 
Bareh17
just joined
Topic Author
Posts: 1
Joined: Wed Jun 09, 2021 9:53 am

Dynamic ARP Inspection (DAI) configuration on RouterOS

Wed Jun 09, 2021 11:01 am

Hi all,

Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This capability protects the network from certain “man-in-the-middle” attacks. DAI prevents these attacks by intercepting all ARP requests and responses. Each of these intercepted packets is verified for valid MAC address to IP address bindings before the local ARP cache is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped. DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored in the database built by DHCP snooping.

What is the configuration required to implement this technique? (DHCP snooping and trusted ports already configured).
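
The validation logic described in the post above, modelled in Python as an added example (not written by any poster in this thread, and not RouterOS configuration). The binding table, port names and addresses are constructed assumptions standing in for what DHCP snooping and the trusted-port settings would supply.

```python
import ipaddress
import struct

# Constructed sample state (assumption): IP -> MAC bindings as DHCP snooping
# would have recorded them, and the ports the administrator marked trusted.
BINDINGS = {"192.0.2.10": "aa:bb:cc:00:00:10", "192.0.2.11": "aa:bb:cc:00:00:11"}
TRUSTED_PORTS = {"ether1"}
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes for Ethernet/IPv4 ARP


def inspect_arp(port, payload, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (verdict, reason) for one ARP payload received on `port`."""
    if port in trusted:
        return ("forward", "trusted port, not inspected")
    if len(payload) < ARP_LEN:
        return ("drop", "truncated ARP payload")
    fields = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    htype, ptype, hlen, plen, oper, sha, spa = fields[:7]
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return ("drop", "not an Ethernet/IPv4 ARP request or reply")
    sender_ip = str(ipaddress.IPv4Address(spa))
    sender_mac = ":".join(f"{b:02x}" for b in sha)
    expected = bindings.get(sender_ip)
    if expected is None:
        return ("drop", f"no binding for {sender_ip}")
    if expected.lower() != sender_mac:
        return ("drop", f"{sender_ip} is bound to {expected}, packet claims {sender_mac}")
    return ("forward", "sender MAC/IP matches binding")


def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload for exercising inspect_arp()."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


if __name__ == "__main__":
    good = build_arp(2, "aa:bb:cc:00:00:10", "192.0.2.10", "aa:bb:cc:00:00:11", "192.0.2.11")
    bad = build_arp(2, "aa:bb:cc:00:00:11", "192.0.2.10", "aa:bb:cc:00:00:11", "192.0.2.11")
    for port, pkt in (("ether2", good), ("ether3", bad), ("ether1", bad)):
        print(port, inspect_arp(port, pkt))
```

The last case shows why trusted ports must be chosen carefully: a mismatched packet arriving on a trusted port is forwarded without any check.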
 
ekarin
Trainer
Posts: 34
Joined: Fri Jun 01, 2018 9:12 pm

Re: Dynamic ARP Inspection (DAI) configuration on RouterOS

Sat Apr 01, 2023 8:29 am

I think MikroTik has not yet designed a DHCP snooping table, therefore DAI would be difficult to add to MikroTik switches. I think MikroTik's DHCP snooping just checks DHCP Offer messages from DHCP servers without creating a DHCP snooping table. Another reason is that adding a DHCP snooping table to existing switch hardware would not be possible. If it were easy to add, MikroTik would have come up with the words "Coming Soon".
I think this feature is very important if MikroTik wants its switches to be widely used in global markets, due to a rising number of layer 2 attacks that affect business trustworthiness. So far, MikroTik switches are promising, but when I found there is no DAI in comparison to Cisco switches, I feel I cannot fully say they are promising for any small/medium/enterprise network.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Dynamic ARP Inspection (DAI) configuration on RouterOS

Sat Apr 01, 2023 8:47 pm

Yes, Dynamic ARP Inspection (DAI) is another widely standard feature not supported by MikroTik switches.

I am very sure MikroTik has this on the radar.
I hope we will see it in the near future.

But

I think today the priority is Layer 3 Hardware Acceleration features, which are much more relevant for scaling MikroTik ISP infrastructure, so, it is a world of finite things; we cannot get everything at once.
 
ekarin
Trainer
Posts: 34
Joined: Fri Jun 01, 2018 9:12 pm

Re: Dynamic ARP Inspection (DAI) configuration on RouterOS

Tue Apr 04, 2023 7:12 am

I agree. L3 HW Offloading is a must. Two years ago, the L3 HW Offloading feature was only available in the CRS317. Now I can use it in the CRS328/326. I tested the throughput performance with L3 HW Offloading enabled. It works! It is promising to implement for a core switch. I plan to test MLAG as well.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dynamic ARP Inspection (DAI) configuration on RouterOS

Tue Apr 04, 2023 11:04 am

Why do you resurrect a years-old topic instead of helping with current users' problems?

Like this:
viewtopic.php?t=195007
 
ekarin
Trainer
Posts: 34
Joined: Fri Jun 01, 2018 9:12 pm

Re: Dynamic ARP Inspection (DAI) configuration on RouterOS

Fri Apr 28, 2023 11:06 am

> Why do you resurrect a years-old topic instead of helping with current users' problems?
>
> Like this:
> viewtopic.php?t=195007

Sorry. We have a problem with ARP poisoning, not wireless. Now we already have a workaround that provides the function of DAI.
