soomanyquestions
newbie
Topic Author
Posts: 35
Joined: Sat Aug 20, 2016 6:35 pm

Feature Request: IP source guard / arp inspection

Sun Sep 02, 2018 3:21 am

Now that we have DHCP snooping on the latest release candidate it would be really nice to have IP source guard and dynamic ARP inspection, so a user cannot use another IP address than the one provided by DHCP.
 
Van9018
Long time Member
Posts: 519
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Feature Request: IP source guard / arp inspection

Thu Sep 06, 2018 9:37 am

This exists I believe. For your LAN interface, set arp mode to read-only.
If you want a statically set IP for a client, you'd first have to add his mac to the arp table with desired IP.
Everyone else must use their dynamic IP given by DHCP.
 
Chupaka
Forum Guru
Posts: 8383
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature Request: IP source guard / arp inspection

Thu Sep 06, 2018 2:58 pm

Now that we have DHCP snooping on the latest release candidate it would be really nice to have IP source guard and dynamic ARP inspection, so a user cannot use another IP address than the one provided by DHCP.
But what does DHCP Snooping do in RC? I thought it should do exactly that :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
soomanyquestions
newbie
Topic Author
Posts: 35
Joined: Sat Aug 20, 2016 6:35 pm

Re: Feature Request: IP source guard / arp inspection

Fri Sep 07, 2018 11:15 am

Now that we have DHCP snooping on the latest release candidate it would be really nice to have IP source guard and dynamic ARP inspection, so a user cannot use another IP address than the one provided by DHCP.
But what does DHCP Snooping do in RC? I thought it should do exactly that :)
Well the DHCP snooping feature in the newest RC only blocks rogue DHCP servers, nothing else :)
I just tested it in version 6.43rc66.
 
Chupaka
Forum Guru
Posts: 8383
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Feature Request: IP source guard / arp inspection

Fri Sep 07, 2018 11:39 am

Yeah, sounds like it has almost nothing to do with DHCP Snooping :) More like DHCP Server Screening...
 
soomanyquestions
newbie
Topic Author
Posts: 35
Joined: Sat Aug 20, 2016 6:35 pm

Re: Feature Request: IP source guard / arp inspection

Sat Sep 08, 2018 12:51 am

Here are two links for anyone who is not quite sure what I'm talking about:
https://www.juniper.net/documentation/e ... guard.html
https://www.juniper.net/documentation/e ... ction.html
 
ccanto
just joined
Posts: 4
Joined: Mon Apr 22, 2019 11:36 am

Re: Feature Request: IP source guard / arp inspection

Mon Apr 22, 2019 12:27 pm

@Mikrotik: Your implementation of DHCP Snooping is a very good improvement in switch security. Good work.

Since you are already filtering DHCP packets with DHCP Snooping, would you consider adding an option like "Add DHCP Snooping ARP entry" to the DHCP Snooping options?

It could work (at least) by adding/updating an ARP entry whenever a DHCPACK is received from a "Trusted" port, similar to the "add-arp" option in DHCP Server.

That, together with "arp-reply" would prevent rogue clients when the DHCP server is on another switch/router.
Best regards.
 
cyberzeus
just joined
Posts: 2
Joined: Mon Nov 13, 2017 3:11 am

Re: Feature Request: IP source guard / arp inspection

Mon Nov 04, 2019 11:35 pm

  • This is also available in Cisco-land as ip source verify and is applied at the interface level.
  • Like others have said here, while DHCP snooping is a great step forward in expanding the MT security toolset, that feature is very narrow in terms of the security it provides.
  • The more salient issue is when an attacker knows the client IP address. Neither DHCP snooping nor read-only ARP is able to prevent such a spoof, whereas ip source verify can.
  • It is almost certain that implementing source verify requires DHCP snooping as the latter's database is typically what is queried to determine if a packet with a given SA is allowed through.
  • It is also important to provide the ability to add static IP-to-MAC mappings so that trusted sources w/ static IPs are allowed through. The command in Cisco-land is:
    --- ip source binding [ MAC_ADDRESS ] vlan [ VLAN_ID (optional) ] [ IP_ADDRESS ] interface [ INGRESS_INTERFACE ]
  • I definitely vote in favor of implementing this very important security feature.
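As an added illustration of the mechanism this post describes (not MikroTik's, Cisco's or any poster's code): a binding database filled by DHCPACKs seen on trusted ports plus static rows, which IP source guard consults for IP frames and dynamic ARP inspection consults for ARP bodies. Port names, MACs and addresses in `demo()` are constructed; the trusted/untrusted port model and the "static binding" row follow the Cisco behaviour the post outlines.

```python
class SourceGuard:
    """Binding table built by DHCP snooping (plus static rows), consulted by
    IP source guard for IP frames and by dynamic ARP inspection for ARP."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports facing DHCP servers / uplinks
        self.bindings = {}                 # (vlan, mac) -> (ip, ingress port)

    def dhcp_ack(self, ingress_port, vlan, client_mac, client_ip, client_port):
        """DHCP snooping: only an ACK arriving on a trusted port creates a binding;
        an ACK seen on an untrusted port comes from a rogue server and is dropped."""
        if ingress_port not in self.trusted:
            return False
        self.bindings[(vlan, client_mac)] = (client_ip, client_port)
        return True

    def add_static(self, mac, vlan, ip, port):
        """Static row for fixed-address hosts (the Cisco 'ip source binding' case)."""
        self.bindings[(vlan, mac)] = (ip, port)

    def permit_ip(self, port, vlan, src_mac, src_ip):
        """IP source guard: on an untrusted port the source MAC, source IP, VLAN
        and ingress port must all match one binding row."""
        if port in self.trusted:
            return True
        return self.bindings.get((vlan, src_mac)) == (src_ip, port)

    def permit_arp(self, port, vlan, eth_src, sender_mac, sender_ip):
        """Dynamic ARP inspection: the ARP sender MAC must equal the Ethernet
        source MAC, and the sender MAC/IP pair must match a binding row."""
        return eth_src == sender_mac and self.permit_ip(port, vlan, sender_mac, sender_ip)


def demo():
    """Constructed scenario: DHCP server behind ether1, clients on ether2/ether3."""
    g = SourceGuard({"ether1"})
    client = "aa:bb:cc:00:00:01"
    learned = g.dhcp_ack("ether1", 1, client, "192.168.88.10", "ether2")
    rogue = g.dhcp_ack("ether3", 1, "aa:bb:cc:00:00:02", "192.168.88.20", "ether3")
    g.add_static("aa:bb:cc:00:00:ff", 1, "192.168.88.2", "ether4")
    return {
        "learned": learned, "rogue_dropped": not rogue,
        "leased_ip": g.permit_ip("ether2", 1, client, "192.168.88.10"),
        "other_ip": g.permit_ip("ether2", 1, client, "192.168.88.1"),
        "moved_port": g.permit_ip("ether3", 1, client, "192.168.88.10"),
        "static_host": g.permit_ip("ether4", 1, "aa:bb:cc:00:00:ff", "192.168.88.2"),
        "arp_mismatch": g.permit_arp("ether2", 1, client, "aa:bb:cc:00:00:99", "192.168.88.10"),
    }
```

The "other_ip" and "moved_port" cases are exactly what read-only ARP alone cannot catch once the attacker knows a client's address: the frame is dropped because its source does not match the binding learned from the lease.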
 
AlexT
just joined
Posts: 23
Joined: Thu Mar 29, 2018 9:51 am

Re: Feature Request: IP source guard / arp inspection

Thu May 21, 2020 3:48 pm

Extremely needed function (primarily for CRS3XX series switches). @MikroTik, add it, please.
