MAC Address Validation for Subscriber Interfaces Overview
MAC address validation enables the router to validate that received packets contain a trusted IP source and an Ethernet MAC source address.
Configuring MAC address validation can provide additional validation when subscribers access billable services. MAC address validation provides additional security by enabling the router to drop packets that do not match, such as packets with spoofed addresses.
When subscribers log in, they are automatically assigned IP addresses by DHCP. With MAC address validation enabled, the router compares the IP source and MAC source addresses against trusted addresses, and forwards or drops the packets according to the match and the validation mode.
Supported Types of Subscriber Interfaces
MAC address validation is supported on statically or dynamically created Ethernet interfaces and demux interfaces as follows:
When the router is configured for a normal (non-enhanced) network services mode, MAC address validation is supported on both DPCs and MPCs. The router can be populated completely with one or the other type of line card, or have a mix of both types. Normal network services mode is the default.
When the router is configured for Enhanced IP Network Services mode or Enhanced Ethernet Network Services mode, MAC address validation is supported only on MPCs. If the router has both DPCs and MPCs, or only DPCs, you cannot configure the chassis to be in enhanced mode.
MAC address validation is optimized for scaling when the router is in enhanced network services modes. Enhanced network services modes affect other features, such as multicast and firewall filters, so you must take that in to consideration when deciding whether to configure enhanced mode. For more information about the enhanced network service modes, see Network Services Mode Overview.
In normal network services mode, you can use the show interfaces
statistics interface-name command to display
a per-interface count of the packets that failed validation and were
dropped. In enhanced network services mode, this command does not
count the dropped packets; you must contact Juniper Networks Customer
Support for assistance in collecting this data.
Trusted Addresses
A trusted address tuple is a 32–bit IP address and a 48–bit MAC address. Prefixes and ranges are not supported.
The IP source address and the MAC source address used for validation must be from a trusted source.
All static ARP addresses configured through the CLI are trusted addresses; dynamic ARP addresses are not considered trusted addresses.
Addresses dynamically created through an extended DHCP local server or extended DHCP relay are also trusted addresses. When a DHCP server and client negotiate an IP address, the resulting IP address and MAC address tuple is trusted. Each DHCP subscriber can generate more than one address tuple.
Each MAC address can have more than one IP address, which can result in more than one valid tuple. Each IP address must map to one MAC address.
Types of MAC Address Validation
You can configure either of two types or modes of MAC address validation, loose or strict. The behavior of the two modes varies depending on how well the incoming packets match the trusted address tuples. The modes differ only when the IP source address alone does not match any trusted IP address. Table 1 compares the behavior of the two modes. Dropped packets are considered to be spoofed.
Incoming Packet Addresses Match Trusted Address Tuple |
Loose Mode Action |
Strict Mode Action |
|---|---|---|
|
Forwards packet |
Forwards packet |
|
Drops packet |
Drops packet |
|
Forwards packet |
Drops packet |
Configuring strict mode is a more conservative strategy because it requires both received source addresses to match trusted addresses.
When you configure MAC address validation for IP demux interfaces in a dynamic profile and specify either loose or strict validation, the resulting behavior is always loose validation. To enable strict behavior for a dynamic IP demux interface, you must configure strict validation for both the IP demux interface and the underlying interface.