How can the firewall feature Prohibit IP Spoofing cause valid user failures?


Question: How can the firewall feature Prohibit IP Spoofing cause valid user failures?

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.

Note: This article combines previous KB articles on this subject.

Prohibit IP Spoofing is enabled by default on an Aruba controller and is a non-global command, which means it is configured per controller and is independent of the Master configuration. The feature prevents two different client MAC addresses from using the same IP address: the newest client is denied an entry in the user table and its traffic is dropped.

Trigger: IP traffic arrives from a new client MAC using an IP address that is already registered to another client MAC in the user table. This validation is performed before any IP address/MAC pair is added to the user table and on every ARP request and response.

Enabling and Disabling the Prohibit IP Spoofing Feature

You can configure Prohibit IP Spoofing either from the CLI (in config mode) or from the WebUI.

Using the CLI:

To enable:

(config) #firewall prohibit-ip-spoofing

(config) #write mem

To disable:

(config) #no firewall prohibit-ip-spoofing

(config) #write mem

Using the GUI:

Configuration Tab > Advanced Services > Stateful Firewall > Global Settings

(Screenshot: 1039_image1.jpg, the Stateful Firewall Global Settings page)


Verifying Whether Prohibit IP Spoofing Is Enabled or Disabled

Using the CLI:

Log in to the Aruba controller and enter the following CLI command:

#show firewall

Global firewall policies
------------------------
Policy                                       Action    Rate
------                                       ------    ----
Enforce TCP handshake before allowing data   Disabled
Prohibit RST replay attack                   Disabled
Deny all IP fragments                        Disabled
Prohibit IP Spoofing                         Enabled
Monitor ping attack                          Disabled
Monitor TCP SYN attack                       Disabled
Monitor IP sessions attack                   Disabled
Deny inter user bridging                     Disabled
Log all received ICMP errors                 Disabled
Per-packet logging                           Disabled
Session mirror destination                   Disabled
Disable Stateful SIP Processing              Disabled
Allow tri-session with DNAT                  Disabled
Disable FTP server                           No
GRE call id processing                       Disabled
Session Idle Timeout                         Disabled
VOIP proxy arp                               Disabled
WMM content enforcement                      Disabled
Session VOIP Timeout                         Disabled
Session mirror IPSEC                         Disabled

Using the GUI:

Configuration Tab > Advanced Services > Stateful Firewall > Global Settings

(Screenshot: 1039_image1.jpg, the Stateful Firewall Global Settings page)


Conditions that Prevent Valid Users from Triggering Prohibit IP Spoofing

Specific AAA timers are configurable in ArubaOS. They are part of the Master configuration and are pushed to each local controller.

#show aaa timers

User idle timeout = 5 minutes      (this is the timer discussed below)
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes

(Screenshot: 1039_image2.jpg, the AAA timers configuration page)


So, the IP spoofing check looks at whether the IP address seen from a new client MAC is already in use by a valid client MAC found in the user table.

That "valid" user-table entry is not removed the moment the client goes quiet. If the client becomes inactive, the controller probes it when the User-Idle-Timer (5 minutes by default) expires; if the client answers the controller's ICMP probes, the User-Idle-Timer is reset for that entry, otherwise the entry is aged out. Until it is aged out, the IP address is still considered owned by the old client MAC.

Given these two behaviours, a problem arises when the administrator in charge of the clients' DHCP scope has set the DHCP lease time to a value equal to or less than the controller's User-Idle-Timer. Lease times are typically lowered this far when the IP pool is near exhaustion or for security reasons.

DHCP Lease Renewal

After 50% of the lease time has passed, the client attempts to renew the lease with the DHCP server it originally obtained it from, using a DHCPREQUEST message. Any time the client boots and 50% or more of the lease has passed, it attempts to renew the lease. At 87.5% of the lease time, the client attempts to contact any DHCP server for a new lease. If the lease expires, the client starts over with the initial discovery exchange, as at boot when it had no IP address. If that also fails, the client must stop using the address and its TCP/IP stack stops functioning. The practical consequence is that a client that is still renewing normally always holds at least half of its lease time; an address is only released back to the pool once the client has stopped renewing and the remaining lease has run out.

Results

When a new or existing client associates to the Aruba system, it performs a DHCP exchange to obtain an IP address. If the DHCP pool being used flushes inactive leases frequently enough, the client may be handed an IP address that still exists in the Aruba user table, bound to the previous client's MAC, because that entry has NOT yet aged out under the User-Idle-Timer. The new client's first packet from that IP address triggers an IP spoofing event and the valid client is denied.

Corrective Measures

  • Increase the DHCP lease time to a value greater than the User-Idle-Timer (default 5 minutes), for example:

    DHCP lease time = 15 minutes
    User idle timeout = 5 minutes

  • Decrease the User-Idle-Timer to a value less than half the DHCP lease time, for example:

    DHCP lease time = 5 minutes
    User idle timeout = 2 minutes

    (Half the lease time is the relevant bound because a client that is renewing normally never holds less than half of its lease, so an address cannot be recycled within that window.)

  • Increase the DHCP scope, so that the pool is large enough that the server no longer recycles expired leases first-in first-out as soon as they expire.
  • Disable Prohibit IP Spoofing. Note that this also removes the protection the feature provides: a client would then be able to send traffic from an IP address that the user table already attributes to another client MAC, so prefer one of the timer or scope changes above.
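The following is an added example (not ArubaOS code and not part of the original article) that models the race described under "Results" and checks the timer values given under "Corrective Measures". It also parses constructed samples of the `show firewall` and `show aaa timers` output shown earlier to pull out the Prohibit IP Spoofing state and the User-Idle-Timer. The user table, the client MACs, the address 10.0.0.5 and the simplifications listed in the docstring are all assumptions made for the illustration; the controller's actual probing and DHCP server's reuse order are not modelled.

```python
"""Constructed model of the race between DHCP lease reuse and the controller's
User-Idle-Timer that trips Prohibit IP Spoofing. Added example, not ArubaOS
code; the two CLI captures below are constructed samples in the format shown in
the article. Assumptions (hypothetical, for illustration only):
  * a user-table entry ages out exactly idle_timeout minutes after the client's
    last packet (the controller's ICMP idle probes are not modelled);
  * a healthy client renews at 50% of its lease, so a client that silently
    leaves still holds between lease/2 and lease minutes of lease time;
  * the DHCP server reissues an expired address immediately (the FIFO
    lease-release case in the article).
All times are in minutes.
"""
import re

SHOW_FIREWALL = """\
Global firewall policies
------------------------
Policy                                       Action    Rate
------                                       ------    ----
Enforce TCP handshake before allowing data   Disabled
Prohibit IP Spoofing                         Enabled
Deny inter user bridging                     Disabled
"""

SHOW_AAA_TIMERS = """\
User idle timeout = 5 minutes
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
"""


def spoof_check_enabled(show_firewall):
    """Parse 'show firewall' output; True if Prohibit IP Spoofing is Enabled."""
    m = re.search(r"^Prohibit IP Spoofing\s+(\w+)", show_firewall, re.M)
    return bool(m) and m.group(1) == "Enabled"


def user_idle_timeout(show_aaa_timers):
    """Parse 'show aaa timers' output; return the User idle timeout in minutes."""
    m = re.search(r"^User idle timeout = (\d+) minutes", show_aaa_timers, re.M)
    if not m:
        raise ValueError("User idle timeout not found in output")
    return int(m.group(1))


class UserTable:
    """Minimal stand-in for the controller user table plus the spoof check."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.entries = {}  # ip -> (mac, last_seen)

    def age_out(self, now):
        """Remove entries silent for at least idle_timeout minutes."""
        for ip, (mac, seen) in list(self.entries.items()):
            if now - seen >= self.idle_timeout:
                del self.entries[ip]

    def admit(self, mac, ip, now):
        """True if traffic from (mac, ip) is accepted; False if the IP is still
        bound to a different MAC, i.e. the newest client is dropped."""
        self.age_out(now)
        owner = self.entries.get(ip)
        if owner is not None and owner[0] != mac:
            return False
        self.entries[ip] = (mac, now)
        return True


def second_client_denied(idle_timeout, lease_left_at_departure):
    """Client A holds 10.0.0.5 and goes silent at t=0 with
    lease_left_at_departure minutes of lease left; the DHCP server hands
    10.0.0.5 to client B the moment that lease expires. True if B is denied."""
    table = UserTable(idle_timeout)
    table.admit("aa:aa:aa:aa:aa:aa", "10.0.0.5", now=0.0)
    return not table.admit("bb:bb:bb:bb:bb:bb", "10.0.0.5",
                           now=lease_left_at_departure)


def worst_case_denied(lease_time, idle_timeout):
    """A renewing client never holds less than lease/2, so that is the worst
    case: the deployment is safe only if lease/2 >= idle_timeout."""
    return second_client_denied(idle_timeout, lease_time / 2)


if __name__ == "__main__":
    idle = user_idle_timeout(SHOW_AAA_TIMERS)
    print("Prohibit IP Spoofing enabled:", spoof_check_enabled(SHOW_FIREWALL))
    for lease in (5, 15):
        print(f"lease={lease}m idle={idle}m -> valid client denied:",
              worst_case_denied(lease, idle))
    print("lease=5m idle=2m -> valid client denied:", worst_case_denied(5, 2))
```

With the article's values, a 5-minute lease against the default 5-minute User-Idle-Timer denies the second client (the address can come back after 2.5 minutes while the stale entry lives for 5), whereas a 15-minute lease or a 2-minute idle timeout does not.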


Version history: revision 1 of 1, last update 07-03-2014 04:34 PM