IPv4 address resolution and router discovery rely on heuristic, operational rules to mitigate attacks on the BN1 and AR1 interfaces. IPv4 has no address autoconfiguration mechanism comparable to stateless autoconfiguration (addresses are configured statically or obtained through DHCP), so there is no autoconfiguration protocol to secure.
Address resolution in IPv4 is performed by the Address Resolution Protocol (ARP).
Attacks on ARP are called "ARP spoofing." In these attacks, the attacker answers an ARP request for the victim's IP address with an ARP reply that carries the attacker's own link layer (MAC) address. The node that sent the request installs the incorrect IP-to-link-layer mapping in its mapping table, called the ARP cache, and from then on sends the victim's traffic to the attacker. Because most IPv4 stacks also accept unsolicited ARP replies, the attacker need not even wait for a request. By poisoning the caches of both endpoints (for example a host and its default router), the attacker inserts itself as a man in the middle and can inspect or modify traffic between the two nodes. One way to prevent ARP spoofing is to not use the protocol at all, and instead install static tables on the routers and hosts that resolve each IP address to its link address. However, this technique is not practical in wireless networks, since IP addresses are assigned dynamically and subnets can support many clients.
A more practical method that is commonly used in existing products is DHCP snooping combined with ARP inspection and validation (often called dynamic ARP inspection). The switches within a switched LAN treat server-facing ports as trusted and client ports as untrusted; they watch the DHCP exchange as an IPv4 node initially configures its IP address and record the valid link layer address to IP address binding from the DHCP reply, keyed to the client's port. Later, when an ARP packet (request or reply) arrives on an untrusted port, the switch compares the sender IP address and link layer address in the packet with the recorded bindings, and if the two do not match, the packet is dropped. This prevents an attacker from substituting its link layer address for the victim's. The defense fails if the attacker changes its link layer address to match the victim's: the IP to link layer address mapping in the forged ARP packet now agrees with the switch's table, but link layer delivery of packets is disrupted because there are two network interface cards with the same link layer address on the link, and the switch's learned forwarding entry for that address flaps between the two ports. If the attacker's intention is to disrupt packets to the victim, this will certainly do it. Deterring link address spoofing requires controlling which link layer addresses may appear on which ports: switch port security (limiting a port to a fixed or maximum set of link layer addresses) is the simple form, and 802.1X network access authentication is the stronger one, because 802.1X ties a port's authorized state to the device that authenticated on it and thereby locks down what link addresses are allowed on specific ports.
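To make the mechanics above concrete, here is an added example (not code from the original page): a small simulation of the ARP cache poisoning described earlier, of the DHCP-snooping plus ARP-inspection check, and of the MAC-cloning case that slips past it. Everything in it is constructed for illustration: the addresses, the port numbers, the forged packets, and the per-port "locked MAC" rule, which stands in for the effect of 802.1X or port security rather than modelling either protocol.

```python
# Added example, not code from the original page: ARP spoofing against an
# unprotected ARP cache, the DHCP-snooping + ARP-inspection defence, and the
# MAC-cloning case that slips past it. All addresses, ports and packets are
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed topology: gateway/DHCP server behind trusted port 1, victim on port 2,
# attacker on port 3.
GW_IP, GW_MAC = "10.0.0.1", "00:00:5e:00:01:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.10", "aa:aa:aa:aa:aa:aa"
ATTACKER_MAC = "bb:bb:bb:bb:bb:bb"
GW_PORT, VICTIM_PORT, ATTACKER_PORT = 1, 2, 3

@dataclass(frozen=True)
class Arp:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str
    port: int          # switch port the frame arrived on

def learn_arp(cache: Dict[str, str], my_ip: str, pkt: Arp) -> None:
    """An unprotected ARP cache installs whatever a reply addressed to it says.
    Most stacks also accept unsolicited replies, so no request need precede this."""
    if pkt.op == "reply" and pkt.target_ip == my_ip:
        cache[pkt.sender_ip] = pkt.sender_mac

class Switch:
    """DHCP snooping + ARP inspection + a learned MAC table, plus an optional
    per-port allowed MAC (a simplified stand-in for 802.1X / port security)."""

    def __init__(self, trusted_ports: Set[int]) -> None:
        self.trusted = trusted_ports
        self.bindings: Dict[str, str] = {}    # ip -> mac, from snooped DHCPACKs
        self.mac_table: Dict[str, int] = {}   # mac -> port, learned from frames
        self.locked: Dict[int, str] = {}      # port -> the only MAC allowed on it

    def snoop_dhcp_ack(self, client_ip: str, client_mac: str, port: int) -> None:
        if port in self.trusted:              # server replies count only from trusted ports
            self.bindings[client_ip] = client_mac

    def inspect_arp(self, pkt: Arp) -> Tuple[bool, str]:
        """Compare sender IP/MAC of an ARP packet from an untrusted port with
        the snooped binding; the switch drops the packet on mismatch."""
        if pkt.port in self.trusted:
            return True, "trusted port, not inspected"
        bound = self.bindings.get(pkt.sender_ip)
        if bound is None:
            return False, "no DHCP binding for sender IP"
        if bound != pkt.sender_mac:
            return False, "sender MAC disagrees with DHCP binding"
        return True, "sender IP/MAC matches DHCP binding"

    def ingress(self, src_mac: str, port: int) -> bool:
        """Port lockdown check, then source-MAC learning. A MAC sent from two
        ports makes the learned entry flap, so delivery to it is disrupted."""
        if port in self.locked and self.locked[port] != src_mac:
            return False
        self.mac_table[src_mac] = port
        return True

def forged_reply(sender_mac: str) -> Arp:
    """Attacker's unsolicited 'VICTIM_IP is at <sender_mac>' aimed at the gateway."""
    return Arp("reply", VICTIM_IP, sender_mac, GW_IP, GW_MAC, ATTACKER_PORT)

def inspecting_switch() -> Switch:
    sw = Switch(trusted_ports={GW_PORT})
    sw.snoop_dhcp_ack(VICTIM_IP, VICTIM_MAC, GW_PORT)   # seen in the victim's DHCPACK
    return sw

def spoof_unprotected() -> str:
    """No inspection: the gateway now resolves the victim's IP to the attacker."""
    gw_cache: Dict[str, str] = {}
    learn_arp(gw_cache, GW_IP, forged_reply(ATTACKER_MAC))
    return gw_cache[VICTIM_IP]

def spoof_with_inspection() -> Tuple[bool, str]:
    """Same forged reply through a switch with snooping + inspection: dropped."""
    return inspecting_switch().inspect_arp(forged_reply(ATTACKER_MAC))

def clone_mac_bypass() -> Tuple[bool, Optional[int]]:
    """Attacker clones the victim's MAC: inspection passes, and the MAC table
    now points frames for the victim at the attacker's port."""
    sw = inspecting_switch()
    sw.ingress(VICTIM_MAC, VICTIM_PORT)
    accepted, _ = sw.inspect_arp(forged_reply(VICTIM_MAC))
    sw.ingress(VICTIM_MAC, ATTACKER_PORT)
    return accepted, sw.mac_table.get(VICTIM_MAC)

def clone_mac_with_lockdown() -> bool:
    """With one MAC bound per port, the cloned frame is refused at ingress."""
    sw = inspecting_switch()
    sw.locked = {VICTIM_PORT: VICTIM_MAC, ATTACKER_PORT: ATTACKER_MAC}
    sw.ingress(VICTIM_MAC, VICTIM_PORT)
    return sw.ingress(VICTIM_MAC, ATTACKER_PORT)
```

Running the four scenario functions in order shows the progression in the text: the unprotected cache ends up mapping the victim's IP to the attacker's MAC; the inspecting switch drops that same reply; a reply that clones the victim's MAC passes inspection but leaves the switch forwarding the victim's frames to the attacker's port; and only the per-port MAC lockdown refuses the cloned frame at the point where it enters the switch.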