10-28-2018 01:04 PM - edited 10-28-2018 01:06 PM
Coming from other mainstream vendors, I have high expectations for the featureset and security expectations for the layer 2 network that faces broadband customers. Edgeswitch does a fairly decent job as it has many of the critical features that are needed to accomplish a secure layer 2 shared-access multi-tenant network. However, I am missing two mechanisms that are critical for a couple of different scenarios. Please see below:
Scenario 1: Customer Configures IP Statically When They Should Be DHCP
In this scenario, the customer configures a static IP on their device either maliciously or out of ignorance. Allowing for this type of change poses risk of impacting service to the actual customer that the IP belongs to or allowing the customer to use a public IP or IP specific to a particular service when they are not paying for it. On other vendor equipment we get around this by enforcing DHCP-only addressing by leveraging DHCP snooping and dynamic ARP inspection. DHCP snooping is available (great) but dynamic ARP inspection (DAI) is not. This being said, there's no way to enforce DHCP on a particular port/VLAN and therefore no way to guarantee any prevention mechanism from one customer setting their IP incorrectly as static.
Scenario 2: Customer Needs To Configure IP Statically On A Shared DHCP VLAN
In this scenario, we have a customer that cannot support a dynamic IP on their equipment. Therefore, the customer needs to be able to configure a static IP on their equipment. This means a mechanism needs to be in place to "verify" that the static IP (from ARP frames) that is in use is authorized to be used on the network. In other vendor equipment, this is handled with a DHCP leasequery to the upstream DHCP server. If the response contains an IP/MAC binding that matches that of the IP/MAC seen in the ARP inspection, then the host is allowed to communicate on the port using the static IP. To be honest, the implementation of scenario 2 will also resolve the needs in scenario 1 above.
This all being said, I am hoping that others realize how this is a major problem in shared-access (multi-tenant) layer 2 networks as it's not possible to secure them from these types of scenarios with UBNT gear. Does UBNT understand this issue and have any feature development planned to institute this into Edgeswitch/uFiber/AirOS software?
10-28-2018 06:00 PM
We have seen the requests for these features and have added them to our internal tracker. The EdgeSwitch team is currently looking into the possibilities of adding DAI, IP Source Guard and ARP access-lists to the platform.
Ben Pin | Ubiquiti Support
10-29-2018 05:20 PM
We are looking into the possibility of adding these features but I'm afraid that there is no ETA yet.
Won't a static IP Source Guard binding have the same effect as the DHCP lease query?
Ben Pin | Ubiquiti Support
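The logic being asked for in both scenarios above, and the static IP Source Guard binding Ben suggests as an alternative to a DHCP leasequery, modelled as a small simulation. This is an added example written for this thread, not EdgeSwitch code; the binding table layout, port names, VLAN and addresses are constructed, and the leasequery is a stand-in callback rather than a real RFC 4388 exchange.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Hypothetical binding-table model: (vlan, ip) -> (mac, port, source)
Binding = Tuple[str, str, str]
# Stand-in for a DHCP leasequery: (vlan, ip) -> mac of the lease holder, or None
LeaseQuery = Callable[[int, str], Optional[str]]


@dataclass
class ArpInspector:
    trusted_ports: Set[str]
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)

    def learn_dhcp_ack(self, vlan: int, port: str, ip: str, mac: str) -> None:
        """DHCP snooping: a DHCPACK relayed to a client port creates a dynamic binding."""
        self.bindings[(vlan, ip)] = (mac.lower(), port, "dhcp")

    def add_static_binding(self, vlan: int, port: str, ip: str, mac: str) -> None:
        """Operator-provisioned (IP Source Guard style) binding for a customer
        that must use a static address (scenario 2)."""
        self.bindings[(vlan, ip)] = (mac.lower(), port, "static")

    def inspect_arp(self, vlan: int, port: str, sender_ip: str, sender_mac: str,
                    leasequery: Optional[LeaseQuery] = None) -> bool:
        """DAI decision for one ARP frame: True = forward, False = drop."""
        if port in self.trusted_ports:          # uplink/server-facing ports are not inspected
            return True
        binding = self.bindings.get((vlan, sender_ip))
        if binding is None and leasequery is not None:
            # Scenario 2 via leasequery: ask the DHCP server who holds this lease
            mac = leasequery(vlan, sender_ip)
            if mac is not None:
                binding = (mac.lower(), port, "leasequery")
                self.bindings[(vlan, sender_ip)] = binding
        if binding is None:                     # unknown address: scenario 1 drop
            return False
        mac, bound_port, _ = binding
        # Both the MAC and the port must match the binding to forward the frame
        return mac == sender_mac.lower() and bound_port == port


def simulate() -> Dict[str, bool]:
    """Constructed walk-through of the two scenarios from the post."""
    dai = ArpInspector(trusted_ports={"uplink"})
    dai.learn_dhcp_ack(100, "port1", "203.0.113.10", "AA:BB:CC:00:00:01")
    leases = {(100, "203.0.113.30"): "aa:bb:cc:00:00:03"}       # constructed DHCP server state
    return {
        "dhcp_client_ok": dai.inspect_arp(100, "port1", "203.0.113.10", "aa:bb:cc:00:00:01"),
        "stolen_ip_dropped": not dai.inspect_arp(100, "port2", "203.0.113.10", "aa:bb:cc:00:00:02"),
        "unknown_static_dropped": not dai.inspect_arp(100, "port2", "203.0.113.20", "aa:bb:cc:00:00:02"),
        "leasequery_ok": dai.inspect_arp(100, "port3", "203.0.113.30", "aa:bb:cc:00:00:03",
                                         leasequery=lambda v, ip: leases.get((v, ip))),
    }
```

Adding `dai.add_static_binding(100, "port2", "203.0.113.20", "aa:bb:cc:00:00:02")` before the third check flips it to forward, which is the static-binding route Ben describes.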
02-11-2019 03:32 AM - edited 02-11-2019 03:40 AM
I am bumping this request. This is the number one feature that is missing from Edgeswitches for us. In addition to the previous feature requests listed back in October, here are some additional pages discussing/requesting this feature:
When can we get an ETA/this on the radar?