In the present network environment, the Address Resolution Protocol (ARP) is a lower layer protocol in the Transmission Control Protocol/Internet Protocol (TCP/IP) stack. The purpose of ARP is to translate IP addresses to Media Access Control (MAC) addresses, which are Ethernet physical addresses. Communication between network devices uses MAC addresses, but TCP/IP based applications use IP addresses. All data packets based on IP addressing must finally be encapsulated in Ethernet frames addressed by MAC address for transmission. Therefore, when a network device communicates with a peer, the network device must resolve the peer MAC address from the peer IP address via a protocol. The protocol that performs this resolution is ARP.
To achieve faster address translation, an ARP-enabled network device always adopts ARP cache technology to cache a certain number of address mappings in a local table structure, generally called the ARP cache table (ARP table for short). ARP cache entries have two sources. One is dynamic generation according to ARP messages: the device learns the mapping between an IP address and a MAC address from an ARP request or an ARP response and generates a dynamic ARP cache entry. The other is static manual configuration. To keep dynamic ARP cache entries valid, dynamic entries are aged out after a certain time. Statically configured entries are not aged; they are added or removed only by manual operation.
ARP protocol processing is complex. Normally, the forwarding plane receives an ARP message and forwards the message to the control plane for processing. The control plane generates an ARP cache entry and delivers the entry to the ARP cache table of the forwarding plane. The forwarding plane uses the ARP cache entry to encapsulate and send messages. In the prior art, ARP processing provides only a simple mapping between higher layer protocol addresses and lower layer physical addresses, without any security authentication of that mapping. In a complex network environment such as Internet access, this simplicity and openness leave room for address spoofing attacks. An ARP spoofing attack generally aims to steal private information about a user. The attacker sends ARP requests or responses carrying incorrect address mappings to pollute the ARP cache table of a network device. As a result, the network device sends data packets to a wrong physical address. The network device may be a gateway, a host, or any other network device. To defend the ARP cache table of the network device against address spoofing attacks, the prior art provides the following solutions:
(1) Sticky ARP
After the sticky ARP feature is enabled, an ARP cache entry learned from either an ARP request or an ARP response is not updated until the entry is aged out. After aging, the ARP cache entry is deleted and a new learning process begins. The solution is simple but has a problem: once the network device generates an ARP cache entry from an ARP attack message that arrives earlier than the legitimate ARP message, the host cannot create a correct ARP cache entry in the network device, so the host's communication is impacted and ARP spoofing is not actually defended against.
(2) Active Verification
After the network device receives an ARP request or an ARP response, the network device always sends an ARP request to the IP address carried in the received ARP message to verify the address mapping. If the address does not exist, the network device receives no ARP response from that IP address. If the MAC address in the ARP cache entry corresponding to the IP address is spoofed, the network device receives an ARP response carrying a different MAC address. In either case, the network device becomes aware of the spoofing and can perform corresponding processing. The weakness of this solution is that the verification is performed on ARP messages from every IP address. If no spoofing attack is taking place, the solution wastes network bandwidth and impacts network performance.
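The following added example is not part of the patent text; it is a constructed Python model of the ARP cache table described above (dynamic entries aged out over time, static entries never aged) with both prior-art defenses as switches: sticky ARP, which refuses to update an entry until it ages out, and active verification, which probes the sender IP of every received message before learning it. Frames are parsed from raw Ethernet/ARP bytes with the standard 42-byte layout; the sample gateway, host and spoofed MAC addresses, the two frames, and the `probe_network` oracle that stands in for the real network are all constructed for the example. Running the scenarios shows the two weaknesses the text describes: a sticky cache polluted by the earlier message stays wrong until aging, and the verifying cache sends one probe per message whether or not any attack is present.

```python
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac(text):                              # "02:00:00:00:00:01" -> 6 bytes
    return bytes.fromhex(text.replace(":", ""))

def ip(text):                               # "10.0.0.1" -> 4 bytes
    return bytes(int(octet) for octet in text.split("."))

def build_arp(oper, sha, spa, tha, tpa):
    """Build a raw Ethernet/ARP frame; used here only to construct sample input."""
    eth_dst = tha if oper == ARP_REPLY else b"\xff" * 6
    return ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)

def parse_arp(frame):
    """Return (oper, sender_ip, sender_mac) for a well-formed IPv4-over-Ethernet ARP
    frame, else None. The sender fields are what a device learns from requests and replies."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (ARP_REQUEST, ARP_REPLY):
        return None
    return oper, spa, sha

@dataclass
class Entry:
    mac: bytes
    static: bool
    age: int = 0                            # ticks since the entry was (re)learned

class ArpCache:
    AGE_LIMIT = 3                           # dynamic entries are aged out after this many ticks

    def __init__(self, sticky=False, verify=None):
        self.table = {}                     # sender IP -> Entry
        self.sticky = sticky                # (1) sticky ARP: no update until the entry ages out
        self.verify = verify                # (2) active verification: callable(ip) -> MAC that answers a probe
        self.probes = 0                     # verification probes "sent"

    def add_static(self, ip_b, mac_b):      # manually configured; never aged, never learned over
        self.table[ip_b] = Entry(mac_b, static=True)

    def learn(self, frame):
        """Process one received ARP message; return True if the table changed."""
        parsed = parse_arp(frame)
        if parsed is None:
            return False
        _, spa, sha = parsed
        cur = self.table.get(spa)
        if cur is not None and (cur.static or self.sticky):
            return False                    # static entries, and sticky dynamic ones, are not overwritten
        if self.verify is not None:
            self.probes += 1                # a probe goes out for every message, attack or not
            if self.verify(spa) != sha:
                return False                # probe reply disagrees with the message: discard it
        self.table[spa] = Entry(sha, static=False)
        return True

    def tick(self):
        """Advance time one unit; delete dynamic entries that reached AGE_LIMIT."""
        for key, entry in list(self.table.items()):
            if not entry.static:
                entry.age += 1
                if entry.age >= self.AGE_LIMIT:
                    del self.table[key]

    def lookup(self, ip_b):
        entry = self.table.get(ip_b)
        return entry.mac if entry else None

# Constructed sample network: a gateway, one legitimate host and a spoofed MAC.
GW_IP, GW_MAC = ip("10.0.0.1"), mac("02:00:00:00:00:01")
HOST_IP, HOST_MAC = ip("10.0.0.2"), mac("02:00:00:00:00:02")
SPOOF_MAC = mac("02:00:00:00:00:99")
LEGIT = build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, b"\x00" * 6, GW_IP)  # host asks for the gateway
SPOOF = build_arp(ARP_REPLY, SPOOF_MAC, HOST_IP, GW_MAC, GW_IP)        # unsolicited reply claiming HOST_IP

def probe_network(ip_b):
    """Constructed oracle for active verification: the MAC that really answers for ip_b."""
    return {GW_IP: GW_MAC, HOST_IP: HOST_MAC}.get(ip_b)

def scenario(sticky, verify, frames):
    """Feed frames to a fresh cache; return (MAC cached for HOST_IP, probes sent)."""
    cache = ArpCache(sticky=sticky, verify=probe_network if verify else None)
    for frame in frames:
        cache.learn(frame)
    return cache.lookup(HOST_IP), cache.probes

def sticky_aging_scenario():
    """Sticky cache polluted first: cached MAC before aging, after aging, after relearning."""
    cache = ArpCache(sticky=True)
    cache.learn(SPOOF)
    before = cache.lookup(HOST_IP)
    for _ in range(ArpCache.AGE_LIMIT):
        cache.tick()
    after = cache.lookup(HOST_IP)
    cache.learn(LEGIT)
    return before, after, cache.lookup(HOST_IP)
```

With no defense, whichever message arrives last wins, so `scenario(False, False, (LEGIT, SPOOF))` leaves the spoofed MAC cached. With sticky ARP the order is reversed: the first message wins, so `scenario(True, False, (SPOOF, LEGIT))` keeps the spoofed MAC until `AGE_LIMIT` ticks have passed, as `sticky_aging_scenario()` shows. With active verification the cache ends up correct in both orders, but `probes` equals the number of messages received, which is the bandwidth cost the text points out.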
To conclude, during the implementation of the present invention, the inventor finds that the prior art has at least the following problem: the existing solutions for defending against ARP spoofing attacks lack reliable and effective verification, and they waste network bandwidth and impact performance when no spoofing attack is taking place.