Question: How can the firewall feature Prohibit IP Spoofing cause valid user failures?
Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Note: This article combines previous KB articles on this subject.
Prohibit IP Spoofing is enabled by default on an Aruba controller and is a non-global command, which means it is configured independently of the master configuration. This feature prevents two distinct client MAC addresses from using the same IP address: the newest client is denied an entry in the user table and its traffic is dropped.
Trigger: IP traffic from a new client MAC address uses an IP address that is already registered to another client MAC address in the user table. This validation is performed before any IP address and MAC address pair is added to the user table, and for each ARP request and response.
Enabling and Disabling the Prohibit IP Spoofing Feature
You can configure Prohibit IP Spoofing either from the CLI (in config mode) or from the WebUI.
Using the CLI:
To enable:
(config) #firewall prohibit-ip-spoofing
(config) #write mem
To disable:
(config) #no firewall prohibit-ip-spoofing
(config) #write mem
Using the GUI:
Configuration Tab > Advanced Services > Stateful Firewall > Global Settings
Verifying Whether Prohibit IP Spoofing Is Enabled or Disabled
Using the CLI:
Log in to the Aruba controller and enter the following CLI command:
#show firewall
Global firewall policies
------------------------
Policy Action Rate
------ ------ ----
Enforce TCP handshake before allowing data Disabled
Prohibit RST replay attack Disabled
Deny all IP fragments Disabled
Prohibit IP Spoofing Enabled
Monitor ping attack Disabled
Monitor TCP SYN attack Disabled
Monitor IP sessions attack Disabled
Deny inter user bridging Disabled
Log all received ICMP errors Disabled
Per-packet logging Disabled
Session mirror destination Disabled
Disable Stateful SIP Processing Disabled
Allow tri-session with DNAT Disabled
Disable FTP server No
GRE call id processing Disabled
Session Idle Timeout Disabled
VOIP proxy arp Disabled
WMM content enforcement Disabled
Session VOIP Timeout Disabled
Session mirror IPSEC Disabled
Using the GUI:
Configuration Tab > Advanced Services > Stateful Firewall > Global Settings
Conditions that Prevent Valid Users from Triggering Prohibit IP Spoofing
Specific timers configurable in ArubaOS are part of the master configuration and are pushed to each local controller.
#show aaa timers
User idle timeout = 5 minutes <<<<<< this timer is discussed below >>>>>>
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
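As an added check before changing any timers (example script, not part of this article or of ArubaOS), the following Python parses captured `show firewall` and `show aaa timers` output to confirm the state of Prohibit IP Spoofing and the User idle timeout value. The sample output is reconstructed from the listings above; the rule that a trailing token that is not Enabled/Disabled/Yes/No belongs to the Rate column is an assumption about the column layout.

```python
import re

# Constructed sample output, copied from the listings in this article (not a live capture).
SHOW_FIREWALL = """\
Global firewall policies
------------------------
Policy Action Rate
------ ------ ----
Enforce TCP handshake before allowing data Disabled
Prohibit RST replay attack Disabled
Deny all IP fragments Disabled
Prohibit IP Spoofing Enabled
Monitor ping attack Disabled
Deny inter user bridging Disabled
Disable FTP server No
"""

SHOW_AAA_TIMERS = """\
User idle timeout = 5 minutes
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
"""

# Values the Action column is assumed to take.
ACTION_WORDS = {"Enabled", "Disabled", "Yes", "No"}


def parse_firewall_policies(text):
    """Map each policy name to (action, rate).

    Policy names contain spaces, so each row is read from the right: the last
    token is the action, unless it is not an action word, in which case it is
    taken as the Rate column and the action is the token before it (assumption
    derived from the Policy/Action/Rate header).
    """
    policies = {}
    for line in text.splitlines():
        tokens = line.split()
        # Skip the title, the column header and the dashed separator lines.
        if not tokens or tokens[0].startswith("-") or tokens[0] in ("Global", "Policy"):
            continue
        rate = None
        if tokens[-1] not in ACTION_WORDS:
            rate = tokens.pop()
        action = tokens.pop()
        policies[" ".join(tokens)] = (action, rate)
    return policies


def parse_aaa_timers(text):
    """Map each timer name to its value in minutes."""
    timers = {}
    for m in re.finditer(r"^(.+?)\s*=\s*(\d+)\s*minutes?", text, re.MULTILINE):
        timers[m.group(1).strip()] = int(m.group(2))
    return timers


def spoofing_check_status(firewall_text, timers_text):
    """Summarize the two values this article cares about."""
    policies = parse_firewall_policies(firewall_text)
    timers = parse_aaa_timers(timers_text)
    enabled = policies.get("Prohibit IP Spoofing", ("Disabled", None))[0] == "Enabled"
    return {
        "prohibit_ip_spoofing": enabled,
        "user_idle_timeout_min": timers.get("User idle timeout"),
    }


if __name__ == "__main__":
    print(spoofing_check_status(SHOW_FIREWALL, SHOW_AAA_TIMERS))
```

Feed it the real output of both commands from a local controller; the User idle timeout it reports is the value to compare against the DHCP lease time in the discussion that follows.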
The IP spoofing detection therefore checks whether the IP address seen from a new client MAC address is already in use by a valid client MAC address found in the user table.
This "valid" user-table entry is checked every 5 minutes (by default) when the client becomes inactive: the controller sends ICMP messages to the client, and if the client answers them, the User-Idle-Timer for this user-table entry is reset. If the client does not answer, the entry ages out.
Given these two behaviors, a network configuration can exist where the system administrator in charge of the DHCP scope for the clients has reduced the DHCP lease time to a value equal to or less than the controller's User-Idle-Timer. The lease time is usually lowered this far when the IP pool is near exhaustion or for security reasons.
DHCP Lease Renewal
After 50% of the lease time has passed, the client attempts to renew the lease with the original DHCP server it obtained the lease from, using a DHCPREQUEST message. Any time the client boots and 50% or more of the lease has passed, the client attempts to renew the lease. At 87.5% of the lease time, the client attempts to contact any DHCP server for a new lease. If the lease expires, the client sends a request as at initial boot, when it had no IP address. If this fails, the client's TCP/IP stack stops functioning.
Results
When a new or existing client associates to the Aruba system, it performs a DHCP exchange to obtain an IP address. If the DHCP pool in use flushes inactive leases frequently enough, the client may acquire an IP address that still exists in the Aruba user table under another MAC address and has NOT yet aged out because of the User-Idle-Timer. This IP address triggers an IP spoofing event and the valid client is denied.
Corrective Measures
- Increase the DHCP lease time to a value greater than the default User-Idle-Timer of 5 minutes. Example:
  DHCP lease time = 15 minutes
  User-idle-timeout = 5 minutes
- Decrease the User-Idle-Timer to a value less than half the DHCP lease time. Example:
  DHCP lease time = 5 minutes
  User-idle-timeout = 2 minutes
- Increase the DHCP scope of the IP address distribution, eliminating the FIFO lease releases on the DHCP server.
- Disable Prohibit IP Spoofing.
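To show why the lease time and the User-Idle-Timer interact this way, here is an added Python model (not Aruba code) of one IP address passing from a client that has left the network to a newcomer. It assumes a DHCP server that reuses an expired lease immediately (the near-exhausted pool described above), a client that renews at 50% of its lease while it is active, and a controller that removes a user-table entry once the idle timeout has elapsed with no traffic and no ICMP reply. The MAC and IP values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class UserEntry:
    mac: str
    last_seen: float  # minute of the client's last traffic or ICMP reply


@dataclass
class UserTable:
    """Simplified controller user table with the User-Idle-Timer and the
    Prohibit IP Spoofing check (model, not the ArubaOS implementation)."""
    idle_timeout: float                           # User idle timeout, in minutes
    entries: dict = field(default_factory=dict)   # ip -> UserEntry

    def age_out(self, now):
        # A client that has left never answers the controller's ICMP probe, so
        # its entry is removed once the idle timer has elapsed with no traffic.
        for ip, entry in list(self.entries.items()):
            if now - entry.last_seen >= self.idle_timeout:
                del self.entries[ip]

    def admit(self, now, mac, ip):
        """Return True if the client is admitted, False if Prohibit IP Spoofing
        denies it because the IP is still registered to a different MAC."""
        self.age_out(now)
        owner = self.entries.get(ip)
        if owner is not None and owner.mac != mac:
            return False
        self.entries[ip] = UserEntry(mac, now)
        return True


def simulate(lease_time, idle_timeout, since_last_renewal):
    """Timeline in minutes for a single IP address.

    t = 0: client A sends its last packet and leaves without releasing its
           lease. Its lease was last renewed `since_last_renewal` minutes
           earlier (anywhere from 0 to lease_time/2, because an active client
           renews at 50% of the lease).
    Lease expiry: the DHCP server immediately hands the same IP to client B,
           and the controller runs the Prohibit IP Spoofing check on B's
           first packet.
    Returns 'admitted' or 'denied'.
    """
    ip = "10.0.0.42"                                   # constructed address
    table = UserTable(idle_timeout)
    table.admit(0.0, "aa:aa:aa:aa:aa:aa", ip)          # client A is in the table at t=0
    lease_expires = lease_time - since_last_renewal    # time until the DHCP lease lapses
    ok = table.admit(lease_expires, "bb:bb:bb:bb:bb:bb", ip)
    return "admitted" if ok else "denied"


def worst_case_safe(lease_time, idle_timeout):
    """True when even the earliest possible reuse (A renewed at 50% of its lease
    just before going silent) happens after A's entry has aged out."""
    return simulate(lease_time, idle_timeout, lease_time / 2) == "admitted"


if __name__ == "__main__":
    # The three lease/idle combinations from the corrective measures above.
    for lease, idle in ((5, 5), (15, 5), (5, 2)):
        print(f"lease={lease} idle={idle}: worst case ->",
              simulate(lease, idle, lease / 2))
```

Run with the three settings from the list above: the 15/5 and 5/2 combinations admit the newcomer, while a 5-minute lease with the default 5-minute idle timeout denies it whenever the departed client had renewed its lease within the last two and a half minutes before going silent. The half-lease figure in the second corrective measure comes from that worst case: a departed client's remaining lease can be as short as half the lease time, so the idle timer must expire sooner than that.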