DHCP Snooping and Neighbor Discovery inspection

Table 1. Dynamic Host Configuration Protocol Snooping and Neighbor Discovery Inspection product support
Feature	Product	Release introduced
DHCP Snooping(IPv4)	5320 Series	Fabric Engine 8.6
	5420 Series	VOSS 8.4
	5520 Series	VOSS 8.2.5
	5720 Series	Fabric Engine 8.7
	7520 Series	Fabric Engine 8.10
	7720 Series	Fabric Engine 8.10
	VSP 4900 Series	VOSS 8.1
	VSP 7400 Series	VOSS 8.0
DHCP Snooping (IPv6)	5320 Series	Fabric Engine 8.6
	5420 Series	VOSS 8.4
	5520 Series	VOSS 8.2.5
	5720 Series	Fabric Engine 8.7
	7520 Series	Fabric Engine 8.10
	7720 Series	Fabric Engine 8.10
	VSP 4900 Series	VOSS 8.1
	VSP 7400 Series	VOSS 8.0
Neighbor Discovery Inspection (IPv6)	5320 Series	Fabric Engine 8.6
	5420 Series	VOSS 8.4
	5520 Series	VOSS 8.2.5
	5720 Series	Fabric Engine 8.7
	7520 Series	Fabric Engine 8.10
	7720 Series	Fabric Engine 8.10
	VSP 4900 Series	VOSS 8.1
	VSP 7400 Series	VOSS 8.0

DHCP Snooping

DHCP Snooping is a Layer 2 security feature, that provides network security by filtering untrusted DHCP messages received from the external network causing traffic attacks within the network. DHCP Snooping is based on the concept of trusted versus untrusted switch ports. Switch ports configured as trusted can forward DHCP Replies, and the untrusted switch ports cannot. DHCP Snooping acts like a firewall between untrusted hosts and DHCP servers.

The switch supports:

DHCP Snooping for both IPv4 and IPv6.
Neighbor Discovery (ND) inspection for IPv6.

Security is critically important in an access network because various devices can connect to an access network that may not be administratively controlled by a single administrator. Stateless Address Autoconfiguration (SLAAC) and Duplicate Address Detection (DAD) mechanisms used by IPv6 are more vulnerable to attacks from a malicious user. If any person, intentionally or unintentionally, configures an IP address on the device interface wrongly and advertises that IP address as one‘s own address during DAD mechanism initiated by other device, DAD initiated devices cannot assign this address. If a malicious user replies to all the DAD IP addresses as own address, none of the devices in the access network can assign any IP addresses to their interfaces. Thus, DoS attacks can be easily carried out by the malicious user making the entire network unfunctional. In another kind of attack, a malicious user can try to poison the neighbor cache of a host by sending ND packets with bogus MAC address which is learnt by other hosts into their neighbor table. Due to the infiltration of the bogus MAC address in the host‘s neighbor table, the packets destined to its neighbor is sent to the bogus MAC address and is eventually dropped or received by an unintended host.

In general, these kinds of attacks are carried out by sending different Neighbor Discovery (ND) packets – either through solicited ND packet exchanges or as a result of unsolicited ND packet exchanges triggered due to an event like the expiry of ND timers. These packets carry interface IP address information and link-layer address information. Other devices use this information to build their neighbor table for forwarding traffic to or through the malicious device. As part of ND inspection mechanism, ND (specifically, NS, NA, and redirect) packets from only trusted hosts are allowed to pass through and the packets from untrusted hosts are dropped in the switch itself. Other network devices can safely use ND mechanisms for correctly assigning IP address to their interfaces resulting in a smooth traffic flow.

For validating the ND packets, the switch must first learn the trusted information by various mechanisms and store the information in a DHCP binding table. If the switch receives ND packets on an untrusted port, the packets are validated against entries in the DHCP binding table. If the ND packets pass the validation, the packets are forwarded. If the packets fail the validation, they are dropped in the switch itself. This process avoids invalid NA packets from propagating beyond the access switch.

