FAQ: What is Dynamic ARP Inspection?
Network security is a big job, especially if you allow public access to a network. If anyone out there can jump in and access your network, you face certain risks.
A specific risk that shows up a lot is ARP spoofing, also called ARP poisoning (the page you are reading is sometimes filed under "IP spoofing", but the forgery happens at the ARP layer). A device on the local network sends forged ARP replies that bind another host's IP address, very often the default gateway's, to its own MAC address. Every host that accepts the forged mapping then sends its traffic for that IP to the attacker, who can read or alter it before passing it on. As a result, any user on the segment might be at risk.
Fortunately, there are measures you can take to prevent these attacks, and one of the most widely deployed on managed switches is dynamic ARP inspection.
Dynamic ARP Inspection
Address resolution protocol (ARP) is a layer 2 function that maps IPv4 addresses to MAC addresses. Each host keeps its own ARP cache, learned from the requests and replies it hears on the segment, and ARP has no authentication: any device can send a reply, and hosts generally accept whatever mapping arrives, even one they never asked for. When one device wants to communicate with another on the same network, it consults this cache to decide which MAC address to put on the frame, so a poisoned cache silently redirects traffic.
Dynamic ARP inspection (DAI) is a switch security feature that intercepts ARP packets and checks that the IP-to-MAC binding they carry is legitimate before forwarding them. Without DAI, a connected device can send forged ARP replies that bind another device's IP address to its own MAC address, which is the basis of a man-in-the-middle attack on the local segment.
DAI stops these attacks by validating each ARP packet that arrives on an untrusted port against a table of known IP-to-MAC bindings, built by DHCP snooping or supplied by the administrator. If the sender IP and sender MAC in the packet don't match a binding, the switch drops the packet and logs the event, so the forged mapping never reaches the other hosts' ARP caches.
How It Works
DAI is a powerful security feature that can prevent problems on publicly accessible (or large) networks. How does it actually work?
The key mechanism is DHCP snooping, which builds the binding table DAI checks against, combined with a per-port trust setting that decides which ports are inspected at all. Below, you'll see how these functions play together along with the downside that stems from this method.
Before DAI can judge ARP packets, it needs two things: a list of valid IP-to-MAC bindings, and a decision about which ports to inspect. The network administrator marks ports that lead to devices under their control (uplinks to other switches, the router, the DHCP server) as trusted, and leaves everything else untrusted (more on that later). That's the starting point.
DAI then relies on DHCP snooping to populate the binding table. The switch watches DHCP exchanges on untrusted ports and records, for each lease handed out, the client's MAC address, the IP address it was assigned, the VLAN and the port. Whenever an ARP packet arrives on an untrusted port, DAI compares the sender IP and sender MAC in the packet to that table. If they match a binding, the packet is forwarded. If there is a mismatch, or no binding at all, it is dropped.
This leads to a notable weakness. The binding table only contains hosts that obtained their address through DHCP while snooping was active. A host with a static IP address never appears in it, so its ARP traffic is dropped on an untrusted port, and the same happens to DHCP clients whose lease was granted before snooping was switched on. The usual fix is to add a static entry to the binding table or an ARP access list that permits the host's IP-to-MAC pair; either way the administrator must maintain those entries by hand, and a stale entry for a reassigned address is a hole in the protection.
How Do You Use DAI?
Now that you know more about how DAI works, we can go over the basics of setting up and managing DAI in a network.
Setting up Trusted Ports
As you have already seen, DAI relies on per-port trust. Trusted ports are excluded from inspection entirely, so you must select them deliberately: they should be only the ports facing devices you control, such as uplinks to other switches that run DAI themselves, or the port leading to the DHCP server.
That’s only step one.
You also need to mark untrusted ports (ports that you cannot guarantee are always safe); on most switches every port is untrusted by default, so this usually means leaving the setting alone. Untrusted ports typically face end hosts. This doesn't mean the end hosts are always malicious, but any port that you cannot thoroughly vet could be used maliciously and thus is not trusted.
If you leave a port to another network device (a switch-to-switch link, for instance) untrusted, ARP packets from every host behind that link are inspected here, and since their bindings live on the other switch, you can create connectivity problems. The idea is that you control the devices on those ports, so they don't need DAI. The reverse mistake is worse: trusting a port that an attacker can plug into disables DAI for that attacker.
Once trust is set and DHCP snooping is populating the binding table, the rest runs automatically. Any time a device tries to claim another host's IP address in an ARP packet, the packet will mismatch the binding table and DAI will drop it. Most switches also let you rate-limit ARP on untrusted ports so a flood of bogus packets cannot exhaust the switch CPU, and can optionally check that the Ethernet source MAC agrees with the sender MAC inside the ARP packet.
In most cases, DAI will log each dropped packet with the port, the VLAN and the offending IP-to-MAC pair, and you can inspect those events as you see fit.
In fact, that's the final key process of managing DAI. You browse the log, and any time DAI blocks traffic from a host that should be allowed, typically a static-IP device, you create an exception by adding a static binding or an ARP access-list entry for that host's IP and MAC pair. Do this rather than trusting the port: a trusted port skips inspection entirely, while the exception keeps the host inspected and lets only its correct binding through. Each exception widens what DAI accepts, so review the list when addresses are reassigned.
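The inspection logic from "How It Works" and the trusted-port and exception handling from this section, modelled in Python as an added example; this is not code from the original page or from any switch vendor. The port names, MAC and IP addresses, DHCP leases, ARP frames and the log line format are all constructed for the example, and the model simplifies real switches in one way: it treats an ARP access-list entry as a permit for exactly that IP-to-MAC pair, checked before the DHCP snooping table, and it also requires the binding's port to match the ingress port. It builds real Ethernet/ARP frames so the parser shows which header fields DAI actually looks at, and it walks through the static-IP case described above: the server's ARP request is dropped until an entry exists for it.

```python
"""Toy model of Dynamic ARP Inspection on one VLAN of a switch.  Added illustration,
not switch code: the ports, addresses, leases, frames and log format are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen op sha spa tha tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6
ArpFrame = namedtuple("ArpFrame", "port eth_src opcode sender_mac sender_ip target_ip")


def mac(text):
    return bytes.fromhex(text.replace(":", ""))  # 'aa:bb:cc:dd:ee:ff' -> 6 bytes


def build_arp(eth_src, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header (14 bytes) + IPv4 ARP body (28 bytes)."""
    eth_dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    body = ARP_BODY.pack(1, 0x0800, 6, 4, opcode, sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                         target_mac, ipaddress.IPv4Address(target_ip).packed)
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + body


def parse_arp(port, frame):
    """Decode the fields DAI checks; None for non-ARP or malformed frames."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    htype, ptype, hlen, plen, op, sha, spa, _, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if ethertype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(port, eth_src, op, sha, str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa)))


@dataclass
class DaiSwitch:
    trusted_ports: set                            # never inspected
    bindings: dict = field(default_factory=dict)  # DHCP snooping table: ip -> (mac, port)
    arp_acl: dict = field(default_factory=dict)   # administrator entries for static hosts: ip -> mac
    log: list = field(default_factory=list)       # what the switch would syslog

    def snoop_dhcp_ack(self, port, client_mac, leased_ip):
        """DHCP snooping: record the lease a server just handed to this port."""
        self.bindings[leased_ip] = (client_mac, port)

    def inspect(self, port, frame):
        """True if the frame is forwarded, False if DAI drops it."""
        if port in self.trusted_ports:
            return True
        arp = parse_arp(port, frame)
        if arp is None:
            return True                           # not ARP: outside DAI's remit
        if arp.eth_src != arp.sender_mac:         # optional source-MAC consistency check
            return self._drop(arp, "Ethernet source MAC differs from ARP sender MAC")
        acl_mac = self.arp_acl.get(arp.sender_ip)
        if acl_mac is not None:                   # ACL entries are consulted before the DHCP table
            return acl_mac == arp.sender_mac or self._drop(arp, "sender differs from ARP ACL entry")
        binding = self.bindings.get(arp.sender_ip)
        if binding is None:
            return self._drop(arp, "no DHCP snooping binding for sender IP")
        if binding != (arp.sender_mac, port):
            return self._drop(arp, f"binding is {binding[0].hex(':')} on {binding[1]}")
        return True

    def _drop(self, arp, reason):
        self.log.append(f"dai drop port={arp.port} op={arp.opcode} sender={arp.sender_ip}/"
                        f"{arp.sender_mac.hex(':')} target={arp.target_ip}: {reason}")
        return False


def demo():
    sw = DaiSwitch(trusted_ports={"Gi1/0/24"})    # constructed: uplink to the next switch
    victim, attacker = mac("aa:aa:aa:00:00:01"), mac("bb:bb:bb:00:00:02")
    server, gateway = mac("cc:cc:cc:00:00:03"), mac("ee:ee:ee:00:00:fe")
    sw.snoop_dhcp_ack("Gi1/0/1", victim, "10.0.0.10")
    sw.snoop_dhcp_ack("Gi1/0/2", attacker, "10.0.0.11")
    r = {}
    # victim answers the gateway: matches its own lease, forwarded
    r["legit_reply"] = sw.inspect("Gi1/0/1", build_arp(victim, ARP_REPLY, victim, "10.0.0.10", gateway, "10.0.0.1"))
    # attacker's gratuitous reply claiming the gateway's IP: no binding, dropped
    r["gateway_spoof"] = sw.inspect("Gi1/0/2", build_arp(attacker, ARP_REPLY, attacker, "10.0.0.1", BROADCAST, "10.0.0.1"))
    # attacker claiming the victim's IP: table says another MAC on another port, dropped
    r["victim_spoof"] = sw.inspect("Gi1/0/2", build_arp(attacker, ARP_REPLY, attacker, "10.0.0.10", gateway, "10.0.0.1"))
    # the real gateway answers over the trusted uplink: never inspected
    r["gateway_real"] = sw.inspect("Gi1/0/24", build_arp(gateway, ARP_REPLY, gateway, "10.0.0.1", victim, "10.0.0.10"))
    # static-IP server: dropped until the administrator adds an ARP ACL entry for it
    req = build_arp(server, ARP_REQUEST, server, "10.0.0.50", b"\x00" * 6, "10.0.0.1")
    r["static_before_acl"] = sw.inspect("Gi1/0/3", req)
    sw.arp_acl["10.0.0.50"] = server
    r["static_after_acl"] = sw.inspect("Gi1/0/3", req)
    return sw, r


if __name__ == "__main__":
    switch, results = demo()
    print(results, *switch.log, sep="\n")
```

Running the file prints the six verdicts and the three log lines a switch would raise. Note where the protection comes from: the gateway's real ARP reply is never checked because it enters on the trusted uplink, while the attacker's copy of the same reply is dropped simply because nothing in the binding table or the ACL says 10.0.0.1 belongs on that MAC and port. The example also shows why trusting ports is the dangerous shortcut: moving Gi1/0/2 into trusted_ports would let both spoofed replies through.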
That covers the essentials of DAI. It’s a great tool, especially for networks where you cannot carefully oversee all users and devices. DAI is a specialized component of network security. It’s great at what it does and offers little outside of that niche process. Fortunately, it’s easy to manage and runs automatically, making it a valuable layer of security in many networks.