Community discussions

Search found 50 matches

by buraglio
Tue Apr 02, 2019 8:12 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

Dang, I was hoping I was wrong. Looking like probably not. nb With extreme fragmentation, it can result in no contiguous memory that satisfies the malloc() or realloc() and you either segfault in userland or (I'd imagine) panic in the kernel, hence the reboot even with memory theoretically available...
by buraglio
Tue Apr 02, 2019 5:17 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

More testing has yielded more data. This has not been properly replicated by anyone else that I know of, so take it as plausible hypothesis. I think I found more fallout from the ipv6 flaw: boxes that have their ND cache or their ipv6 route cache run up but not to the point of OOM reload experience ...
by buraglio
Mon Apr 01, 2019 8:13 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

I tested null routing with ip-filter enabled and it still drives the cache up. What I don't know is if /ip rp-filter also covers IPv6. If it doesn't then there appears to be no way to enable ipv6 RPF checking. Don't do full tables on CCRs. They are terrible at it. Why? It works fine, I receive FV and...
by buraglio
Mon Apr 01, 2019 8:11 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

I understand how things work in "the infosec world". I have stated above how I describe this and I stand by my comments. Unauthenticated Denial of Service is just as I described it, and it is not exclusively in the domain of security vulnerability. It can definitely be leveraged that way, but the sa...
by buraglio
Mon Apr 01, 2019 6:35 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

I have come pretty close to being able to exhaust the route cache "in the wild" (a controlled real network built for this purpose), meaning on gear attached to a public network. I am sure I can do it, but I want to know who else tried this. There is an old thread that implies some of this was trigge...
by buraglio
Sun Mar 31, 2019 9:52 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

Dumb question, have you validated that this is remotely exploitable outside of a contained lab?
by buraglio
Sun Mar 31, 2019 9:10 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

If I understand correctly, you null route the offending host /128 (or /64) and the exhaustion still occurs, correct? If you null route the attacker IP address on the device that is transiting the traffic, does the OOM still occur? I am assuming that all routers are Mikrotik? I am working on this n...
by buraglio
Sun Mar 31, 2019 8:28 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

I can replicate both issues. This is very, very easy to execute using simple, open-source pen-testing tools and is pretty effective at making a box reload, or under smaller load stop transiting traffic until the event stops. I do not consider this a security flaw at all. It's a very unfortunate implem...
by buraglio
Sun Mar 31, 2019 6:56 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

Can anyone verify in what order uRPF and route cache writes are processed? I suspect this is largely a solved problem, this was an issue in the early days of IPv6.
by buraglio
Sun Mar 31, 2019 1:42 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

Ideally this is how I would handle this. Again, we're super late in the game. 1. disclosed the environment hardware, in detail, that was used to test and confirm the issue in. 2. have both validated it with a trusted, embargoed outside source(s). Ideally one is the vendor, clearly that didn't ha...
by buraglio
Sat Mar 30, 2019 5:58 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

No, I get it, it's not my first rodeo with zero-day or high priority CVE, or with giving talks on any number of high sensitivity or previously embargoed subjects. I agree that you have said you provided the details to them and that handling has also been poor from their side, I trust that happened i...
by buraglio
Sat Mar 30, 2019 5:50 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

Fair point, and great job on providing v6 back that far - few ISPs have that foresight. It's hard to infer context from a forum, and this thread runs the line of going "full-on UBNT forum" as it touches on a lot of people's long-held beliefs. Again, people should do what works for them. I'm just disa...
by buraglio
Sat Mar 30, 2019 5:39 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

The ugly baby is how this has been dealt with over time, it isn't anyone's process or workflow. Read my previous post. I stand by my statement - this has been handled poorly on all sides and because of this unnecessarily bad and totally avoidable mis-handling of it, we're forced to treat it like a ze...
by buraglio
Sat Mar 30, 2019 4:44 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

Totally disabling IPv6 before the details of the bug as well as how to exploit it are even public is over-reactionary and knee-jerk extreme, especially since MT has said that a fix will be available before the disclosure. As a relative outsider that has been involved in this kind of thing in the pas...
by buraglio
Fri Mar 29, 2019 6:45 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40016

Re: UKNOF 43 CVE

I've been watching this quietly since it started. One of these CVEs, while important to note, is pretty straightforward to replicate with off the shelf, open source tools. I suspect the other is as well but I have not yet done so. MT should definitely address this and add testing of neighbor table i...
by buraglio
Wed Nov 21, 2018 4:34 pm
Forum: Forwarding Protocols
Topic: State of Openflow
Replies: 13
Views: 6786

