping rate limit?
Interface subcommand:
ip dhcp snooping limit rate {number}
How do you allow an interface to automatically recover from being moved into err-disabled by DHCP Snooping rate limit trigger?
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 30
What two sources of data does DAI's core feature compare incoming ARP messages with?
- DHCP Snooping binding table
- ARP ACLs
What is gratuitous ARP?
An ARP reply message sent without having received a request. Essentially a host informing all hosts in the subnet about its MAC address
What do gratuitous ARPs allow attackers to do?
Make other hosts change their ARP tables
What does the DHCP Snooping feature record about a DHCP message?
The IP address leased to a host and that host's MAC
What does DAI do for untrusted ports?
Compares the ARP message's origin (sender) IP and MAC to entries in the DHCP Snooping binding table.
It lets the ARP message through only if the IP and MAC match an entry in the table
What type of ports should be trusted by DAI?
Anything other than links to end user devices
What are ARP ACLs?
Lists of statically configured, known-correct IP/MAC pairs used by DAI.
DAI checks both the DHCP Snooping binding table and these ARP ACLs
What other message comparisons can be made that cause an ARP message to be discarded?
- Ethernet header Source MAC != Origin MAC
- ARP Replies where Destination MAC != Target MAC
- Messages with unexpected IPs in the two ARP IP fields
True/False: DAI does its work in the switch CPU and DHCP Snooping does its work in the switch ASIC
False. They both do their work on the CPU
What is the downside of DAI with respect to DoS?
Because it does its work on the CPU, it is susceptible to DoS attacks
True/False: DAI defaults to the ‘untrusted’ setting
True
How do you enable ARP inspection?
ip arp inspection vlan 11
interface Ge0/1
ip arp inspection trust
What happens if you just enable DAI but not DHCP Snooping or configure ARP ACLs?
The switch would filter all ARPs entering all untrusted ports in the configured VLAN
How do you show ARP inspection information including variables and counters?
show ip arp inspection
How do you show the DHCP Snooping binding table?
show ip dhcp snooping binding
How do you show ARP inspection statistics?
show ip arp inspection statistics
What is a key difference between DAI and DHCP Snooping rate limiting with respect to defaults?
DAI defaults to use rate limits for all interfaces (trusted and untrusted)
DHCP Snooping defaults to not using rate limits
What is a key difference between DAI and DHCP Snooping rate limiting with respect to intervals?
DAI allows configuration of the burst interval (number of seconds over which the rate is measured)
DHCP Snooping does not define a burst setting
How do you allow automatic recovery from the errdisable state when ARP inspection was the cause?
errdisable recovery cause arp-inspection
errdisable recovery interval 30
How do you modify the rate limit settings for ARP inspection?
ip arp inspection limit rate 8 burst interval 4
What are the default rate limit and burst settings for ARP inspection?
15 messages over a 1 second burst
How do you view ARP inspection settings for each interface?
show ip arp inspection interfaces
How do you enable additional ARP inspection options?
ip arp inspection validate { dst-mac | ip | src-mac }
True/False: DHCP Snooping could be implemented on L2 switches
True