log
Member Candidate
Topic Author
Posts: 105
Joined: Fri May 28, 2010 11:37 am

DHCP Snooping (feature request)

Mon May 30, 2011 3:04 pm

Hi.
Is there any chance to add a "DHCP Snooping" function? It's very useful, so I would like to have it.
Thanks in advance for reply.
 
Letni
Member
Posts: 375
Joined: Tue Dec 05, 2006 5:16 am
Location: South Carolina

Re: DHCP Snooping (feature request)

Mon May 30, 2011 6:10 pm

I am not seeing what is missing?

According to http://en.wikipedia.org/wiki/DHCP_snooping

One of the primary concerns is ARP spoofing.
In MT you can Add ARP for Leases and set ARP on the DHCP-Server interface to reply-only.

The other key point is.
Ensure that only authorized DHCP servers are accessible.
This can already be done under DHCP-Server --> Alerts.

-Louis
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: DHCP Snooping (feature request)

Mon May 30, 2011 6:29 pm

That only protects the router from ARP spoofing. DHCP snooping databases can protect all other network users from each other. Also, getting an alert when a rogue DHCP server is present is very different from it never being allowed to hand out rogue leases in the first place.

That said, there is currently only one SwitchOS model, and it's under $50. It's virtually guaranteed that chip set can't implement DHCP snooping.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
Letni
Member
Posts: 375
Joined: Tue Dec 05, 2006 5:16 am
Location: South Carolina

Re: DHCP Snooping (feature request)

Mon May 30, 2011 7:27 pm

I would expect MT to say that you have not designed your network properly if this is a concern to you. *just saying* Please elaborate on how you would implement this and what functionality do you think MT is currently missing. Also, what it would do to help the community. Make a case not just a request if you are serious.

To your second point though, that a rogue DHCP server should not be handing out IPs: would a simple firewall rule fix that issue for you?
Example:

/ip firewall filter add action=drop chain=forward dst-port=67 protocol=udp src-mac-address=!DH:CP:SE:RV:MA:C1

-Louis
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: DHCP Snooping (feature request)

Mon May 30, 2011 10:09 pm

First of all, this is a request for SwOS, so IP firewall filter rules don't solve any of these issues - no one seriously is going to use bridged router ports and turn on the IP firewall for bridges, they simply don't perform well enough compared to 5 wire speed switched gig ports that the RB250GS offers. Using a switch chip on a router also doesn't allow you to use the IP firewall.

So one simple benefit would be blocking rogue DHCP servers on switched edge ports. The alarm built into RouterOS as a layer 3 gateway on such broadcast domains is useful, but occurs after the fact. Being aware that there is a rogue DHCP server does nothing to prevent the rogue DHCP server from announcing itself as a gateway to other switched hosts until you've taken it offline.

DHCP snooping also allows the switch to collect MAC and IP address information about devices behind its ports. That in turn allows it to block frames/packets that shouldn't occur.

By way of example for ARP spoofing: let's say we have a router at 10.1.0.1 with MAC 0000.0000.0001. Connected to it is a switch that in turn has hosts 10.0.0.2 with MAC 0000.0000.0002 and 10.0.0.3 with MAC 0000.0000.0003. Host .2 wants to get out to the Internet and knows that its default gateway is .1. That is on the same subnet, so it will talk to it directly, and to find out the gateway's MAC address it sends an ARP request for .1. Host .3 is a malicious user and listens for the ARP request. He sends back an ARP reply claiming that the MAC address for .1 is his own, 0000.0000.0003. Because he is closer to the host sending the request his reply gets there first. Host .2 sends all his traffic to the MAC address of .3 now, which looks at all the traffic before sending it on to MAC 0000.0000.0001. Malicious host .3 is now a transparent man in the middle, being able to sniff all the traffic from .2 out of the network. Host .2 is none the wiser.

If the network was DHCP only (or static mappings had been defined) and the switch was running DHCP snooping it would know that host 3 is pretending to be someone he is not, and can drop the malicious, spoofed ARP reply.

That is only one kind of attack possible to prevent when the switch has such a table of MAC and IP to port mappings available.

This is NOT something caused by a network "not being designed properly". These attacks have been well known for years and are direct consequences of how Ethernet and TCP/IP and DHCP implementations work. Mitigation features are present in virtually all top of rack/access layer/IDF switches suitable for enterprise deployment.

That said, an RB250GS isn't that, and I doubt this feature is implementable in the hardware that powers these switches.
 
log
Member Candidate
Topic Author
Posts: 105
Joined: Fri May 28, 2010 11:37 am

Re: DHCP Snooping (feature request)

Tue May 31, 2011 9:35 am

Fewi answered for me :)
IMO the RB250GS could have only a rogue DHCP block function; notification is not necessary.
Just e.g. port 1 trusted, 2-5 untrusted and that's all, as simple as possible.
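The ARP-spoofing scenario fewi walks through above, with log's layout of port 1 trusted and ports 2-5 untrusted, as an added Python model (constructed for this thread, not SwOS or RouterOS code and not from either poster): the switch learns a binding table from DHCP ACKs seen on the trusted port, drops DHCP server messages that enter on untrusted ports, and forwards an ARP reply only if its sender IP and MAC match the binding for its ingress port. The router is assumed to sit at 10.0.0.1 on the hosts' subnet, and the MACs are written in colon form.

```python
class SnoopingSwitch:
    """Toy model of a DHCP-snooping switch (constructed, not SwOS code): the
    binding table learned from DHCP traffic is reused to validate ARP replies."""

    def __init__(self, trusted_ports):
        self.trusted = frozenset(trusted_ports)
        self.bindings = {}  # client IP -> (MAC, ingress port)

    def dhcp_server_message(self, port):
        """A DHCP OFFER/ACK may only enter on a trusted, server-facing port."""
        return "forward" if port in self.trusted else "drop"

    def dhcp_ack(self, server_port, client_mac, client_ip, client_port):
        """An ACK arriving on a trusted port records (IP -> MAC, port) for the client."""
        if self.dhcp_server_message(server_port) == "drop":
            return "drop"
        self.bindings[client_ip] = (client_mac.lower(), client_port)
        return "forward"

    def add_static_binding(self, mac, ip, port):
        """Static mapping for a host that does not use DHCP."""
        self.bindings[ip] = (mac.lower(), port)

    def arp_reply(self, port, sender_mac, sender_ip):
        """Dynamic ARP inspection: the claimed (IP, MAC) must match the binding
        for this ingress port; trusted ports are not inspected."""
        if port in self.trusted:
            return "forward"
        binding = self.bindings.get(sender_ip)
        if binding != (sender_mac.lower(), port):
            return "drop"
        return "forward"


def fewi_scenario():
    """Port 1 trusted (uplink to the router), ports 2-5 untrusted client ports."""
    sw = SnoopingSwitch(trusted_ports={1})
    sw.add_static_binding("00:00:00:00:00:01", "10.0.0.1", 1)  # router, assumed at 10.0.0.1
    sw.dhcp_ack(1, "00:00:00:00:00:02", "10.0.0.2", 2)         # host .2 leased on port 2
    sw.dhcp_ack(1, "00:00:00:00:00:03", "10.0.0.3", 3)         # host .3 leased on port 3
    return {
        # a rogue server plugged into port 4 never gets its OFFER forwarded
        "rogue_offer_on_port_4": sw.dhcp_server_message(4),
        # host .3 claims the gateway's IP with its own MAC: dropped
        "spoofed_reply_for_gateway": sw.arp_reply(3, "00:00:00:00:00:03", "10.0.0.1"),
        # host .3 answering for its own address: forwarded
        "honest_reply_from_host3": sw.arp_reply(3, "00:00:00:00:00:03", "10.0.0.3"),
        # the real router replying on the trusted uplink: forwarded
        "gateway_reply_on_uplink": sw.arp_reply(1, "00:00:00:00:00:01", "10.0.0.1"),
    }
```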
 
Letni
Member
Posts: 375
Joined: Tue Dec 05, 2006 5:16 am
Location: South Carolina

Re: DHCP Snooping (feature request)

Thu Jun 02, 2011 2:22 pm

I may be expecting too much out of this. But I did some reading and came up with this.
http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features
My interpretation is that you can run rules in the switch chip, therefore creating a rule that redirects BOOTP packets from untrusted ports to the CPU where you can log and drop them.

-Louis
 
log
Member Candidate
Topic Author
Posts: 105
Joined: Fri May 28, 2010 11:37 am

Re: DHCP Snooping (feature request)

Fri Jun 03, 2011 9:43 am

IMO it can be done because DHCP snooping is an L3 function like the ACL list currently in SwOS.
 
log
Member Candidate
Topic Author
Posts: 105
Joined: Fri May 28, 2010 11:37 am

Re: DHCP Snooping (feature request)

Wed Jun 08, 2011 11:18 am

I did some "research" and using an ACL can do the trick:
rb.jpg
"Signal" cable at first port, clients at 2 - 5.