
IPSG

Posted on May 28, 2024

What Is IPSG?

IP Source Guard (IPSG) enforces filtering of source IP addresses at Layer 2 interfaces. Using a binding table, IPSG records the correlation between the IP addresses, MAC addresses and other attributes of network hosts. By checking packet information against this table, IPSG thwarts attempts by malicious entities to use counterfeit IP addresses to impersonate authenticated users. In this way, IPSG safeguards against unauthorized network access and attacks carried out by entities using falsified IP addresses.

Why Do We Need IPSG?

As networks expand and become more integral to daily operations, the prevalence of attackers seeking to exploit them increases, significantly impacting network security. These attackers often resort to forging the IP addresses of authorized users in order to gain illicit access to networks. Consequently, legitimate users may find themselves unable to access network resources, and sensitive data becomes vulnerable to interception. Such attacks, known as IP address spoofing attacks, involve the manipulation of source IP addresses.

IPSG effectively thwarts these threats by cross-referencing packet data with a binding table, thereby detecting and preventing IP address spoofing attacks.

The implementation of IPSG offers several advantages:

  • It establishes secure network environments and ensures the continuity of network services.

  • It reduces the expenses associated with maintaining the normal operation of networks and safeguarding information integrity.

How Is IPSG Implemented?

IPSG Binding Tables

IPSG maintains a binding table that logs the correlation between source IP addresses, source MAC addresses, VLANs, and inbound interfaces. When an IPSG-enabled Layer 2 interface receives IP packets, it compares the packet information with the binding table and only allows packets that have a matching entry.

Table 1 outlines two types of binding tables: static and dynamic binding tables.


Once the binding table is created, the IPSG-enabled device applies ACL rules to the designated interface or VLAN based on the binding table and then evaluates all IP packets against these ACL rules. Only packets that comply with the ACL rules are permitted to pass through. When changes are made to the binding table, the device reapplies the ACL rules.

Typically, IPSG is set up on interfaces or VLANs of a user-side access device.

  • When IPSG is activated on a user-side interface, it scrutinizes all IP packets received by the interface against the binding entries.

  • When IPSG is activated in a user-side VLAN, it evaluates the IP packets received by all interfaces in the VLAN against the binding entries.

  • If the user-side access device doesn't support IPSG, you can configure IPSG on the interfaces or VLANs of the upper-layer device.

IPSG Interface Roles

IPSG can only be configured on Layer 2 physical interfaces or in VLANs. It inspects packets solely on untrusted interfaces with IPSG enabled; all interfaces are untrusted by default unless explicitly specified as trusted. The trusted and untrusted designations in IPSG align with those in DHCP snooping, and they apply equally to IPSG based on a static binding table.

The following illustrates interface roles in IPSG:

  • Interface1 and Interface2 are untrusted interfaces with IPSG enabled, subject to IPSG checks on received packets.

  • Interface3 is an untrusted interface with IPSG disabled, making it vulnerable to attacks as no IPSG checks are performed on packets received via this interface.

  • Interface4 is a user-specified trusted interface, exempt from IPSG checks on received packets and thus less susceptible to attacks.

IPSG Filtering

A binding entry comprises four components: IP address, MAC address, VLAN ID, and inbound interface. IPSG examines received packets against all components in a static binding entry. For entries in a dynamic binding table, specific components against which IPSG conducts checks must be specified. Table 2 presents common check methods.

IPSG Implementation

The following diagram illustrates IPSG implementation. When an unauthorized host masquerades as an authorized host by using the latter's IP address to transmit packets to the Device, the Device rejects these packets as they don't match any binding entries.
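The filtering and interface-role rules described above, as an added Python simulation that is not part of the original article: it models a binding table with one static and one dynamic entry, applies the trusted and untrusted interface roles, and shows which components a dynamic check compares. Interface names, addresses and the sample entries are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple

FIELDS = ("ip", "mac", "vlan", "interface")  # the four components of a binding entry

@dataclass(frozen=True)
class Binding:
    """One binding-table entry; static entries are created manually, dynamic ones by DHCP snooping."""
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool

@dataclass(frozen=True)
class Packet:
    """The fields of a received IP packet that IPSG compares against the table."""
    src_ip: str
    src_mac: str
    vlan: int
    interface: str

def matches(entry: Binding, pkt: Packet, dynamic_check: FrozenSet[str]) -> bool:
    """Static entries are matched on all four components; dynamic entries only
    on the components selected for the dynamic check (e.g. {'ip', 'mac'})."""
    pairs = {"ip": (entry.ip, pkt.src_ip), "mac": (entry.mac, pkt.src_mac),
             "vlan": (entry.vlan, pkt.vlan), "interface": (entry.interface, pkt.interface)}
    fields = FIELDS if entry.static else dynamic_check
    return all(pairs[f][0] == pairs[f][1] for f in fields)

def ipsg_decide(pkt: Packet, table: Iterable[Binding], ipsg_interfaces: Set[str],
                ipsg_vlans: Set[int], trusted: Set[str],
                dynamic_check: FrozenSet[str] = frozenset({"ip", "mac"})) -> Tuple[str, str]:
    """Return (action, reason) for one packet, following the interface roles in the article."""
    if pkt.interface in trusted:
        return "permit", "trusted interface, no IPSG check"
    if pkt.interface not in ipsg_interfaces and pkt.vlan not in ipsg_vlans:
        return "permit", "untrusted interface without IPSG, packet not checked"
    if any(matches(e, pkt, dynamic_check) for e in table):
        return "permit", "matching binding entry"
    return "deny", "no matching binding entry"

# Constructed sample table (hypothetical values): PC1 is a static entry, PC2 was learned by DHCP snooping.
TABLE = [
    Binding("10.1.1.10", "00-11-22-33-44-01", 10, "GE0/0/1", static=True),
    Binding("10.1.1.20", "00-11-22-33-44-02", 10, "GE0/0/2", static=False),
]
IPSG_VLANS = {10}          # IPSG enabled for the user VLAN
TRUSTED = {"GE0/0/24"}     # uplink to the DHCP server, designated trusted
```

Running the decision over a packet that copies a dynamically learned IP and MAC from a different port shows why the inbound interface is worth including in the dynamic check.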


Typical Applications of IPSG

IPSG Based on a Static Binding Table

A static binding table requires manual creation. Hence, IPSG based on such a table is suitable for LANs hosting only a small number of hosts with fixed IP addresses. In the diagram, the IP addresses, MAC addresses, VLAN IDs, and inbound interfaces of PC1 and PC2 are manually entered into the IPSG binding table. All interfaces on DeviceA are assigned to VLAN 10, and IPSG is activated for VLAN 10. Consequently, only IP packets originating from PC1 and PC2 are permitted to traverse DeviceA to the network, while other PCs cannot access the intranet even if connected to unused interfaces.


IPSG Based on a Dynamic Binding Table

IPSG relying on a dynamic binding table is suitable for LANs with numerous hosts or where hosts obtain IP addresses via DHCP. As depicted, DHCP snooping is enabled for VLAN 10 on DeviceA's interfaces, and the interface linked to the DHCP server is designated as trusted. Hosts acquire IP addresses from a legitimate DHCP server, and these addresses, along with the hosts' MAC addresses, VLAN IDs, and inbound interfaces, constitute a dynamic DHCP snooping binding table. This setup prevents hosts configured with unauthorized static IP addresses from gaining network access.
