up

2020-01-29

There are kinda four layers:

• IP Source Guard
• DAI
• DHCP
• Port Security

Each level provides additional security for the layer above.

• Resource Exhaustion on the Switch
  • Send from lots of MACs to fill the forwarding table
• DHCP Resource Exhaustion
  • Send lots of requests to eat all the IPs
• DHCP Rogue Server
  • Set Default Gateway to something attacker controlled
  • Set DNS Server to something attacker controlled
  • wrong IP

Protect against DHCP shenanigans by using DHCP Snooping

• Offer / Ack / Nak can only come from trusted server
• Attackers cannot release your lease for you
• Checks CHADDR matches actual source - maybe?
• Can also verify ARP replies (Dynamic Arp Inspection)

Dolev-Yao Adversary - user of the network can spoof, tamper, use own crypto key, cannot break other crypto.

It’s so cold in here Wear a jacket next class