FIPTech
Long time Member
Topic Author
Posts: 558
Joined: Tue Dec 22, 2009 1:53 am

Windows 10 Router Advertisement leaking

Sat Dec 03, 2022 3:12 pm

I faced a nasty problem after enabling IPv6 in a LAN with two subnetworks (main and guest networks, split in two VLANs).
I did use stateless IPv6 configuration on both subnetworks, advertised by a Mikrotik router.

After doing that, I had a Windows 10 PC where I got two IPv6 addresses, one for each subnetwork! Initially I thought that there was an ICMPv6 leak (RA leaking) between both VLANs, or a leak in the RouterOS advertisements. But after checking that, this was not the case.

After scratching my head, I did finally find the culprit: Windows 10 was listening for tagged traffic from the guest network that was available in the cable to this PC. The Ethernet adapter was set up without specific VLAN configuration, normally only listening for untagged traffic of the main subnetwork.

Disabling the guest tagged VLAN in the switch for the port of this PC solved the problem. No more dual IPv6 addresses!!!
This means that Windows was listening for all ICMPv6 traffic, not only ICMPv6 from the untagged VLAN, but ICMPv6 from all tagged VLANs available in the Ethernet cable!

I report this here because it seems to me that this is a security issue. Alternatively, when a PC gets, in error, two or more IPv6 addresses from different subnetworks, this triggers IPv6 connectivity problems, especially inside web browsers, which could revert to IPv4 (IPv4 fallback) because of that.

The solution is to check that switch ports going to IPv6 enabled PCs never have more enabled VLANs than the untagged VLAN of the desired subnetwork (access port only).
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Windows 10 Router Advertisement leaking

Sat Dec 03, 2022 3:36 pm

This has nothing to do with Mikrotik specifically, the same would be seen using a router from any other network vendor.

It is well known that most Microsoft network drivers strip VLAN tags on ingress, so any tagged broadcast/multicast packets will also be delivered to the network stack rather than being discarded.
 
FIPTech
Long time Member
Topic Author
Posts: 558
Joined: Tue Dec 22, 2009 1:53 am

Re: Windows 10 Router Advertisement leaking

Sat Dec 03, 2022 6:46 pm

> This has nothing to do with Mikrotik specifically, the same would be seen using a router from any other network vendor.
>
> It is well known that most Microsoft network drivers strip VLAN tags on ingress, so any tagged broadcast/multicast packets will also be delivered to the network stack rather than being discarded.

Yes, it's not specific to Mikrotik. But Mikrotik is offering connectivity and IPv6 stateless address configuration for IPv6 LANs. So I think that it is interesting for network administrators to know that there is a possible problem here. This is the reason for my post.

IPv4 is not targeted most of the time because DHCPv4 answers are normally unicast, except if the broadcast flag is set in the request, or if the server has been set up with the Always broadcast option.

So eventually the same problem can occur with DHCPv4.

> It is well known that most Microsoft network drivers strip VLAN tags on ingress

Perhaps, but according to my experience the consequences are not so well known, especially for IPv6.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Windows 10 Router Advertisement leaking

Sat Dec 03, 2022 8:18 pm

> But Mikrotik is offering connectivity and IPv6 stateless address configuration for IPv6 LANs. So I think that it is interesting for network administrators to know that there is a possible problem here.

I guess every seasoned network admin is aware of the mentioned oddity of Windows network drivers. Also, it is good practice to configure ports on switches so that they only offer what's necessary for the device connected to it.

Yes, it's good to mention these things once in a while, but make sure the wording is exact as to pointing to the real culprit.
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Windows 10 Router Advertisement leaking

Sun Mar 05, 2023 2:14 am

Had the same issue and was suspecting my MikroTik as the culprit but I was very wrong.

I found some background information about this topic: viewtopic.php?p=988242#p988242

Basically it's the default behaviour of Windows drivers which comply with WHQL: https://docs.microsoft.com/en-us/window ... n-keywords
PriorityVLANTag (standard Windows keyword for NICs) documentation states:
"The miniport driver should remove the 802.1Q header from all receive packets regardless of the *PriorityVLANTag setting.
If the 802.1Q header is left in a packet, other drivers might not be able to parse the packet correctly.
If the Rx flag is enabled on the receive path, the miniport driver should copy the removed 802.1Q header into OOB.
Otherwise, if the Rx flag is disabled, the miniport driver should not copy the removed 802.1Q header into OOB."
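
A way to check a host-facing switch port for the condition discussed in this thread, as an added example that is not part of any post above: it parses raw Ethernet frames (for instance from a port mirror), finds ICMPv6 Router Advertisements, and reports which ones arrive with an 802.1Q tag, together with the prefixes they advertise. The VLAN ID 20, the prefixes and the sample frames are constructed for illustration.

```python
import ipaddress, struct

def parse_ra(frame: bytes):
    """Return (vlan_id or None, [prefixes]) for an ICMPv6 Router Advertisement, else None."""
    if len(frame) < 14:
        return None
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == 0x8100 and len(frame) >= 18:      # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18                  # low 12 bits of TCI = VLAN ID
    if ethertype != 0x86DD or len(frame) < off + 56:  # IPv6 header (40) + RA fixed part (16)
        return None
    if frame[off + 6] != 58:                          # next header must be ICMPv6 (no ext. headers handled)
        return None
    icmp = frame[off + 40:]
    if icmp[0] != 134:                                # type 134 = Router Advertisement
        return None
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):                       # walk the RA options
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0 or pos + olen > len(icmp):
            break
        if otype == 3 and olen == 32:                 # Prefix Information option
            addr = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(f"{addr}/{icmp[pos + 2]}")
        pos += olen
    return vlan, prefixes

def tagged_ras(frames):
    """Map VLAN ID -> prefixes for RAs that reach the port with an 802.1Q tag."""
    found = {}
    for frame in frames:
        ra = parse_ra(frame)
        if ra and ra[0] is not None:
            found.setdefault(ra[0], []).extend(ra[1])
    return found

def build_ra(prefix: str, vlan=None) -> bytes:
    """Constructed sample frame: RA with one prefix option (ICMPv6 checksum left at 0)."""
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + pio
    src, dst = ipaddress.IPv6Address("fe80::1").packed, ipaddress.IPv6Address("ff02::1").packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src + dst
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes.fromhex("333300000001020000000001") + tag + struct.pack("!H", 0x86DD) + ip6 + icmp

# Constructed capture: main network untagged, guest network tagged with VLAN 20 (made-up values)
CAPTURE = [build_ra("2001:db8:1::/64"), build_ra("2001:db8:20::/64", vlan=20)]

if __name__ == "__main__":
    for vid, prefixes in tagged_ras(CAPTURE).items():
        print(f"tagged RA on VLAN {vid}: {prefixes} -> port should not carry this VLAN")
```

An empty result from `tagged_ras` on a capture taken at the PC's port means only the untagged (access) VLAN is delivering Router Advertisements there.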
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Windows 10 Router Advertisement leaking

Sun Mar 05, 2023 3:13 pm
