Enhancements

Release M.10.43 Enhancements

Protection Against IP Source Address Spoofing

Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD “r” protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized.

Dynamic IP lockdown provides protection against IP source address spoofing by means of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC address binding for the port.

Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through statically configured IP source bindings to create internal, per-port lists. The internal lists are dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address.

Differences Between Switch Platforms

There are some differences in the feature set and operation of Dynamic IP Lockdown, depending on the switch on which it is implemented. These are listed below.

There is no restriction on GVRP on 3500/5400 switches. On 2600/2800/3400cl switches, Dynamic IP Lockdown is not supported if GVRP is enabled on the switch.

Dynamic IP Lockdown has the host limits shown in the table below. There is a DHCP snooping limit of 8,000 entries.

Switch        Number of Hosts                              Comments

3500/5400     64 bindings per port                         This limit is shared with DHCP snooping
              Up to 4096 bindings per switch               because they both use the snooping database.

3400cl/2800   32 bindings per port                         This is not guaranteed as the hardware
              Up to 32 VLANs with DHCP snooping enabled    resources are shared with QoS.

2600          8 bindings per port                          This is not guaranteed as the hardware
              Up to 8 VLANs with DHCP snooping enabled     resources are shared with QoS.

A source is considered “trusted” for all VLANs if it is seen on any VLAN without DHCP snooping enabled.
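The following Python model illustrates the filtering behaviour described above: per-port IP-to-MAC binding lists populated from snooped DHCP leases or static bindings, packets forwarded only when the source pair matches a binding on the arrival port, the per-port host limit from the table, and the rule that a source seen on a VLAN without DHCP snooping is trusted on all VLANs. It is an added example, not ProCurve switch code; the class, method names, port names, VLAN numbers and addresses are constructed, and the handling of the "trusted" rule (remember the source, forward it everywhere) is an assumed reading of the sentence above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Fields of an IP packet that the filter looks at (constructed model)."""
    src_ip: str
    src_mac: str
    in_port: str
    vlan: int


class DynamicIpLockdown:
    """Per-port IP-to-MAC binding filter fed by DHCP snooping and static bindings."""

    def __init__(self, snooping_vlans, per_port_limit):
        self.snooping_vlans = set(snooping_vlans)  # VLANs with DHCP snooping enabled
        self.per_port_limit = per_port_limit       # host limit from the platform table
        self.lockdown_ports = set()                # ports with dynamic IP lockdown on
        self.bindings = {}                         # port -> {(ip, mac), ...}
        self.trusted_sources = set()               # (ip, mac) pairs trusted on all VLANs

    def enable_on_port(self, port):
        self.lockdown_ports.add(port)
        self.bindings.setdefault(port, set())

    def add_binding(self, ip, mac, port):
        """Learn a binding from a snooped DHCP lease or a static source binding.
        Returns False (and learns nothing) once the per-port host limit is reached."""
        entries = self.bindings.setdefault(port, set())
        if (ip, mac) in entries:
            return True
        if len(entries) >= self.per_port_limit:
            return False
        entries.add((ip, mac))
        return True

    def remove_binding(self, ip, mac, port):
        """Lease released or expired: the host can no longer send through the port."""
        self.bindings.get(port, set()).discard((ip, mac))

    def filter(self, pkt):
        """Decide whether one packet is forwarded; returns (forward, reason)."""
        source = (pkt.src_ip, pkt.src_mac)
        if pkt.vlan not in self.snooping_vlans:
            # Assumed reading of the "trusted for all VLANs" rule: a source seen on a
            # VLAN without DHCP snooping is forwarded and remembered as trusted.
            self.trusted_sources.add(source)
            return True, "vlan-without-snooping"
        if pkt.in_port not in self.lockdown_ports:
            return True, "lockdown-not-enabled"
        if source in self.trusted_sources:
            return True, "trusted-source"
        if source in self.bindings.get(pkt.in_port, set()):
            return True, "binding-match"
        return False, "no-binding"


def demo():
    """Constructed scenario: snooping on VLAN 10 only, lockdown on ports 1 and 2."""
    sw = DynamicIpLockdown(snooping_vlans={10}, per_port_limit=2)
    sw.enable_on_port("1")
    sw.enable_on_port("2")
    host_ip, host_mac = "10.0.0.5", "aa:bb:cc:00:00:01"
    sw.add_binding(host_ip, host_mac, "1")          # learned from a snooped DHCP ACK
    results = {}
    results["legit"] = sw.filter(Packet(host_ip, host_mac, "1", 10))
    results["forged_ip"] = sw.filter(Packet("10.0.0.9", host_mac, "1", 10))
    results["forged_mac"] = sw.filter(Packet(host_ip, "aa:bb:cc:00:00:02", "1", 10))
    results["wrong_port"] = sw.filter(Packet(host_ip, host_mac, "2", 10))
    results["no_lockdown"] = sw.filter(Packet("10.0.0.7", "aa:bb:cc:00:00:03", "3", 10))
    # A source first seen on VLAN 20 (no snooping) is then trusted on VLAN 10 too.
    results["other_vlan"] = sw.filter(Packet("10.0.0.8", "aa:bb:cc:00:00:04", "1", 20))
    results["trusted_later"] = sw.filter(Packet("10.0.0.8", "aa:bb:cc:00:00:04", "1", 10))
    # Host limit: port 1 already holds one binding and the constructed limit is two.
    results["second_learn"] = sw.add_binding("10.0.0.6", "aa:bb:cc:00:00:05", "1")
    results["third_learn"] = sw.add_binding("10.0.0.7", "aa:bb:cc:00:00:06", "1")
    # Lease expiry revokes the binding; the former host is dropped again.
    sw.remove_binding(host_ip, host_mac, "1")
    results["after_expiry"] = sw.filter(Packet(host_ip, host_mac, "1", 10))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

The scenario shows the two failure modes a practitioner should keep in mind when relying on this feature: a binding is port-specific, so a valid host that moves to another lockdown port without a new lease is dropped until DHCP snooping learns it there, and any VLAN left without DHCP snooping becomes a path by which a source earns trust on every VLAN, so snooping should be enabled consistently on the VLANs the lockdown ports carry.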

On the ProCurve switch series 5400 and 3500, dynamic IP lockdown is supported on a port that also has statically configured port-based ACLs.
