Technology Brief: IP-MAC-Port Binding
- Introduction
- Where to use IMPB?
- Understanding of IMPB mode
- Configuration examples
- Appendix: IMPB Evolution
Introduction
D-Link IP-MAC-Port Binding (IMPB) is an integrated authentication function that checks that the hardware (MAC address), software/user (IP address) and location (connected port) of a device attached to the network agree with an administrator-approved binding. It inspects ARP, DHCP, ND and IPv4/IPv6 packets to make sure they come from legitimate sources, so that an attacker cannot impersonate a legitimate network device to intercept data.
Where to use IMPB?
By spoofing the IP or MAC address of the gateway or of another PC, an attacker can disrupt network communication or quietly intercept sensitive data. Tools for this are freely available on the internet, so even ordinary end users can use them to obtain confidential data.
D-Link IMPB quarantines, at the edge of the network, illegitimate devices and attackers that try to spoof the IP or MAC address of a legitimate device. It is suited to deployment on edge or access-layer switches in networks that carry sensitive data, such as finance, military, government or telecom environments.
Understanding of IMPB mode
The following IMPB modes apply globally to the whole switch:
ARP inspection:
ARP inspection snoops ARP packets for security checking. If the ARP information is allowed, the host's MAC address is programmed into the L2 Forwarding Database (FDB) as allowed; otherwise it is programmed into the L2 FDB as drop. With ARP inspection, access control is therefore based on the Layer 2 MAC address. Only ARP packets are checked, and the following fields are compared against the IMPB table:
Ethernet Header: Source Address
ARP Payload: Sender HW Address and Sender Protocol Address
IP inspection:
This mode provides strict security for IP-level traffic. When IP inspection is enabled, the statically configured IMPB entries are applied to the switch's hardware ACL table; when it is disabled, those ACL entries are removed from the hardware ACL table. In IP inspection, IP packets are checked.
The following fields of an IP packet are checked:
Ethernet Header: Source Address
IP Header: Source Address
PS: IP inspection is designed to work together with ARP inspection.
When IP inspection is enabled and ARP inspection is disabled, all non-IP packets (L2 packets, ARP, ...) are forwarded by default, so ARP packets are not checked at all in that combination.
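As an added illustration (not D-Link code), the following Python model shows what the two inspections compare: for ARP, the Ethernet source address, the ARP sender hardware address and the sender protocol address; for IP, the Ethernet source and the IP header source address, each looked up in an (IP, MAC, port) table keyed by IP address. It also shows the mode combinations from the paragraph above and the "Zero IP" allowance that appears in the port display later in this brief. The frames, the whitelist entry and all MAC/IP values are constructed for the example.

```python
# Added example, not D-Link code: the fields compared by ARP inspection and IP inspection.
import struct
from dataclasses import dataclass

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800


@dataclass
class PortConfig:
    """Per-port IMPB settings, mirroring columns of 'show address_binding ports'."""
    arp_inspection: bool = True
    ip_inspection: bool = False
    allow_zero_ip: bool = False      # 'Zero IP' column: sender protocol address 0.0.0.0


def mac_bytes(s): return bytes(int(x, 16) for x in s.split("-"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return "-".join(f"{x:02X}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(eth_src, sha, spa, tpa="10.0.0.1"):
    """Constructed broadcast ARP request; eth_src and sha are separate so the two can disagree."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(eth_src), ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac_bytes(sha), ip_bytes(spa), b"\x00" * 6, ip_bytes(tpa))
    return eth + arp


def build_ipv4(eth_src, src_ip, dst_ip="10.0.0.1"):
    """Constructed IPv4 frame with a minimal 20-byte header (checksum left zero)."""
    eth = struct.pack("!6s6sH", mac_bytes("00-00-5E-00-53-01"), mac_bytes(eth_src), ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip


def parse_frame(frame):
    """Return (ethertype, Ethernet source MAC, fields) with only the fields IMPB looks at."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]
    if etype == ETH_ARP:
        if len(body) < 28:
            raise ValueError("truncated ARP")
        *_, sha, spa = struct.unpack("!HHBBH6s4s", body[:18])
        return etype, mac_str(src), {"sha": mac_str(sha), "spa": ip_str(spa)}
    if etype == ETH_IPV4:
        if len(body) < 20 or body[0] >> 4 != 4:
            raise ValueError("truncated or non-IPv4 header")
        return etype, mac_str(src), {"src_ip": ip_str(body[12:16])}
    return etype, mac_str(src), {}


def inspect(frame, port, bindings, cfg):
    """Apply the enabled inspection(s) to one frame received on 'port'.
    bindings is {ip: (mac, port)}, keyed by IP like the IMPB table. Returns (verdict, reason)."""
    etype, src_mac, f = parse_frame(frame)
    if etype == ETH_ARP and cfg.arp_inspection:
        if f["sha"] != src_mac:                      # Ethernet source vs. ARP sender HW address
            return "drop", "Ethernet source differs from ARP sender hardware address"
        if f["spa"] == "0.0.0.0":
            return ("forward", "zero IP allowed") if cfg.allow_zero_ip else ("drop", "zero IP not allowed")
        if bindings.get(f["spa"]) != (src_mac, port):
            return "drop", f"no binding for ({f['spa']}, {src_mac}, port {port})"
        return "forward", "ARP 3-tuple matches"
    if etype == ETH_IPV4 and cfg.ip_inspection:    # Ethernet source vs. IP header source address
        if bindings.get(f["src_ip"]) != (src_mac, port):
            return "drop", f"no binding for ({f['src_ip']}, {src_mac}, port {port})"
        return "forward", "IP 3-tuple matches"
    return "forward", "not covered by the enabled inspection(s)"


def run_cases():
    """Constructed whitelist (one PC on port 1) and a set of legitimate and spoofed frames."""
    pc = "00-00-01-00-00-01"
    bindings = {"10.0.0.20": (pc, 1)}
    cfg = PortConfig(arp_inspection=True, ip_inspection=True)
    frames = {
        "legit_arp": (build_arp(pc, pc, "10.0.0.20"), 1),
        "legit_ip": (build_ipv4(pc, "10.0.0.20"), 1),
        "gateway_ip_spoof": (build_arp(pc, pc, "10.0.0.1"), 1),              # claims the gateway IP
        "mac_spoof": (build_arp("00-00-01-00-00-99", pc, "10.0.0.20"), 1),  # Ethernet source != sha
        "forged_src_ip": (build_ipv4(pc, "10.0.0.30"), 1),
        "moved_port": (build_arp(pc, pc, "10.0.0.20"), 2),                   # right host, wrong port
    }
    return {name: inspect(fr, port, bindings, cfg)[0] for name, (fr, port) in frames.items()}
```

With ARP inspection on and IP inspection off, `inspect` forwards any IPv4 frame regardless of its source address; with the reverse configuration it forwards any ARP frame, which is the gap the paragraph above describes.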
Strict state and Loose state
ARP inspection is further divided into two states: Strict state and Loose state.
IMPB is enabled per port. When IMPB is enabled on a port, the administrator must specify whether the port is in strict state or loose state. In strict state the port is blocked by default: a host must be authenticated before it can send traffic. In loose state the first ARP packet from the port is forwarded by default, and the host can send traffic until it is detected as illegitimate and blocked.
Strict state gives the best security. Certain network designs may cause connectivity problems in strict state; in that case loose state can be used for troubleshooting. When IPv6 is enabled, only strict state can be used.
Before IMPB v3.9, strict state and loose state applied to both ACL mode and ARP mode. From IMPB v3.9 on, strict and loose state apply only to ARP inspection. (For details on ACL mode and ARP mode, see "Appendix: IMPB Evolution".)
DHCP/DHCPv6 Snooping:
This mode builds IMPB entries automatically. DHCP snooping is for IPv4 and DHCPv6 snooping for IPv6. When DHCP/DHCPv6 snooping is enabled, the switch snoops DHCP packets on IMPB-enabled ports, builds IMPB entries automatically and programs them into the L2 FDB and, depending on the port's inspection mode, the hardware ACL table. The entries age out when the L2 FDB entry ages or the DHCP lease expires. The DHCP server must be connected to a trusted interface (an IMPB-disabled port); this is mandatory for DHCP server traffic to be processed properly. If the DHCP server is connected to an IMPB-enabled port, the server itself must be legitimate under IMPB (present in the IMPB whitelist); otherwise its packets are dropped. Administrators can configure the maximum number of auto-learned IMPB entries per port.
ND Snooping:
ND (Neighbor Discovery) is used for IPv6 Stateless Address Auto-configuration. With ND, IPv6 hosts are plug and play: no manual configuration and no DHCP server is required. In IPv4, ARP packets are checked to map the Layer 2 MAC address to the Layer 3 IP address; in IPv6, ARP is replaced by ND. ND uses NS (Neighbor Solicitation) and NA (Neighbor Advertisement) packets for Duplicate Address Detection.
This mode also builds IMPB entries automatically. When ND snooping is enabled, the switch snoops ND packets (specifically NS packets) on IMPB-enabled ports, builds IMPB entries automatically and programs them into the L2 FDB. The entries age out when their ND lifetime expires.
The administrator can also configure the maximum number of ND-snooping auto-learned entries per port.
Implementation steps:
1. Provide a user-configurable database to hold IMPB entries. The size of the database depends on the memory of the switch's chipset:
1.1) MAC-based (ARP inspection) entries are limited by the L2 FDB size.
1.2) IP inspection entries are limited by the switch's ACL capacity.
The table is sorted by IP address. The user can statically create a (MAC address, IP address, port) entry, and/or entries can be created dynamically with DHCP snooping or ND snooping enabled.
2. ARP inspection and IP inspection capture ARP and IP packets and look up the (IP address, MAC address) pair of each packet in the database from step 1 to decide whether the host is authorized. Packets from authorized hosts are forwarded; packets from unauthorized hosts are blocked.
3. IMPB can be enabled or disabled per port, with strict or loose state for ARP inspection, so the user can turn IP-MAC-Port checking on or off for each port.
4. Statically configured IMPB entries are saved to the configuration.
PS: IMPB and port trunking are mutually exclusive: a port enabled for IMPB cannot be configured as a trunk member, and a trunk member cannot be enabled for IMPB.
Configuration examples
Example 1:
Simulation: Port 1 of SW1 is connected to PC1 (IPv6 address). This example shows how to configure an IMPB entry manually and put port 1 into strict state ARP inspection.
Note: Make sure your account has administrator, operator or power-user privileges.
- Add PC1 to the IMPB whitelist
admin#create address_binding ip_mac ipv6address 2012::3420 mac_address 00-00-01-00-00-01 ports 1
- Show the IMPB whitelist to check the entry
admin#show address_binding ip_mac all
Command: show address_binding ip_mac all
M(Mode) - D:DHCP, N:ND S:Static ACL - A:Active I:Inactive
IP Address MAC Address M ACL Ports
--------------------------------------- ------------------------- ---- ------ ---------
2012::3420 00-00-01-00-00-01 S I 1
Total Entries : 1
- Configure port 1 for ARP inspection in strict state
admin#config address_binding ip_mac ports 1 arp_inspection strict
- Show the IMPB configuration of port 1
admin#show address_binding ports 1
Command: show address_binding ports 1
ARP: ARP Inspection IP: IP Inspection
Port ARP IP Protocol Zero IP DHCP Packet Stop Learning
Threshold/Mode
----- -------- -------- ----- --------- ----------- --------------
1 Strict Disabled All Not Allow Forward 500/Normal
- Finally, to delete the entry from the IMPB whitelist (this command removes all static entries)
admin#delete address_binding ip_mac all
Example 2:
Simulation: Port 1 of SW1 is connected to a DHCPv6 server and ports 2-10 to DHCPv6 clients. This example shows how IMPB entries are built automatically.
Note: Make sure your account has administrator, operator or power-user privileges.
1. Enable DHCPv6 snooping
admin#enable address_binding dhcp_snoop ipv6
2. Ports 2-10 serve DHCPv6 clients, so IMPB must be enabled on them: configure ports 2-10 for ARP inspection in strict state. Port 1, which faces the DHCPv6 server, stays IMPB-disabled and is therefore trusted.
admin#config address_binding ip_mac ports 2-10 arp_inspection strict
3. Show the IMPB status of all ports
admin#show address_binding ports
Command: show address_binding ports
ARP: ARP Inspection IP: IP Inspection
Port ARP IP Protocol Zero IP DHCP Packet Stop Learning
Threshold/Mode
----- -------- -------- ----- --------- ----------- --------------
1 Disabled Disabled All Not Allow Forward 500/Normal
2 Strict Disabled All Not Allow Forward 500/Normal
3 Strict Disabled All Not Allow Forward 500/Normal
4 Strict Disabled All Not Allow Forward 500/Normal
5 Strict Disabled All Not Allow Forward 500/Normal
6 Strict Disabled All Not Allow Forward 500/Normal
7 Strict Disabled All Not Allow Forward 500/Normal
8 Strict Disabled All Not Allow Forward 500/Normal
9 Strict Disabled All Not Allow Forward 500/Normal
10 Strict Disabled All Not Allow Forward 500/Normal
4. Show the IMPB entries learned by DHCPv6 snooping
admin#show address_binding ip_mac all
Command: show address_binding ip_mac all
M(Mode) - D:DHCP, N:ND S:Static ACL - A:Active I:Inactive
IP Address MAC Address M ACL Ports
--------------------------------------- ------------------------- ---- ------ ---------
2012::3422 00-00-01-00-00-02 D I 2
2012::3423 00-00-01-00-00-03 D I 3
2012::3424 00-00-01-00-00-04 D I 4
Total Entries : 3
5. Finally, to delete all DHCPv6-learned entries
admin#clear address_binding dhcp_snoop binding_entry ports all ipv6
Appendix: IMPB Evolution
As network and security technology advanced, the IMPB feature in D-Link switches became more capable with each version:
D-Link's IMPB started with ARP mode in its first version.
To reinforce IMPB's security, ACL mode was introduced in the second version.
To handle the first ARP packet from a host, which ACL mode could not block, ARP inspection was introduced in version 2.5.
DHCP snooping followed in version 3 to automate the creation of the IMPB database.
For more flexible deployment, strict and loose states were added in version 3.2.
Version 3.3 introduced active/inactive entries and version 3.4 per-port ACL mode, to make IMPB more robust and resilient.
Version 6 adds IPv6 support.
For implementation, we recommend using or updating to the latest IMPB version for the best security.
Details of each version follow.
IMPB v1.0
MAC-IP binding means that a client can gain access through the switch only if its (MAC, IP) pair is valid. This is implemented as follows:
1. Provide a user-configurable database to hold MAC-IP bindings. (The maximum number of IMPB entries depends on the memory of the switch's chipset.) The IP address is the search key of the IMPB table, so each IP address must be unique in the IMPB database.
2. Capture the client's packets. To avoid overloading the switch CPU, broadcast ARP packets are captured instead of IP packets, since broadcast ARP is already delivered to the CPU.
3. Look up the (MAC, IP) pair of the received ARP packet in the database from step 1. If the pair conflicts with an entry or is not in the list, the host is treated as unauthorized and its MAC address is written to the hardware L2 table as 'source discard' and 'destination discard'. The entry may be aged out or modified when the switch receives further ARP packets.
4. MAC-IP binding checking is enabled or disabled per port, so the user can turn the check on or off for each port. On a port with MAC-IP binding disabled, the ARP check is bypassed.
Points to note:
1. If a client never transmits a broadcast ARP packet (for example because a static ARP entry for the default gateway is configured on the client), the switch never becomes aware of the client, since it only learns of a client from its broadcast ARP, and this method does not work properly.
2. Static ARP entries are exclusive with IMPB. If the user creates an IMPB entry whose IP address already exists as a static ARP entry, the switch shows a warning ("The static ARP entry cannot be created due to duplication with an IMPB entry") and logs it. The user must resolve the conflict manually, because it may make the configured entries behave abnormally.
3. Static MAC entries are exclusive with IMPB. If the user creates an IMPB entry whose MAC address already exists as a static FDB entry, the switch shows a warning ("The static FDB entry cannot be configured as an IMPB entry.") and logs it. The user must resolve the conflict manually, because it may make the configured entries behave abnormally.
4. IMPB and Port Security cannot be enabled at the same time.
IMPB v2.0
This version adds ACL mode. When the administrator enables IMPB ACL mode, all IP packets are blocked on IMPB-enabled ports; the administrator must create IMPB entries for the authorized hosts so that they can reach IP networks.
The ACL entries created by IMPB ACL mode only block IP packets, so non-IP packets cannot be blocked, and ACL mode still cannot block the first ARP packet. IMPB v2.5 was introduced to address this.
IMPB v2.5
This version adds ARP inspection. IMPB-enabled ports block packets from unknown source MAC addresses: on such ports, packets from a new MAC address are dropped by default, except broadcast ARP packets, which are trapped to the CPU for software processing. If the software determines that a received ARP packet is the first ARP from a client (a new MAC) and is valid, i.e. the 3-tuple (IP, MAC, port) matches, it forwards the packet to the proper ports. Whenever the software sees a new unauthorized MAC, it writes that MAC to the hardware L2 table marked 'source discard' and 'destination discard'. If the new MAC is authorized, it is written to the hardware L2 table for normal forwarding. The software keeps snooping ARP packets on IMPB-enabled ports, so that, for example, a blocked client can be unblocked later when a correct ARP is received.
The major difference between IMPB v2.5 and earlier versions is that an IMPB-enabled port drops packets from unknown source MAC addresses and the software processes the ARP packets; hence the first ARP packet from a client is processed, and forwarded by the software if the client is determined to be an authorized host.
Note:
1. "Auto-Recovery" mechanism
Because IMPB processing is based on ARP packets, a MAC that was previously marked unauthorized can reasonably be granted access when it broadcasts a valid ARP packet: the software examines the received broadcast ARP, and once an ARP with a valid (IP, MAC, port) tuple arrives, the blocked MAC is cleared. If the host does not send ARP packets, however, the block is never lifted. The switch therefore uses a time-based auto-recovery mechanism: when the countdown timer (a user-configurable interval of 1 to 65535 seconds) expires, the blocked entries are cleared and the switch re-learns from the host's ARP packets to authenticate it again.
2. Allow Zero-IP
Some devices (e.g. D-Link access points) send ARP requests with a zero IP (sender protocol address 0.0.0.0), which causes the sender's MAC to be blocked.
To address this, a command is provided to allow zero IP. When it is enabled, the switch does not block the MAC address of a device that sends ARP with a sender protocol address of zero.
IMPB v3.0/v3.1
This version adds DHCP snooping: an automatic mechanism that snoops trusted DHCPACK packets to identify and build the 3-tuple (IP, MAC, port) dynamically, reducing the administrator's effort.
Trusted DHCP server ports must be set up for this function to work correctly. A port with IMPB enabled is regarded as "untrusted"; the ports to which DHCP servers are connected must be left IMPB-disabled, which makes them trusted. To reduce the switch's overhead, the 3-tuple (IP, MAC, port) is derived only from DHCP packets received on trusted ports.
DHCP snooping builds and maintains the database dynamically from information extracted from intercepted DHCP messages. The auto-learned entries share the same database as the entries statically configured by the administrator. If a newly learned dynamic pair conflicts with a static entry, the static entry has priority; if the administrator configures an entry that already exists in the dynamic database, the dynamic entry is replaced by the static one.
If the IMPB database is full, no new entry can be added, whether static or dynamic.
Specification of IMPB auto mode:
DHCP snooping is also referred to as "auto mode". It is a global configuration and applies only to IMPB-enabled ports.
The switch derives the 3-tuple (IP, MAC, port) only from DHCP packets received on trusted ports. An IMPB-disabled port is a trusted port.
Consequently IMPB cannot be enabled on a port that is a DHCP snooping trusted port. "Trust" is used here only to explain the concept; there is no separate configuration for it. In other words, an IMPB-enabled port is an untrusted port.
IMPB does not currently support the switch's embedded DHCP server.
DHCP snooping binding table (auto-learned entries):
If a dynamically learned pair conflicts with the static configuration, the static configuration has priority.
The database contains an entry for each untrusted host with a leased IP address, provided the host is attached to a port with IMPB enabled. It contains no entries for hosts connected through trusted (IMPB-disabled) ports.
DHCP snooping updates the database whenever the switch intercepts specific DHCP messages: it adds an entry when the switch receives a DHCPACK from the DHCP server and removes the entry when the IP address lease expires.
Each entry in the DHCP snooping binding database holds the host's MAC address, the leased IP address, the lease time and the port associated with the host. The lease time is a new field compared with the information originally stored.
IMPB v3.1 provides a configurable parameter (max_entry) that limits the number of hosts allowed to connect to a port concurrently via DHCP.
This parameter is set per port and only limits automatically learned entries. To allow clients to receive the DHCP server's ACK, the switch programs the IMPB entry into hardware and increments the count whenever it receives a DHCPREQUEST from a client. The entry is removed and the count decremented if the client's DHCPREQUEST is not answered by a DHCP server ACK within a specific interval.
DHCP packets allowed by DHCP snooping on IMPB-enabled ports are:
DHCPDISCOVER
DHCPREQUEST
DHCPRELEASE
DHCPDECLINE
DHCP packets snooped by DHCP snooping on IMPB-disabled ports (for the DHCP server) are:
DHCPOFFER
DHCPACK
DHCPNAK
DHCPLEASEQUERY
The administrator can specify the option "no_limit" to place no limit on the number of entries. The limit does not guarantee that a port can actually learn that many entries: if the total number of entries across all ports reaches the device's capacity, no new entries can be learned even if a given port's auto-learned count is below its max_entry.
A command is provided to clear auto-learned entries. Once an entry is cleared, the host must obtain its IP address again for the switch to re-learn the entry.
On IMPB-enabled ports, DHCP server packets are copied to the CPU for IMPB software processing. The hardware forwards DHCP packets if the port is in loose state and drops all packets if the port is in strict state. When a DHCP client on an IMPB-enabled port in strict state sends a DHCPDISCOVER, the packet would be dropped and authentication would always fail.
To solve this, the administrator can enable or disable forward_dhcppkt per port to control the forwarding of DHCPDISCOVER packets. If forward_dhcppkt is enabled, the software always forwards DHCPDISCOVER packets. The administrator must enable forward_dhcppkt when a port is configured in strict state.
When DHCP snooping is turned on, DHCP packets are always snooped first and then forwarded.
In v3.0 the default behaviour is to forward DHCP packets; in v3.1 an option is available to disable this.
Note:
1. This feature is closely related to DHCP relay; the processing of DHCP packets still depends on the DHCP relay configuration. On IMPB-enabled ports, the IMPB software processes DHCP packets before DHCP relay: a DHCP packet from an untrusted interface (an IMPB-enabled port) is dropped if it comes from an unauthorized host and passed to DHCP relay for processing if it comes from an authorized host.
2. It is strongly recommended to enable IMPB only on edge ports. It is good practice to disable IMPB on a port whose downstream device is another IMPB-enabled switch.
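The following Python model (an added example, not D-Link code) ties together the DHCP snooping rules of this section and of "DHCP/DHCPv6 Snooping" in the main body: IMPB-enabled ports are untrusted and only client messages are accepted from them, a binding is learned from a DHCPACK seen on a trusted port and tied to the port where the client's DHCPREQUEST was seen, static entries win over conflicting dynamic ones, max_entry caps the auto-learned entries per port, a renewal refreshes the lease, and entries age out when the lease expires. The DHCP messages (BOOTP header plus options, without Ethernet/IP/UDP headers), addresses and port numbers are constructed for the example; the pending-REQUEST timeout and the hardware programming are not modelled.

```python
# Added example, not D-Link code: DHCP snooping as an IMPB binding-table builder.
import struct
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
CLIENT_MSGS = {DISCOVER, REQUEST, RELEASE, DECLINE}   # accepted from IMPB-enabled (untrusted) ports
SERVER_MSGS = {OFFER, ACK, NAK}                       # legitimate only from trusted ports
MAGIC = b"\x63\x82\x53\x63"


def mac_bytes(s): return bytes(int(x, 16) for x in s.split("-"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return "-".join(f"{x:02X}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", lease=None, xid=0x1234):
    """Constructed DHCP message carrying option 53 (type) and optionally 51 (lease time)."""
    op = 2 if msg_type in SERVER_MSGS else 1
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4,
                      mac_bytes(chaddr) + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(pkt):
    """Extract only what snooping needs: message type, yiaddr, chaddr and lease time."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen, msg_type, lease, i = pkt[2], None, None, 240
    while i < len(pkt) and pkt[i] != 255:          #  255 = end option
        if pkt[i] == 0:                              #  0 = pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if code == 53:
            msg_type = value[0]
        elif code == 51:
            lease = struct.unpack("!I", value)[0]
        i += 2 + length
    return {"type": msg_type, "yiaddr": ip_str(pkt[16:20]),
            "chaddr": mac_str(pkt[28:28 + hlen]), "lease": lease}


@dataclass
class DhcpSnooper:
    impb_ports: set                                   # untrusted ports; all others are trusted
    max_entry: dict = field(default_factory=dict)     # port -> limit on auto-learned entries
    static: dict = field(default_factory=dict)        # ip -> (mac, port), administrator configured
    dynamic: dict = field(default_factory=dict)       # ip -> {"mac", "port", "expires"}
    pending: dict = field(default_factory=dict)       # chaddr -> port of the last DHCPREQUEST

    def bindings(self, now):
        """Merged table for ARP/IP inspection: expired leases age out, static entries win."""
        self.dynamic = {ip: e for ip, e in self.dynamic.items() if e["expires"] > now}
        table = {ip: (e["mac"], e["port"]) for ip, e in self.dynamic.items()}
        table.update(self.static)
        return table

    def handle(self, now, port, pkt):
        m = parse_dhcp(pkt)
        if port in self.impb_ports:
            if m["type"] not in CLIENT_MSGS:
                return "drop"            # server message on an untrusted port: rogue DHCP server
            if m["type"] == REQUEST:     # remember the client's port; covers unicast renewals too
                self.pending[m["chaddr"]] = port
            return "forward"
        if m["type"] != ACK or m["lease"] is None:
            return "forward"             # OFFER/NAK pass through; nothing is learned from them
        client_port = self.pending.pop(m["chaddr"], None)
        if client_port is None:
            return "forward"             # client is not behind an IMPB port: no entry is kept
        ip = m["yiaddr"]
        if ip in self.static:
            return "static-wins"         # dynamic pair conflicts with a static entry
        on_port = sum(1 for e in self.dynamic.values() if e["port"] == client_port)
        limit = self.max_entry.get(client_port)
        if limit is not None and ip not in self.dynamic and on_port >= limit:
            return "max-entry"
        self.dynamic[ip] = {"mac": m["chaddr"], "port": client_port, "expires": now + m["lease"]}
        return "learned"


def demo():
    """Constructed exchange: server on trusted port 1, clients on IMPB ports 2 and 3."""
    s = DhcpSnooper(impb_ports={2, 3}, max_entry={2: 1, 3: 1},
                    static={"10.0.0.50": ("00-00-01-00-00-50", 3)})
    c2, c2b, c3 = "00-00-01-00-00-02", "00-00-01-00-00-22", "00-00-01-00-00-03"
    results = [
        s.handle(0, 2, build_dhcp(REQUEST, c2)),
        s.handle(1, 1, build_dhcp(ACK, c2, yiaddr="10.0.0.22", lease=3600)),
        s.handle(2, 3, build_dhcp(OFFER, c2, yiaddr="10.0.0.99")),            # rogue server on port 3
        s.handle(3, 3, build_dhcp(REQUEST, c3)),
        s.handle(4, 1, build_dhcp(ACK, c3, yiaddr="10.0.0.50", lease=3600)),  # collides with static
        s.handle(5, 2, build_dhcp(REQUEST, c2)),                              # unicast lease renewal
        s.handle(6, 1, build_dhcp(ACK, c2, yiaddr="10.0.0.22", lease=7200)),
        s.handle(7, 2, build_dhcp(REQUEST, c2b)),
        s.handle(8, 1, build_dhcp(ACK, c2b, yiaddr="10.0.0.23", lease=3600)),  # port 2 is at max_entry
    ]
    return results, s.bindings(10), s.bindings(10000)
```

`bindings(now)` is what the ARP/IP inspection would consult; calling it with a later timestamp shows the renewed lease of 10.0.0.22 expiring while the static entry remains.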
IMPB v3.2
This version introduces strict and loose states.
In previous versions (up to v3.1) the address learning of an IMPB-enabled port was entirely controlled by software, and a MAC address was learned only from ARP or DHCP packets. This caused a problem when a host never sent ARP or DHCP: it could not gain access even though it had a legitimate 3-tuple (IP-MAC-port). This was inconvenient for legitimate users, especially when a legitimate entry aged out of the L2 FDB for lack of traffic: the host was then blocked until the switch received another ARP or DHCP packet from it.
To avoid this problem, the switch provides:
Strict state:
Before the switch confirms that a host is legitimate, the host is denied by default. The switch checks the following types of packets received on the port to determine whether the host is legitimate:
-All IP and ARP packets with unknown MAC addresses.
-For packets with known MAC address, all ARP packets destined to the Switch (including broadcast/multicast or even the destination MAC is the switch itself).
-All DHCP packets when DHCP snooping is enabled at the port.
-In strict state, both ARP and IP packets are checked against the IMPB database to block or permit the host.
Loose state:
Before the switch confirms that a host is legitimate, the host is permitted by default. The switch checks the following types of packets received on the port to determine whether the host is legitimate:
-All IP and ARP packets, which are destined to the Switch (including broadcast/multicast or even the destination MAC is the switch itself).
-All DHCP packets when DHCP snooping is enabled at the port.
-In loose state, only ARP packets are checked against the IMPB database to block unauthorized hosts.
Note:
1. In loose state, addresses are learned automatically by hardware. This causes some weaknesses: a host that never sends IP or ARP packets cannot be monitored by IMPB, and the first ARP packet is flooded.
2. In IMPB v3.2 and earlier, when an IMPB-enabled port goes down, the entries created by IMPB (learned by DHCP snooping) on that port are deleted. In addition, the switch syncs the FDB and the IMPB entries every hour: if the MAC address of an entry dynamically learned by DHCP snooping no longer exists in the FDB, the entry is removed from the IMPB database.
IMPB v3.3
This version adds active/inactive entries.
In the IMPB v3.0 implementation, when an IMPB-enabled port goes down, the dynamically created entries on that port are deleted. As a result the client's packets may not be forwarded after the port comes back up unless the client sends DHCP again and gets a new IP address from the DHCP server.
In most scenarios clients are connected to access switches or hubs, which in turn connect to a port of the switch running IMPB. When the link between such an access switch or hub and the IMPB switch goes down, the DHCP snooping entries on that port are removed in response to the link-down event. From the PC's perspective, however, nothing happened: it is unaware of the switch's link-down event and never sends another DHCP request, so the switch cannot snoop DHCP packets and rebuild the entries.
To address this, IMPB v3.3 provides the following:
1. When an IMPB-enabled port goes down, the entries created by IMPB on that port are no longer removed until the entry's lease time expires.
2. When an IMPB-enabled port goes down, its entries are set to inactive.
IMPB cannot use an inactive entry to authorize a MAC address until the inactive entry becomes active again.
3. DHCP client lease renewal:
A client usually renews its lease by sending a unicast DHCP request to the DHCP server, which answers with a new lease time. If such unicast packets are not trapped to the switch CPU, the switch is unaware of the renewal and does not update the lease time of the IMPB entry. Once the entry exceeds its recorded lease time it is deleted and the client loses network connectivity.
To fix this, the switch captures unicast DHCP request packets, parses them and updates the IMPB entry with the new lease time.
In IMPB v3.3, one ACL mask and rule are used to capture unicast DHCP request packets for lease renewal.
When the first port enables the unicast DHCP request option, the switch creates one ACL mask and one ACL rule. Once the mask exists, each further port that enables the option only needs an ACL rule. A switch supporting IMPB v3.3 therefore spends one ACL mask and as many ACL rules as there are ports with the option enabled.
IMPB v3.4
This version enhances ACL mode.
In IMPB v3.4 the global ACL mode has been removed; instead, ACL mode can be enabled or disabled per port.
The default mode is still ARP mode.
When a port is configured for ACL mode, the operation fails if the hardware ACL table is already full, and the port keeps working in ARP mode only.
Likewise, under ACL mode, new dynamic entries cannot be created when the ACL table is full.
In these cases the switch writes an error log.
The per-entry ARP mode/ACL mode selection has been removed.
In this version, the mode of IMPB entries is determined by the per-port setting.
IMPB entries are programmed into both the ACL table and the L2 FDB if ACL mode is enabled on the port; otherwise they are programmed into the L2 FDB only.
Backward compatibility:
1. When users upgrade to firmware supporting IMPB v3.4 with their existing configuration, the global ACL/ARP mode no longer takes effect.
2. Each entry's ACL/ARP mode setting is converted automatically to the IMPB v3.4 per-port ACL/ARP mode as follows:
If all IMPB entries of a port were configured to use ACL mode, the port keeps ACL mode after the firmware upgrade.
If a port has no entries or no ACL mode configured, it defaults to ARP mode.
IMPBv3.5
This version adds the stop learning threshold. It prevents the switch FDB from being overloaded by an ARP DoS attack: the administrator configures the threshold at which a port stops learning MAC addresses.
IMPBv3.61
ARP inspection enhancement: in strict state, all unicast ARP packets are also inspected (see IMPB v2.5 for background).
IMPBv3.7
This version adds a lease time for inactive entries: if a client is in inactive status (for example the PC is in sleep mode), the switch can detect the DHCP renew procedure and change the entry from inactive to active.
IMPBv3.8
Under ACL mode in strict state, when an illegal ARP packet is detected, the switch no longer writes an illegal MAC entry to the FDB table (before this version an illegal MAC entry was written to the FDB, which then denied packets from that MAC). Instead, ARP packets are monitored and filtered by the strict state procedure.
ACL mode runs only with strict state; there is no ACL mode plus loose state combination.
The stop learning threshold works by counting illegal MAC entries in the FDB table. Since strict state no longer writes illegal MAC entries to the FDB, this feature only works in loose state.
From IMPB v3.81, blocked entries can be displayed.
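The following Python model (an added example, not D-Link code) puts the strict and loose state behaviour from "Understanding of IMPB mode" and IMPB v3.2, the v2.5 auto-recovery timer, the v3.5 stop learning threshold and the v3.8 rule above into one per-port state machine driven by already-parsed packet events. Strict state denies an unknown MAC until an ARP or IP packet with a matching (IP, MAC, port) arrives and writes no discard entry for an illegal MAC; loose state lets hardware learn and forward first, writes a discard entry when an ARP fails the check (so the failing ARP itself is reported as forwarded, matching the first-ARP flooding noted for v3.2), and counts those discard entries against the threshold. Events, addresses and timer values are constructed; the assumption that learning resumes once the discard count falls back below the threshold is the example's, not the brief's.

```python
# Added example, not D-Link code: strict vs. loose state, auto-recovery and stop learning.
from dataclasses import dataclass, field


@dataclass
class ImpbPort:
    number: int
    state: str                          # "strict" or "loose"
    bindings: dict                      # IP -> (MAC, port): static plus snooped entries
    recovery_interval: int = 60         # auto-recovery timer, 1..65535 s on the switch
    stop_threshold: int = 500           # illegal-MAC count that stops learning (loose only)
    fdb: dict = field(default_factory=dict)   # MAC -> ("forward"|"discard", time written)
    learning_stopped: bool = False

    def _legal(self, mac, ip):
        return ip is not None and self.bindings.get(ip) == (mac, self.number)

    def _illegal_count(self):
        return sum(1 for disp, _ in self.fdb.values() if disp == "discard")

    def _auto_recover(self, now):
        """Time-based auto-recovery: aged discard entries are cleared so the host is re-checked.
        Resuming learning once the count is below the threshold is this model's assumption."""
        for mac, (disp, written) in list(self.fdb.items()):
            if disp == "discard" and now - written >= self.recovery_interval:
                del self.fdb[mac]
        if self.learning_stopped and self._illegal_count() < self.stop_threshold:
            self.learning_stopped = False

    def handle(self, now, kind, src_mac, sender_ip=None):
        """kind: 'arp' (sender_ip = ARP sender protocol address), 'ip' (sender_ip = IP source)
        or 'other'. Returns 'forward' or 'drop' for this packet."""
        self._auto_recover(now)
        entry = self.fdb.get(src_mac)
        if entry and entry[0] == "discard":
            # A blocked MAC is released only by an ARP carrying the correct (IP, MAC, port)
            if kind == "arp" and self._legal(src_mac, sender_ip):
                self.fdb[src_mac] = ("forward", now)
                return "forward"
            return "drop"
        if self.state == "strict":
            if entry is None:
                # Denied until an ARP or IP packet proves the 3-tuple; an illegal MAC gets no
                # discard entry (v3.8), its packets are simply filtered
                if kind in ("arp", "ip") and self._legal(src_mac, sender_ip):
                    self.fdb[src_mac] = ("forward", now)
                    return "forward"
                return "drop"
            if kind == "arp" and not self._legal(src_mac, sender_ip):
                return "drop"           # known MAC, but its ARP is still inspected (v3.61)
            return "forward"
        # Loose: hardware learns the MAC and forwards first; the CPU inspects ARP afterwards
        if entry is None:
            if self.learning_stopped:
                return "drop"
            self.fdb[src_mac] = ("forward", now)
        if kind == "arp" and not self._legal(src_mac, sender_ip):
            self.fdb[src_mac] = ("discard", now)     # blocks everything after this packet
            if self._illegal_count() >= self.stop_threshold:
                self.learning_stopped = True
        return "forward"


def scenario(state):
    """Constructed traffic: a bound PC on port 1, then a host on the same port claiming the gateway IP."""
    pc, rogue = "00-00-01-00-00-01", "00-00-01-00-00-02"
    port = ImpbPort(1, state, {"10.0.0.20": (pc, 1)}, recovery_interval=30)
    return [
        port.handle(0, "ip", pc, "10.0.0.20"),      # PC sends IP traffic before any ARP
        port.handle(1, "arp", pc, "10.0.0.20"),     # PC's ARP, tuple matches
        port.handle(2, "ip", pc, "10.0.0.20"),
        port.handle(3, "arp", rogue, "10.0.0.1"),   # gateway IP claimed by the wrong MAC
        port.handle(4, "ip", rogue, "10.0.0.1"),    # rogue's data traffic
        port.handle(40, "ip", rogue, "10.0.0.1"),   # after the 30 s recovery timer
    ]


def stop_learning_demo():
    """Two spoofed ARPs from two MACs reach a threshold of 2; a legitimate host is then refused."""
    pc = "00-00-01-00-00-01"
    port = ImpbPort(1, "loose", {"10.0.0.20": (pc, 1)}, stop_threshold=2)
    for i in range(2):
        port.handle(i, "arp", f"00-00-01-00-00-A{i}", "10.0.0.1")
    return port.learning_stopped, port.handle(5, "ip", pc, "10.0.0.20")
```

Running `scenario("strict")` and `scenario("loose")` side by side shows the difference the brief describes: in strict state the rogue never gets a packet through, while in loose state its first ARP is flooded, its data is then blocked, and after the auto-recovery timer it is learned again until its next ARP is inspected.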
IMPBv3.9
IMPB v3.9 replaces ARP mode and ACL mode with ARP inspection and IP inspection. In ARP inspection all ARP packets are checked; in IP inspection all IP packets are checked. Illegal packets are dropped and legal packets forwarded. Strict and loose states can only be enabled for ARP inspection.
Backward compatibility:
1. A port that was previously IMPB-enabled in ACL mode is set to IP inspection enabled.
2. A port that was previously IMPB-enabled in ARP mode is set to ARP inspection enabled; whether it operates in loose or strict state depends on the previous configuration.
After IMPB v3.9 there is a special version for DHCP snooping, IMPB v3.93, which supports the configuration of roaming mode.
With roaming mode enabled, once a MAC address has been authenticated on a specific port, the switch allows that authenticated MAC address to move to another port.
With roaming mode disabled, a MAC address dynamically learned on one port cannot move to another port until its IMPB entry ages out; its traffic is dropped in the meantime.
IMPBv6
IMPBv6 is designed for IPv6 environments: it binds an IPv6 address to a MAC address and port. IPv6 is the version of the Internet Protocol intended to replace IPv4 and provides a much larger address space. IMPBv6 provides host-level source IPv6 address validation. It is deployed on the switch and snoops control protocols to set up bindings between source IPv6 addresses and their anchors (MAC address and port). Bindings can be configured manually, as static IPv6 binding entries, or learned dynamically through DHCPv6 snooping or ND snooping.
Support for DHCPv6 snooping and ND snooping
IPv6 supports stateful and stateless address auto-configuration: DHCPv6 is stateful and ND is stateless. IMPBv6 supports both.
In DHCPv6 snooping, when a client requests an IPv6 address from the DHCPv6 server and the server replies, IMPBv6 snoops the DHCPv6 packets and records the address and its lease time in the IMPB whitelist. If the lifetime expires or another client is assigned the same IP address, the entry is removed.
ND snooping is based on NS and NA packets. When a client wants to use an IPv6 address, it sends an NS packet to check whether the address is unique. If another node already uses the address, it replies with an NA and the client must generate another address. If no NA reply arrives, the client can use the address. ND snooping follows this mechanism: whenever an NS is received from a host for an address that is not yet in the IMPB whitelist and has a permitted prefix, a new entry is created in the whitelist and its lifetime recorded. If an NA response for that address is received from another node, or the lifetime expires, the entry is deleted.
Both IPv4 and IPv6 binding can be enabled on the same port, in which case IMPB checks both kinds of packets. If a client fails either the IMPBv4 or the IMPBv6 binding check, it cannot access the network. When IMPBv6 is enabled on a port, it is recommended to enable ND/DHCP snooping or create a static IMPBv6 entry so that the client can pass the IPv6 check. In an IPv6 environment only strict state can be enabled for ARP inspection; loose state cannot be used.
This version also has a security enhancement, IMPB v6.1. Once a host has been learned into the IMPB whitelist, the switch also checks its NS and NA packets: the source MAC address, the source address in the IPv6 header and the target address in the ICMPv6 header must match the whitelist entry. If any of them does not match, the switch blocks the packet.
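The following Python model (an added example, not D-Link code) implements the ND snooping rules from this section and from "ND Snooping" in the main body together with the IMPB v6.1 check: a DAD NS (IPv6 source ::) for an address inside the permitted prefix creates a whitelist entry with a lifetime, an NA for that address from a different node deletes it, and for a host already in the whitelist the NS/NA source MAC, IPv6 source and ICMPv6 target are checked against its binding. How the v6.1 rule applies per field is this example's reading of the brief: a bound host's NS may use :: or one of its own bound addresses as source, and its NA must advertise one of its own bound addresses as target. Frames (Ethernet + IPv6 + ICMPv6, no options, checksum left zero), addresses and the prefix are constructed.

```python
# Added example, not D-Link code: ND snooping and the IMPB v6.1 NS/NA consistency check.
import ipaddress
import struct
from dataclasses import dataclass, field

ETH_IPV6, ICMPV6, NS, NA = 0x86DD, 58, 135, 136


def mac_bytes(s): return bytes(int(x, 16) for x in s.split("-"))
def mac_str(b): return "-".join(f"{x:02X}" for x in b)


def build_nd(eth_src, src_ip, icmp_type, target, dst_ip="ff02::1"):
    """Constructed Ethernet/IPv6/ICMPv6 frame carrying an NS or NA for 'target'."""
    icmp = struct.pack("!BBHI16s", icmp_type, 0, 0, 0, ipaddress.IPv6Address(target).packed)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), ICMPV6, 255,
                      ipaddress.IPv6Address(src_ip).packed, ipaddress.IPv6Address(dst_ip).packed)
    eth = struct.pack("!6s6sH", mac_bytes("33-33-00-00-00-01"), mac_bytes(eth_src), ETH_IPV6)
    return eth + ip6 + icmp


def parse_nd(frame):
    """Return the fields IMPBv6 checks, or None if this is not an NS/NA frame."""
    if len(frame) < 14 + 40 + 24:
        return None
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    ip6, icmp = frame[14:54], frame[54:]
    if etype != ETH_IPV6 or ip6[6] != ICMPV6 or icmp[0] not in (NS, NA):
        return None                     # IPv6 extension headers are not handled here
    return {"src_mac": mac_str(src), "src_ip": str(ipaddress.IPv6Address(ip6[8:24])),
            "type": icmp[0], "target": str(ipaddress.IPv6Address(icmp[8:24]))}


@dataclass
class NdSnooper:
    permitted_prefix: ipaddress.IPv6Network
    lifetime: int = 300                              # entry lifetime in seconds
    table: dict = field(default_factory=dict)        # ipv6 -> {"mac", "port", "expires"}
    enforce_v61: bool = True

    def expire(self, now):
        self.table = {ip: e for ip, e in self.table.items() if e["expires"] > now}

    def handle(self, now, port, frame):
        self.expire(now)
        nd = parse_nd(frame)
        if nd is None:
            return "ignore"
        owner = (nd["src_mac"], port)
        mine = {ip for ip, e in self.table.items() if (e["mac"], e["port"]) == owner}
        if self.enforce_v61 and mine:
            # v6.1: a whitelisted host's NS/NA must stay consistent with its own binding
            if nd["src_ip"] != "::" and nd["src_ip"] not in mine:
                return "drop-source"
            if nd["type"] == NA and nd["target"] not in mine:
                return "drop-target"
        if nd["type"] == NS and nd["src_ip"] == "::":                 # DAD probe
            if ipaddress.IPv6Address(nd["target"]) not in self.permitted_prefix:
                return "ignore-prefix"
            if nd["target"] not in self.table:
                self.table[nd["target"]] = {"mac": nd["src_mac"], "port": port,
                                            "expires": now + self.lifetime}
                return "learned"
        elif nd["type"] == NA:
            e = self.table.get(nd["target"])
            if e and (e["mac"], e["port"]) != owner:
                del self.table[nd["target"]]                           # another node answered DAD
                return "deleted"
        return "forward"


def demo():
    """Constructed traffic: host A on port 1, host B on port 2 trying to take over A's address."""
    s = NdSnooper(ipaddress.IPv6Network("2012::/64"), lifetime=300)
    a, b, c = "00-00-01-00-00-01", "00-00-01-00-00-02", "00-00-01-00-00-03"
    out = [
        s.handle(0, 1, build_nd(a, "::", NS, "2012::3420")),              # A's DAD -> learned
        s.handle(1, 1, build_nd(a, "2012::3420", NS, "2012::1")),         # A resolves the router
        s.handle(2, 2, build_nd(b, "::", NS, "2012::3421")),              # B's DAD -> learned
        s.handle(3, 2, build_nd(b, "2012::3420", NS, "2012::1")),         # B uses A's source address
        s.handle(4, 2, build_nd(b, "2012::3421", NA, "2012::3420")),      # B advertises A's address
        s.handle(5, 3, build_nd(c, "::", NS, "2001:db8::1")),             # outside permitted prefix
    ]
    before = sorted(s.table)
    s.expire(1000)
    return out, before, sorted(s.table)
```

An NA from a node that is not yet in the whitelist still removes the entry, exactly as the brief describes for ND snooping; the v6.1 check constrains only hosts that are already bound, which is why the spoofing attempts by host B are dropped while a brand-new MAC answering DAD is not.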