What Is DAI?
Dynamic ARP inspection (DAI) defends against man-in-the-middle (MITM) attacks using a binding table.
Why Do We Need DAI?
Networks are susceptible to various types of ARP spoofing attacks. A common ARP spoofing attack is a man-in-the-middle (MITM) attack.
In an MITM attack, an attacker establishes separate connections with two communication ends and exchanges data between them. The two communication ends consider that they are directly communicating with each other, whereas in fact the attacker has taken control of the entire session. During the process, the attacker can intercept all packets exchanged between the two ends and insert new ones.
The following figure shows an MITM attack scenario. The attacker poses as UserB to send a spoofed ARP packet to UserA, which records an incorrect ARP entry for UserB. In this way, the attacker can easily obtain data exchanged between UserA and UserB, compromising the security of data exchanged between them.
To defend against MITM attacks, you can enable DAI, which prevents authorized users' data from being intercepted.
MITM attack
How Does DAI Work?
DAI defends against MITM attacks by using a binding table. When DAI is enabled, the device compares the source IP address, source MAC address, receiving interface, and VLAN of each received ARP packet against the binding entries. If all of them match an entry, the device considers the packet valid and forwards it. If they do not match, the device considers the packet invalid and discards it.
DAI relies on the binding table, so it applies only to DHCP snooping scenarios or to hosts for which static binding entries exist. A device enabled with DHCP snooping automatically generates DHCP snooping binding entries when DHCP users go online. For users with static IP addresses, no DHCP snooping binding entry is generated, so you need to add static binding entries manually. The following table describes the static binding table and the dynamic DHCP snooping binding table.
| Type | Generation Method | Application Scenario |
|---|---|---|
| Static binding table | Manual configuration through commands | A network with a few IPv4 and IPv6 hosts that use static IP addresses. |
| Dynamic DHCP snooping binding table | After DHCP snooping is configured, hosts request IP addresses from the DHCP server. The device generates DHCP snooping binding entries dynamically from the DHCP reply packets returned by the DHCP server. | A network with many IPv4 and IPv6 hosts that obtain IP addresses from the DHCP server. |
The following figure shows the DAI mechanism. When a malicious host sends a spoofed ARP packet to the switch, the switch discards the packet because it does not match the binding table. This prevents the ARP table on the switch from being incorrectly updated.
DAI mechanism
After DAI is deployed on a device, if an attacker connects to the device and attempts to send spoofed ARP packets, the device detects the attack based on the binding table and discards the ARP packets accordingly.
Application Scenario of DAI
The following figure shows an application scenario of DAI. DHCP users UserA, UserB, and UserC on a LAN are connected to the gateway through the switch to access the Internet.
When UserA, UserB, and UserC exchange ARP packets after going online, the users and the gateway create the corresponding ARP entries. If an attacker then sends spoofed ARP packets into the broadcast domain, the gateway and UserA, UserB, and UserC overwrite their ARP entries with the spoofed mappings. In this situation, the attacker can easily obtain the traffic of UserA, UserB, and UserC, or even prevent them from accessing the Internet.
Defending against ARP spoofing attacks
To address this issue, you can configure DAI on the access device. DAI allows the switch to compare the source IP address, source MAC address, ARP packet receiving interface, and VLAN information of the received ARP packet against binding entries. If they match, the device considers the ARP packet valid and allows the packet to pass through. If they do not match, the device considers the ARP packet invalid and discards the packet. In this way, DAI helps effectively prevent MITM attacks.
Differences Between DAI and IPSG
Both DAI and IPSG use a binding table (static binding table or DHCP snooping binding table) to filter packets. The following table lists the differences between the two.
| Feature | Function Description | Application Scenario |
|---|---|---|
| DAI | Filters ARP packets by using a binding table. The device matches ARP packets received by interfaces against binding entries and forwards only the ARP packets that match. | Prevents MITM attacks. In an MITM attack, the attacker diverts traffic to itself through ARP spoofing to intercept other hosts' information. |
| IPSG | Filters IP packets by using a binding table. The device matches IP packets received by interfaces against binding entries and forwards only the IP packets that match. | Prevents IP address spoofing attacks. For example, a malicious host steals an authorized host's IP address to access the network or initiate attacks. |
IPSG cannot prevent address conflicts, because it filters only IP packets and never examines ARP. For example, when a malicious host steals the IP address of an authorized host that is already online, the ARP request packets sent by the malicious host are still broadcast to the authorized host and cause an address conflict. To prevent IP address conflicts as well, configure DAI together with IPSG.
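The following is an added example, not code from the original page or from any vendor: a software model of the DAI check described in "How Does DAI Work?" and of the DAI/IPSG difference in the table above. It parses constructed Ethernet/802.1Q frames carrying ARP or IPv4, matches the (IP, MAC, interface, VLAN) tuple against a constructed binding table, and runs the scenarios from the text: a well-behaved UserA, an attacker posing as UserB (the MITM case), and an attacker reusing UserA's IP address (the address-conflict case that IPSG alone does not catch). Interface names, VLAN 10, the hosts, and all addresses (IANA documentation ranges) are assumptions for illustration.

```python
"""Added example, not code from the original page or from any vendor: a
software model of the DAI and IPSG checks. Ports, VLAN, hosts, addresses
and the binding table are all constructed here for illustration."""
import struct
from dataclasses import dataclass

ETHERTYPE_VLAN, ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x8100, 0x0806, 0x0800


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int


# Constructed binding table. UserA and UserB would be learned by DHCP snooping;
# UserC has a static address and would be added as a static binding entry.
BINDING_TABLE = {
    Binding("10.1.1.2", "00:00:5e:00:53:0a", "GE0/0/1", 10),  # UserA
    Binding("10.1.1.3", "00:00:5e:00:53:0b", "GE0/0/2", 10),  # UserB
    Binding("10.1.1.4", "00:00:5e:00:53:0c", "GE0/0/3", 10),  # UserC (static)
}


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(src_mac, sender_ip, target_ip, vlan, op=1):
    """Ethernet II + 802.1Q tag + 28-byte ARP; ARP sender MAC = Ethernet source MAC."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac)
    tag = struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, op,
                      mac_bytes(src_mac), ip_bytes(sender_ip),
                      b"\x00" * 6, ip_bytes(target_ip))
    return eth + tag + arp


def build_ipv4(src_mac, src_ip, dst_ip, vlan):
    """Ethernet II + 802.1Q tag + minimal 20-byte IPv4 header, no payload."""
    eth = mac_bytes("00:00:5e:00:53:ff") + mac_bytes(src_mac)   # dst: gateway MAC (constructed)
    tag = struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + tag + ip


def parse_frame(frame):
    """Return ethertype, VLAN ID (None if untagged), Ethernet source MAC, and
    either the ARP sender IP/MAC or the IPv4 source IP."""
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack("!HH", frame[14:18])
        off, vlan = 18, tci & 0x0FFF
    info = {"ethertype": etype, "vlan": vlan, "src_mac": mac_str(src)}
    if etype == ETHERTYPE_ARP:
        _, _, _, _, op, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[off:off + 28])
        info.update(op=op, sender_mac=mac_str(sha), sender_ip=ip_str(spa), target_ip=ip_str(tpa))
    elif etype == ETHERTYPE_IPV4:
        info["src_ip"] = ip_str(frame[off + 12:off + 16])
    return info


def dai_check(frame, interface):
    """DAI: forward an ARP packet only if (sender IP, sender MAC, receiving
    interface, VLAN) is a binding entry; non-ARP frames are outside DAI's scope."""
    info = parse_frame(frame)
    if info["ethertype"] != ETHERTYPE_ARP:
        return "not-arp"
    key = Binding(info["sender_ip"], info["sender_mac"], interface, info["vlan"])
    return "forward" if key in BINDING_TABLE else "drop"


def ipsg_check(frame, interface):
    """IPSG: forward an IP packet only if (source IP, source MAC, receiving
    interface, VLAN) is a binding entry; ARP is not IP, so IPSG never sees it."""
    info = parse_frame(frame)
    if info["ethertype"] != ETHERTYPE_IPV4:
        return "not-ip"
    key = Binding(info["src_ip"], info["src_mac"], interface, info["vlan"])
    return "forward" if key in BINDING_TABLE else "drop"


def run_scenarios():
    """Constructed traffic: UserA behaving, and an attacker on GE0/0/4 (MAC ...:0d)
    that poses as UserB (MITM), reuses UserA's IP in ARP (address conflict),
    sends IP with UserA's IP, and finally clones UserA's MAC+IP on the wrong port."""
    user_a, evil, gw = "00:00:5e:00:53:0a", "00:00:5e:00:53:0d", "10.1.1.1"
    frames = {
        "userA_arp": (build_arp(user_a, "10.1.1.2", gw, 10), "GE0/0/1"),
        "userA_ip": (build_ipv4(user_a, "10.1.1.2", "203.0.113.1", 10), "GE0/0/1"),
        "mitm_as_userB": (build_arp(evil, "10.1.1.3", "10.1.1.2", 10, op=2), "GE0/0/4"),
        "conflict_arp": (build_arp(evil, "10.1.1.2", gw, 10), "GE0/0/4"),
        "spoofed_ip": (build_ipv4(evil, "10.1.1.2", "203.0.113.1", 10), "GE0/0/4"),
        "cloned_wrong_port": (build_arp(user_a, "10.1.1.2", gw, 10), "GE0/0/4"),
    }
    return {n: (dai_check(f, port), ipsg_check(f, port)) for n, (f, port) in frames.items()}


if __name__ == "__main__":
    for name, (dai, ipsg) in run_scenarios().items():
        print(f"{name:18} DAI={dai:8} IPSG={ipsg}")
```

The "conflict_arp" and "spoofed_ip" rows are the point of the last paragraph: IPSG drops the attacker's IP packet but returns "not-ip" for its ARP request, so that request still reaches UserA and causes the conflict; only DAI drops it. The "cloned_wrong_port" row shows why all four fields are compared: a cloned MAC and IP still fail because the receiving interface is not the one in the binding entry.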
- Author: Ge Kairong
- Updated on: 2025-11-13