Re: State of Openflow

Please MikroTik staff, any news about OpenFlow 1.3 or higher? I only need a date: 2018, 2019, 2020, ... SDN is here and we need to know if we can go forward with MikroTik or change to another manufacturer. Thanks. Any update? If this is ever going to happen it needs to meet a handful of requirement...
by buraglio
Fri Dec 22, 2017 4:26 pm
Forum: Forwarding Protocols
Topic: State of Openflow
Replies: 13
Views: 6786

Re: State of Openflow

Any news about OpenFlow 1.3 or higher? All the described features are in our todo list, thank you for raising the questions. At the moment there is no specific timeframe, when features will be available. My guess is that since OpenFlow has mostly been leveraged in datacenters and enterprise netwo...
by buraglio
Mon Nov 27, 2017 6:21 am
Forum: General
Topic: Feature Request: zerotier vpn
Replies: 16
Views: 5844

Re: Feature Request: zerotier vpn

Agreed, ZT + MT would be freaking amazing. I'd be more than willing to help alpha this.
+1 using ZT since the start, it's amazing and would be a great addition to mikrotik.
by buraglio
Wed Jul 19, 2017 8:10 pm
Forum: Wireless Networking
Topic: Disable CAPs
Replies: 2
Views: 4905

Re: Disable CAPs

It seems as if this was more simple than I expected.
[admin@wap1] /interface wireless cap> set enabled=no
by buraglio
Wed Jul 19, 2017 7:51 pm
Forum: Wireless Networking
Topic: Disable CAPs
Replies: 2
Views: 4905

Disable CAPs

I have a few wAP AC units that are currently configured for CAPsMAN management via an external CCR. I see how to enable that mode, but how do I disable it? I tried just doing the same process again but didn't have much luck. Hopefully I am just overlooking something simple.

Thanks!
nb
by buraglio
Fri Jul 07, 2017 4:36 pm
Forum: General
Topic: My IPv6 Triage List for ROS
Replies: 48
Views: 5476

Re: My IPv6 Triage List for ROS

maznu wrote: Excellent thread. I would like to add: IPv6 route rules and VRF The ability to do /ipv6 route rule routing-mark="foo" ... (and corresponding /ipv6 route routing-mark="foo" ... ) would be fantastic. Even older Linux kernels support this already (3.2.0 test box seems to have it), so we ...
by buraglio
Fri Jul 07, 2017 4:30 pm
Forum: General
Topic: Can SSH keys be listed or printed using CLI?
Replies: 3
Views: 502

Re: Can SSH keys be listed or printed using CLI?

Is there a command to print or at least list existing public SSH keys installed? I cannot see them using /export The best way I have found for getting basic information is "/user ssh-key print detail" but it's not the content, which is obviously not ideal. You can see content of files like certific...
by buraglio
Fri Jul 07, 2017 4:27 pm
Forum: General
Topic: Can SSH keys be listed or printed using CLI?
Replies: 3
Views: 502

Re: Can SSH keys be listed or printed using CLI?

Is there a command to print or at least list existing public SSH keys installed? I cannot see them using /export Best I've found is /user ssh-keys print detail , but it's not the content, which is obviously not ideal. You can see content of files like certificates with /file print detail , but as ...
by buraglio
Fri Jul 07, 2017 4:26 pm
Forum: General
Topic: Can SSH keys be listed or printed using CLI?
Replies: 3
Views: 502

Re: Can SSH keys be listed or printed using CLI?

Is there a command to print or at least list existing public SSH keys installed? I cannot see them using /export Best I've found is /user ssh-keys print detail , but it's not the content, which is obviously not ideal. You can see content of files like certificates with /file print detail , but as f...
by buraglio
Wed Jul 05, 2017 9:07 pm
Forum: General
Topic: CAPsMAN with VPLS
Replies: 1
Views: 296

Re: CAPsMAN with VPLS

I also forgot to mention that CAPsMAN seems to work fine with simple lan bridging, but I'd like to have consistency in the overlay, thus the desire to do VPLS.

nb
by buraglio
Wed Jul 05, 2017 9:06 pm
Forum: General
Topic: CAPsMAN with VPLS
Replies: 1
Views: 296

CAPsMAN with VPLS

I've been fighting with getting CAPsMAN to work with a handful of RouterBOARD wAP G-5HacT2HnD using VPLS as the L2 transport without much luck. MPLS/VPLS is working as expected and is able to transport LSPs to other non-wireless gear, but the hAC units seem to only support bridging with VLANs. I ha...
by buraglio
Wed Jul 05, 2017 4:26 pm
Forum: General
Topic: Capsman forwarding not compatible with IPv6
Replies: 9
Views: 2014

