Various network protocols are used to provide networking services to devices. One type of network protocol is the Inter-Layer Binding Protocol (ILBP). An ILBP is a protocol that is used to inform network devices and clients of the binding between network addresses at different networking layers. For example, an ILBP can be used to convey information indicating a binding between an Open Systems Interconnection (OSI) Layer 2 (L2) network address and an OSI Layer 3 (L3) network address. Address Resolution Protocol (ARP) is an ILBP, used with Internet Protocol version 4 (IPv4), that informs network devices and clients of the binding between a Media Access Control (MAC) address (an example of an L2 network address) and an Internet Protocol (IP) address (an example of an L3 network address). Another example of an ILBP is Neighbor Discovery (ND), which is used with Internet Protocol version 6 (IPv6).
Typically, ARP is used the first time that a first client wants to communicate with a second client on the same network. The first client broadcasts an ARP request containing the IP address of the second client. The second client sends an ARP reply that includes its own MAC address and IP address, and the first client records the binding between that IP address and that MAC address in its ARP cache.
It is possible for a third client to craft and send an unsolicited, fake ARP reply to the first client in the above scenario. This fake ARP reply will specify that the third client has the IP address of the second client, but will specify the MAC address of the third client, creating a binding between the IP address of the second client and the MAC address of the third client. Any network devices and/or clients that receive the fake ARP reply may update an ARP cache to indicate that a binding exists between the IP address of the second client and the MAC address of the third client. The information in the ARP cache is used when determining the destination MAC address to use for a message having the IP address of the second client as its destination IP address. As a result, messages sent from the first client to the second client will be erroneously delivered to the third client, since the third client has represented itself as having the intended IP address.
The third client knows the true IP address and MAC address of the second client. Accordingly, after inspecting the messages that are erroneously delivered to the third client, the third client can resend those messages to the second client. Since the messages are still being received by the second client, the presence of the third client in the message stream may be hidden from the first and second clients. This scenario illustrates what is referred to as a “man in the middle” attack.
Another security risk that can occur with an ILBP such as ARP occurs when a malicious (or malfunctioning) client or network device sends a high rate of ARP messages on the network. The high rate of ARP messages may overwhelm the resources of a network device, causing that network device to malfunction or to cease operation. As these examples show, techniques for handling security risks involving ILBP traffic are desired.
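The two risks described above, the unsolicited fake reply that rebinds the second client's IP address to the third client's MAC address and the high rate of ARP messages from one sender, can both be caught by inspecting ARP traffic as it passes a switch port or mirror. The following is an added example, not code from the original text, showing such an inspector in Python. It parses raw Ethernet/ARP frames in the RFC 826 layout, keeps the first IP-to-MAC binding it sees for each IP address, tracks which requests are still awaiting a reply, and counts ARP frames per source MAC in a sliding window. The frames, addresses, thresholds and the class and function names are all constructed for the example; the scenario replays the first, second and third clients from the text as 10.0.0.1, 10.0.0.2 and 10.0.0.3.

```python
"""ARP inspection monitor (added example): flags unsolicited replies,
binding conflicts, header mismatches and ARP floods on constructed frames."""
import struct
from collections import defaultdict, deque

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Constructed test data: one Ethernet frame carrying one IPv4 ARP packet."""
    return (ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETH_P_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                           mac_bytes(tha), ip_bytes(tpa)))


def parse_frame(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Tracks IP->MAC bindings, outstanding requests and per-sender ARP rates."""

    def __init__(self, max_per_window=50, window=1.0):
        self.bindings = {}              # ip -> first MAC seen claiming that ip
        self.pending = set()            # (answering ip, requesting ip) awaiting a reply
        self.seen = defaultdict(deque)  # eth_src -> frame timestamps inside the window
        self.max_per_window, self.window = max_per_window, window

    def observe(self, frame, now):
        """Inspect one frame seen at time `now`; return the alerts it raised."""
        arp = parse_frame(frame)
        if arp is None:
            return []
        alerts = []
        # Flood check: count ARP frames per source MAC in a sliding time window.
        q = self.seen[arp["eth_src"]]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        if len(q) > self.max_per_window:
            alerts.append(f"rate-exceeded {arp['eth_src']}")
        # The Ethernet source MAC should match the ARP sender hardware address.
        if arp["eth_src"] != arp["sha"]:
            alerts.append(f"header-mismatch eth={arp['eth_src']} sha={arp['sha']}")
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["tpa"], arp["spa"]))
        elif arp["op"] == ARP_REPLY and arp["spa"] != arp["tpa"]:
            # spa == tpa is a gratuitous announcement; anything else must answer a request.
            key = (arp["spa"], arp["tpa"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                alerts.append(f"unsolicited-reply {arp['spa']} from {arp['sha']}")
        # Learn the sender's own binding; never overwrite an existing one, flag it instead.
        known = self.bindings.get(arp["spa"])
        if known is None:
            self.bindings[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            alerts.append(f"binding-conflict {arp['spa']} was {known} now {arp['sha']}")
        return alerts


def run_scenario():
    """Replay the poisoning and flood scenarios from the text; return all alerts raised."""
    A = ("10.0.0.1", "aa:aa:aa:aa:aa:01")   # first client
    B = ("10.0.0.2", "aa:aa:aa:aa:aa:02")   # second client
    C = ("10.0.0.3", "aa:aa:aa:aa:aa:03")   # third (malicious) client
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    m = ArpMonitor(max_per_window=50, window=1.0)
    alerts = []
    # A resolves B and B answers: a legitimate exchange, no alert.
    alerts += m.observe(build_frame(A[1], bcast, ARP_REQUEST, A[1], A[0], zero, B[0]), 0.00)
    alerts += m.observe(build_frame(B[1], A[1], ARP_REPLY, B[1], B[0], A[1], A[0]), 0.01)
    # C sends A an unsolicited reply claiming B's IP with C's MAC (cache poisoning).
    alerts += m.observe(build_frame(C[1], A[1], ARP_REPLY, C[1], B[0], A[1], A[0]), 1.00)
    # C then sends 60 requests within 60 ms, exceeding 50 frames per second.
    for i in range(60):
        alerts += m.observe(build_frame(C[1], bcast, ARP_REQUEST, C[1], C[0], zero, A[0]),
                            3.0 + i * 0.001)
    return alerts


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The monitor deliberately keeps the first binding it learns rather than the newest, which is what makes the poisoning reply visible as a conflict; in a production deployment that table would be seeded from a trusted source such as DHCP snooping so that a legitimate address change does not look like an attack. The rate threshold is a constructed value and would be tuned per network.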