Tue Oct 12, 2010 12:06 am
They only have it solved for certain deployment scenarios.
If you have a switch with 24 ports you can inspect all ARP and DHCP traffic and determine what MAC/IP address combination sits behind each switchport. Let's say user A sits behind port 1, and the switch notes that. Then user B connects to port 2 and spoofs user A's MAC and IP address. The switch sees that, knows that the MAC/IP combination should be behind port 1, and shuts down port 2 and generates an alert. That works great, and could work on RouterOS in scenarios where clients connect to different ports on the same broadcast domain. Now let's say there's an unmanaged hub or switch connected to port 1 on a switch that does ARP and DHCP inspection, and user A and the malicious user B both connect to that hub. At that point the switch doing inspection sees the same MAC/IP combination from both users, but they're both sourced from the same switchport. Both users will experience performance degradation unless it's a true hub that floods out all ports, but the switch doing the inspection doesn't know that because it isn't the thing directly connected to the users. The switch cannot tell that the frames are sourced from two different machines and doesn't generate an alert.
The same principle applies to APs - if user A and user B connect to the same radio the radio - being of a nature where it just transmits stuff into the air and receives stuff from the air - cannot tell that there are two users receiving the signals, or that the signal comes from two different machines. On wireless there is far less of a penalty for this, as a wireless radio is essentially a hub that just sends stuff that can be seen by anyone.
You can work around this by requiring more user authentication, but that simply isn't possible to deploy on open access systems such as Hotspots. Having users provide credentials used to generate per user encryption of signals defeats the purpose of having a system anyone can connect to. You also absolutely HAVE to have users connect directly to the device doing the inspection. It is generally speaking fairly rare that users connect directly to a router, and of course RouterOS is primarily a router or wireless AP.
I'm not saying RouterOS shouldn't do DHCP and ARP inspection, I'm just cautioning that the primary deployment purposes of RouterOS are ill suited for that function and that many times it will not solve your problem. But there are absolutely situations where having it would help. I'd also like to see 802.1x for the same reason - usually RouterOS isn't in a position where you'd do 802.1x against it, but sometimes it is and then it would be useful to have.