CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina

9/23/20032 Ethernet Most widely used LAN technology Low cost and high flexibility Versions of different speed: 10Mbps, 100Mbps, Gigabit Use globally unique media access control (MAC) address (hardware address) for every interface card

9/23/20033 Use of Hardware Address Need an address to send a message to receiver on same Ethernet IP address is not usable because network layer does not listen to wire Use hardware address to identify receiver’s interface Need to resolve receiver’s hardware address from receiver’s IP address

9/23/20034 Address Resolution Protocol Protocol maps each IP address to corresponding hardware address in subnetwork For computer i to get hardware address of computer j, i broadcasts a rqst message with IP address of j to the subnetwork Internet i j r default router switch rqst(ipa.j)

9/23/20035 Address Resolution If j sees a rqst message from i with its IP address, j sends a rply message with its IP address and hardware address to i Internet i j r default router switch rply(ipa.j,hda.j)

9/23/20036 Functions of ARP Three functions of ARP Resolving IP addresses Supporting dynamic assignment of addresses Detecting destination failures

9/23/20037 ARP Spoofing Attack To stop traffic from i to j, an adversary sends to i a spoofed rply message with IP address of j and a non-existent hardware address Internet i j A r default router switch rply(ipa.j,hda.x)

9/23/20038 Another ARP Spoofing Attack To stop traffic from i to default router r, an adversary sends to i a spoofed rply message with IP address of r and its own hardware address Internet i j A r default router switch rply(ipa.r,hda.A)

9/23/20039 Countering ARP Spoofing Attacks Proposed solutions include ARPWATCH and static ARP caches Insufficiencies of proposed solutions ARPWATCH does not support dynamic assignment of IP addresses Static ARP caches does not support dynamic assignment of IP addresses and detection of destination failures

9/23/ Need for Secure Address Resolution When a computer receives a message m, it needs to determine whether m was indeed sent by claimed source, or was inserted, modified, or replayed by an adversary Use secure address resolution protocol between each computer and a secure server

9/23/ Architecture of Secure Address Resolution Protocol

9/23/ Adversary The adversary can perform three types of actions to disrupt communication between server s and any computer h[i] on the Ethernet Message loss Message modification Message replay

9/23/ Secure Address Resolution Protocol Use three mechanisms to counter adversary actions timeouts to counter message loss shared secrets to counter message modification nonces to counter message replay

9/23/ Invite-Accept Protocol Periodically, server s sends out an invt message to every computer on Ethernet Every up computer is required to send back an acpt message including its IP address and hardware address s updates its address database according to received acpt messages

9/23/ Request-Reply Protocol When a computer needs to resolve a destination’s hardware address, it sends a rqst message to server s If destination’s hardware address is still valid, s sends back a rply message with address information If destination’s hardware address is not valid anymore, s sends back a rply message with no address information

9/23/ Extensions Four extensions of secure address resolution protocol Insecure address resolution Backup server System diagnosis Address resolution across multiple Ethernets

9/23/ Next Class IPsec Authentication Header (AH) Encapsulation Security Payload (ESP) key management Read Chapter 16