End hosts are directly connected to bridge A or with the help of an L2 switch in-between, in which case traffic is transparent to the bridge anyway, and it has full capabilities to filter the traffic destined towards its MAC or otherwise (if we need to).
Now, let's say we are using a DHCP server on bridge A to serve IP addresses to clients directly connected to the ports or via an L2 switch using 192.168.0.0/22.
Now, the DHCP Server can be configured to lease statically or dynamically; in either case, the DHCP Leases table maintains a list of hosts assigned an IP.
However, say that host 1 is assigned 192.168.0.2 either statically or dynamically via DHCP. Now host 1 can spoof the source IP to be 192.168.0.3 (or anything else within the subnet range) using tools like this: https://www.caida.org/projects/spoofer/
So in order to combat this, we can use bridge filters whereby we match src MAC with src IP and drop the frame if src IP does not match 192.168.0.2; this will ensure we are strictly implementing BCP38 up to host level.
Now, the above filtering method works well and does not impact CPU usage significantly in my testing. However, it has some problems that I am not able to solve:
1. Manually creating bridge filter rules to drop !src IP matching src MAC is not scalable if you have 1000+ hosts in a network.
2. Bridge filter rules cannot filter frames with IPv6 based on src address – Seems to be RouterOS limitation.
Now with IPv6 the problem is worse: if we are for example using a /64 on bridge A, whereby SLAAC is enabled and hosts can autoconfigure their addresses, how do we filter spoofed IPv6 addresses up to host level? One idea is we can try to use scripting to fetch "reachable" addresses along with their MACs from IPv6>Neighbour and drop packets coming from the src MACs where the src address is not matching what was fetched. But where do we drop if bridge filter does not support IPv6 src address? Even if we use IPv6>Firewall>Raw prerouting chain, this will be messy and have 1000+ rules for each host's MAC address and hence is not scalable.
/ipv6 address
add address=2600:1417:78::1/64 advertise=yes interface=Bridge_A comment="Example"
1. How to drop spoofed IPv4 packets coming from end hosts where DHCP Server is involved? Not just stopping it to within the limit of the subnet range using rp-filter=strict, but rather drop up to /32 prefix size.
2. How to drop spoofed IPv6 packets coming from end hosts where SLAAC is involved? Not just stopping it to within the limit of the subnet range (/64) using /ipv6 firewall raw's prerouting chain, but rather drop up to /128 prefix size.
3. In both 1 & 2 how do we mitigate ARP/NDP/MAC Address spoofing?
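Added example for the IPv4 side of problem 1 (not from the original post): a RouterOS script that generates the "src MAC must carry its leased src IP" bridge filter rules from the DHCP lease table instead of by hand, so the rule set follows the leases. Assumed names: a DHCP server called "dhcp_A" on bridge "Bridge_A", and the comment tag "bcp38-auto" used to mark generated rules.

```routeros
# Added example (not the original poster's code). Regenerates the per-host
# anti-spoofing rules from bound DHCP leases. Assumed names: DHCP server
# "dhcp_A", bridge "Bridge_A", comment tag "bcp38-auto". Run it from
# /system scheduler or from the DHCP server's lease-script.
:local tag "bcp38-auto"
:local bridge "Bridge_A"
:local dhcpServer "dhcp_A"

# Remove last run's rules so hosts whose lease expired or was released
# no longer keep an entry.
/interface bridge filter remove [find where comment=$tag]

# A client with a still-bound lease may reboot and DISCOVER again from
# 0.0.0.0, so let DHCP client->server frames through before any drop.
:foreach chain in={"input";"forward"} do={
    /interface bridge filter add chain=$chain in-bridge=$bridge \
        mac-protocol=ip ip-protocol=udp src-port=68 dst-port=67 \
        src-address=0.0.0.0/32 action=accept comment=$tag
}

# One drop rule per bound lease and per chain: "input" covers frames to
# the router itself (routed traffic, the DHCP server), "forward" covers
# host-to-host frames bridged between ports. The MAC mask pins the rule
# to the exact address; src-address is negated so only the leased /32
# passes for that MAC.
:foreach lease in=[/ip dhcp-server lease find where server=$dhcpServer && status="bound"] do={
    :local mac [/ip dhcp-server lease get $lease mac-address]
    :local ip  [/ip dhcp-server lease get $lease address]
    :foreach chain in={"input";"forward"} do={
        /interface bridge filter add chain=$chain in-bridge=$bridge \
            mac-protocol=ip src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
            src-address="!$ip" action=drop comment=$tag
    }
}
```

The rules only match untagged IPv4 frames (mac-protocol=ip), and a MAC with no bound lease gets no rule at all, so pair this with whatever default policy you want for unknown hosts.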