Re: Capsman forwarding not compatible with IPv6

Yes, I'm very, very familiar with IPv6 (but very much a novice when it comes to CAPsMAN). However, I think we're talking about two different things. My configuration is far more rudimentary than yours. I use CAPsMAN to manage a handful of last mile APs that hosts directly connect to, not that are CP...
by buraglio
Sat Jul 01, 2017 3:42 am
Forum: General
Topic: Capsman forwarding not compatible with IPv6
Replies: 9
Views: 2014

Re: Capsman forwarding not compatible with IPv6

Do you have an example config that isn't working? I've been using CAPsMAN with full dual stack for some time. I'm in the process of converting it all over to VPLS, but not forwarding IPv6 never popped up as an issue with my original config.

nb
by buraglio
Wed May 31, 2017 5:47 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

Great info, thanks for sharing. Of course it should work OK with a bridge but there are known issues with bridges in a couple of recent versions and the easiest way to work around them is not use a bridge when you don't need it. And having a bridge just to put 4 ethernet ports in a bridge group that...
by buraglio
Tue May 30, 2017 5:41 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

Come on, really??? Move all config from your bridge1 to ether2-master, make ether2-ether4 a slave of ether2-master and delete your bridge. I don't think that this is a well known caveat. For those that may have come from a more traditional layer3 switching background, or running Linux/Unix devices ...
by buraglio
Tue May 30, 2017 4:26 pm
Forum: General
Topic: Feature Request: IPerf
Replies: 50
Views: 10994

Re: Feature Request: IPerf

Ok, Mikrotik, can we have any rough statement to this? At least if iperf was denied, or if we can expect it in v7 since its beginning or in v6 yet since 6.39.2? :-) To add, iperf3 should be fairly easy to add - My understanding is that it's being ported to some CPE in the states. Along the same lin...
by buraglio
Thu Apr 06, 2017 11:32 pm
Forum: General
Topic: Feature request for v7.x
Replies: 269
Views: 63572

Re: Feature request for v7.x

Another potentially easier option for implementing segment routing would be to implement IPv6-SR (and the SRH). I'd personally rather have IS-IS because I believe it is a significantly better protocol, but implementation of SRH would likely be easier since there is already an IPv6 stack and public c...
by buraglio
Thu Mar 16, 2017 5:21 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

It could well be that because I normally use a bridge only when it really cannot be avoided. The examples I gave all have the DHCP server on an ethernet port or at most on a VLAN interface. This is great info - I have seen that there seems to be an apprehension about using bridges, is there a reason f...
by buraglio
Thu Mar 16, 2017 4:40 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

Interesting. In most of these cases the DHCP server is on a bridge. I'll check the admin-mac. I thought I had that set but there is a chance I am mis-remembering. Is this documented as undesirable or unsupported anywhere? Great info - thanks a bunch. nb I have seen this happen where the DHCP server ...
by buraglio
Thu Mar 16, 2017 2:58 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

I still maintain that the dhcp server isn't up to par. Or maybe it is your configuration that is not OK. I use the MikroTik DHCP server on several networks (often 2-4 networks on a single router) without any problem other than the occasional trouble with Apple clients. Sure, anything's possible. Ho...
by buraglio
Wed Mar 15, 2017 11:37 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

Oh no, I wasn't clear. It just made it easy to reproduce in that I can update to that version and cause the behavior. It didn't solve it for a number of locations. I still maintain that the dhcp server isn't up to par. I'm moving almost everything to ISC at this point, which I know well and does qui...
by buraglio
Wed Mar 15, 2017 8:16 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

Another data point: Upgrading to 6.38.5 seems to cause this behavior to occur pretty reliably for me on multiple platforms. Downgrading to the bugfix 6.37.5 fixes the issue.
by buraglio
Sat Mar 11, 2017 4:34 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

Packet loss is a problem everywhere, but I am unconvinced that it is the issue since I replaced everything including fiber, twisted pair, ROS devices, patch cables and structured cabling. Dropping in a stand alone dhcp server solved the issue immediately and permanently. I also saw no evidence of pa...
by buraglio
Fri Mar 10, 2017 8:16 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

