Neilson
Member Candidate
Posts: 174
Joined: Tue Nov 06, 2012 10:42 pm
Location: Auckland, New Zealand

Re: v6.45beta [testing] is released!

Mon Mar 18, 2019 6:26 pm

I installed the latest Beta 6.45Beta16 on an hAP ac lite (Coming from 6.45Beta11).

Reboot to install packages
Reboot to update routerboot
- wlan2 interface disappears
Reboot again
- wlan2 interface appears again

So for other users this may need a further reboot.

Mikrotik may want to run this test themselves to see if it is reproducible. I can make a supout if needed.

Regards
Alexander
 
Cha0s
Forum Veteran
Posts: 880
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.45beta [testing] is released!

Tue Mar 19, 2019 6:47 pm

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated.
In the scenario where an ISP doesn't provide a static IP to its client, instead using a dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostname is always needed to achieve VPN/online cameras/RDP. But when it comes to doing an IPsec VPN setup with a Mikrotik router, the hostnames can't be used as you can't enter them into sa-dst-address, thereby forcing you to go make a script and put that script on a scheduler.

Edit: Non-road warrior basically.
++
 
Zoolander06
just joined
Posts: 22
Joined: Thu Jan 03, 2019 5:26 pm

Re: v6.45beta [testing] is released!

Wed Mar 20, 2019 4:37 pm

So I gave the new vendor class identifier matcher feature a try; it works well but it's quite limited: one can only reserve a pool of IPs for a certain type of device.
It would be nice to be able to send different options to certain devices.
Example: I have Yealink and Cisco IP phones on my network; each one needs a different TFTP server name (option 66) to provision, but I can only set one per DHCP server.
With this beta version I can control which IP my phones will have, but I still can't specify a distinct option 66 for each type.

Or am I missing something?
 
mrz
MikroTik Support
Posts: 5909
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.45beta [testing] is released!

Thu Mar 21, 2019 2:39 pm

You can specify DHCP option set per DHCP network.
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 12:47 pm

Version 6.45beta19 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta19 (2019-Mar-22 07:30):

Changes in this release:

*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1) (CLI only);
*) certificate - removed DSA (D) flag;
*) ike1 - improved stability for transport mode policies on initiator side;
*) ike2 - added support for ECDSA certificate authentication (rfc4754);
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ipsec - renamed "rsa-signature" authentication method to "digital-signature";
*) smb - fixed possible buffer overflow;
*) sms - added USSD message functionality under "/tool sms" (CLI only);
*) ssh - do not generate host key on configuration export;
*) wireless - improved DFS radar detection when using non-ETSI regulated country;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
Mikrotiker
just joined
Posts: 10
Joined: Wed Oct 05, 2005 4:08 pm

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 2:48 pm

After the update to 6.45beta19 the wireless interface can no longer be found.

Model: SXT HG5 ac


ROS Update, reboot
Wireless interface disappeared

Routerboot update, reboot
Wireless interface disappeared

reboot
Wireless interface disappeared

Log: DefConf gen: Unable to find Wireless interface(s)

I will send you a supout with the reference to this thread.

I did a downgrade to 6.45beta16 and everything is back and running, except the remote unit.
 
Zoolander06
just joined
Posts: 22
Joined: Thu Jan 03, 2019 5:26 pm

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 3:56 pm

You can specify DHCP option set per DHCP network.
You're right, but I usually need all my phones to be on the same network.
I think I could make some subnets, maybe it would work, but it would be easier and more logical to set the options in the vendor class identifier matcher, or in the pool.

Thank you for answering me :)
 
kitit
just joined
Posts: 4
Joined: Mon Aug 03, 2015 11:13 am

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 4:25 pm

After the update to 6.45beta19 the wireless interface can no longer be found.

Model: SXT HG5 ac


ROS Update, reboot
Wireless interface disappeared

Routerboot update, reboot
Wireless interface disappeared

reboot
Wireless interface disappeared

Log: DefConf gen: Unable to find Wireless interface(s)
RouterBOARD 962UiGS-5HacT2HnT

In Log: 15:26:21 script,warning DefConf gen: Unable to find wireless interface(s)

Wireless 5GHz not found in interfaces
 
ArtursL
MikroTik Support
Posts: 6
Joined: Wed Jul 05, 2017 4:50 pm

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 7:21 pm

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.
Downgrading back to 6.45beta16 or earlier returns the interface.
Thank you Mikrotiker and kitit for reporting.
 
honzam
Forum Guru
Posts: 2277
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 7:42 pm

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.
Downgrading back to 6.45beta16 or earlier returns the interface.
Thank you Mikrotiker and kitit for reporting.
The same problem on AR5008 (711GA-5HnD). Please check it.
LAN, FTTx, Wireless. ISP operator
 
dhoulbrooke
newbie
Posts: 45
Joined: Sun Apr 19, 2015 7:24 am
Location: Whakatane, New Zealand

Re: v6.45beta [testing] is released!

Fri Mar 22, 2019 7:46 pm

Hi Arturs,

In RouterOS 6.45beta19 there is a known bug that 5GHz WLAN interface disappears. Affects only specific devices - those that have wireless 5GHz interface-type=Atheros AR9888.

The 5GHz interface disappears on the wAP ac also.
 
arnis128
just joined
Posts: 2
Joined: Mon Aug 29, 2016 1:03 pm
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Sat Mar 23, 2019 11:50 am

Hi, all!
I can confirm that the 5GHz band does not work on a RouterBOARD M33G with an Atheros 5008 PCIe card installed.

Also, the upgrade of any of my mipsbe (mAP 2n, mAP L-2nD) platforms fails, because the ipv6 package is broken.
-----------------
Mar/23/2019 10:54:24 system,error broken package system-6.45beta19-mipsbe.npk
Mar/23/2019 10:54:24 system,error can not install ipv6-6.45beta19: system-6.45beta19 is not installed, but is required
Mar/23/2019 10:54:24 system,info router rebooted
-----------------
Arnis
 
korniza
newbie
Posts: 26
Joined: Fri Jan 06, 2012 4:05 pm

Re: v6.45beta [testing] is released!

Sun Mar 24, 2019 5:26 pm

Same here! I'm afraid this update killed my old rb751 :(
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sun Mar 24, 2019 11:33 pm

Thanks for adding ECDSA certificates!
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases no root required
 
wispmikrotik
Frequent Visitor
Posts: 50
Joined: Tue Apr 25, 2017 10:43 am

Re: v6.45beta [testing] is released!

Mon Mar 25, 2019 2:42 pm

Hi, all!
I can confirm that the 5GHz band does not work on a RouterBOARD M33G with an Atheros 5008 PCIe card installed.

Also, the upgrade of any of my mipsbe (mAP 2n, mAP L-2nD) platforms fails, because the ipv6 package is broken.
-----------------
Mar/23/2019 10:54:24 system,error broken package system-6.45beta19-mipsbe.npk
Mar/23/2019 10:54:24 system,error can not install ipv6-6.45beta19: system-6.45beta19 is not installed, but is required
Mar/23/2019 10:54:24 system,info router rebooted
-----------------
Arnis
Hi,

Same problem on a mAP Lite; after restarting and trying again to install the version, it installed correctly. I verified the installation.

Greeting
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue Mar 26, 2019 8:53 am

Version 6.45beta20 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta20 (2019-Mar-25 10:07):

Changes in this release:

*) certificate - made RAM the default CRL storage location;
*) ike1 - adjusted debug packet logging topics;
*) ipsec - fixed freshly created identity not taken in action;
*) lte - allow to specify URL for firmware upgrade "firmware-file" parameter;
*) sms - fixed long message parsing (introduced in v6.45beta19);
*) wireless - fixed 5GHz interface disappearing after upgrade (introduced in v6.45beta19);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
kmansoft
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Tue Mar 26, 2019 9:41 pm

Will this be fixed please so that EC certificates can be used for IPSec auth?
Thank you for this in beta 19!

( now support for ed25519 would be great too... hint hint... )
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:03 pm

Version 6.45beta22 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta22 (2019-Mar-29 08:37):

Changes in this release:

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
*) certificate - added "key-type" field (CLI only);
*) certificate - fixed SAN being duplicated on status change (introduced in v6.44);
*) dhcpv6-server - added "address-list" support for bindings (CLI only);
*) export - fixed SMS "allowed-number" compact export (introduced in v6.45beta);
*) fetch - added SFTP support;
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ipsec - added support for RADIUS accounting;
*) ipsec - fixed policies becoming invalid after changing priority;
*) snmp - added OID for neighbor "interface";
*) snmp - added "write-access" column to community print;
*) snmp - allow setting interface "adminStatus";
*) ssh - fixed multiline non-interactive command execution;
*) ssh - improved session rekeying process on exchanged data size threshold;
*) supout - added "kid-control devices" section to supout file;
*) userman - updated authorize.net gateway DNS name;
*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
eworm
Member
Posts: 354
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:12 pm

*) fetch - added SFTP support;
Yes, can't wait to use this! Is there a way to use it with public key authentication?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
ludvik
Frequent Visitor
Posts: 57
Joined: Mon May 26, 2008 4:36 pm

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:34 pm

will it be backported to versions 6.40.x and 6.43.x?
Version 6.45beta22 has been released.

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:40 pm

will it be backported to versions 6.40.x and 6.43.x?
Version 6.45beta22 has been released.

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);
Sorry, but CVE-2018-19299 is not fixed in 6.45beta22.
Marek
 
marekm
Member Candidate
Posts: 195
Joined: Tue Feb 01, 2011 11:27 pm

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:43 pm

What's new in 6.45beta22 (2019-Mar-29 08:37):

!) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298);

*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;
1. ipv6 - thanks for the CVE fixes, hope to see them in stable/long-term soon. Then, with this out of the way, please work on Delegated-IPv6-Prefix for PPPoE so many people can actually deploy IPv6 :)
2. w60g - does it try weaker APs in turn after it fails to connect to the strongest one? Could happen with wrong key, or exceeded limit of stations per AP (1 or 8 depending on license), or denied by MAC ACL (if ever implemented for w60g, as in 2.4/5GHz wifi).
 
msatter
Forum Guru
Posts: 1158
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 1:53 pm

@markim the creator of the CVE states in the post above yours, that the first CVE 19299 was not fixed by this beta.

When Mikrotik is giving more info about this we will know if it is fixed in their eyes.
 
marekm
Member Candidate
Posts: 195
Joined: Tue Feb 01, 2011 11:27 pm

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 2:30 pm

The two posts were written at about the same time. I guess there will be another beta to test soon...
 
normis
MikroTik Support
Posts: 24042
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 2:50 pm

Issues that were reported to Mikrotik have been fixed. Device no longer can be crashed. maznu, if you have any more details, please email support and explain what you meant.
No answer to your question? How to write posts
 
ErfanDL
Member Candidate
Posts: 269
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 4:38 pm

And when is the release for the stable channel?!
 
Farseer
just joined
Posts: 17
Joined: Sat Feb 09, 2019 11:25 pm

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 8:04 pm

@emils

Is the scenario sufficient for IPSec sa-dst/src-address hostname name usage?
 
Chupaka
Forum Guru
Posts: 8290
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.45beta [testing] is released!

Fri Mar 29, 2019 11:03 pm

And when is the release for the stable channel?!
As soon as it’s ready
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
kiler129
Member Candidate
Posts: 221
Joined: Tue Mar 31, 2015 4:32 pm

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 6:48 am

Are there any plans to address the 5GHz interface crash on the RB4011?
 
strods
MikroTik Support
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 11:30 am

There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing), which could lead to a Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to a large neighbor table), which could lead to a Watchdog reboot.

It seems that one of these was considered a CVE and the other one was not. Since the author of these CVEs still has a problem, it seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. The RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, the route cache grows and can take up to 500 MB. If you have a device that does not have such resources, it will reboot itself. If the router has, for example, 1 GB of RAM, there is no problem. We will most likely allow changing the cache size or will decide its size based on RAM size. However, it cannot be considered a bug or vulnerability. You make the router work and then complain that resources are required to do the job. This is not a bug.
 
jrpaz
Frequent Visitor
Posts: 76
Joined: Wed Jun 05, 2013 5:54 am

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 3:28 pm

it cannot be considered a bug or vulnerability
That's not what they are saying here: viewtopic.php?f=2&t=147048
They are talking about CCRs and CHRs crashing; I don't know what more resources people need.
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 3:45 pm

It seems that one of these was considered a CVE and the other one was not. Since the author of these CVEs still has a problem, it seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. The RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, the route cache grows and can take up to 500 MB. If you have a device that does not have such resources, it will reboot itself. If the router has, for example, 1 GB of RAM, there is no problem. We will most likely allow changing the cache size or will decide its size based on RAM size. However, it cannot be considered a bug or vulnerability. You make the router work and then complain that resources are required to do the job. This is not a bug.
I agree with the technical assessment above: if someone else tries to reach 1 million hosts in your network and you have less than 500 MB of free RAM, then your router will crash.

I believe MikroTik produces five devices which are not vulnerable in the configuration as shipped by MikroTik if those devices are used as transit routers (i.e. with full BGP IPv4 and IPv6 tables loaded).
Marek
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 3:48 pm

It seems that one of these was considered a CVE and the other one was not. Since the author of these CVEs still has a problem, it seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. The RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, the route cache grows and can take up to 500 MB. If you have a device that does not have such resources, it will reboot itself. If the router has, for example, 1 GB of RAM, there is no problem. We will most likely allow changing the cache size or will decide its size based on RAM size. However, it cannot be considered a bug or vulnerability. You make the router work and then complain that resources are required to do the job. This is not a bug.
As a side note, now that MikroTik has publicly released full details about the vulnerability, I hope nobody is going to be worried about what I am presenting on April 9th. The content of the talk will not increase the risk to your networks.
Marek
 
jrpaz
Frequent Visitor
Posts: 76
Joined: Wed Jun 05, 2013 5:54 am

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 3:50 pm

It's not on the security blog. I'm assuming it will be there sooner rather than later.
 
Samot
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: v6.45beta [testing] is released!

Sun Mar 31, 2019 5:31 pm

it cannot be considered a bug or vulnerability
That's not what they are saying here: viewtopic.php?f=2&t=147048
They are talking about CCRs and CHRs crashing; I don't know what more resources people need.
Actually there is at least one person in that thread who confirmed that when taking their CHR from 300 MB RAM to 3 GB RAM the issue goes away. That does sound like a memory resource problem. Let's just not assume that because they are running CHR they must have all the resources in the world. The YouTube videos that were posted about this issue showing the CHR crashing were of a CHR with 256 MB RAM. If people are saying their CCRs are crashing over this I would then ask, which model of CCR? Because if it's the 1009 series, I could see it having an issue: since it has 1 GB RAM and this issue can eat up over 500 MB on its own, it could cause the CCR1009s to have issues.

Was anyone able to reproduce this on CCRs that have 2-4 GB RAM? Did it eat them up too?
 
marlow
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 12:37 am

Also, if Mikrotik RouterOS allows the cache to eat up more memory than what is available on the device, then that is a bug. Simply because the device knows what amount of ram it has to begin with. It should not be able to allow the device to allocate more ram than what it has or has available.

Not having that sort of limitation in there in the first place begs to be exploited. Shortsighted development.

/M
Communication is the beginning of understanding
-- AT&T
 
kiler129
Member Candidate
Posts: 221
Joined: Tue Mar 31, 2015 4:32 pm

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 3:56 am

The atmosphere here is becoming slightly toxic...

Like freaking really, how many of you have worked with software as a developer? It's very easy to say that when you have very little clue how hard such problems are. I understand the frustration at the end effect, but it seems like MT is doing what they can to mitigate. Even though the device may know its memory, its growth may not be as easy to predict as you think.

These IPv6 problems aren't new, nor do they really present a huge danger in a properly configured environment. If you expect a small router with 64MB of memory to handle a lot of incoming connections, you're already in trouble with conntrack.
 
marlow
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 4:08 am

These IPv6 problems aren't new, nor do they really present a huge danger in a properly configured environment. If you expect a small router with 64MB of memory to handle a lot of incoming connections, you're already in trouble with conntrack.

The issue here is that the memory usage of the cache can't be limited by configuration (unless you switch IPv6 off) and that it can basically be triggered arbitrarily by an external attacker, which results in a DoS scenario as the router even stops forwarding traffic or constantly reboots, triggered by the watchdog, while under attack (as far as I understand).

The other issue is that Mikrotik has known and acknowledged that this is an issue since March 2018 and has not done anything about it until now, when they were told that the exploit is to be made public.

/M
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 9:52 am

Version 6.45beta23 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta23 (2019-Apr-01 05:51):

Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

MAJOR CHANGES IN v6.45:
----------------------
!) ipv6 - fixed soft lockup when forwarding IPv6 packets;
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table;
----------------------

Changes in this release:

*) ipsec - properly drop already established tunnel when address change detected;
*) ipv6 - adjust IPv6 route cache max size based on total RAM memory;
*) smb - fixed possible buffer overflow;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
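The beta23 entry "adjust IPv6 route cache max size based on total RAM" and strods's figures earlier in the thread (a 1 million entry default, up to 500 MB) can be illustrated with a bounded cache. This is an added example and not MikroTik's code: the 500 bytes per entry is derived from those two numbers, and the 25% RAM budget, the LRU policy and the sample destinations are assumptions.

```python
"""Route cache sized from total RAM, with LRU eviction.

Added illustration for the thread's IPv6 route cache discussion: a cache
capped at a fixed 1 million entries (~500 MB) regardless of device RAM versus
one whose cap is derived from RAM, so a flood of unique destinations can never
exhaust memory.  Not MikroTik's implementation.
"""
from collections import OrderedDict
from typing import Callable

DEFAULT_MAX_ENTRIES = 1_000_000   # default cap cited in the thread
ENTRY_BYTES = 500                 # derived: 1M entries ~ 500 MB
CACHE_RAM_FRACTION = 0.25         # assumption: cache may use 1/4 of total RAM


def default_cap_fits(total_ram_bytes: int) -> bool:
    """Can the fixed 1M-entry default even fit in this device's RAM?"""
    return DEFAULT_MAX_ENTRIES * ENTRY_BYTES <= total_ram_bytes


def max_entries_for_ram(total_ram_bytes: int,
                        fraction: float = CACHE_RAM_FRACTION,
                        hard_cap: int = DEFAULT_MAX_ENTRIES) -> int:
    """Cap derived from RAM: never above the default, never above the budget."""
    budget = int(total_ram_bytes * fraction)
    return max(1, min(hard_cap, budget // ENTRY_BYTES))


class BoundedRouteCache:
    """Destination -> next-hop cache that evicts the least recently used entry
    once max_entries is reached, so memory use is bounded by construction."""

    def __init__(self, max_entries: int) -> None:
        self.max_entries = max_entries
        self._entries: "OrderedDict[str, str]" = OrderedDict()
        self.hits = self.misses = self.evictions = 0

    def lookup(self, dst: str, resolve: Callable[[str], str]) -> str:
        if dst in self._entries:
            self._entries.move_to_end(dst)       # mark as recently used
            self.hits += 1
            return self._entries[dst]
        self.misses += 1
        next_hop = resolve(dst)                   # slow path: full route lookup
        if len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)     # evict the LRU entry
            self.evictions += 1
        self._entries[dst] = next_hop
        return next_hop

    def __len__(self) -> int:
        return len(self._entries)

    def approx_bytes(self) -> int:
        return len(self._entries) * ENTRY_BYTES


def simulate_flood(total_ram_bytes: int, unique_destinations: int) -> dict:
    """Push traffic to many distinct (constructed) IPv6 destinations through a
    RAM-sized cache and report how large it got.  The next hop is constant
    because only the growth of the cache matters here."""
    cache = BoundedRouteCache(max_entries_for_ram(total_ram_bytes))
    resolve = lambda dst: "2001:db8::1"           # constructed single next hop
    for i in range(unique_destinations):
        cache.lookup(f"2001:db8:{i >> 16:x}:{i & 0xffff:x}::", resolve)
    return {
        "cap": cache.max_entries,
        "entries": len(cache),
        "bytes": cache.approx_bytes(),
        "evictions": cache.evictions,
        "within_ram": cache.approx_bytes() <= total_ram_bytes,
    }


if __name__ == "__main__":
    for mib in (64, 256, 1024):
        ram = mib * 1024 * 1024
        print(f"{mib:5d} MiB RAM: default cap fits={default_cap_fits(ram)}, "
              f"flood result={simulate_flood(ram, 200_000)}")
```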
 
nkourtzis
Member Candidate
Posts: 202
Joined: Tue Dec 11, 2012 12:56 am
Location: Greece

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 9:59 am

There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing), which could lead to a Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to a large neighbor table), which could lead to a Watchdog reboot.

It seems that one of these was considered a CVE and the other one was not. Since the author of these CVEs still has a problem, it seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. The RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, the route cache grows and can take up to 500 MB. If you have a device that does not have such resources, it will reboot itself. If the router has, for example, 1 GB of RAM, there is no problem. We will most likely allow changing the cache size or will decide its size based on RAM size. However, it cannot be considered a bug or vulnerability. You make the router work and then complain that resources are required to do the job. This is not a bug.

As a matter of fact, silently allowing any data structure to grow beyond the available system resources without any safeguard or alternative mechanism in place is a bug. Even more so, since the default is inappropriate for most of the devices in your product lineup.

-- EDIT: I just saw the new beta changelog. Thank you for the IPv6 fix! Does it also apply to the IPv4 route cache?
Passionate about networks
Enthusiastic about Mikrotik
MTCNA | MTCRE | MTCINE

No trees were killed to send this message,
but a large number of electrons were terribly inconvenienced.
 
rkj
just joined
Posts: 15
Joined: Sun Jun 11, 2006 7:38 pm

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 10:30 am

There were two IPv6 related issues resolved in this version:
1) IPv6 packet forwarding might get stuck (due to IPv6 route cache processing), which could lead to a Watchdog reboot;
2) IPv6 neighbor table processing might get stuck (due to a large neighbor table), which could lead to a Watchdog reboot.

It seems that one of these was considered a CVE and the other one was not. Since the author of these CVEs still has a problem, it seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. The RouterOS IPv6 route cache max size by default is 1 million. If you try to reach 1 million hosts in your network, the route cache grows and can take up to 500 MB. If you have a device that does not have such resources, it will reboot itself. If the router has, for example, 1 GB of RAM, there is no problem. We will most likely allow changing the cache size or will decide its size based on RAM size. However, it cannot be considered a bug or vulnerability. You make the router work and then complain that resources are required to do the job. This is not a bug.
Actually, it is. In networking, cache-based forwarding has been considered harmful for reasons such as this problem, and has been replaced by topology-based forwarding. So at least one of the bugs shouldn't even exist. But even topology-based systems require neighbour tables, so this one needs to be managed both in size and in rate, while also managing the rate of packets targeted at in-progress neighbours.
 
jprietove
Trainer
Posts: 88
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 11:17 am

Version 6.45beta23 has been released.
What's new in 6.45beta23 (2019-Apr-01 05:51):
!) ipv6 - fixed soft lockup when forwarding IPv6 packets;
!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table;
----------------------
Congratulations! I have tested this beta and I confirm that with 300 MB RAM the router's memory doesn't fill. A CHR with 300 MB of RAM running OSPFv3 has 237 MB of free memory and during the attack it stays at around 200 MB.

Hopefully this fix will be in long-term and current branches soon.
 
maznu
Member Candidate
Posts: 197
Joined: Tue May 05, 2015 11:12 am
Location: Manchester, UK

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 12:08 pm

Congratulations! I have tested this beta and I confirm that with 300 MB RAM the router's memory doesn't fill. A CHR with 300 MB of RAM running OSPFv3 has 237 MB of free memory and during the attack it stays at around 200 MB.

Hopefully this fix will be in long-term and current branches soon.
I concur.

I look forward to everyone being able to push this live, given that MikroTik has disclosed the nature of the vulnerability before making the fix available in the "bugfix" and "current" versions of RouterOS.
Marek
 
Jotne
Forum Guru
Posts: 1221
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 1:48 pm

It's not that your router will go down if you do not install the IPv6 fix on your router.

You need IPv6 enabled.
You need someone who knows you are running IPv6.
You need someone targeting you with an attack.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
Erayd
just joined
Posts: 6
Joined: Mon Nov 09, 2015 9:59 pm

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 2:16 pm

You need someone targeting you with an attack.
Or targeting somebody else, but transiting your routers on the way. But you make good points. It's still a serious issue though.
 
ste
Forum Guru
Posts: 1786
Joined: Sun Feb 13, 2005 11:21 pm

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 2:24 pm

It's not that your router will go down if you do not install a fix for IPv6 on your router.

You need IPv6 enabled.
You need someone who knows you are running IPv6.
You need someone targeting you with an attack.
Quite simple. Do a traceroute to a customer. Identify the BGP gateway. Start the attack. Any WISP not doing IPv6 now?
You will find humans doing this just for fun.

We need the fix in the Long-Term Release ASAP.
 
Jotne
Forum Guru
Posts: 1221
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.45beta [testing] is released!

Mon Apr 01, 2019 3:06 pm

You will find humans doing this just for fun.
That is true.
I installed Cowrie on port 22/23 (SSH and Telnet honeypot). Looking through the logs, 99.99% are automatic scripts that try to install various stuff automatically, so lots of bots and little fun :)

80-90% of the SSH connections try this:
direct-tcp connection request to ya.ru:80 from 0.0.0.0:0
Just to test if they can use SSH as a proxy, I guess. (99% use ya.ru as a test server)
Some of the log:
New connection: 5.188.86.165:64944 (10.10.10.50:2222) [session: 42d69d743f2c]
Remote SSH version: 'SSH-2.0-Go'
login attempt [root/admin] succeeded
direct-tcp connection request to ya.ru:80 from 0.0.0.0:0
Connection lost after 0 seconds

New connection: 189.46.216.87:38040 (10.10.10.50:2223) [session: 8a47a991d959]
login attempt [root/1234] succeeded
enable
system
shell
sh
cat /proc/mounts; /bin/busybox LPPBJ
cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox LPPBJ
tftp; wget; /bin/busybox LPPBJ
dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
/bin/busybox LPPBJ
rm .s; exit
Connection lost after 2 seconds

New connection: 46.48.231.3:43837 (10.10.10.50:2222) [session: ababf7a7cf75]
Remote SSH version: 'SSH-2.0-libssh2_1.8.1'
login attempt [root/root] failed
login attempt [root/admin] succeeded
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
echo Hi | cat -n
Connection lost after 33 seconds
 
 
 
emils
MikroTik Support
Topic Author
Posts: 459
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Apr 04, 2019 12:31 pm

Version 6.45beta27 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta27 (2019-Apr-03 13:53):

Changes in this release:

*) dhcpv4-server - fixed commenting option for alerts;
*) dhcpv6-server - added "address-list" support for bindings (CLI only);
*) discovery - limit max neighbour count per interface based on total RAM memory;
*) discovery - improved neighbour's MAC address detection;
*) fetch - added SFTP support;
*) ipsec - fixed possible configuration corruption after import;
*) ipv6 - improved IPv6 neighbor table updating process;
*) rb2011 - removed "sfp-led" from "System/LEDs" menu;
*) ssh - added new "ssh-exec" command for non-interactive command execution;
*) ssh - fixed multiline non-interactive command execution;
*) wireless - added support for US FCC UNII-2 and Canada country profiles for LHG-5HPnD-US, RBLHG-5HPnD-XL-US and SXTsq5HPnD-US devices;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
osc86
newbie
Posts: 46
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Apr 05, 2019 12:27 am

igmp-snooping is killing IPv6 connectivity by not forwarding neighbor solicitation messages.
FF02:1:XXXX:XXXX isn't listed in the MDB table, so no NS messages are exchanged between hosts.
This happens at least since beta22.
CCR1009-7G-1C-1S+ ROS6.45.2
 
davidzodelin
just joined
Posts: 1
Joined: Fri Sep 28, 2018 2:52 pm

Re: v6.45beta [testing] is released!

Fri Apr 05, 2019 2:27 am

*) wireless - added support for US FCC UNII-2 and Canada country profiles for LHG-5HPnD-US, RBLHG-5HPnD-XL-US and SXTsq5HPnD-US devices;

Please add US FCC UNII-2 support for RBSXT5nDr2 (SXT Lite 5).