Hi,
I want to do some programming interacting with MikroTik and have taken a look at this presentation and the Net_RouterOS API.
Very simply, I have a question of what protocol is being used by the Net_RouterOS API to communicate with the MikroTik: is it SSH? SMTP? or something else? It is important for me to know as I am looking for the most lightweight solution possible over a lossy network.
Thanks.
Thanks for checking out my presentation.
As the first slide says, the RouterOS API is really a custom Layer7 (i.e. “application layer”) protocol. I.e. another protocol on the level of HTTP, SSH, SMTP and the like, except it’s a proprietary one, defined by MikroTik.
The protocol itself is very lightweight… In fact too lightweight… Most features are to be implemented by API clients, but many API clients (especially at the time) don’t take good care of providing application developers with conveniences for even the simple things, and hence the title of my presentation. Since the presentation, I’ve seen some more good developments with API clients in languages other than PHP.
Thank you very much for getting back to me. I am quite new to networking so I especially appreciate the level of detail you have provided.
Am I correct in understanding that using these kinds of API means that some functionality from the MikroTik cannot be exploited?
Yes and no.
If you can do something with the command line (Telnet, SSH, or the “New Terminal” window from Winbox and Webfig), you can almost always do it in an analogous way from the API protocol. In the few cases the API protocol doesn’t allow something, there’s possible workarounds that can be implemented, either by the API client itself, or by the application developer. There’s rare instances when a thing is doable with Winbox or Webfig, but not with the command line, and those same instances are therefore also not doable with the API protocol.
There are a few basic rules of thumb about how you can figure out the analog in API, but the thing most people most frequently have trouble with is unnamed arguments. When you’re at the command line and type a command, you can press “?” to see all arguments it takes. Certain arguments can optionally have their name omitted, and the first, second, etc. values you provide will be treated as the value for said arguments. The names of those arguments can be seen surrounded with “<” and “>”. Unlike the command line, the API protocol requires all argument names, including those that could be unnamed in the command line.
Thanks for your help and explanations.
Do you have any comments/information that you can provide on how secure this proprietary protocol is? May I use this protocol with sensitive data?
The non-ssl version of the protocol (service name “api”) sends and receives everything in plain text, except the password when you login, which is sent and checked in a CHAP-like authentication manner (making that part difficult to brute force).
Using the SSL version (service name “api-ssl”) with PHP has some stability issues due to bugs with PHP itself… If you want to send or receive sensitive data over an API connection, it would be best to setup an encrypted VPN (e.g. OpenVPN) between the router and client device, and use the non-ssl API over it. As long as the VPN itself is secure, the API data you send and receive over it will be just as secure.
Also, like every other protocol, you can add extra layers of security by whitelisting certain IPs from which the protocol can be accessed, using a non-default port for it, using a non-default username and setting up minimal group permissions.
I’ve question guys
In large networks like using 50+ Mikrotik router if we want to implement a php webapp to read from all the routers what is the best scenario we should use to get fast result?