Unit 8: Man-In-The-Middle Attacks and Mitigations 8.1 Man-In-The-Middle Attacks and Mitigations Dyna...

mac2022-06-30  22

>> DAI, dynamic ARP inspection, helps to mitigate an ARP spoofing attack. DAI works similarly to DHCP snooping. Switch ports are once again classified as trusted or untrusted. Trusted ports, in this case, will be ports connecting to other switches. Ports connecting hosts will be untrusted. The switch intercepts and inspects ARPs arriving on untrusted ports. Switches won't inspect ARP frames arriving on trusted ports, but rather will assume that the neighboring switch also was performing DAI on all of its ports.

When an untrusted port gets an ARP reply, the switch cross-references the MAC and IP addresses reported in the ARP fields. You can statically configure entries, as would be the case for servers connected to switches, since they shouldn't be using DHCP but, rather, static configuration. For clients using DHCP, though, the switch can cross-reference address pairs from the DHCP snooping database. Yes, the same database used by DHCP snooping.

If DAI was enabled in the story we just went through, when Host C sends his ARP claiming that the MAC address of the gateway, 10.0.0.99, is Host C's MAC address, CCC, the switch would look at the DHCP snooping database and say, "Wait a minute. I don't see an entry that maps 10.0.0.99 to CCC. It's not in the static bindings, either." The switch, at that point, simply discards the ARP.

DAI allows for further validations on the contents of ARP reply frames. By default, only the MAC and IP addresses contained within the ARP reply are validated. This doesn't take into account the actual MAC addresses contained in the ethernet header of the ARP reply. To validate that an ARP reply is coming from the address listed in the ARP fields, you can enable DAI validation to cross-reference the source MAC address in the ethernet header to the sender MAC address in the ARP reply. Cross-reference the destination MAC address in the ethernet header to the target MAC address in the ARP reply. Check that invalid or unexpected addresses are not present.
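The decision the lecture describes, written out as a small Python model of a switch running DAI. This is an added example, not code from the lecture or the course: the port names (Gi1/0/3, Gi1/0/24), the gateway and host MAC addresses, the victim's address 10.0.0.1 and the binding table are all constructed; the page only gives the gateway IP 10.0.0.99 and Host C's MAC "CCC". Running the optional src-mac/dst-mac/ip validations before the binding lookup is a modelling choice, since on a real switch the order only changes which reason is logged for a dropped frame.

```python
# Added example: toy model of a switch's Dynamic ARP Inspection decision for an
# ARP reply. Ports, MAC addresses and the binding table below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    """The fields DAI looks at: the Ethernet header and the ARP payload."""
    ingress_port: str
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    sender_mac: str   # sender hardware address inside the ARP reply
    sender_ip: str    # sender protocol address inside the ARP reply
    target_mac: str   # target hardware address inside the ARP reply
    target_ip: str    # target protocol address inside the ARP reply


def _unexpected_ip(ip: str) -> bool:
    """True for addresses that should never appear as an ARP sender/target:
    unparsable, 0.0.0.0, 255.255.255.255 or multicast."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return True
    return (addr.is_unspecified or addr.is_multicast
            or addr == ipaddress.IPv4Address("255.255.255.255"))


@dataclass
class DaiSwitch:
    trusted_ports: Set[str]                  # uplinks to other switches
    dhcp_snooping_bindings: Dict[str, str]   # ip -> mac learned by DHCP snooping
    static_bindings: Dict[str, str]          # ip -> mac configured by hand (servers)
    validate_src_mac: bool = False           # optional: eth_src must equal sender_mac
    validate_dst_mac: bool = False           # optional: eth_dst must equal target_mac
    validate_ip: bool = False                # optional: reject unexpected IPs

    def inspect(self, arp: ArpReply) -> Tuple[bool, str]:
        """Return (forward?, reason) for an ARP reply arriving on a port."""
        if arp.ingress_port in self.trusted_ports:
            return True, "trusted port: frame not inspected"

        # Optional validations, off by default as on the switch.
        if self.validate_src_mac and arp.eth_src.lower() != arp.sender_mac.lower():
            return False, f"src-mac: Ethernet {arp.eth_src} != ARP sender {arp.sender_mac}"
        if self.validate_dst_mac and arp.eth_dst.lower() != arp.target_mac.lower():
            return False, f"dst-mac: Ethernet {arp.eth_dst} != ARP target {arp.target_mac}"
        if self.validate_ip and (_unexpected_ip(arp.sender_ip) or _unexpected_ip(arp.target_ip)):
            return False, "ip: unexpected sender or target address"

        # Default check: the sender IP/MAC pair must be in the static bindings
        # or in the DHCP snooping database, otherwise the reply is discarded.
        expected = (self.static_bindings.get(arp.sender_ip)
                    or self.dhcp_snooping_bindings.get(arp.sender_ip))
        if expected is None or expected.lower() != arp.sender_mac.lower():
            return False, f"no binding maps {arp.sender_ip} to {arp.sender_mac}: discarded"
        return True, "sender IP/MAC pair matches a binding"


# Constructed topology: Host C on Gi1/0/3 leased 10.0.0.3 via DHCP, the gateway
# 10.0.0.99 is statically bound, and Gi1/0/24 is the uplink to another switch.
GATEWAY_MAC = "00:00:5e:00:01:01"
HOST_C_MAC = "cc:cc:cc:cc:cc:cc"
VICTIM_MAC = "aa:aa:aa:aa:aa:aa"
SWITCH = DaiSwitch(
    trusted_ports={"Gi1/0/24"},
    dhcp_snooping_bindings={"10.0.0.3": HOST_C_MAC},
    static_bindings={"10.0.0.99": GATEWAY_MAC},
)


def spoofed_gateway_reply(switch: DaiSwitch = SWITCH) -> Tuple[bool, str]:
    """The story from the lecture: Host C claims 10.0.0.99 lives at its own MAC."""
    return switch.inspect(ArpReply("Gi1/0/3", HOST_C_MAC, VICTIM_MAC,
                                   HOST_C_MAC, "10.0.0.99", VICTIM_MAC, "10.0.0.1"))


def legitimate_reply(switch: DaiSwitch = SWITCH) -> Tuple[bool, str]:
    """Host C answers for its own DHCP-assigned address."""
    return switch.inspect(ArpReply("Gi1/0/3", HOST_C_MAC, VICTIM_MAC,
                                   HOST_C_MAC, "10.0.0.3", VICTIM_MAC, "10.0.0.1"))


def header_mismatch_reply(validate: bool) -> Tuple[bool, str]:
    """ARP payload matches a binding, but the Ethernet source MAC differs.
    The default check passes this; only src-mac validation catches it."""
    switch = DaiSwitch(SWITCH.trusted_ports, SWITCH.dhcp_snooping_bindings,
                       SWITCH.static_bindings, validate_src_mac=validate)
    return switch.inspect(ArpReply("Gi1/0/3", "dd:dd:dd:dd:dd:dd", VICTIM_MAC,
                                   HOST_C_MAC, "10.0.0.3", VICTIM_MAC, "10.0.0.1"))


if __name__ == "__main__":
    for name, (ok, why) in [("spoofed gateway", spoofed_gateway_reply()),
                            ("legitimate", legitimate_reply()),
                            ("header mismatch, default", header_mismatch_reply(False)),
                            ("header mismatch, src-mac on", header_mismatch_reply(True))]:
        print(f"{name:28} forward={ok} ({why})")
```

The third and fourth cases are the point of the last paragraph above: with only the default binding check, a frame whose Ethernet source differs from the ARP sender field is forwarded, and it is only dropped once the src-mac validation is turned on.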

Reposted from: https://www.cnblogs.com/sec875/articles/10049550.html
