Happens with IPv6 set to NOTRACK. It's not tracking causing this.
As Normis already wrote, these are not really bugs but you are merely exhausting the capacity of the router, either for IPv6 ND or for IPv6 connection tracking.
So it is ND (also indicated by the name of the tool).
No, you're doing exactly the same thing MikroTik support did — that is, not reading the addresses that are being targeted. Despite using a tool for ND crashing, it is not ND which is causing the problem — it's just an easy-to-find tool which will send ICMPv6 packets to lots of different destination addresses.
I can confirm the problem, in one case forwarding of IPv6 traffic eats all the memory. There is also another case when kernel is crashing, but also can be related to low memory.
We will look into this problem.
To refer you back to my post, and why ND is not to blame (despite using an "ND exhaustion tool"):
ND is like ARP. It is used to find the hardware address corresponding to the IPv6 address. Transit routers do not use it. (but they could use tracking)
The question I had for MikroTik was: why is the hAP ac2 crashing? The target subnet is connected to the hEX. The hEX is doing ND, the hAP ac2 is not doing ND. Yes, the hEX crashes (it should not — the IPv6 neighbor table should not grow without bound!). But the hAP ac2 also crashes, and for a different reason to ND exhaustion. Guess what? CCRs used for transit also crash. That means a customer of an ISP running MikroTik routers as their BGP edge can use the ND exhaustion tool (targeting a subnet "out on the Internet") and crash their own ISP's MikroTiks.
RaspberryPi ---- hAP ac2 ---- hEX
If I run this on the Raspberry Pi:
XXXREDACTEDXXX 2a01:9e02:0:666::/64
Then the hAPac2 crashes.
@pe1chl thank you for your response.
Not "someone access the router". When "some user" logs in to the router they cannot see this info. They have to be an administrator to see it.
The reason why this data is stored in plaintext is that it has to be available in plaintext for the protocols it is used for (IPsec, xCHAPx).
So you cannot store a hash value of those values.
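Added example, not part of the original thread: a minimal CHAP (RFC 1994, MD5) exchange showing why the server must hold the same secret bytes as the peer and cannot verify against a one-way hash of them. It covers plain CHAP only, not IPsec or the MS-CHAP variants; the class and function names and the secret value are made up for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994, MD5 algorithm: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Hypothetical server side; `stored` is whatever it keeps for the user."""
    def __init__(self, stored: bytes):
        self.stored = stored
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        # Fresh identifier and random challenge for every attempt.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, response: bytes) -> bool:
        # The server recomputes the digest itself, so it needs the same
        # secret bytes the peer used, not a one-way hash of them.
        expected = chap_response(self.identifier, self.stored, self.challenge)
        return hmac.compare_digest(expected, response)

def run_exchange(peer_secret: bytes, server_stored: bytes) -> bool:
    server = Authenticator(server_stored)
    ident, challenge = server.new_challenge()
    return server.verify(chap_response(ident, peer_secret, challenge))

def replay_accepted(secret: bytes) -> bool:
    # A response computed for one challenge is presented against the next.
    server = Authenticator(secret)
    ident, challenge = server.new_challenge()
    old = chap_response(ident, secret, challenge)
    server.new_challenge()
    return server.verify(old)

SECRET = b"constructed-example-secret"  # constructed sample value

if __name__ == "__main__":
    print("server stores plaintext:", run_exchange(SECRET, SECRET))
    print("server stores SHA-256  :", run_exchange(SECRET, hashlib.sha256(SECRET).digest()))
    print("old response replayed  :", replay_accepted(SECRET))
```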
This is an out-of-the-box configuration, plus IPv6, NOTRACK, and some static routes.
I have never seen increasing memory usage due to IPv6 forwarding. But apparently your use case or configuration is different.
Fri Sep 14, 2018 9:45 am
Now we're talking. I was subscribed to it until it stopped sending me emails, without me unsubscribing. Where can I find that list? That solves the complete issue. I just thought they've dropped the list.
Email list
Is it this one? https://mikrotik.com/client/ecom_notify.php
I got that link from my last email from 2015, but removed the unregn query string parameter.
I can't find any "official" link to the URL I mentioned above. It appears to be part of the "Account" section, but I have no account on the mikrotik.com website (only on the forum).
Oh jesus christ. It's in big red at the bottom of the page... I'm a genius... as in stable genius...
Complete closure does not prevent attackers from trying though ...
This tells me that you should close it 100% and use VPN.
Actually it is closed by the book, every possible measure taken. Cannot be 100% sure of course. This IP is known circulating in honeypots and it's in every possible scam database, however this bot specifically works as a winbox scanner. By the way, the default port is changed also. Something to think about for those who think they secured their winbox.
This tells me that you should close it 100% from outside and use VPN.
Yes it is
can you see if this works now?
Site is quite slow here because it has an IPv6 address in DNS but IPv6 does not actually work for this server.