MAC Address Validation for Subscriber Interfaces Overview
MAC address validation enables the router to validate that received packets contain a trusted IP source and an Ethernet MAC source address.
Configuring MAC address validation can provide additional validation when subscribers access billable services. MAC address validation provides additional security by enabling the router to drop packets that do not match, such as packets with spoofed addresses.
When subscribers log in, they are automatically assigned IP addresses by DHCP. The router detects the valid IP source and MAC source addresses for incoming packets and forwards the packets regardless of which subscriber originated the packet.
Supported Types of Subscriber Interfaces
MAC address validation is supported on statically created Ethernet interfaces and dynamically created IP demux interfaces on MX Series Ethernet Services Routers.
Trusted Addresses
A trusted address tuple is a 32-bit IP address and a 48-bit MAC address. Prefixes and ranges are not supported.
The IP source address and the MAC source address used for validation must be from a trusted source.
All static ARP addresses configured through the CLI are trusted addresses; dynamic ARP addresses are not considered trusted addresses.
Addresses dynamically created through a DHCP local server or DHCP relay are also trusted addresses. When a DHCP server and client negotiate an IP address, the resulting IP address and MAC address tuple is trusted. Each DHCP subscriber can generate more than one address tuple.
Each MAC address can have more than one IP address, which can result in more than one valid tuple. Each IP address must map to one MAC address.
Types of MAC Address Validation
You can configure two types of MAC address validation:
- Loose—Forwards packets when both the IP source address and the MAC source address match one of the trusted address tuples.
  Drops packets when the IP source address matches one of the trusted tuples, but the MAC address does not match the MAC address of the tuple. The system processes this packet as spoofed.
  Continues to forward packets when the source address of the incoming packet does not match any of the trusted IP addresses.
- Strict—Forwards packets when both the IP source address and the MAC source address match one of the trusted address tuples.
  Drops packets when the MAC address does not match the tuple's MAC source address, or when the IP source address of the incoming packet does not match any of the trusted IP addresses.
When you configure MAC address validation for demux interfaces in a dynamic profile and specify either loose or strict validation, the resulting behavior is always loose validation. To enable strict behavior for a dynamic demux interface, you must configure strict validation for the underlying interface.
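The following Python model is an added example, not Junos code or configuration from this page. It walks the loose and strict decisions and the dynamic demux caveat described above over a small trusted-tuple table; the class, the function names, and the sample addresses are all hypothetical or constructed.

```python
# Added illustration: models the loose/strict decision described above.
# All names here are hypothetical; this is not Junos code or configuration.

FORWARD, DROP = "forward", "drop"


class TrustedTable:
    """Trusted (IP, MAC) tuples, e.g. from static ARP or DHCP bindings."""

    def __init__(self):
        self._mac_by_ip = {}

    def add(self, ip, mac):
        mac = mac.lower()
        # Each IP address must map to one MAC address; a MAC may own several IPs.
        if self._mac_by_ip.get(ip, mac) != mac:
            raise ValueError(f"{ip} is already bound to {self._mac_by_ip[ip]}")
        self._mac_by_ip[ip] = mac

    def validate(self, src_ip, src_mac, mode):
        trusted_mac = self._mac_by_ip.get(src_ip)
        if trusted_mac is None:
            # Unknown source IP: loose keeps forwarding, strict drops.
            return FORWARD if mode == "loose" else DROP
        # Known source IP: both modes require the MAC of the tuple.
        return FORWARD if trusted_mac == src_mac.lower() else DROP


def effective_mode(configured, dynamic_demux=False, underlying=None):
    """Mode applied in practice, per the dynamic-profile demux caveat above.

    Assumption: strict configured on the underlying interface yields strict;
    otherwise a dynamic demux interface always behaves as loose.
    """
    if dynamic_demux:
        return "strict" if underlying == "strict" else "loose"
    return configured


# Constructed sample bindings (documentation address ranges).
table = TrustedTable()
table.add("192.0.2.10", "00:00:5E:00:53:01")
table.add("192.0.2.11", "00:00:5E:00:53:01")  # same MAC, second IP: valid

if __name__ == "__main__":
    for ip, mac in [("192.0.2.10", "00:00:5e:00:53:01"),   # trusted tuple
                    ("192.0.2.10", "00:00:5e:00:53:99"),   # known IP, wrong MAC
                    ("198.51.100.7", "00:00:5e:00:53:99")]:  # unknown IP
        print(ip, mac, table.validate(ip, mac, "loose"), table.validate(ip, mac, "strict"))
```

The third sample packet is where the two modes diverge: a source IP with no trusted tuple is forwarded under loose validation and dropped under strict.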

