ARP inspection

1. 1Korenix Technology www.korenix.com
IEC62443 Cyber Security Series (2) –
Protect the Fundamental of
IP Networking
Executive Summary
Cyberthreats have become severe concern for industrial automation. The IEC62443
standard, Security for Industrial Automation and Control Systems, defines the security
requirements from component level, system level, to policy and procedures level, as a
guidance for product vendors, system integrators, and asset owners. This document,
addressing ARP protocol and how to protect against cyberattacks, is a reference for
whom it may concern network security at the system level of IEC62443.
Why IP Address and MAC Address?
IP networking has become the dominant technology for industrial data communication.
With proper configuration, network hosts can communicate among one another without
knowing how many network segments or what type of physical medias (copper, fiber, or
wireless…) the data travels through. It is because the TCP/IP model is designed to be
hardware independent and the conversion between IP address and MAC address.
According to the TCP/IP model, the IP address resides in the Internet Layer while the MAC
address belongs to the underlying Link Layer. The two layers have their own functions:
TECHNICAL NOTE
JJ Sun, PSM

2. 2Korenix Technology www.korenix.com
Layer Functions Address
Internet Layer  Defines the internet addressing structure (IP
address)
 Defines the mechanisms for end-to-end
communication and how to route packet
through network segments
IP address
(Logical, configurable)
Link Layer  Defines the hardware addressing of physical
network interfaces (MAC address)
 Defines various types of transmission medias
as network segment, and how data propagates
within a single network segment
MAC address
(Fixed, global unique)
In short, the IP address is logical and configurable for end-to-end communication;
whereas the MAC address is a fixed, physical address for identifying a network interface
for transmission within a network segment.
The diagram above illustrates how IP and MAC addresses work together to finish an end-
to-end communication involving several network segments. An IP packet, from HMI (IPA)
and to PLC (IPD), is transmitted segment-by-segment: first from MACA to MACB1 over
Ethernet, then from MACB2 to MACC1 over fiber, and from MACC2 to MACD over wireless in
the end.

3. 3Korenix Technology www.korenix.com
Address Resolution Protocol (ARP)
Since logical IP communication is carried out by physical MAC addresses, it requires the
Address Resolution Protocol (ARP), to resolve IP address into MAC address.
The ARP protocol is a request-response protocol. It is used by a network host to know the
IP-to-MAC mapping of the other hosts on the same subnet. This is how it works:
Host A (IP 10.0.0.1, on switch port 1) would like to communicate with Host B (IP 10.0.0.2,
on switch port 2). Host A broadcasts an ARP REQUEST to all devices on the subnet, asking
who has the MAC address of IP 10.0.0.2. All devices receive the request, but only Host B
answers by an ARP RESPONSE with its MAC address. Host A gets the answer, resolves the
IP-to-MAC mapping and starts communicating with Host B.
Please note that, all hosts receiving ARP messages automatically cache the IP-to-MAC
binding information in its ARP table; whilst the switch caches the port-to-MAC mapping in
its MAC address table. These knowledges about the network are kept and refreshed for
sending data among hosts within the same subnet.

4. 4Korenix Technology www.korenix.com
ARP may also be as simple as an announcement, called Gratuitous ARP. A host simply
broadcasts its IP and MAC address binding without being requested. This is a way to
refresh or update all other hosts’ ARP table if its binding has changed.
ARP Vulnerabilities
ARP is a fundamental protocol of IP networking, however, it is not protected by any
cybersecurity mechanisms, such as validating the source or the content of the messages.
A malicious user can send ARP response to a request with incorrect information, or simply
does an ARP announcement without being requested. A spoofed ARP message overwrites
hosts’ ARP table and switches’ MAC address table, resulting in changing the packet
destination. This is known as ARP Spoofing or ARP Cache Poisoning.
The below diagram shows a scenario how easy Host C (10.0.0.3, on switch port 3) grabs
the IP packets aiming at Host B. A malicious user from Host C issues a gratuitous ARP,
announcing a fabricated IP-to-MAC binding (B’s IP address and C’s MAC address), which
overwrites the information cached in all hosts’ ARP table and the switch’s MAC address
table. This attack leads subsequent IP packets aiming at Host B be forwarded to Host C.

5. 5Korenix Technology www.korenix.com
Attackers very often use ARP Spoofing to redirect traffic as starting point of other attacks,
such as, inspecting the content (spying), or modifying the content before forwarding to
the actual destination (man-in-the-middle attack), or taking over the role of default
gateway to stop communication (deny-of-service attack).
Various ARP spoofing attack software is available from internet. To launch an attack is no
more difficult than downloading and installation.
Prevent ARP Attacks
There are applications to detect and prevent ARP attacks, however, these applications are
neither integrated in industrial automation devices, nor designed for patching. Therefore,
defending industrial systems against ARP spoofing greatly relies on a mechanism named
Dynamic ARP Inspection (DAI).
Dynamic ARP Inspection is a network security feature on advanced Ethernet switches or
routers. It intercepts ARP messages, validates IP-to-MAC bindings, forwards valid
messages and discards invalid ones. It ensures that only correct binding information can
come into the network, thus prevents ARP attacks.

6. 6Korenix Technology www.korenix.com
The validation is based on a trusted database, which stores correct bindings. The
database can be created and maintained dynamically by DHCP Snooping, manually
configured by administrators, or mixed.
The diagram above shows how Dynamic ARP Inspection works: Host A sends an ARP
request. The switch intercepts and compares the source IP and the source MAC address
of the message to the trusted database. The message is forwarded because the binding is
correct. The ARP spoofing attack from Host C is dropped because the IP-to-MAC binding
does not match.
Conclusion
IP address must be resolved into MAC address before a message can be sent. The Address
Resolution Protocol (ARP), serving for this purpose, is a fundamental of IP networking.
However, it is not secure and the attacks to its vulnerabilities threaten the very basic
operation of modern industrial data communication. The network security feature,
Dynamic ARP Inspection, plays an important role to defend against the ARP attacks.
Addressing IEC62443, Korenix has been continuously implementing cutting edge
cybersecurity technologies, including DHCP Snooping, Dynamic ARP Inspection, IP Source
Guard, TACACS+, multi-level authentication and so on, which provide robust and secure
solution as your core of industrial data communication.
Korenix Technology, a Beijer group company within
the Industrial Data Communication business area, is a
global leading manufacturer providing innovative,
market-oriented, value-focused Industrial Wired and
Wireless Networking Solutions
Web: www.korenix.com
Email: sales@korenix.com
Phone: +886 28911 1000
Address: 14F, No.213, Sec. 3, Beixin Rd.,
Xindian Dist., New Taipei City 23143, Taiwan