 
DarkNate
Forum Veteran
Topic Author
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

[Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Sun May 29, 2022 3:44 pm

Say we have Router 1 whereby ports 1-5 are member of bridge A, and we have rp-filter=strict along with hardware offloading for all five ports.

End hosts are directly connected to bridge A or with the help of an L2 switch in-between, in which case traffic is transparent to the bridge anyway, and it has full capabilities to filter the traffic destined towards its MAC or otherwise (if we need to).

Now, let's say we are using a DHCP server on bridge A to serve IP addresses to clients directly connected to the ports or via an L2 switch using 192.168.0.0/22.
Now, the DHCP Server can be configured to lease statically or dynamically in either case, the DHCP Leases table maintains a list of hosts assigned an IP.

However, say that host 1 is assigned 192.168.0.2 either statically or dynamically via DHCP – Now host 1 can spoof the source IP to be 192.168.0.3 (or anything else within the subnet range) using tools like this: https://www.caida.org/projects/spoofer/

So in order to combat this, we can use bridge filters whereby we match src MAC with src IP and drop the frame if the src IP does not match 192.168.0.2. This will ensure we are strictly implementing BCP38 up to host level.

Now, the above filtering method works well and does not impact CPU usage significantly in my testing. However, it has some problems that I am not able to solve:

1. Manually creating bridge filter rules to drop !src IP matching src MAC is not scalable if you have 1000+ hosts in a network.
2. Bridge filter rules cannot filter frames with IPv6 based on src address – Seems to be RouterOS limitation.

Now with IPv6, the problem is worse: if we are for example using a /64 on bridge A, whereby SLAAC is enabled and hosts can autoconfigure their addresses, how do we filter spoofed IPv6 addresses up to host level? One idea is we can try to use scripting to fetch "reachable" addresses along with their MACs from IPv6>Neighbour and drop packets coming from the src MACs where the src address is not matching what was fetched – But where do we drop if bridge filter does not support IPv6 src address? Even if we use IPv6>Firewall>Raw prerouting chain, this will be messy and have 1000+ rules for each host's MAC address and hence is not scalable.
/ipv6 address
add address=2600:1417:78::1/64 advertise=yes interface=Bridge_A comment="Example"
So the bottom-line questions are:
1. How to drop spoofed IPv4 packets coming from end hosts where DHCP Server is involved? Not just stopping it to within the limit of the subnet range using rp-filter=strict, but rather drop up to /32 prefix size.
2. How to drop spoofed IPv6 packets coming from end hosts where SLAAC is involved? Not just stopping it to within the limit of the subnet range (/64) using /ipv6 firewall raw's prerouting chain, but rather drop up to /128 prefix size.
3. In both 1 & 2 how do we mitigate ARP/NDP/MAC Address spoofing?
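As an added illustration (not part of the original post or of any RouterOS feature), the following Python models the two decision levels the questions above contrast: a prefix-only check, which is all rp-filter=strict or a raw-chain prefix rule gives, versus a host-level check against a MAC-to-address binding table built from the DHCP lease table and "reachable" IPv6 neighbour entries. The MACs, addresses and frames are constructed sample values; the binding table allows several IPv6 addresses per MAC so that privacy-extension addresses the router has actually seen are not dropped.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of what the router already knows: IPv4 from the DHCP
# lease table, IPv6 from "reachable" entries in the neighbour table. A MAC
# may legitimately own several IPv6 addresses (privacy extensions).
RAW_BINDINGS = {
    "AA:BB:CC:00:00:01": ["192.168.0.2", "2600:1417:78::1a2b:3c4d:5e6f:7a8b"],
    "AA:BB:CC:00:00:02": ["192.168.0.3", "2600:1417:78::2",
                          "2600:1417:78::dead:beef:1"],
}
# Prefixes configured on bridge A (taken from the thread).
SUBNETS = [ip_network("192.168.0.0/22"), ip_network("2600:1417:78::/64")]

# Normalise once so textual variants of the same address compare equal.
BINDINGS = {mac.lower(): {ip_address(a) for a in addrs}
            for mac, addrs in RAW_BINDINGS.items()}

def subnet_check(src_ip):
    """Prefix-level check, equivalent to rp-filter=strict or a raw rule
    that only accepts sources inside the bridge's own prefixes."""
    ip = ip_address(src_ip)
    return any(ip in net for net in SUBNETS)

def binding_check(src_mac, src_ip):
    """Host-level check (/32 and /128): the source address must be one
    the router has bound to this exact source MAC."""
    return ip_address(src_ip) in BINDINGS.get(src_mac.lower(), set())

def verdict(src_mac, src_ip):
    """Return why a frame is dropped, or 'accept'."""
    if not subnet_check(src_ip):
        return "drop:outside-prefix"      # what rp-filter already catches
    if not binding_check(src_mac, src_ip):
        return "drop:ip-mac-mismatch"     # only the binding table catches this
    return "accept"

# Constructed frames from host 1 (...:01) and host 2 (...:02).
SAMPLE_FRAMES = [
    ("aa:bb:cc:00:00:01", "192.168.0.2"),                # host 1, own lease
    ("aa:bb:cc:00:00:01", "192.168.0.3"),                # host 1 using host 2's lease
    ("aa:bb:cc:00:00:01", "4.5.6.7"),                    # address outside every prefix
    ("aa:bb:cc:00:00:02", "2600:1417:78::DEAD:BEEF:1"),  # bound privacy address
    ("aa:bb:cc:00:00:01", "2600:1417:78::ffff"),         # inside /64, never bound
]

def evaluate(frames=SAMPLE_FRAMES):
    return [verdict(mac, ip) for mac, ip in frames]

if __name__ == "__main__":
    for (mac, ip), v in zip(SAMPLE_FRAMES, evaluate()):
        print(f"{mac} {ip:40} {v}")
```

The second and last sample frames pass the prefix check and are caught only by the binding table, which is exactly the gap between rp-filter=strict and the /32 and /128 filtering asked about.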
 
DarkNate
Forum Veteran
Topic Author
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Sun Jun 05, 2022 6:18 pm

Time bump – Anybody?
 
sup5
Member
Posts: 359
Joined: Sat Jul 10, 2010 12:37 am

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Sun Jun 05, 2022 6:33 pm

Dhcp: add arp for leases
Interface: arp: reply-only
 
DarkNate
Forum Veteran
Topic Author
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Mon Jun 06, 2022 1:07 am

Dhcp: add arp for leases
Interface: arp: reply-only
That does not stop IP spoofing from the hosts; it only stops fake leases from being able to send traffic. If a host has a valid lease, it can still spoof an IP address. That's why we have BCP38 and the solution is to drop !/32 address.

And how does that solve the IPv6 part of the problem, or ARP/NDP/MAC address spoofing?
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Mon Jun 06, 2022 5:53 am

This kind of problem must be solved on the access layer (switch, access point, OLT, DSLAM).

In the case of switches, some vendors offer dynamic ARP inspection and binding to avoid spoofing; to date MikroTik does not offer this function.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Mon Jun 06, 2022 5:54 am

Dhcp: add arp for leases
Interface: arp: reply-only
That can help, but with switch client isolation enabled.
 
DarkNate
Forum Veteran
Topic Author
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Tue Jun 07, 2022 5:36 pm

This kind of problem must be solved on the access layer (switch, access point, OLT, DSLAM).

In the case of switches, some vendors offer dynamic ARP inspection and binding to avoid spoofing; to date MikroTik does not offer this function.
Sure, say we solve MAC address spoofing on Layer 2 devices downstream. How do you propose we solve SLAAC-related /64 spoofing? That is at the router level. And remember DHCPv6 on Tik does not support IPv6 address assignment to hosts, only direct PD.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Tue Jun 07, 2022 7:29 pm

BCP38 is not intended to block address spoofing on a NAT network or using a different address on an IPv6 /64 network.
It would not be able to do the latter, as "IPv6 privacy extensions" assigns random addresses to hosts over time. It would be impossible to differentiate between a host that is normally doing "IPv6 privacy extensions" processing, and one that maliciously creates lots of different addresses.

However, BCP38 is intended to solve spoofing of a completely different address, belonging to another network outside your own.
E.g. you have been rightfully assigned IPv4 address 1.2.3.4 and now you send with source address 4.5.6.7.
That is easy to block using some firewall filters that prevent source addresses outside the expected subnet.
 
DarkNate
Forum Veteran
Topic Author
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Wed Jun 08, 2022 12:27 am

BCP38 is not intended to block address spoofing on a NAT network or using a different address on an IPv6 /64 network.
It would not be able to do the latter, as "IPv6 privacy extensions" assigns random addresses to hosts over time. It would be impossible to differentiate between a host that is normally doing "IPv6 privacy extensions" processing, and one that maliciously creates lots of different addresses.

However, BCP38 is intended to solve spoofing of a completely different address, belonging to another network outside your own.
E.g. you have been rightfully assigned IPv4 address 1.2.3.4 and now you send with source address 4.5.6.7.
That is easy to block using some firewall filters that prevent source addresses outside the expected subnet.
BCP38 is a guideline for ingress/egress filtering; it is not a configuration terminology or technology. Strict BCP38 filtering means stopping spoofing up to /32 and /128 IP prefix size, which is ideal.

You are proposing "firewall filters", which is what I said in the OP – It is not scalable. How do we drop spoofed IPv6 addresses within the /64 incoming from hosts if there are at least 1000 hosts?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Wed Jun 08, 2022 11:01 am

You are proposing "firewall filters", which is what I said in the OP – It is not scalable. How do we drop spoofed IPv6 addresses within the /64 incoming from hosts if there are at least 1000 hosts?
I already explained: that is impossible, and it also isn't what you are supposed to do within the context of BCP38.
When you have a /64 on a network you firewall filter all source addresses outside the /64 on that network. Not individual addresses for hosts.
 
DarkNate
Forum Veteran
Topic Author
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Wed Jun 08, 2022 11:46 am

You are proposing "firewall filters", which is what I said in the OP – It is not scalable. How do we drop spoofed IPv6 addresses within the /64 incoming from hosts if there are at least 1000 hosts?
I already explained: that is impossible, and it also isn't what you are supposed to do within the context of BCP38.
When you have a /64 on a network you firewall filter all source addresses outside the /64 on that network. Not individual addresses for hosts.
We have no problem doing that on other vendors. Why is it an issue for Tik?

Example: https://infocenter.nokia.com/public/775 ... slaac.html
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Wed Jun 08, 2022 12:52 pm

What is the relevance of that link? It tells you how to set up SLAAC in that Nokia router. It can be done in MikroTik as well, by adding an address to a network and setting it to advertise=yes.
What appears to be a bit lacking in RouterOS is the handling of change of the prefix, which is inconvenient when you get a dynamic IPv6 prefix from the provider.
But that is not really related to this topic.
I do not see in the linked documentation that this router would make any effort to filter addresses that have not been claimed, or to cross-check source IP addresses against known MAC addresses.
 
DarkNate
Forum Veteran
Topic Author
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Wed Jun 08, 2022 1:10 pm

What is the relevance of that link? It tells you how to set up SLAAC in that Nokia router. It can be done in MikroTik as well, by adding an address to a network and setting it to advertise=yes.
What appears to be a bit lacking in RouterOS is the handling of change of the prefix, which is inconvenient when you get a dynamic IPv6 prefix from the provider.
But that is not really related to this topic.
I do not see in the linked documentation that this router would make any effort to filter addresses that have not been claimed, or to cross-check source IP addresses against known MAC addresses.
What are you smoking? The document shows we can manage AAA/RADIUS for IPv6 SLAAC on Nokia. From there we can dynamically script to fetch the NDP table and filter based on src MAC linking to GUA. Or simply use the RADIUS information in the back-end on a per-MAC basis for L3 filtering of src IPv6+MAC.

Please, Mr Expert, tell me how do we do that on MikroTik with step-by-step documentation?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Wed Jun 08, 2022 1:16 pm

When you are going to do custom scripting anyway, you can do the same thing in MikroTik.
I consider it a waste of time and effort, but go on with it!
Or do as you claim in other topics, just switch over to another manufacturer where "everything is better".
 
DarkNate
Forum Veteran
Topic Author
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Wed Jun 08, 2022 1:43 pm

When you are going to do custom scripting anyway, you can do the same thing in MikroTik.
I consider it a waste of time and effort, but go on with it!
Or do as you claim in other topics, just switch over to another manufacturer where "everything is better".
You are the one claiming that MikroTik supports SLAAC RADIUS. The scripting needs SLAAC RADIUS.

And without a doubt, I'm switching eventually, until then, I'm trying to make do with CrapTik.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Question] How to implement strict BCP38 up to /32 (IPv4) and /128 (IPv6) level on RouterOS?

Wed Jun 08, 2022 1:51 pm

No, I am not claiming that. I think you can do scripting to read out the ND table and adjust a firewall accordingly.
Of course it makes no sense, but you are the one wanting to do it.