I mostly saw this with embedded devices, predominantly based on linux - but there is no exclusivity. I saw it on some apple iOS based devices, some chromebooks, some MacOS based laptops and desktops and one Windows 7 VM. There were a number of static DHCP entries, and those are the ones that had mos...
by buraglio
Fri Mar 10, 2017 7:55 pm
Forum: General
Topic: Duplicate Address Detection Proxy
Replies: 1
Views: 688

Re: Duplicate Address Detection Proxy

RouterOS seems to support DAD, although I have been struggling to figure out how to clear it. I've done a lot of IPv6 deployments, I'd be happy to chat in the thread or offline if you'd like.

nb
by buraglio
Sun Feb 19, 2017 4:00 am
Forum: General
Topic: Feature request for v7.x
Replies: 269
Views: 63572

Re: Feature request for v7.x

IS-IS would be amazing. The ability to manage more than one routed protocol inside a single routing protocol that does not rely on the protocol it is routing for communication seems like a self-evident great idea to me - but I don't have to code it and I get that building ISO/CLNS likely isn't stra...
by buraglio
Sun Feb 19, 2017 3:44 am
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

Yes, I have seen this behavior with 3 different routerboards in this environment over the last 18 or so months. A CRS, an RB2011 and an RB3011. The entire infrastructure has been replaced at this point with the exception of the structured cabling, which isn't in the critical path (and has been remove...
by buraglio
Sun Feb 19, 2017 3:23 am
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

I've tested these cables for continuity as well as attenuation and xtalk, they all test fine. In addition, there are clients attached via fiber (fiber also cleaned, scoped, and verified). I am not convinced that this is a physical issue since I have literally replaced everything in the path, with th...
by buraglio
Sat Feb 18, 2017 4:26 pm
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Re: Yet another "dhcp,warning offering lease without success" issue

That's a good thought. I typically start my troubleshooting at layer 1, I've replaced the cabling (twice) during the process of seeing this and cable tested each time. Stats on the interfaces to the RB looks reasonable: 0 name="ether1" driver-rx-byte=27 026 766 911 driver-rx-packet=30 917 562 driver...
by buraglio
Fri Feb 17, 2017 5:57 am
Forum: General
Topic: Yet another "dhcp,warning offering lease without success" issue
Replies: 38
Views: 13019

Yet another "dhcp,warning offering lease without success" issue

I've been plagued with this issue "feb/16 16:21:34 dhcp,warning vlan8-lan offering lease without success" and have yet to figure out what the root cause is. I have built and rebuilt 3 MT devices, a CRS125, a RB2011 and most recently an RB3011. The problem has shown up in the current version of ROS v...
by buraglio
Wed Jun 15, 2016 10:51 pm
Forum: Forwarding Protocols
Topic: State of Openflow
Replies: 13
Views: 6786

Re: State of Openflow

I'd love to see an update on this. Anyone?
by buraglio
Wed Jun 15, 2016 10:49 pm
Forum: Forwarding Protocols
Topic: Any plans to implement segment routing
Replies: 5
Views: 1527

Re: Any plans to implement segment routing

Segment routing seems to be the thing to do at the moment to build an MPLS network. Any plans? Realizing that this is an old topic, I'd also be interested in it. Segment routing brings a large set of highly desirable features around traffic control and simplification of configuration and troubleshoo...
by buraglio
Mon Jan 18, 2016 4:19 pm
Forum: Forwarding Protocols
Topic: State of Openflow
Replies: 13
Views: 6786

Re: State of Openflow

I didn't find a config guide, I just worked it out myself. I've been using OpenFlow since 2009 so it wasn't unfamiliar. I'm willing to write up a guide if folks are interested, but the bulk of the work isn't in routerOS, it's the controller. If you're interested in what it's like running SDN in prod...
by buraglio
Sat Dec 19, 2015 5:43 pm
Forum: Beginner Basics
Topic: Intermittent local and remote connectivity
Replies: 0
Views: 910

Intermittent local and remote connectivity

I have a mikrotik CRS226-24G-2S+ that I am seeing some weird behavior with. I have 7 or so other mikrotik devices doing some other functions without issue, but my background is not in this hardware. I have almost 20 years in service provider backbone networking and I fear that some of my assumptions...
by buraglio
Mon Aug 10, 2015 6:05 pm
Forum: Forwarding Protocols
Topic: State of Openflow
Replies: 13
Views: 6786

Re: State of Openflow

I've been working with openflow since the very early days, ~2009. I recently picked up some Mikrotik gear to start replacing a lot of old pfsense stuff. I'd like to start using the OpenFlow offering, but would really like to see something newer than 1.0. How is OpenFlow being implemented? Is i...