Calculate ACL with suitable mask
Last week I stumbled over a puzzle: how to calculate the appropriate mask for a special IP range.
My colleagues and I discussed ARP inspection and the strange way its ACL is set up.
I had never seen an ACL like this:
deny ip 0.0.0.1 255.255.255.0 mac any log
permit ip any mac any
I decided to set the mask to 255.255.252.0 for a 22-bit range. My colleagues disagreed with my decision
and asked me to explain. But I couldn't. So I had to take a deeper look into how a mask/wildmask is calculated.
ARP inspection prevents a client connected to an access port from answering an ARP request for an IP address it does not own with its own MAC address. Doing exactly that, known as ARP spoofing, is used for deliberate attacks on the network or its users (such as man-in-the-middle attacks).
A man-in-the-middle attacker sends forged ARP replies and thereby poisons the ARP caches of the other hosts in the VLAN (the hosts' IP-to-MAC mappings, not the switch's CAM table, are what the attack changes).
Hosts accept such ARP replies automatically and update their cache. The aim is to prevent this. An attacker on an edge/access port
must not be able to claim the gateway address, in our case the value 1 in the fourth octet.
We currently use the feature in its 'static' form, with an ARP ACL, to check ARP replies against the default gateway address.
An access list is configured that blocks ARP replies for the default gateway address of the VLANs (*.*.*.1/24) on access ports. At the same time, the uplink ports are configured as 'trusted', so ARP replies from the VLAN interfaces still pass. This ensures that only the VLAN interfaces can reply to ARP requests for a VLAN's default gateway.
A common wildmask (inverse mask) has its set bits contiguous from the right, mirroring a subnet mask: a 1 bit means "ignore this bit", a 0 bit means "this bit must match the ACL address". But a wildmask does not have to be contiguous. You can use any bit pattern that fits your purpose, and the switch evaluates it the same way.
The match test between a candidate address, the ACL address and the wildmask is built from XOR and AND logic gates (with NOT applied to the wildmask).
With this background, let's run the check on an arbitrary IP address.
I choose the IP address 10.232.52.1. It is the address on the edge/access port side that an attacker would claim in a forged ARP reply to pose as the gateway.
The switch does not XOR the candidate address with the wildmask. It ignores every bit where the wildmask has a 1 and compares only the bits where the wildmask has a 0. With logic gates: XOR the candidate with the ACL address (a 1 marks every bit that differs), then AND the result with the inverted wildmask (a 1 marks every bit that must match). If any 1 bit survives, the entry does not match.
10.232.52.1       = 00001010.11101000.00110100.00000001
0.0.0.1           = 00000000.00000000.00000000.00000001
XOR Result        = 00001010.11101000.00110100.00000000
255.255.255.0     = 11111111.11111111.11111111.00000000  (wildmask)
NOT 255.255.255.0 = 00000000.00000000.00000000.11111111  (bits that must match)
AND Result        = 00000000.00000000.00000000.00000000  -> match
In the first step I XOR the attacker's IP address with the IP address of my ACL. The result, 10.232.52.0, shows that only the first three octets differ.
In the second step I AND that result with the inverted wildmask of the ACL. Everything in the first three octets is masked out, the fourth octet is compared completely, and the result is 0.0.0.0: the entry matches.
Which IP addresses match the ACL? Any value in the first, second and third octet, because the wildmask has every bit set there.
Only the fourth octet must be exactly 1. That is the gateway address of every /24 VLAN, whatever its network part. A host claiming 10.232.52.3 instead gives an AND result of 0.0.0.2 and is not matched, which is what we want.
Therefore, our calculation example is correct.
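To make the XOR/AND check reproducible, here is an added example (not code from the original post) that evaluates the ARP ACL above the way the switch does: first matching entry wins, implicit deny at the end. It goes one step beyond the post and also evaluates the 255.255.252.0 wildmask from the discussion over a constructed /22 range, so you can see which .1 addresses that mask matches and which it silently skips. The ACL entries, the sample addresses and the helper names (wildcard_matches, arp_acl_action, matched_addresses) are assumptions of this example.

```python
"""Wildcard-mask matching as a switch evaluates an ARP ACL.

Added example, not code from the original post.  The ACL below mirrors
the two lines quoted there:
    deny   ip 0.0.0.1 255.255.255.0 mac any log
    permit ip any mac any
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_bits(addr: str) -> str:
    """Render an address as dotted binary, like the worked example in the post."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))


def wildcard_matches(candidate: str, acl_ip: str, wildcard: str) -> bool:
    """True if `candidate` matches `acl_ip` under `wildcard`.

    A 1 bit in the wildcard means "ignore this bit", a 0 bit means "must
    equal acl_ip".  XOR marks every differing bit with a 1; AND with the
    inverted wildcard keeps only the bits that have to match.  Any 1 bit
    left over is a mismatch.  The wildcard need not be contiguous, so
    255.255.255.0 (ignore the first three octets) is legal.
    """
    diff = ip_to_int(candidate) ^ ip_to_int(acl_ip)
    must_match = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return diff & must_match == 0


# (action, sender-ip, sender-ip wildcard); 'any' is 0.0.0.0 255.255.255.255.
# Constructed to match the ACL quoted in the post.
ARP_ACL = [
    ("deny", "0.0.0.1", "255.255.255.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def arp_acl_action(sender_ip: str, acl=ARP_ACL) -> str:
    """Walk the ACL in order; the first matching entry decides."""
    for action, acl_ip, wildcard in acl:
        if wildcard_matches(sender_ip, acl_ip, wildcard):
            return action
    return "deny"  # implicit deny at the end of every ACL


def matched_addresses(acl_ip: str, wildcard: str, network: str) -> list:
    """Hypothetical helper: every host in `network` that one ACL entry matches."""
    return [
        str(host)
        for host in ipaddress.IPv4Network(network).hosts()
        if wildcard_matches(str(host), acl_ip, wildcard)
    ]


if __name__ == "__main__":
    for sender in ("10.232.52.1", "10.232.52.3", "192.168.7.1"):
        print(f"{sender:<14} {to_bits(sender)}  -> {arp_acl_action(sender)}")

    # Constructed /22 range: which gateway-style .1 addresses does each mask catch?
    for mask in ("255.255.255.0", "255.255.252.0"):
        hits = matched_addresses("0.0.0.1", mask, "10.232.52.0/22")
        print(f"0.0.0.1 {mask} over 10.232.52.0/22 matches: {hits}")
```

The 255.255.252.0 wildmask keeps two bits of the third octet in the comparison, so within 10.232.52.0/22 it matches only 10.232.52.1 and not 10.232.53.1, 10.232.54.1 or 10.232.55.1, whereas 255.255.255.0 matches all four. Run it with `python3 acl_wildcard.py` (file name assumed).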
Logic Gates Compendium: