DHCP Authorized ARP
The DHCP Authorized ARP feature enhances the Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) components of the Cisco IOS software to limit the leasing of IP addresses to mobile users to authorized users. This feature enhances security in public wireless LANs (PWLANs) by blocking ARP responses from unauthorized users at the DHCP server.
Feature History for the DHCP Authorized ARP Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Restrictions for DHCP Authorized ARP
• Information About DHCP Authorized ARP
• How to Configure DHCP Authorized ARP
• Configuration Examples for DHCP Authorized ARP
Restrictions for DHCP Authorized ARP
When this feature is configured on an interface, dynamic learning of ARP for that interface is disabled.
This feature is supported only on Ethernet interfaces.
Information About DHCP Authorized ARP
Before you configure this feature, you should understand the following concepts:
• Security Vulnerabilities in Public Wireless LANs
• DHCP Authorized ARP Feature Design
• Benefits of DHCP Authorized ARP
Security Vulnerabilities in Public Wireless LANs
Wireless networking is gaining popularity. As more people start using PWLANs, security becomes an important concern. Most implementations of PWLANs rely on DHCP for users to obtain an IP address while in a hot spot (such as a coffee shop, airport terminal, hotel, and so on) and use this IP address provided by the DHCP server throughout their session.
IP spoofing is a common technique in which an attacker assumes the IP address of another host. For example, customer A obtains an IP address from DHCP and has already been authenticated to use the PWLAN, but a hacker spoofs the IP address of customer A and uses it to send and receive traffic. Customer A will still be billed for the service even though he or she is not using it.
DHCP Authorized ARP Feature Design
Two features have been designed and implemented to address the security concerns in PWLANs. The first is the DHCP Secured Address Assignment feature introduced in Cisco IOS Release 12.2(15)T. This feature secures ARP table entries to DHCP leases in the DHCP database. See DHCP Secured IP Address Assignment feature documentation for more information.
The second feature is DHCP Authorized ARP. This feature provides a complete solution by addressing the need for DHCP to explicitly know when a user logs out. Before the introduction of this feature, there was no mechanism to inform the DHCP server that a user had left the system ungracefully, which could result in excessive billing for a customer who had logged out without the system detecting it. To prevent this problem, the DHCP Authorized ARP feature sends periodic ARP messages on a per-minute basis to determine whether a user is still logged in. Only authorized users can respond to the ARP request. Unauthorized ARP responses are blocked at the DHCP server, providing an extra level of security.
In addition, DHCP Authorized ARP disables dynamic ARP learning on an interface. The address mapping can be installed only by the authorized component specified by the authorized arp interface configuration command. DHCP is the only authorized component currently allowed to install ARP entries.
Benefits of DHCP Authorized ARP
This feature enhances security in PWLANs by blocking ARP responses from unauthorized users at the DHCP server.
How to Configure DHCP Authorized ARP
This section contains the following procedures:
• Securing ARP Table Entries to DHCP Leases (required)
• Configuring DHCP Authorized ARP (required)
Securing ARP Table Entries to DHCP Leases
When the update arp command is used, ARP table entries and their corresponding DHCP leases are secured automatically for all new leases and DHCP bindings. However, existing active leases are not secured. These leases are still insecure until they are renewed. When the lease is renewed, it is treated as a new lease and will be secured automatically. If this command is disabled on the DHCP server, all existing secured ARP table entries will automatically change to dynamic ARP entries.
This task describes how to secure ARP table entries to DHCP leases:
SUMMARY STEPS
1. enable
2. configure terminal
3. ip dhcp pool pool-name
4. update arp
DETAILED STEPS
Configuring DHCP Authorized ARP
This task describes how to disable dynamic ARP learning on an interface.
Restrictions
If both static and authorized ARP are installing the same ARP entry, static configuration overrides authorized ARP. You can install a static ARP entry by using the arp global configuration command. You can only remove a nondynamic ARP entry by the same method in which it was installed.
The ARP timeout period should not be set to less than 30 seconds. The feature is designed to send out an ARP message every 30 seconds, beginning 90 seconds before the ARP timeout period specified by the arp timeout command. This behavior allows the client to be probed at least three times before the entry is given up. If the ARP timeout is set to 60 seconds, an ARP message is sent twice, and if it is set to 30 seconds, an ARP message is sent once. An ARP timeout period of less than 30 seconds can yield unpredictable results.
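The following Python model is an added example (not Cisco code) that encodes the rules stated in the "DHCP Authorized ARP Feature Design" text and in the restriction above: dynamic ARP learning is off, only the DHCP subsystem installs a mapping, the router probes every 30 seconds starting 90 seconds before the arp timeout expires, and only a reply carrying the MAC bound to the lease refreshes the timer. The probe offsets, the class and function names, and the scenario hosts other than the 10.0.0.3 lease taken from the configuration example are assumptions of this model.

```python
"""Model of the ARP-entry lifecycle under `arp authorized` with `update arp`.

Added example, not Cisco code. Treating the probe schedule as fixed offsets
from the last refresh of the entry is an assumption of this model.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PROBE_INTERVAL = 30  # seconds between probes (Restrictions text)
PROBE_LEAD = 90      # probing starts this long before the entry times out


def probe_schedule(arp_timeout: int) -> list[int]:
    """Seconds after the last refresh at which a probe is sent.

    Reproduces the document's counts: timeout >= 90 -> three probes,
    60 -> two, 30 -> one.
    """
    if arp_timeout < PROBE_INTERVAL:
        raise ValueError("arp timeout below 30 seconds gives unpredictable results")
    first = max(arp_timeout - PROBE_LEAD, 0)
    return list(range(first, arp_timeout, PROBE_INTERVAL))


@dataclass
class AuthorizedArpInterface:
    """ARP cache of one interface configured with `arp authorized` (hypothetical class)."""
    arp_timeout: int
    # ip -> (mac, seconds left before the entry expires)
    table: dict[str, tuple[str, int]] = field(default_factory=dict)
    rejected: list[tuple[str, str]] = field(default_factory=list)

    def learn_dynamic(self, ip: str, mac: str) -> bool:
        """Unsolicited ARP seen on the wire: never installed, learning is off."""
        self.rejected.append((ip, mac))
        return False

    def install_from_dhcp(self, ip: str, mac: str) -> None:
        """`update arp`: a DHCP lease installs the secured mapping."""
        self.table[ip] = (mac, self.arp_timeout)

    def arp_reply(self, ip: str, mac: str) -> bool:
        """A reply to a probe refreshes the timer only from the bound MAC."""
        entry = self.table.get(ip)
        if entry is None or entry[0].lower() != mac.lower():
            self.rejected.append((ip, mac))
            return False
        self.table[ip] = (entry[0], self.arp_timeout)
        return True

    def tick(self, seconds: int) -> list[str]:
        """Advance time; return the IPs whose entries expired."""
        expired = []
        for ip, (mac, left) in list(self.table.items()):
            left -= seconds
            if left <= 0:
                expired.append(ip)
                del self.table[ip]
            else:
                self.table[ip] = (mac, left)
        return expired


def run_scenario() -> dict:
    """Router 1 of the configuration example: arp timeout 60, one lease."""
    iface = AuthorizedArpInterface(arp_timeout=60)
    iface.install_from_dhcp("10.0.0.3", "0004.dd0c.ffcb")  # lease from the page
    # constructed: a host tries to have its mapping learned dynamically
    learned = iface.learn_dynamic("10.0.0.9", "0000.0000.0009")
    # constructed: a different MAC answers the probe for 10.0.0.3
    spoof_refreshed = iface.arp_reply("10.0.0.3", "0000.0000.beef")
    iface.tick(30)
    real_refreshed = iface.arp_reply("10.0.0.3", "0004.dd0c.ffcb")
    left_after_refresh = iface.table["10.0.0.3"][1]
    expired = iface.tick(60)  # the client stays silent for a full timeout
    return {
        "dynamic_learned": learned,
        "spoof_refreshed": spoof_refreshed,
        "real_refreshed": real_refreshed,
        "left_after_refresh": left_after_refresh,
        "expired": expired,
        "rejected": iface.rejected,
    }


if __name__ == "__main__":
    print(probe_schedule(60), run_scenario())
```

The scenario shows the two outcomes the feature is designed for: a reply from the bound MAC resets the entry to the full arp timeout, while a reply for the same address from any other MAC is discarded and cannot keep the entry alive, so the entry expires once the authorized client stops answering.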
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. arp authorized
6. arp timeout seconds
7. end
8. show arp
DETAILED STEPS
Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface type number
Example: Router(config)# interface ethernet 1
Purpose: Configures an interface type and enters interface configuration mode.

Step 4
Command or Action: ip address ip-address mask
Example: Router(config-if)# ip address 168.71.6.23 255.255.255.0
Purpose: Sets a primary IP address for an interface.

Step 5
Command or Action: arp authorized
Example: Router(config-if)# arp authorized
Purpose: Disables dynamic ARP learning on an interface.
• The IP address to MAC address mapping can only be installed by the authorized subsystem.

Step 6
Command or Action: arp timeout seconds
Example: Router(config-if)# arp timeout 60
Purpose: Configures how long an entry remains in the ARP cache.
• Do not set the timeout period to less than 30 seconds, as discussed in the "Restrictions" section.

Step 7
Command or Action: end
Example: Router(config-if)# end
Purpose: (Optional) Exits configuration mode and returns to privileged EXEC mode.

Step 8
Command or Action: show arp
Example: Router# show arp
Purpose: (Optional) Displays the entries in the ARP table.
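Step 8 only lists the ARP table; it does not show which entries are owned by DHCP leases. The following Python script is an added example (not Cisco code) that parses show arp output in the layout used by this document's verification example and cross-checks every client entry in the pool's range against the DHCP server's bindings. The show arp text and the binding list are constructed to mirror the configuration example; the function names and the assumption that the bindings are available as an IP-to-MAC dictionary (on a real server they would be read from the DHCP binding database) are not from the page.

```python
"""Audit a `show arp` listing against the DHCP bindings that should own it.

Added example, not Cisco code. Under `arp authorized` with `update arp`,
every client entry inside the pool's range should match a DHCP lease with
the same MAC; anything else deserves a look.
"""
import re
from ipaddress import ip_address, ip_network

# constructed sample in the document's `show arp` layout (Router 1)
SHOW_ARP = """\
Router1# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.3                0   0004.dd0c.ffcb  ARPA   Ethernet0
Internet  10.0.0.1                -   0004.dd0c.ff86  ARPA   Ethernet0
"""

# constructed: the DHCP server's lease table (ip -> bound MAC)
DHCP_BINDINGS = {"10.0.0.3": "0004.dd0c.ffcb"}
POOL = ip_network("10.0.0.0/24")      # `network 10.0.0.0 255.255.255.0`
INTERFACE_ADDRESSES = {"10.0.0.1"}    # the router's own address (age "-")

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>\S+)\s+(?P<iface>\S+)$"
)


def parse_show_arp(text: str) -> list:
    """Return one dict per ARP entry; the prompt and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit(entries, bindings, pool, own_addresses) -> list:
    """Flag pool entries with no lease, or whose MAC differs from the lease."""
    findings = []
    for e in entries:
        ip = e["ip"]
        if ip in own_addresses or ip_address(ip) not in pool:
            continue
        bound = bindings.get(ip)
        if bound is None:
            findings.append((ip, "no DHCP binding; unexpected under arp authorized"))
        elif bound.lower() != e["mac"].lower():
            findings.append((ip, f"MAC {e['mac']} differs from bound MAC {bound}"))
    return findings


if __name__ == "__main__":
    print(audit(parse_show_arp(SHOW_ARP), DHCP_BINDINGS, POOL, INTERFACE_ADDRESSES))
```

A clean table produces no findings. An entry in the pool range with no lease, or with a MAC other than the one bound to the lease, is reported for review; remember that a static entry installed with the arp global configuration command overrides authorized ARP and is a legitimate reason for such a mismatch.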
Configuration Examples for DHCP Authorized ARP
This section contains the following configuration examples:
• DHCP Authorized ARP: Example
• Verifying DHCP Authorized ARP: Example
DHCP Authorized ARP: Example
Router 1 is the DHCP server that assigns IP addresses to the routers that are seeking IP addresses, and Router 2 is the DHCP client configured to obtain its IP address through the DHCP server. Because the update arp DHCP pool configuration command is configured on Router 1, it will install a secure ARP entry in its ARP table. The arp authorized command stops dynamic ARP learning on that interface. Router 1 will send periodic ARPs to Router 2 to make sure that the client is still active. Router 2 responds with an ARP reply. Unauthorized clients cannot respond to these periodic ARPs. The unauthorized ARP responses are blocked at the DHCP server. The timer for the entry is refreshed on Router 1 upon receiving the response from the authorized client.
See Figure 1 for an example topology.
Figure 1 Example Topology for DHCP Authorized ARP
Router 1 (DHCP Server)
ip dhcp pool name1
 network 10.0.0.0 255.255.255.0
 lease 0 0 20
 update arp
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 half-duplex
 arp authorized
 arp timeout 60

Router 2 (DHCP Client)
interface Ethernet0/0
 ip address dhcp
 half-duplex

Verifying DHCP Authorized ARP: Example
The following is the output for the show arp command on Router 1:
Router1# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.3                0   0004.dd0c.ffcb  ARPA   Ethernet0
Internet  10.0.0.1                -   0004.dd0c.ff86  ARPA   Ethernet0
The following is the output for the show arp command on Router 2:
Router2# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.3                -   0004.dd0c.ffcb  ARPA   Ethernet0/0
Internet  10.0.0.1                0   0004.dd0c.ff86  ARPA   Ethernet0/0
Additional References
The following sections provide references related to the DHCP Authorized ARP feature.
Related Documents
Standards
Standard: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —
MIBs
RFCs
RFC: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —
Technical Assistance
Command Reference
This section documents a new command. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.
arp authorized
To disable dynamic ARP learning on an interface, use the arp authorized command in interface configuration mode. To reenable dynamic ARP learning, use the no form of this command.
arp authorized
no arp authorized
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Interface configuration
Command History
Usage Guidelines
The arp authorized command disables dynamic ARP learning on an interface. This command enhances security in public wireless LANs (PWLANs) by limiting the leasing of IP addresses to mobile users to authorized users. The IP address to MAC address mapping for that interface can only be installed by the authorized subsystem. Unauthorized clients cannot respond to ARP requests.
If both static and authorized ARP are installing the same ARP entry, static configuration overrides authorized ARP. You can install a static ARP entry by using the arp global configuration command. You can only remove a nondynamic ARP entry by the same method in which it was installed.
You can only use this command on Ethernet interfaces.
Examples
The following example disables dynamic ARP learning on interface Ethernet 0:
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 arp authorized

Related Commands
arp (global): Adds a permanent entry in the ARP cache.
update arp: Secures dynamic ARP entries in the ARP table to their corresponding DHCP bindings.
Glossary
ARP—Address Resolution Protocol. ARP is used to map a Layer 3 IP address to a Layer 2 MAC address. A Cisco router stores this mapped information in an ARP table. The ARP table provides MAC rewrite information when the router is forwarding a packet using Cisco Express Forwarding (CEF) or other IP switching technologies.
DHCP—Dynamic Host Configuration Protocol. DHCP provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
hot spot—A specific geographic location in which an access point provides public wireless broadband network services to mobile visitors through a WLAN. Examples of hot spots include airports, coffee shops, hotels, and conference centers. Hot spots typically have a short range of access.
Note
Refer to Internetworking Terms and Acronyms for terms not included in this glossary.
Copyright © 2003 Cisco Systems, Inc. All rights reserved.