Agenda
• Why IP address and MAC address
• How packets are delivered through the network
• The address resolution mechanism (ARP) and how it works
• Vulnerabilities and cyberattacks to ARP
• Defense by network security: Dynamic ARP Inspection
• Korenix products with advanced cybersecurity features
4. IP Address vs. MAC Address
MAC Address (Media Access Control Address)
• Unique hardware identifier, assigned by the manufacturer of the network interface
• Intended to be fixed (burned into the interface); note that most operating systems let software override it, which is what makes MAC-level impersonation possible
• Used for communication on a specific type of network media and within a single network segment
IP Address (Internet Protocol Address)
• Logical network address
• Configurable by the user
• Used for inter-network communication, to find the route through the network from sender to receiver
5. How It Works
(Diagram: a Support station (IPsupport, MACsupport) reaches a PLC (IPPLC, MACPLC) through Router A, Router B and Router C, crossing four network segments: A Ethernet, B FDDI, C Token Ring, D Wifi.)

The IP header stays the same end to end; the MAC header is rewritten at every hop for the next link:

Hop                               Sender IP   Receiver IP   Sender MAC   Receiver MAC
Support → Router A (segment A)    IPsupport   IPPLC         MACsupport   MACA
Router A → Router B (segment B)   IPsupport   IPPLC         MACA         MACB
Router B → Router C (segment C)   IPsupport   IPPLC         MACB         MACC
Router C → PLC (segment D)        IPsupport   IPPLC         MACC         MACPLC

Each router uses the IP address to choose the next hop and the MAC address to deliver the frame on the local segment.
6. Address Resolution
• ARP (Address Resolution Protocol) is the mechanism in IP networking that finds the mapping between an IP address and a MAC address on the local network segment. Before a host can put an IP packet into a frame, it has to resolve:
IP Address → MAC Address
7. How ARP Works
ARP REQUEST (broadcast)
To everyone, I am MAC1, IP1. What is the MAC of IP3?

(Diagram: HMI (IP1, MAC1), I/O (IP2, MAC2), PLC (IP3, MAC3) and Gateway (IP4, MAC4) attached to a Switch (IP5, MAC5); the HMI is on port 1 and the PLC on port 3.)

The HMI wants to send a packet with Sender IP: IP1, Receiver IP: IP3, Sender MAC: MAC1, Receiver MAC: ? The receiver MAC is unknown, so the HMI first broadcasts an ARP request to the whole segment.

Tables after the request:
  ARP table of HMI: no entry for IP3 yet
  ARP tables of I/O, PLC and Gateway: IP1 → MAC1 (learned from the sender fields of the broadcast)
  MAC address table of the Switch: Port 1 → MAC1

(Whether a host that is not the target caches the sender mapping depends on its stack: RFC 826 only updates an entry that already exists. The diagrams assume hosts that cache every mapping they hear.)
8. How ARP Works
ARP RESPONSE (unicast)
To IP1: I am IP3, and my MAC is MAC3

Only the PLC, the owner of IP3, answers, and it answers directly to MAC1 instead of broadcasting.

Tables after the response:
  ARP table of HMI: IP3 → MAC3
  ARP tables of I/O, PLC and Gateway: IP1 → MAC1 (unchanged)
  MAC address table of the Switch: Port 1 → MAC1, Port 3 → MAC3

The packet is still waiting with Sender IP: IP1, Receiver IP: IP3, Sender MAC: MAC1, Receiver MAC: ? until the response arrives.
9. How ARP Works
The HMI fills in the missing field and sends the packet: Sender IP: IP1, Receiver IP: IP3, Sender MAC: MAC1, Receiver MAC: MAC3. The Switch looks MAC3 up in its MAC address table and forwards the frame to port 3. (ARP tables and MAC address table as on the previous slide.)
10. Gratuitous ARP
ARP RESPONSE (broadcast)
This is IP4, MAC4

The Gateway announces its own mapping without anyone having asked: an ARP reply sent to the broadcast address, with sender IP and target IP both IP4. Every host that accepts it adds the entry; nothing about the announcement is validated.

Tables after the gratuitous ARP:
  ARP table of HMI: IP3 → MAC3, IP4 → MAC4
  ARP tables of I/O and PLC: IP1 → MAC1, IP4 → MAC4
  ARP table of Gateway: IP1 → MAC1
  MAC address table of the Switch: Port 1 → MAC1, Port 3 → MAC3, Port 4 → MAC4
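The exchange on slides 7 to 10, as an added worked example that is not part of the Korenix deck: it builds and parses real ARP frames (14-byte Ethernet II header plus the 28-byte RFC 826 body), replays the broadcast request, the unicast reply and the gratuitous announcement on a simulated segment, and shows what each host's ARP table contains afterwards. The IP addresses (192.0.2.x, the documentation range) and locally administered MACs (02:00:00:00:00:0n) are constructed stand-ins for IP1..IP4 and MAC1..MAC4; the `learn_unsolicited` switch is an assumption that lets you compare the deck's "everyone caches everything" diagrams with the stricter RFC 826 rule.

```python
import struct
from dataclasses import dataclass, field

ETH_TYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def build_frame(dst_mac, src_mac, arp):
    """Ethernet II header (14 bytes) + ARP body (28 bytes) for IPv4 over Ethernet, RFC 826 layout."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_TYPE_ARP)
    body = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, arp.op)
    body += mac_bytes(arp.sender_mac) + ip_bytes(arp.sender_ip)
    body += mac_bytes(arp.target_mac) + ip_bytes(arp.target_ip)
    return eth + body

def parse_frame(frame):
    """Return (dst_mac, src_mac, Arp); raise ValueError for anything but IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    arp = Arp(op, mac_str(frame[22:28]), ip_str(frame[28:32]),
              mac_str(frame[32:38]), ip_str(frame[38:42]))
    return mac_str(frame[0:6]), mac_str(frame[6:12]), arp

@dataclass
class Host:
    name: str
    ip: str
    mac: str
    learn_unsolicited: bool = False     # True: cache any mapping heard, as the deck's diagrams assume
    arp_table: dict = field(default_factory=dict)
    conflicts: list = field(default_factory=list)

    def request(self, target_ip):
        """Slide 7: broadcast 'I am (ip, mac); who has target_ip?' with the target MAC still unknown."""
        return build_frame(BROADCAST, self.mac,
                           Arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip))

    def gratuitous(self):
        """Slide 10: unsolicited broadcast reply announcing our own mapping (sender IP == target IP)."""
        return build_frame(BROADCAST, self.mac,
                           Arp(OP_REPLY, self.mac, self.ip, BROADCAST, self.ip))

    def receive(self, frame):
        """RFC 826 receive rule: update a mapping we already hold, learn it if we are the target,
        answer requests for our IP. Returns the unicast reply frame, or None."""
        _, _, arp = parse_frame(frame)
        if arp.sender_ip == self.ip and arp.sender_mac != self.mac:
            self.conflicts.append(arp.sender_mac)   # someone else claims our IP: record it, never cache it
            return None
        for_me = arp.target_ip == self.ip
        if for_me or arp.sender_ip in self.arp_table or self.learn_unsolicited:
            self.arp_table[arp.sender_ip] = arp.sender_mac
        if for_me and arp.op == OP_REQUEST:
            return build_frame(arp.sender_mac, self.mac,
                               Arp(OP_REPLY, self.mac, self.ip, arp.sender_mac, arp.sender_ip))
        return None

def simulate(learn_unsolicited=True):
    """Replay slides 7-10 on one shared segment and return every host's ARP table."""
    hosts = [Host("HMI", "192.0.2.1", "02:00:00:00:00:01", learn_unsolicited),
             Host("I/O", "192.0.2.2", "02:00:00:00:00:02", learn_unsolicited),
             Host("PLC", "192.0.2.3", "02:00:00:00:00:03", learn_unsolicited),
             Host("Gateway", "192.0.2.4", "02:00:00:00:00:04", learn_unsolicited)]
    hmi, plc, gw = hosts[0], hosts[2], hosts[3]

    def deliver(frame):
        """The segment: a broadcast reaches everyone, a unicast only the addressed MAC."""
        dst, src, _ = parse_frame(frame)
        replies = [h.receive(frame) for h in hosts if h.mac != src and dst in (BROADCAST, h.mac)]
        return [r for r in replies if r is not None]

    for reply in deliver(hmi.request(plc.ip)):   # slide 7 request, slide 8 unicast reply
        deliver(reply)
    deliver(gw.gratuitous())                     # slide 10 gratuitous announcement
    return {h.name: dict(h.arp_table) for h in hosts}

if __name__ == "__main__":
    for name, table in simulate().items():
        print(name, table)
```

With `learn_unsolicited=True` the result is exactly the tables drawn on slide 10; with the RFC 826 default only the PLC (the target of the request) and the HMI (the target of the reply) learn anything, and the gratuitous ARP is ignored by hosts that hold no entry for IP4. The difference matters for the attack slides that follow: even a strict stack overwrites an entry it already has, so a host that has talked to the HMI once can still be poisoned by an unsolicited reply.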
11. Vulnerabilities and Cyberattacks
Attacks on ARP:
• ARP spoofing (poisoning the ARP tables of other hosts)
• Hijacking attack
• DoS attack
• Man-In-The-Middle attack
Why they work:
• Broadcasting: every host on the segment hears every ARP message, and by default acts on it
• No encryption
• No validation: a host does not check that the sender really owns the IP address it claims
• No authentication: any host can answer for any IP address, asked or not
12. ARP Spoofing
ARP RESPONSE (broadcast)
This is IP1, MACx

Host X (IPx, MACx) is connected to port 5 of the Switch and broadcasts an unsolicited ARP reply claiming the HMI's IP address IP1 for its own MAC address. Nobody asked, and nothing checks the claim.

Tables after the spoofed reply:
  ARP table of HMI: IP3 → MAC3, IP4 → MAC4 (unchanged; the HMI is the device being impersonated)
  ARP tables of I/O and PLC: IP1 → MACx, IP4 → MAC4 (the entry for IP1 has been overwritten)
  ARP table of Gateway: IP1 → MACx
  MAC address table of the Switch: Port 1 → MAC1, Port 3 → MAC3, Port 4 → MAC4, Port 5 → MACx
13. Hijacking Attack
With the poisoned tables in place, every packet addressed to IP1 is now framed for MACx. For example the PLC sends: Sender IP: IP3, Receiver IP: IP1, Sender MAC: MAC3, Receiver MAC: MACx. The Switch looks MACx up in its MAC address table and delivers the frame to port 5, Host X, instead of to the HMI on port 1.

Host X now receives the traffic meant for the HMI. If it forwards that traffic on to MAC1 after reading or modifying it, neither PLC nor HMI notices anything and Host X is a man-in-the-middle; if it simply drops it, the HMI stops receiving, a denial of service.

(Diagram: Host X (IPx, MACx) on port 5; ARP tables of I/O, PLC and Gateway with IP1 → MACx, HMI with IP3 → MAC3 and IP4 → MAC4; Switch MAC address table Port 1 → MAC1, Port 3 → MAC3, Port 4 → MAC4, Port 5 → MACx, as on the previous slide.)
14. Denial-of-Service Attack
ARP RESPONSE (broadcast)
This is IP2, MAC1
This is IP3, MAC1
This is IP4, MAC1
…

Host X floods the segment with replies that bind every IP address to the HMI's MAC address MAC1, and sends those frames with MAC1 as the Ethernet source address.

Tables after the flood:
  ARP tables of HMI, I/O, PLC and Gateway: IP1 → MAC1, IP2 → MAC1, IP3 → MAC1, IP4 → MAC1, … → MAC1
  MAC address table of the Switch: Port 5 → MAC1, Port 3 → MAC3, Port 4 → MAC4 (the entry Port 1 → MAC1 has been replaced, because the Switch last saw MAC1 arriving on port 5)

Every host now addresses all of its traffic to MAC1, and the Switch delivers everything for MAC1 to port 5. Host X can discard it all; no device on the segment, including the real HMI, can reach any other, and the attacker needed nothing more than the ability to send broadcast frames.
19. How DAI Works
ARP: I am MACx, IP1

(Diagram: Host X (IPx, MACx) on port 5 sends the spoofed ARP; the Switch flags it (!) and does not forward it, so the ARP tables of HMI (IP1, MAC1), I/O (IP2, MAC2), PLC (IP3, MAC3) and Gateway (IP4, MAC4) stay untouched.)

The Switch holds a trusted binding table of Port, IP and MAC (static entries, or bindings learned by DHCP snooping):
  Port  IP   MAC
  1     IP1  MAC1
  2     IP2  MAC2
  3     IP3  MAC3
  4     IP4  MAC4

Dynamic ARP Inspection (DAI) checks every ARP packet that arrives on an untrusted port against this table before forwarding it. The claim "IP1 is at MACx" coming from port 5 matches no binding (IP1 belongs to MAC1 on port 1), so the Switch drops and logs the packet instead of flooding it to the segment. The hosts never see the spoofed reply, and the attacks on slides 12 to 14 do not get started.
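The inspection logic of slide 19, run over the legitimate traffic of slides 7 to 10 and the malicious traffic of slides 12 to 14, as an added worked example. This is illustrative code written for this page, not Korenix's or any vendor's implementation: the binding table is the one on slide 19, the per-port rate limit of 15 ARP packets per second and the "shut the port down when it is exceeded" behaviour are assumed defaults, the Ethernet-source-versus-ARP-sender check is an optional validation that some switches offer, and the addresses are constructed stand-ins for IP1..IP4, MAC1..MAC4 and Host X.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample addresses standing in for the deck's IP1..IP4 / MAC1..MAC4 and Host X.
IP1, IP2, IP3, IP4 = "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"
MAC1, MAC2, MAC3, MAC4 = ("02:00:00:00:00:01", "02:00:00:00:00:02",
                          "02:00:00:00:00:03", "02:00:00:00:00:04")
MACX = "02:00:00:00:00:ff"

@dataclass(frozen=True)
class ArpMsg:
    """One ARP packet as the switch sees it."""
    port: int        # switch port the frame arrived on
    eth_src: str     # Ethernet source MAC of the frame
    sender_mac: str  # ARP body: sender hardware address (what other hosts would cache)
    sender_ip: str   # ARP body: sender protocol address
    t: float = 0.0   # arrival time in seconds, used for rate limiting

@dataclass
class Dai:
    bindings: dict                                   # (port, ip) -> mac: static entries or DHCP-snooping bindings
    trusted_ports: set = field(default_factory=set)  # e.g. uplinks to other inspected switches; not checked
    rate_limit: int = 15                             # ARP packets per second per untrusted port (assumed default)
    log: list = field(default_factory=list)
    _window: dict = field(default_factory=lambda: defaultdict(deque))
    _disabled: set = field(default_factory=set)

    def inspect(self, m):
        """Return "forward" or "drop:<reason>" for one ARP packet."""
        if m.port in self._disabled:
            return self._drop(m, "port-disabled")
        if m.port in self.trusted_ports:
            return "forward"
        # 1. Rate limit: an ARP flood like slide 14 is cut off and the port is shut down (assumed behaviour).
        w = self._window[m.port]
        w.append(m.t)
        while w[0] <= m.t - 1.0:
            w.popleft()
        if len(w) > self.rate_limit:
            self._disabled.add(m.port)
            return self._drop(m, "rate-limit")
        # 2. Source MAC validation: the ARP body may not claim a different MAC than the frame came from.
        if m.eth_src != m.sender_mac:
            return self._drop(m, "src-mac-mismatch")
        # 3. Binding check (slide 19): port + sender IP must be bound to exactly this sender MAC.
        if self.bindings.get((m.port, m.sender_ip)) != m.sender_mac:
            return self._drop(m, "no-binding")
        return "forward"

    def _drop(self, m, reason):
        self.log.append(f"DAI drop: port {m.port} claims {m.sender_ip} is at {m.sender_mac} ({reason})")
        return f"drop:{reason}"

def build_dai():
    """Binding table from slide 19: HMI, I/O, PLC and Gateway on ports 1-4; port 5 (Host X) has no binding."""
    return Dai(bindings={(1, IP1): MAC1, (2, IP2): MAC2, (3, IP3): MAC3, (4, IP4): MAC4})

def run_demo():
    """Replay the deck's legitimate and malicious ARP traffic through DAI; return verdicts and the drop log."""
    dai = build_dai()
    msgs = [
        ArpMsg(1, MAC1, MAC1, IP1, 0.0),   # slide 7: HMI request, genuine
        ArpMsg(3, MAC3, MAC3, IP3, 0.1),   # slide 8: PLC reply, genuine
        ArpMsg(4, MAC4, MAC4, IP4, 0.2),   # slide 10: Gateway gratuitous ARP, genuine
        ArpMsg(5, MACX, MACX, IP1, 1.0),   # slide 12: Host X says "IP1 is at MACx"
        ArpMsg(5, MAC1, MACX, IP1, 1.1),   # same claim, Ethernet source forged to MAC1
    ]
    # slide 14: Host X floods "IP2 ... IP21 are all at MAC1", 20 packets within one second
    flood = [ArpMsg(5, MAC1, MAC1, f"192.0.2.{n}", 5.0 + n / 1000) for n in range(2, 22)]
    verdicts = [dai.inspect(m) for m in msgs + flood]
    return verdicts, dai.log

if __name__ == "__main__":
    verdicts, log = run_demo()
    print(verdicts)
    print("\n".join(log))
```

Two practical caveats follow directly from the code. First, DAI is only as good as its binding table: a legitimate device on port 5 with no static entry (common in OT networks, where addresses are rarely assigned by DHCP) has its ARP dropped just like Host X, so bindings have to be maintained when devices are replaced. Second, the check only runs on untrusted ports; an attacker behind a trusted uplink, or sharing a port through an unmanaged switch with a device whose binding it can match, is not stopped by this mechanism alone.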
27. Summary
• ARP is one of the most fundamental mechanisms of IP networking, but it is insecure by nature: a malicious user can attack a network through it without advanced skills.
• Defending at the network infrastructure is the more practical approach to protecting ARP. Network switches with Dynamic ARP Inspection protect the system against ARP spoofing and thereby reduce hijacking, DoS and man-in-the-middle attacks.
• Addressing the IEC 62443 security standard, Korenix has implemented Dynamic ARP Inspection, which helps to secure this most fundamental network operation.