Established Member
Posts: 994
Registered: ‎07-23-2015
Kudos: 536
Solutions: 55

Securing Layer 2 Broadband Networks


Hello folks,

 

Coming from other mainstream vendors, I have high expectations for the feature set and security expectations for the layer 2 network that faces broadband customers. Edgeswitch does a fairly decent job as it has many of the critical features that are needed to accomplish a secure layer 2 shared-access multi-tenant network. However, I am missing two mechanisms that are critical for a couple of different scenarios. Please see below:

 

Scenario 1: Customer Configures IP Statically When They Should Be DHCP

In this scenario, the customer configures a static IP on their device either maliciously or out of ignorance. Allowing for this type of change poses risk of impacting service to the actual customer that the IP belongs to or allowing the customer to use a public IP or IP specific to a particular service when they are not paying for it. On other vendor equipment we get around this by enforcing DHCP-only addressing by leveraging DHCP snooping and dynamic ARP inspection. DHCP snooping is available (great) but dynamic ARP inspection (DAI) is not. This being said, there's no way to enforce DHCP on a particular port/VLAN and therefore no way to guarantee any prevention mechanism from one customer setting their IP incorrectly as static.

 

Scenario 2: Customer Needs To Configure IP Statically On A Shared DHCP VLAN

In this scenario, we have a customer that cannot support a dynamic IP on their equipment. Therefore, the customer needs to be able to configure a static IP on their equipment. This means a mechanism needs to be in place to "verify" that the static IP (from ARP frames) that is in use is authorized to be used on the network. In other vendor equipment, this is handled with a DHCP leasequery to the upstream DHCP server. If the response contains an IP/MAC binding that matches that of the IP/MAC seen in the ARP inspection, then the host is allowed to communicate on the port using the static IP. To be honest, the implementation of scenario 2 will also resolve the needs in scenario 1 above.

 

This all being said, I am hoping that others realize how this is a major problem in shared-access (multi-tenant) layer 2 networks as it's not possible to secure them from these types of scenarios with UBNT gear. Does UBNT understand this issue and have any feature development planned to institute this into Edgeswitch/uFiber/AirOS software?

Please don't forget to kudo helpful posts and mark accepted solutions accordingly!
jcm.me - Personal Site | Joyn.Tech - Consulting Site

Add Auto-Provisioning Support to UNMS
Add DAI/IP Source Guard to Edgeswitches
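The two scenarios above describe one decision procedure: validate the sender IP/MAC of an ARP frame against the DHCP-snooping binding table, and when the pair is not in the table, ask the upstream DHCP server with a DHCPLEASEQUERY (RFC 4388) whether that IP really has an active lease for that MAC. The following Python is an added illustration of that procedure; it is not Ubiquiti's code nor anything the poster shipped. The DHCP encoder/parser is minimal, the relay address `RELAY_IP`, the lease table `LEASES`, the port names and all MAC/IP values are constructed for the example, and the DHCP server is an in-memory stand-in so the code runs offline.

```python
"""Added example (not Ubiquiti's or the poster's code): DAI-style ARP check
backed by the DHCP-snooping binding table plus a DHCPLEASEQUERY fallback.
The DHCP server is a constructed in-memory stand-in so this runs offline."""
import struct
from dataclasses import dataclass, field

# Option 53 message types defined by RFC 4388
DHCPLEASEQUERY, DHCPLEASEUNASSIGNED, DHCPLEASEUNKNOWN, DHCPLEASEACTIVE = 10, 11, 12, 13
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie
RELAY_IP = "198.51.100.1"            # assumed address of the querying switch (giaddr)
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header

def ip_bytes(ip):  return bytes(int(o) for o in ip.split("."))
def ip_str(b):     return ".".join(str(x) for x in b)
def mac_bytes(m):  return bytes.fromhex(m.replace(":", ""))

def build_dhcp(op, xid, ciaddr, chaddr, giaddr, msgtype):
    """Serialise a DHCP message that carries only option 53 (message type)."""
    fixed = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0,
                        ip_bytes(ciaddr), b"\0" * 4, b"\0" * 4, ip_bytes(giaddr),
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msgtype]) + b"\xff"

def build_leasequery(query_ip, xid=0x1234):
    """Lease query by IP address: ciaddr = IP being asked about, chaddr zero."""
    return build_dhcp(1, xid, query_ip, b"\0" * 6, RELAY_IP, DHCPLEASEQUERY)

def parse_dhcp(pkt):
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                  # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "ciaddr": ip_str(f[7]),
            "chaddr": f[11][:f[2]], "opts": opts}

# Constructed lease table of the upstream DHCP server: ip -> client MAC,
# None = managed address with no active lease; other addresses are unknown.
LEASES = {"198.51.100.10": "00:11:22:33:44:55", "198.51.100.11": None}

def stub_leasequery_server(request, leases=LEASES):
    """Stand-in for the DHCP server's RFC 4388 responder."""
    q = parse_dhcp(request)
    ip = q["ciaddr"]
    if ip not in leases:
        msgtype, mac = DHCPLEASEUNKNOWN, b"\0" * 6
    elif leases[ip] is None:
        msgtype, mac = DHCPLEASEUNASSIGNED, b"\0" * 6
    else:
        msgtype, mac = DHCPLEASEACTIVE, mac_bytes(leases[ip])
    return build_dhcp(2, q["xid"], ip, mac, RELAY_IP, msgtype)

@dataclass
class ArpGuard:
    """Per-switch binding table: (vlan, ip) -> (mac, port), seeded by DHCP snooping."""
    bindings: dict = field(default_factory=dict)

    def check_arp(self, vlan, port, sender_ip, sender_mac, leasequery):
        """True if the ARP sender IP/MAC may be used on this port, else drop."""
        known = self.bindings.get((vlan, sender_ip))
        if known is not None:
            # Scenario 1: a static IP colliding with another customer's lease
            # (or the right MAC on the wrong port) is rejected here.
            return known == (sender_mac, port)
        # Scenario 2: unknown pair, ask the DHCP server whether the lease exists.
        reply = parse_dhcp(leasequery(build_leasequery(sender_ip)))
        if reply["opts"].get(53) == bytes([DHCPLEASEACTIVE]) \
                and reply["chaddr"] == mac_bytes(sender_mac):
            self.bindings[(vlan, sender_ip)] = (sender_mac, port)  # cache verified binding
            return True
        return False

def demo():
    g = ArpGuard({(100, "198.51.100.20"): ("aa:bb:cc:dd:ee:01", "0/3")})  # snooped lease
    lq = stub_leasequery_server
    return [
        g.check_arp(100, "0/3", "198.51.100.20", "aa:bb:cc:dd:ee:01", lq),  # real DHCP client
        g.check_arp(100, "0/4", "198.51.100.20", "aa:bb:cc:dd:ee:02", lq),  # squats another lease
        g.check_arp(100, "0/5", "198.51.100.10", "00:11:22:33:44:55", lq),  # static, verified by leasequery
        g.check_arp(100, "0/6", "198.51.100.10", "aa:bb:cc:dd:ee:03", lq),  # same IP, wrong MAC
        g.check_arp(100, "0/7", "198.51.100.11", "aa:bb:cc:dd:ee:04", lq),  # managed but unassigned
        g.check_arp(100, "0/7", "203.0.113.5",   "aa:bb:cc:dd:ee:05", lq),  # unknown to the server
    ]

if __name__ == "__main__":
    print(demo())   # [True, False, True, False, False, False]
```

On a real switch the `leasequery` callable would send the query over UDP/67 to the configured DHCP server and wait for the reply; the point of the structure is that the only state the switch keeps is what it learned from snooping or verified with the server, so the authoritative IP/MAC list stays in the DHCP server as the post asks for. A static IP Source Guard entry would give the same per-port result as the `DHCPLEASEACTIVE` branch, but it has to be maintained on every switch by hand.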

Ubiquiti Employee
Posts: 2,776
Registered: ‎05-08-2017
Kudos: 489
Solutions: 400

Re: Securing Layer 2 Broadband Networks

Hi @Joyn,

 

We have seen the requests for these features and have added them to our internal tracker. The EdgeSwitch team is currently looking into the possibilities of adding DAI, IP Source Guard and ARP access-lists to the platform.

 

Ben

 


 

Ben Pin | Ubiquiti Support


Re: Securing Layer 2 Broadband Networks

Nice! I know you get this a lot but is there any ETA? Please also consider the leasequery function as that is distinctly different from DAI, IP Source Guard and ARP access-lists.

Re: Securing Layer 2 Broadband Networks

We are looking into the possibility of adding these features but I'm afraid that there is no ETA yet.

 

Won't a static IP Source Guard binding have the same effect as the DHCP lease query?

 

Ben


Re: Securing Layer 2 Broadband Networks

Yes but at the expense of maintaining entries in discrete devices vs. everything centrally in the DHCP server.

Re: Securing Layer 2 Broadband Networks

I guess you already saw the release post :-) 

 

If anyone else stumbles on this topic, please have a look here (link requires beta access).

 

-Ben
