Tuesday, December 21, 2010

Networking Tidbit of the Day - Self-Defending Networks

The following presumes a bit of knowledge of networking, including DHCP, MAC addresses (watch the capitalization and don't confuse with Apple Macs, relevant later), and Ethernet switching.

Some years back Cisco Systems kept running these kinds of annoying ads with the CEO's daughter doing bad stuff on the network and the network preventing damage from happening. While very hand-wavy and low on details, there has in fact been a push over the past decade to add more intelligence toward the edge of the network to sanity-check what's going on and prevent some malicious activity, or just malfunctions, from affecting other users.

In that vein, one of the shiny features that Ethernet switch vendors started to offer a few years back is called DHCP Snooping. The basic idea is that the Ethernet switch sees when a computer boots up and requests an IP address, then keeps track of the response, and makes sure the computer on a given port only uses the IP address it's supposed to have. Additional benefits come from having a mapping between a physical switchport and IP address without having to correlate various other tables.

It also catches a couple of other oddities, as it happens, as evidenced by the logs this morning:

Dec 21 09:40:02 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, chaddr: 0025.4b8e.xxxx, MAC sa: 0025.4bab.yyyy
Ugly gobbledygook, right? What it means is that the switch saw a DHCP request come in for a MAC (hardware) address (chaddr) different from the address that sent it (MAC sa). The idea behind the block is that there are very few legitimate reasons why one computer should act as a representative for another; the computer wanting an IP address should ask for it itself.

And, indeed, looking up the first six hex digits (the vendor OUI) from those MAC addresses reveals that the computer in question is an Apple, which explains what's going on (if you happen to know how some Macs do their networking). The machine is a laptop, which has a wireless network interface (AirPort) with one MAC address and a wired interface with another MAC address. The Apple in question tries to get addresses for both of its interfaces, both the wireless and the wired, and the way Steve Jobs has decided this should work is to send any requests like this out all of the interfaces: the wired interface requests IP addresses both for itself and the AirPort, and the AirPort requests addresses both for itself and the wired interface. This makes sense in a home or small business where all networks are the same segment, but it breaks badly in an enterprise where this is not the case.
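To make the chaddr-versus-source-MAC check concrete, here is an added example (not Cisco's code, and not from the original post) that builds a constructed DHCPREQUEST frame, performs the same comparison a snooping switch does, and parses the MATCH_MAC_FAIL log line above to see whether the two addresses share a vendor OUI. The frame builder, function names and the `0025.4bab.0001`-style sample addresses are assumptions made for the example.

```python
"""DHCP snooping chaddr/source-MAC check and MATCH_MAC_FAIL log parser (added example)."""
import re
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the options
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

# The switch log line quoted in the post (the masked xxxx/yyyy octets are kept as-is).
LOG_LINE = ("Dec 21 09:40:02 EST: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING "
            "drop message because the chaddr doesn't match source mac, message type: DHCPREQUEST, "
            "chaddr: 0025.4b8e.xxxx, MAC sa: 0025.4bab.yyyy")


def mac_str(mac: bytes) -> str:
    """Render six bytes in Cisco's dotted-hex notation (e.g. 0025.4bab.0001)."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_dhcp_request_frame(src_mac: bytes, chaddr: bytes, xid: int = 0x1234ABCD) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP/DHCPREQUEST frame (constructed sample, not a
    capture). Checksums are left at zero; only the fields the snooping check reads matter."""
    # BOOTP fixed header: op=1 (request), htype=1 (Ethernet), hlen=6, hops, xid, secs, flags
    dhcp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    dhcp += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + DHCP_MAGIC
    dhcp += b"\x35\x01\x03"  # option 53, length 1, type 3 = DHCPREQUEST
    dhcp += b"\xff"          # end of options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"  # broadcast dst, client src, EtherType IPv4
    return eth + ip


def dhcp_message_type(dhcp: bytes):
    """Walk the options after the magic cookie and return the value of option 53, if any."""
    opts = dhcp[240:]
    i = 0
    while i < len(opts):
        code = opts[i]
        if code == 0:          # pad option, no length byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = opts[i + 1]
        if code == 53 and length == 1:
            return opts[i + 2]
        i += 2 + length
    return None


def snoop_check(frame: bytes):
    """Return (verdict, reason). A client-originated DHCP message (op=1) whose chaddr
    differs from the Ethernet source MAC is dropped, mirroring the switch's MATCH_MAC_FAIL."""
    src_mac = frame[6:12]
    if frame[12:14] != b"\x08\x00":
        return ("ignore", "not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        return ("ignore", "not UDP")
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if (sport, dport) != (68, 67):
        return ("ignore", "not client-to-server DHCP")
    dhcp = frame[udp + 8:]
    if dhcp[236:240] != DHCP_MAGIC:
        return ("drop", "bad DHCP magic cookie")
    op, hlen = dhcp[0], dhcp[2]
    chaddr = dhcp[28:28 + hlen]
    mtype = MSG_TYPES.get(dhcp_message_type(dhcp), "UNKNOWN")
    if op == 1 and chaddr != src_mac:
        return ("drop", f"chaddr {mac_str(chaddr)} != source MAC {mac_str(src_mac)} ({mtype})")
    return ("forward", f"{mtype} from {mac_str(src_mac)}")


_DOTTED = r"[0-9a-fA-Fxy]{4}\.[0-9a-fA-Fxy]{4}\.[0-9a-fA-Fxy]{4}"
LOG_RE = re.compile(r"DHCP_SNOOPING_MATCH_MAC_FAIL:.*message type: (?P<type>\w+), "
                    rf"chaddr: (?P<chaddr>{_DOTTED}), MAC sa: (?P<sa>{_DOTTED})")


def parse_match_mac_fail(line: str):
    """Extract message type, chaddr and source MAC from the syslog line and note whether
    the two addresses share an OUI (first 24 bits, i.e. '0025.4b' in dotted form)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["same_oui"] = d["chaddr"][:7].lower() == d["sa"][:7].lower()
    return d


if __name__ == "__main__":
    wired = bytes.fromhex("00254bab0002")   # constructed sample addresses
    wireless = bytes.fromhex("00254b8e0001")
    print(snoop_check(build_dhcp_request_frame(wired, wired)))
    print(snoop_check(build_dhcp_request_frame(wired, wireless)))
    print(parse_match_mac_fail(LOG_LINE))
```

Run stand-alone it prints a forward verdict for the honest request, a drop for the request the wired interface sends on behalf of the wireless one, and the parsed log fields with `same_oui` true, which is the same observation that led to the Apple diagnosis above.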

The Ethernet switch sees the wired interface send out a request for an address for the wireless interface, and refuses to forward this request, which from our point of view is the right thing to do, because if the Airport in the laptop manages to get an address from the wired network, it won't work, and then an unhappy faculty/student/staff will be calling the helpdesk.