This test checks that the access switch inspects all received ARP packets and forwards only those that carry a correct source MAC address in the Ethernet header and a correct sender MAC/sender IP pair in the ARP payload. If customers can send spoofed ARP packets, the network is vulnerable to man-in-the-middle attacks against other customers as well as to denial-of-service attacks. The test sends spoofed ARP packets and also attempts an actual attack.
Note: Commonly, a switch learns the correct and allowed MAC/IP address pair by snooping DHCP packets, i.e. the switch knows which MAC address has been assigned a certain IP address.
Impact: MITM, DoS
Test steps:
- Malicious sends ARP replies to Customer using real addresses.
- Malicious sends ARP replies to Customer using a fake IP address.
- Malicious sends ARP replies to ISP using a fake IP address.
- Malicious sends ARP replies to Customer using fake IP and MAC addresses.
- Malicious sends ARP replies to ISP using fake IP and MAC addresses.
- Malicious sends ARP replies claiming Customer's IP address with its own MAC address while UDP packets are sent from ISP to Customer.
The test fails if:
- An ARP reply with a fake IP or MAC address arrives at Customer or ISP.
- A packet intended for Customer arrives at Malicious in the last step of the test.
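As an added example (not part of the original test description), the following Python models the inspection an access switch is expected to apply to ARP frames arriving on untrusted customer ports: the Ethernet source MAC must equal the ARP sender hardware address, and the sender MAC/IP pair must match the DHCP-snooping binding table. The binding table contents, MAC/IP values and port names are constructed for the example.

```python
import struct

# Constructed DHCP-snooping binding table (hypothetical addresses): IP -> MAC.
# A real switch fills this by snooping DHCP exchanges on its untrusted ports.
BINDINGS = {
    "10.0.0.10": "02:00:00:00:00:0a",  # Customer
    "10.0.0.20": "02:00:00:00:00:14",  # Malicious customer
    "10.0.0.1":  "02:00:00:00:00:01",  # ISP
}
TRUSTED_PORTS = {"uplink"}            # assumed name of the ISP-facing port

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def mac_b(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_b(s): return bytes(int(x) for x in s.split("."))
def mac_s(b): return ":".join(f"{x:02x}" for x in b)
def ip_s(b): return ".".join(str(x) for x in b)

def arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet/ARP reply frame (opcode 2) used as test input."""
    return ETH.pack(mac_b(target_mac), mac_b(eth_src), 0x0806) + ARP.pack(
        1, 0x0800, 6, 4, 2, mac_b(sender_mac), ip_b(sender_ip),
        mac_b(target_mac), ip_b(target_ip))

def inspect_arp(frame, port, bindings=BINDINGS):
    """Model of the access-switch ARP inspection. Returns (forward, reason)."""
    if port in TRUSTED_PORTS:
        return True, "trusted port, not inspected"
    _dst, eth_src, ethertype = ETH.unpack_from(frame)
    if ethertype != 0x0806:
        return True, "not ARP"
    _, _, _, _, op, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if op not in (1, 2):
        return False, f"unexpected ARP opcode {op}"
    # Check 1: Ethernet source MAC must equal the ARP sender hardware address.
    if sha != eth_src:
        return False, f"Ethernet src {mac_s(eth_src)} != ARP sender {mac_s(sha)}"
    # Check 2: the sender MAC/IP pair must exist in the snooping binding table.
    bound = bindings.get(ip_s(spa))
    if bound is None:
        return False, f"no binding for sender IP {ip_s(spa)}"
    if bound != mac_s(sha):
        return False, f"sender IP {ip_s(spa)} is bound to {bound}, not {mac_s(sha)}"
    return True, "sender MAC/IP matches binding"
```

Each test step above maps to one frame: only the reply with real addresses on an untrusted port is forwarded; the fake-IP, fake-MAC and Customer-IP-with-own-MAC replies are all dropped with a reason a switch log would carry.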
This test conforms to SEC Access Certification ID "SEC-V4-ARP-1" and to SAVI RFC 6959 sections 3.1.3 and 3.2.1.
Roles:
- Malicious Customer (Malicious): A customer interface performing malicious actions.
- Customer: One or more customers that Malicious attempts to affect.
- ISP: A central node on a trusted port. The test requires that the ISP reside in the same Layer 2 network as Malicious and Customer.
Parameters:
- Source UDP port: Source UDP port for traffic sent from ISP to Customer. Range: 1 ... 65535. Default: 41234.
- Destination UDP port: Destination UDP port for traffic sent from ISP to Customer. Range: 1 ... 65535. Default: 24567.