mducharme
Trainer
Topic Author
Posts: 1142
Joined: Tue Jul 19, 2016 6:45 pm

Request: Better visibility regarding SLAAC in V7

Wed Jun 24, 2020 5:24 am

This is still happening in ROS v7:
[attached screenshot: IPV6-slaac-mikrotik.PNG]
This is not only confusing but is a potential security issue. Since the device can ping ipv6.google.com, this means two things. First, the device has a global IPv6 address that does not appear in the IPv6->Addresses list. Second, the device has an IPv6 default route that doesn't appear in IPv6->Routes.

I really worry that this issue could lead to users not realizing that their device is in fact open on the Internet on IPv6, when in actuality it is, resulting in insufficient security precautions being taken. Are there any plans to address this issue?

Thanks!
 
mozerd
Member
Posts: 496
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Request: Better visibility regarding SLAAC in V7

Wed Jun 24, 2020 3:00 pm

I am not running v7 but I do understand that v7 has the same capabilities as v6.47 ... I use ipv6 SLAAC and my address list does show all my global addresses
[attached screenshot: ipv6Add.GIF]
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: Request: Better visibility regarding SLAAC in V7

Wed Jun 24, 2020 7:29 pm

It's when the router gets an address using SLAAC, i.e. it behaves as a client. You need "/ipv6 settings set accept-router-advertisements=yes" (or yes-if-forwarding-disabled) to enable it.

It should of course be fixed; acquired addresses and routes should be visible. Additionally it should be configurable per-interface and not globally. As the simplest example of what it would be good for, I can have a connection to the main ISP (regular routing with delegated prefix) and then another ISP just for backup management access, where a single SLAAC address for the router is all I need, but I want the router to get it only on that one interface.
 
mducharme
Trainer
Topic Author
Posts: 1142
Joined: Tue Jul 19, 2016 6:45 pm

Re: Request: Better visibility regarding SLAAC in V7

Thu Jun 25, 2020 9:25 pm

> I am not running v7 but I do understand that v7 has the same capabilities as v6.47 ... I use ipv6 SLAAC and my address list does show all my global addresses
As Sob says, I meant when the device receives an address via SLAAC, not when it provides one. In my case I have a MikroTik AP in addition to my router, and it gets an address via SLAAC. When it receives an address and a route via SLAAC, it doesn't show you what they are. They are there, because the device can get online, and you can figure out what the address is by manually taking the first half of the subnet address and attaching the second half of the link-local, but it really should show these things instead of hiding the fact that it has a global v6 address. In certain cases this can be a security issue. Also, then there is an IPv6 default route that does not appear in the routing table, so how do you know which IPv6 default route the device is actually using?
 
mozerd
Member
Posts: 496
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Request: Better visibility regarding SLAAC in V7

Thu Jun 25, 2020 9:54 pm

> In my case I have a MikroTik AP in addition to my router, and it gets an address via SLAAC. When it receives an address and a route via SLAAC, it doesn't show you what they are.
Following is my ipv6 routes pic that shows all the routes I am using:
[attached screenshot: ipv6routing.GIF]
Compare my ipv6 config against yours ... perhaps it may help
/ipv6 dhcp-client
add add-default-route=yes comment="delgate ISP-assigned prefix" interface=\
    ether1 pool-name=rogers-ipv6 prefix-hint=::/56 request=address,prefix \
    use-peer-dns=no
/ipv6 nd
set [ find default=yes ] interface=ether1 mtu=1500 ra-lifetime=none \
    reachable-time=5m
add hop-limit=64 interface=vlan10 reachable-time=5m
add hop-limit=64 interface=vlan20 reachable-time=5m
add hop-limit=64 interface=vlan40 reachable-time=5m
/ipv6 nd prefix default
set preferred-lifetime=4h valid-lifetime=4h
/ipv6 settings
set accept-router-advertisements=yes
 
mducharme
Trainer
Topic Author
Posts: 1142
Joined: Tue Jul 19, 2016 6:45 pm

Re: Request: Better visibility regarding SLAAC in V7

Thu Jun 25, 2020 10:57 pm

> Following is my ipv6 routes pic that shows all the routes I am using:
> [attached screenshot: ipv6routing.GIF]
>
> Compare my ipv6 config against yours ... perhaps it may help
You are using the DHCPv6-PD client; that has always worked fine. I am talking about SLAAC, which is not the same thing. The DHCPv6 client is adding the default route you otherwise would not have. I'm talking about cases where you are not using the DHCPv6 client.

Try disabling your DHCPv6 client. You will find that even though the address and routes disappear, your router can still ping IPv6 addresses on the Internet even though it has no apparent global address or default route. It actually has both a global address and a default route in this case, but it is like a secret hidden global address that it doesn't show you, and a secret default route that it doesn't show you.
 
linGeRvanTAt
just joined
Posts: 4
Joined: Sun Feb 21, 2021 2:31 pm

Re: Request: Better visibility regarding SLAAC in V7

Tue Feb 23, 2021 11:24 am

Can you share a ticket ID, so I can +1 this?

@MikroTik as motivation, use-cases, or expected user experience:
I lost one hour because of this. Thanks to this post from mducharme, I was confident enough to go for trial-and-error.
  1. My first problem was, RouterOS might have created an IPv6 address randomly (via Privacy Extensions; RFC 3041). How shall I know RouterOS uses a stable address via the IPv6 prefix and Modified EUI-64?
  2. My second problem was, for now exactly 10 years, we have IPv6 in consumers’ hands. For example, Apple macOS does it automatically the way the IETF protocol designers envisioned it in RFC 2461 exactly 22 years ago. Although I went for the QuickSet ‘WISP AP’ / bridge, why do I have to enable IPv6 manually? Consequently, I did not know whether it is enabled and what was assigned. Furthermore, such double-checking is required because there are networks with faulty routers advertising invalid IPv6 prefixes. OK, that would be visible on a computer within that network as well; what if I VPN into that RouterOS?
  3. My third problem is that I could not yet determine how RouterOS gets its DNS server: Does it extract RDNSS, and when that does not exist (or the RA flag O is set) does it ask via DHCPv6 automatically? Or does RouterOS not do DNSv6 at all and just DNSv4?
OK, Microsoft Windows, Apple macOS, and other UNIX systems like Ubuntu are consumer software. Nevertheless, non-consumer software should not be worse in user experience by default, unless there is a good reason. The current situation is like flying blind. So, these were my three reasons (plus one hour wasted) for a +1.
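mducharme's workaround above (take the first 64 bits of the advertised prefix and append the second half of the link-local) and linGeRvanTAt's first question (is the address a stable Modified EUI-64 one or a random privacy address?) are both mechanical, so here is an added example that carries them out. It is not code from the thread or from MikroTik; the MAC and the 2001:db8::/32 documentation prefix are constructed sample values, and the assumption is that the device's interface identifier is EUI-64 derived, which the helper at the bottom checks before you trust the computed address. The practical use for a defender is knowing which hidden global address RouterOS has actually configured, so that it can be firewalled and monitored even though the Addresses list does not show it.

```python
import ipaddress

def mac_to_modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit Modified EUI-64 interface identifier from a 48-bit MAC
    (RFC 4291 Appendix A): split the MAC, insert ff:fe in the middle and invert
    the universal/local bit of the first octet."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the U/L bit
    return bytes(iid)

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the Modified EUI-64 identifier, as SLAAC hosts form it."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + mac_to_modified_eui64(mac))

def is_eui64_derived(addr) -> bool:
    """True when the interface identifier carries the ff:fe marker, i.e. it was
    built from a MAC. RFC 4941 privacy addresses are random and lack it, so the
    prefix-plus-link-local recipe below would not apply to them."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"

def slaac_address(prefix: str, link_local: str) -> ipaddress.IPv6Address:
    """mducharme's recipe: the global address a SLAAC client forms from the RA's
    /64 prefix is the prefix's first 64 bits followed by the last 64 bits of the
    device's link-local address (same interface identifier on both)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC (RFC 4862) expects a /64 prefix")
    ll = ipaddress.IPv6Address(link_local)
    if not ll.is_link_local:
        raise ValueError("second argument must be a fe80::/10 link-local address")
    if not is_eui64_derived(ll):
        raise ValueError("link-local IID is not EUI-64 derived; recipe not applicable")
    iid = int(ll) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def expected_global_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Convenience: go straight from the interface MAC to the hidden global address."""
    return slaac_address(prefix, str(link_local_from_mac(mac)))

if __name__ == "__main__":
    # Constructed sample values (not from the thread): a documentation prefix
    # as a router would advertise it, and an arbitrary interface MAC.
    sample_prefix = "2001:db8:1:2::/64"
    sample_mac = "00:11:22:33:44:55"
    ll = link_local_from_mac(sample_mac)
    print("link-local from MAC      :", ll)
    print("hidden SLAAC global addr :", slaac_address(sample_prefix, str(ll)))
```

Feed `slaac_address` the prefix from the upstream router's RA (or from `/ipv6 nd prefix` on the advertising MikroTik) and the link-local shown for the interface; the result is the address the device is reachable on even though it is absent from the IPv6->Addresses list. If `is_eui64_derived` returns False for the link-local, the identifier is not MAC-based and the arithmetic cannot be trusted.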
 
pe1chl
Forum Guru
Posts: 7233
Joined: Mon Jun 08, 2015 12:09 pm

Re: Request: Better visibility regarding SLAAC in V7

Tue Feb 23, 2021 12:05 pm

I fully agree that this is not right! It was probably the result of some dirty hack to add a client for SLAAC to RouterOS, as in normal Linux it works as expected (you can see the address and route using "ip -6 addr" and "ip -6 route").
It should show the address and route as a D (dynamic) item in address and route lists, like it does in so many other situations.

Of course in hindsight SLAAC was a bad idea. The IPv6 group should just have gone for making DHCPv6 the standard and only way (besides static configuration) for obtaining IP address and other configuration info on a network. That would have made things so much easier, and the "privacy extensions" hack would have been unnecessary.
 
mducharme
Trainer
Topic Author
Posts: 1142
Joined: Tue Jul 19, 2016 6:45 pm

Re: Request: Better visibility regarding SLAAC in V7

Thu Feb 25, 2021 7:20 am

> Can you share a ticket ID, so I can +1 this?
It was Ticket# 2018052922002772 but that was from their old OTRS system. They have since moved to JIRA.
