This section describes the mechanism for IP spoofing, ARP spoofing, and IP-MAC binding as well as the relationship among address binding table, ARP table, and MAC address table.
In IP address spoofing, an attacker uses the IP address of another host on the network to bypass IP address-based security policies (for example, access control and accounting) on gateway devices. Figure 1 shows a typical attack example.
In ARP spoofing, an attacker forges ARP packets to change the ARP entries of gateway devices or other hosts on the network, and therefore obtains the packets originally sent to these devices or hosts.
Since switches select egresses based on MAC address in data-link layer forwarding, ARP spoofing mainly aims to change the ARP entries on the switching device, so that the switching device maps the IP address of the attacked host to the MAC address of the attacker. Consequently, the packets originally destined for the attacked host are delivered to the attacker, who can then obtain the private information of the attacked host.
Figure 2 shows a typical attack example.
To configure IP-MAC address binding on the device, the administrator needs to know the correct mapping between IP addresses and MAC addresses. The device automatically collects the mapping between IP addresses and MAC addresses through ARP probe and performs the IP-MAC address binding.
For IP-MAC address binding, an address binding table must be established on the device. The administrator can add entries to the table through configuration. When receiving an IP packet, the device extracts the source IP address from the packet header, searches the binding table for the corresponding MAC address, and compares the bound MAC address with the actual source MAC address in the frame header. If the two MAC addresses are inconsistent, the packet is considered illegitimate and discarded. Packets whose source IP addresses are not in the address binding table pass the IP-MAC binding check without being compared.
Figure 3 and Figure 4 show the principles of IP-MAC address binding-based defense against IP address spoofing and ARP spoofing.
The two types of defense have the following defects:
Figure 5 shows the position of the IP-MAC address binding check in the forwarding process. The device checks the IP-MAC mapping while analyzing the link-layer frame, so spoofed packets are identified early, before further processing.
The following tables involving IP or MAC addresses are available on the device:
Address binding table: records the mapping relationship (between IP addresses and MAC addresses) configured by the administrator. The table can be modified only through configurations.
Upon receiving a packet, the device checks the mapping relationship between the source IP address and source MAC address of the packet according to the table.
ARP table: records the mapping relationship (between IP addresses and MAC addresses) automatically learned by ARP. The administrator can manually add static entries to the table.
When sending packets, the device searches the table for the destination MAC addresses based on the destination IP addresses of packets.
MAC address table: records the mapping between the MAC addresses of the other devices on the network and the egress interfaces through which they are reached.
When forwarding link-layer frames through the switching interface, the device searches the table and determines the egress for sending the packet according to its destination MAC address.
According to the previous analysis, the address binding table is used to check packet validity, and the ARP table and MAC address table are used to search for destination MAC addresses and egresses to send packets.
Figure 6 shows the relationship between the address binding table and the ARP table.
When the IP-MAC address binding function is enabled, the address binding entry takes precedence over the ARP entry.
| Condition 1 | Condition 2 | Result |
|---|---|---|
| Address binding is enabled. | An address binding entry whose VPN instance and IP address are identical with the existing ARP entry is created. | Address binding entries can coexist with static ARP entries. However, because the address binding function is enabled, the static ARP entries with the same VPN instances and IP addresses as address binding entries do not take effect. |
| Address binding is enabled. | An ARP entry whose VPN instance and IP address are identical with the existing address binding entry is created. | Address binding entries can coexist with static ARP entries. However, because the address binding function is enabled, the static ARP entries with the same VPN instances and IP addresses as address binding entries do not take effect. |
| Address binding is not enabled. | | When the address binding function is disabled, both entries coexist. |
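As an added example (not from this document or the vendor's implementation), the following Python models the ingress binding check described earlier and the precedence rule in the table above. The device model, table layout and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    """Only the fields the check reads: source MAC from the frame header, source IP from the IP header."""
    src_mac: str
    src_ip: str
    vpn: str = "default"          # VPN instance of the receiving interface (assumed)

@dataclass
class BindingDevice:
    binding_enabled: bool = True
    # Address binding table: (vpn, ip) -> MAC; only the administrator changes it.
    binding_table: dict = field(default_factory=dict)
    # ARP table: (vpn, ip) -> MAC; learned by ARP or added statically.
    arp_table: dict = field(default_factory=dict)

    def check_frame(self, frame: Frame) -> tuple:
        """Ingress IP-MAC binding check. Returns (accepted, reason)."""
        if not self.binding_enabled:
            return True, "binding disabled"
        bound = self.binding_table.get((frame.vpn, frame.src_ip))
        if bound is None:
            # Caveat from the text: an unbound source IP is not checked at all.
            return True, "no binding entry"
        if bound.lower() != frame.src_mac.lower():
            return False, "MAC mismatch"
        return True, "binding matched"

    def resolve_mac(self, vpn: str, ip: str):
        """Destination MAC lookup: a binding entry takes precedence over an ARP entry while binding is enabled."""
        if self.binding_enabled and (vpn, ip) in self.binding_table:
            return self.binding_table[(vpn, ip)]
        return self.arp_table.get((vpn, ip))

def build_sample_device() -> BindingDevice:
    """Constructed sample: one bound host plus an ARP entry that conflicts with it."""
    dev = BindingDevice()
    dev.binding_table[("default", "10.0.0.5")] = "00:11:22:33:44:55"
    dev.arp_table[("default", "10.0.0.5")] = "aa:bb:cc:dd:ee:ff"  # conflicting learned entry
    dev.arp_table[("default", "10.0.0.9")] = "00:11:22:33:44:99"
    return dev

if __name__ == "__main__":
    dev = build_sample_device()
    for f in (Frame("00:11:22:33:44:55", "10.0.0.5"), Frame("aa:bb:cc:dd:ee:ff", "10.0.0.5")):
        print(f.src_ip, f.src_mac, dev.check_frame(f))
```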