DHCP Snooping and ND inspection feature protects the network from the following types of attacks:

User misconfigurations: Host assigns an address which should not be used by the recipient device. ND inspection blocks this address in the access switch because binding entry does not exist for that address for that host.
DAD spoofing: Malicious user claims that the address is taken even if it is not.
NUD spoofing: Malicious host responds to NUD NS packets indicating that the address is still reachable via that host even if that neighbor is actually not reachable.
ND cache poisoning: Malicious user sends different (invalid) link-layer addresses for a target IP address causing other hosts in the network to program bogus MAC for a given IP neighbor, as a result of which, the traffic gets black-holed or misused by malicious host.

DHCP Binding Table

DHCP Snooping builds and maintains a binding table, this binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and port information that correspond to the local untrusted ports of the switch. When the switch receives a DHCPRELEASE or DHCPDECLINE broadcast message, DHCP Snooping performs a lookup of the MAC address in the binding table to determine if the port information in the binding table matches the port on which the message was received. If the port information matches, the DHCP packet is forwarded, otherwise it is dropped.

Trust Bindings

A switch enabled with the Neighbor Discovery inspection feature allows NA packets through, if the packets are from a trusted host. To allow or deny Neighbor Advertisement (NA) packets, trust bindings must be established using following methods:

Configuring the port connected to a device (or host) as trusted.
Building a DHCP binding table which contains entries from trusted devices (or hosts) only. This DHCP binding table is used for validating NA packets.

This method of trust binding involves 2 processes:
- IP address learning (snooping) process
  In this process an IP address is learnt through a trusted means and a DHCP binding table is built. The switch supports the DHCP binding table entry learning by:
  - Statically configuring the entries
  - Dynamically learning by DHCP Snooping packets
- NA packet validation (inspection) process
  
  This process uses the DHCP binding table entries which are populated as part of IP address learning process to validate the incoming NA packets.

After the DHCP binding tables are built, the information gathered using trust binding is used to validate the ND packets. If the ND packets cannot be validated using this information, they are considered as packets received from an un-trusted host and are dropped by the switch.

Restrictions

In addition to the FHS restrictions, DHCP Snooping and ND inspection have the following restrictions:

Link-local address validation is not supported under ND inspection. Thus, an First Hop Security (FHS) enabled switch is vulnerable to attackers who try to attack with link-local addresses.
As a 5-second timer is used to cleanup expired DHCP binding table entries, the expired DHCP binding table entries can remain in the DHCP binding table for up to 5 seconds after they expire.
If an FHS-enabled switch gets rebooted, all the dynamically-learned binding entries get flushed and those entries need to be re-learned for ND inspection to pass. However, when the switch is rebooted, DHCP clients connected to it do not re-initiate DHCP learning, due to which, the switch cannot learn these assigned IP addresses. As a result, ND inspection fails for these addresses. To overcome this problem either DHCP client must learn the IP address again through DHCP mechanisms or the administrator must add static entries for these addresses.
For IPv6, DHCP binding table entries learned through DHCP are not removed from the DHCP table on DHCP clients that release these addresses. The administrator must manually remove these entries after the addresses are released.
A dynamic DHCP binding table entry is learned only using the DHCP mechanism. For other modes of address configuration on the host, a relevant DHCP binding table entry must be configured on the FHS switch so that ND packets from such host are not blocked due to ND inspection processing.
DHCP Snooping is not supported on:
- DHCP Relay switch
- Etree
- Private VLANs
DHCP Snooping is supported on Split Multi-Link Trunking (SMLT) only if the SMLT ports are DHCP Snooping trusted.
As a best practice, do not configure DHCP Snooping on core switches.
Configure ip dhcp-snooping trusted only on the port that connects to the DHCP Server.
You can configure DHCP Snooping on separate switches in the following scenarios:
- on the switch where the DHCP server connects on the DHCP server VLAN.
- on the switch where the DHCP client connects on the DHCP client VLAN(s).
You can configure DHCP Snooping only on the switch where the DHCP server connects and only on a DHCP server VLAN.
If DHCP clients connect to the same switch as the DHCP server, you can configure DHCP Snooping on the client VLANs.
A best practice is to connect the DHCP server and DHCP clients to different switches.