Individual computers of an Ethernet or other LAN network commonly have two addresses. The first address is an Internet Protocol (IP) address, which is a virtual network address assigned in software, for example by static configuration or by a host configuration protocol. The IP address is used, for example, to form IP packets. However, each computer also has a physical address commonly known as the Medium Access Control (MAC) address or hardware address. The MAC hardware source and destination addresses are necessary to prepare Ethernet headers to send data. Thus, in order for computers in an Ethernet network running IP to communicate, the header of each individual frame requires a source (sender) hardware address and a destination (target) hardware address. This requires that a source computer station preparing to send a datagram to another station on the network know the correspondence between virtual IP addresses and physical hardware addresses.
There is a standard protocol known as the Address Resolution Protocol (ARP) that was initially designed to resolve Ethernet MAC addresses. Internet Request for Comments (RFC) 826 describes an ARP protocol for resolving Ethernet addresses, the contents of which are hereby incorporated by reference. RFC 826 describes a protocol to dynamically resolve correspondences between a network protocol address and a MAC address. ARP is not limited to operation on Ethernet; it is used to map IP addresses to MAC addresses on other broadcast-capable LAN technologies as well. ARP includes a technique to request address resolution information, and a cache to temporarily save recently resolved MAC addresses.
Referring to prior art FIG. 1, an ARP cache 100 comprises a table of correspondences between IP addresses 110 and MAC addresses 120. A local ARP cache 100 is maintained by a computer to map protocol addresses to hardware addresses. Conventionally, each time a computer receives an address resolution response it automatically updates ARP cache 100 with the sender's protocol address and hardware address. ARP cache 100 commonly has a finite size and is periodically flushed to eliminate obsolete entries.
Referring to prior art FIG. 2, when a source application 205 in a computer station prepares a message having data 220 to be sent to a destination IP address 210 a lookup is performed by a MAC module 230 of the ARP cache 100 to determine a destination MAC address. If there is a cache hit for the destination MAC address 240, the destination MAC address is added to the frame that is sent out to the network.
However, if there is no cache entry in ARP cache 100 for the destination IP address, the source computer station broadcasts an ARP request message to the network. Referring to prior art FIG. 3, the ARP message format includes fields for a sender's hardware address, sender's protocol address, target hardware address, target protocol address, hardware address type, protocol address type, hardware address length, protocol address length, and operation.
The broadcast ARP request message includes a source IP address, a source MAC address, and a target IP address. The broadcast ARP request message is a request for the computer that has the target IP address to respond back with its MAC address. The source computer then waits for a reply. The target station sends a unicast ARP reply to the source computer station with its IP address and its MAC address. The ARP cache 100 is updated and the source computer is now able to send a frame to the target.
However, there is a significant security issue associated with ARP. It is possible for ARP replies to be spoofed. Spoofing is a form of security breach in which an attacker masquerades as another host or user. In the context of LAN networks, spoofing includes inserting forged frames into the data stream. In ARP spoofing, a malicious entity creates forged ARP replies to corrupt the ARP cache with forged MAC addresses.
In one version of ARP spoofing, an ARP spoofer sends an unsolicited ARP reply that binds the IP address of a target computer to a spoofed MAC address. A recipient computer that accepts replies without checking that it issued a matching request automatically updates its ARP cache 100 with the spoofed MAC address. When the recipient computer then tries to send data to the target computer, it addresses its frames to the spoofed MAC address supplied by the spoofer. This permits the spoofer to intercept communications intended for the target computer. Additionally, ARP spoofing may be used to poison an ARP cache with MAC addresses that belong to no station on the network, so that data sent to the target is lost.
ARP spoofing may also be used to initiate so-called "man in the middle" attacks, in which the spoofer creates spoofed MAC addresses in the ARP caches of both a source computer and a destination computer, which places the spoofer's computer in the middle of the data flow between the source and the target. Thus, if computer "A" wishes to send data to computer "B", a spoofer operating out of a computer "C" may place itself in the middle by creating a first spoofed MAC address in the ARP cache of computer A that fools computer A into sending data meant for computer B to computer C, and by creating a second spoofed MAC address in the ARP cache of computer B that fools computer B into sending data meant for computer A to computer C. Computer C can then forward the traffic in both directions, so that A and B continue to communicate while C reads or alters every frame.
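The following is an added example, not code from the patent or from any particular operating system: it packs and parses the RFC 826 message format of FIG. 3, runs the request/reply exchange described above between two constructed hosts, and then delivers an unsolicited forged reply from a third host. A cache that behaves conventionally (any reply overwrites the entry, as in FIG. 1) is poisoned; a stricter cache that only accepts a reply answering an outstanding request, and never lets a reply silently change an existing binding, refuses it and records an alert. The host classes, the 10.0.0.0/24 addresses, the MAC addresses and the frame sequence are all constructed for the demonstration.

```python
"""ARP resolution, cache poisoning, and a stricter cache update policy.

Added example, not code from the patent text. The RFC 826 layout is real;
the host classes, addresses and frame sequence are constructed for the demo.
"""
import struct

HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6

# RFC 826 fields: hrd(2) pro(2) hln(1) pln(1) op(2) sha(6) spa(4) tha(6) tpa(4)
ARP_FMT = "!HHBBH6s4s6s4s"


def mac(text):
    """'02:00:00:00:00:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def pack_arp(op, sha, spa, tha, tpa):
    """Build the 28-byte Ethernet/IPv4 ARP message (header fields fixed)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op, sha, spa, tha, tpa)


def unpack_arp(raw):
    """Parse an Ethernet/IPv4 ARP message; reject other hardware/protocol types."""
    hrd, pro, hln, pln, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (hrd, pro, hln, pln) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class NaiveHost:
    """Conventional cache (FIG. 1): every reply that arrives overwrites the entry."""

    def __init__(self, mac_addr, ip_addr):
        self.mac, self.ip = mac_addr, ip_addr
        self.cache = {}      # protocol address -> hardware address
        self.alerts = []

    def resolve(self, target_ip):
        """Return None on a cache hit, else the broadcast ARP request to send."""
        if target_ip in self.cache:
            return None
        self.note_request(target_ip)
        return pack_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def note_request(self, target_ip):
        pass                 # the naive host keeps no record of what it asked for

    def receive(self, raw):
        """Process one ARP frame; return the unicast reply frame if one is due."""
        msg = unpack_arp(raw)
        if msg["op"] == OP_REQUEST and msg["tpa"] == self.ip:
            return pack_arp(OP_REPLY, self.mac, self.ip, msg["sha"], msg["spa"])
        if msg["op"] == OP_REPLY and self.accept_reply(msg):
            self.cache[msg["spa"]] = msg["sha"]
        return None

    def accept_reply(self, msg):
        return True          # any reply is trusted


class StrictHost(NaiveHost):
    """Only a reply answering an outstanding request may create a binding, and
    a reply is never allowed to silently change an existing binding."""

    def __init__(self, mac_addr, ip_addr):
        super().__init__(mac_addr, ip_addr)
        self.pending = set()  # protocol addresses we have asked about

    def note_request(self, target_ip):
        self.pending.add(target_ip)

    def accept_reply(self, msg):
        spa, sha = msg["spa"], msg["sha"]
        if spa in self.cache and self.cache[spa] != sha:
            self.alerts.append(f"refused MAC change for {spa.hex()} -> {sha.hex()}")
            return False
        if spa not in self.pending:
            self.alerts.append(f"unsolicited reply for {spa.hex()} dropped")
            return False
        self.pending.discard(spa)
        return True


def simulate(host_cls):
    """A resolves B normally, then spoofer C sends A an unsolicited reply for B's IP.
    Returns (what A's cache now holds for B's IP, A's alerts)."""
    a = host_cls(mac("02:00:00:00:00:0a"), ip("10.0.0.1"))
    b = host_cls(mac("02:00:00:00:00:0b"), ip("10.0.0.2"))
    c_mac = mac("02:00:00:00:00:0c")             # the spoofer's real hardware address

    request = a.resolve(b.ip)                    # cache miss -> broadcast request
    reply = b.receive(request)                   # B answers with its own MAC
    a.receive(reply)
    assert a.cache[b.ip] == b.mac                # legitimate binding established

    forged = pack_arp(OP_REPLY, c_mac, b.ip, a.mac, a.ip)   # C claims B's IP address
    a.receive(forged)
    return a.cache[b.ip], a.alerts


if __name__ == "__main__":
    for cls in (NaiveHost, StrictHost):
        binding, alerts = simulate(cls)
        print(cls.__name__, "binding for 10.0.0.2:", binding.hex(), "alerts:", alerts)
```

The strict policy is a deliberately simple illustration of the direction the rest of the document pursues, and it has an operational cost: a legitimate change of hardware address (a replaced interface card, a failover to a standby host) is also refused until the old entry ages out of the cache. Real stacks vary in how they treat unsolicited replies, and attackers accordingly also use forged requests and gratuitous announcements, so any hardening of the cache has to consider every message type that can create or alter an entry.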
Other types of address resolution caches that are used to store an address resolution from a network protocol address to another type of address required to deliver data may be subject to similar types of spoofing. For example, IP Version 6 (IPv6) includes a neighbor discovery protocol. Address resolution in IPv6 is described in RFC 2461, the contents of which are hereby incorporated by reference. Address resolution in IPv6 includes the sending of multicast Neighbor Solicitation messages that include an IPv6 address of a target. A node having the IPv6 address responds with a Neighbor Advertisement indicating its IPv6 address and its link-layer address, where a link layer address is a link-layer identifier of an interface (e.g., IEEE 802 addresses for Ethernet and other LAN networks and E.164 addresses for ISDN networks). Additionally, a node may send an unsolicited Neighbor Advertisement to announce a link-layer address change.
In IPv6, a resolved link-layer address becomes an entry in a neighbor cache in the node. The link layer address resolution in IPv6 is thus analogous to ARP and the neighbor cache is analogous to the ARP cache. Consequently, the neighbor cache of IPv6 is potentially subject to analogous types of spoofing attacks in which a spoofer sends forged unsolicited Neighbor Advertisement messages with spoofed link-layer addresses.
Therefore, an improved apparatus, system, and method to prevent spoofing of an address resolution cache is desired.