Feature Request: IP source guard / arp inspection

soomanyquestions · Sun Sep 02, 2018 3:21 am

Now that we have DHCP snooping on the latest release candidate it would be really nice to have have IP source guard and dynamic arp inspection. So a user cannot use another IP address than provided by DHCP.

Van9018 · Thu Sep 06, 2018 9:37 am

This exists I believe. For your LAN interface, set arp mode to read-only.
If you want a statically set IP for a client, you'd first have to add his mac to the arp table with desired IP.
Everyone else must use their dynamic IP given by DHCP.

Chupaka · Thu Sep 06, 2018 2:58 pm

Now that we have DHCP snooping on the latest release candidate it would be really nice to have have IP source guard and dynamic arp inspection. So a user cannot use another IP address than provided by DHCP.

But what does DHCP Snooping do in RC? I thought it should do exactly that

soomanyquestions · Fri Sep 07, 2018 11:15 am

Now that we have DHCP snooping on the latest release candidate it would be really nice to have have IP source guard and dynamic arp inspection. So a user cannot use another IP address than provided by DHCP.
But what does DHCP Snooping do in RC? I thought it should do exactly that

Well the DHCP snooping feature in the newest RC only blocks rogue DHCP servers, nothing else

I just tested it in version 6.43rc66.

Chupaka · Fri Sep 07, 2018 11:39 am

Yeah, sounds like it has almost nothing to do with DHCP Snooping

More like DHCP Server Screening...

soomanyquestions · Sat Sep 08, 2018 12:51 am

Heres two links for anyone who is not quite sure what i'm talking about;
https://www.juniper.net/documentation/e ... guard.html
https://www.juniper.net/documentation/e ... ction.html

ccanto · Mon Apr 22, 2019 12:27 pm

@Mikrotik: Your implementation of DHCP Snooping is a very good improvement in switch security. Good work.

Since you are already filtering DHCP packets with DHCP Snooping, would you consider adding a option like "Add DHCP Snooping ARP entry" to the DHCP Snooping options?

It could work (at least) by adding/updating a ARP entry whenever a DHCPACK is received from a "Trusted" port. Similar to the "add-arp" option in DHCP Server.

That, together with "arp-reply" would prevent rogue clients when the DHCP server is on another switch/router.
Best regards.

cyberzeus · Mon Nov 04, 2019 11:35 pm

This is also available in Cisco-land as ip source verify and is applied at the interface level.
Like others have said here, while DHCP snooping is a great step forward in expanding the MT security toolset, that feature is very narrow in terms of the security it provides.
The more salient issue is when an attacker knows the client IP address. Neither DHCP snooping or read-only ARP are able to prevent such a spoof whereas as ip source verify can.
It is almost certain that implementing source verify requires DHCP snooping as the latter's database is typically what is queried to determine if a packet with a given SA is allowed through.
It is also important to provide the ability to add static IP-to-MAC mappings so that trusted sources w/ static IPs are allowed through. The command in Cisco-land is:
--- ip source binding [ MAC_ADDRESS ] vlan [ VLAN_ID (optional) ] [ IP_ADDRESS ] interface [ INGRESS_INTERFACE ]
I definitely vote in favor of implementing this very important security feature.

AlexT · Thu May 21, 2020 3:48 pm

Extremely needed function (primarily for CRS3XX series switches). @MikroTik, add it, please.

Feature Request: IP source guard / arp inspection

Feature Request: IP source guard / arp inspection

Re: Feature Request: IP source guard / arp inspection

Re: Feature Request: IP source guard / arp inspection

Re: Feature Request: IP source guard / arp inspection

Re: Feature Request: IP source guard / arp inspection

Re: Feature Request: IP source guard / arp inspection

Re: Feature Request: IP source guard / arp inspection

Re: Feature Request: IP source guard / arp inspection

Re: Feature Request: IP source guard / arp inspection

Who is online