Ethernet
Network Systems Security
Mort Anvari
Ethernet
Most widely used LAN technology
Low cost and high flexibility
Versions of different speeds:
10 Mbps, 100 Mbps, Gigabit
Use globally unique media access
control (MAC) address (hardware
address) for every interface card
9/28/2004
2
Use of Hardware Address
Need an address to send a message
to receiver on same Ethernet
IP address is not usable because
network layer does not listen to wire
Use hardware address to identify
receiver’s interface
Need to resolve receiver’s hardware
address from receiver’s IP address
Address Resolution Protocol
Protocol maps each IP address to corresponding
hardware address in subnetwork
For computer i to get hardware address of computer j,
i broadcasts a rqst message with IP address of j to the
subnetwork
[Figure: i broadcasts rqst(ipa.j) over the switch; j is on the same subnetwork, and the default router r connects it to the Internet]
Address Resolution
If j sees a rqst message from i with its IP
address, j sends a rply message with its
IP address and hardware address to i
[Figure: j sends rply(ipa.j, hda.j) back to i over the switch; default router r connects the subnetwork to the Internet]
Functions of ARP
Three functions of ARP
Resolving IP addresses
Supporting dynamic assignment of
addresses
Detecting destination failures
ARP Spoofing Attack
To stop traffic from i to j, an adversary sends
to i a spoofed rply message with IP address of
j and a non-existent hardware address
[Figure: adversary A on the same switch sends i a spoofed rply(ipa.j, hda.x), where hda.x is a non-existent hardware address; j and default router r are unaware]
Another ARP Spoofing Attack
To stop traffic from i to default router r,
an adversary sends to i a spoofed rply
message with IP address of r and its
own hardware address
[Figure: adversary A on the same switch sends i a spoofed rply(ipa.r, hda.A), pairing the default router's IP address with A's own hardware address]
Countering ARP Spoofing
Attacks
Proposed solutions include ARPWATCH
and static ARP caches
ARPWATCH monitors transmission of rqst
and rply messages over Ethernet and checks
them against a database of (IP addr,
hardware addr) pairings
Static ARP cache stores permanent (IP addr,
hardware addr) pairings of trusted hosts to
avoid sending rqst and rply messages over
Ethernet
Insufficiencies of Proposed
Solutions
ARPWATCH does not support
dynamic assignment of IP
addresses
Static ARP caches do not support
dynamic assignment of IP
addresses or detection of
destination failures
Need for Secure Address
Resolution
When a computer receives a message
m, it needs to determine whether m
was indeed sent by claimed source, or
was inserted, modified, or replayed by
an adversary
Use secure address resolution
protocol between each computer and
a secure server
Architecture of
Secure Address Resolution
Protocol
[Figure: computer h[i] and secure server s, each with Applications, Transport and Network layers; the Subnetwork layer of h[i] (modules hn[i] and hr[i]) runs the invite-accept protocol and the request-reply protocol with the Subnetwork layer of s (modules sn and sr), which write the arrays ipa, hda and valid; both attach to the Ethernet through an Interface]
Adversary
The adversary can perform three types
of actions to disrupt communication
between server s and any computer h[i]
on the Ethernet
Message loss
Message modification
Message replay
Secure Address Resolution
Protocol
Use three mechanisms to counter
adversary actions
timeouts to counter message loss
shared secrets to counter message
modification
nonces to counter message replay
Invite-Accept Protocol
Periodically, server s sends out an
invt message to every computer on
Ethernet
Every up computer is required to
send back an acpt message including
its IP address and hardware address
s updates its address database
according to received acpt messages
Invite-Accept Protocol
s -> h[0..n-1]: invt(nc, md)
    where md = MD(nc;scr[0]) || MD(nc;scr[1]) || ... || MD(nc;scr[n-1])
h[i] -> s: acpt(nc, ipa[i], hda[i], d)
    where d = MD(nc;ipa[i];hda[i];scr[i])
Request-Reply Protocol
When a computer needs to resolve a
destination’s hardware address, it sends
a rqst message to server s
If destination’s hardware address is still
valid, s sends back a rply message with
address information
If destination’s hardware address is not
valid anymore, s sends back a rply
message with no address information
Request-Reply Protocol
h[i] -> s: rqst(nc, ipa[j], d)
    where d = MD(nc;ipa[j];scr[i])
If found,
s -> h[i]: rply(nc, ipa[j], hda[j], d)
    where d = MD(nc;ipa[j];hda[j];scr[i])
If not found,
s -> h[i]: rply(nc, ipa[j], 0, d)
    where d = MD(nc;ipa[j];0;scr[i])
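The invite-accept and request-reply exchanges of the two preceding slides, as an added example that is not code from the slides or from the original protocol paper. It assumes MD is SHA-256 over the ';'-joined fields with the shared secret scr[i] as the last field, that the "0" hardware address in a rply is six zero bytes, and that a host keeps only the nonce of its outstanding rqst so a replayed or unsolicited rply is dropped.

```python
import hashlib
import os

DIGEST = 32          # MD assumed to be SHA-256 (assumption, not the slides' choice)
NO_HDA = bytes(6)    # the "0" hardware address in a rply for a destination that is down

def md(*fields):
    # MD(a;b;c): digest over the ';'-joined fields; the last field is the secret scr[i]
    return hashlib.sha256(b";".join(fields)).digest()

class Server:
    # s: holds scr[0..n-1] and writes the arrays ipa, hda, valid
    def __init__(self, scr):
        self.scr = list(scr)
        self.ipa, self.hda = {}, {}
        self.valid = {i: False for i in range(len(scr))}
        self.nc = None
    def invite(self):
        self.nc = os.urandom(16)                      # fresh nonce per round (anti-replay)
        self.valid = {i: False for i in self.valid}   # every host must re-accept each round
        return self.nc, b"".join(md(self.nc, s) for s in self.scr)
    def accept(self, i, nc, ipa_i, hda_i, d):
        if nc != self.nc or d != md(nc, ipa_i, hda_i, self.scr[i]):
            return False                              # stale nonce or modified acpt
        self.ipa[i], self.hda[i], self.valid[i] = ipa_i, hda_i, True
        return True
    def request(self, i, nc, ipa_j, d):
        if d != md(nc, ipa_j, self.scr[i]):
            return None                               # modified rqst: ignore
        for j, up in self.valid.items():
            if up and self.ipa[j] == ipa_j:           # still valid: full address info
                return nc, ipa_j, self.hda[j], md(nc, ipa_j, self.hda[j], self.scr[i])
        return nc, ipa_j, NO_HDA, md(nc, ipa_j, NO_HDA, self.scr[i])  # destination down

class Host:
    # h[i]: answers invt with acpt and resolves addresses only through s
    def __init__(self, i, ipa, hda, scr):
        self.i, self.ipa, self.hda, self.scr, self.pending = i, ipa, hda, scr, None
    def on_invite(self, nc, md_field):
        slot = md_field[DIGEST * self.i: DIGEST * (self.i + 1)]
        if slot != md(nc, self.scr):
            return None                               # invt not from s (or modified)
        return nc, self.ipa, self.hda, md(nc, self.ipa, self.hda, self.scr)
    def resolve(self, ipa_j):
        self.pending = os.urandom(16)                 # nonce bound to this rqst
        return self.pending, ipa_j, md(self.pending, ipa_j, self.scr)
    def on_reply(self, nc, ipa_j, hda_j, d):
        if nc != self.pending or d != md(nc, ipa_j, hda_j, self.scr):
            return False, None                        # replayed, unsolicited or modified rply
        self.pending = None
        return True, (None if hda_j == NO_HDA else hda_j)
```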
Extensions
Four extensions of secure address
resolution protocol
Insecure address resolution
Backup server
System diagnosis
Address resolution across multiple
Ethernets
Next Class
IPsec
Authentication Header (AH)
Encapsulation Security Payload (ESP)
key management