[AusNOG] AARNet's IPv6 Broker is being shutdown on the 7th of April 2019 at 10pm AEST

2019-03-31 Thread Warrick Mitchell
Dear AusNOG,

Please be advised that after many years of service the AARNet IPv6 Tunnel 
Broker (http://broker.aarnet.net.au/) service is being discontinued as the 
hardware and software are no longer supported.

Whilst it will be missed, we are happy to see that a large number of service 
providers in Australia are now offering IPv6 services to their clients directly, 
which has reduced the usage of this service to the point where it no longer 
makes economic sense for AARNet to keep providing it.

We will be switching the broker off on Sunday the 7th of April 2019 at 10pm 
AEST.

Kind regards,
Warrick Mitchell
Network Architect
AARNet Pty Ltd
___
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog


Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you have Public IPv6 Facing Mikrotik

2019-03-31 Thread Joseph Goldman
Biggest issue is I still want to use their hardware; RouterBoards have 
some good products. hAPs for home CPE, 3011s for SME and 1100x4s 
for corp and/or bottom of tower are great value for money. I know some 
boards you can flash WRT onto, but it's not as full featured, and Ubiquiti 
routers are also not as flexible from my limited exposure to them :(. If 
I could run something like VyOS on a RouterBoard I would.

On 2019-04-01 12:11 PM, Michael J. Carmody wrote:


If you want to stay in the Mikrotik like space, VyOS is probably where 
you need to be for BGP/Carrier networking.


If looking for CPE/lower level again, pfSense or Edgerouter?

-Michael

*From:* AusNOG *On Behalf Of* Alex Samad
*Sent:* Sunday, 31 March 2019 5:51 PM
*To:* ausnog@lists.ausnog.net
*Subject:* Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you 
have Public IPv6 Facing Mikrotik


Sigh, how long have they promised V7 ...

Think it was coming soon 7 years ago

Multithreaded BGP !

"

* There's a comment 'The fix is in v7' - there's a long-running joke 
that v7 will never emerge (it probably never will; they've lost most 
of their senior engineers, and refuse to open source their code to 
leverage their developers in the community)


"

is this whispers or documented somewhere ?

What would some suggest as a good replacement ?

A

On Sat, 30 Mar 2019 at 09:48, Philip Loenneker wrote:


Unfortunately this apparently fixes 2x softlock issues, but not a
memory leak that results in a reboot of the device.

You can read from here on to see more information:

https://forum.mikrotik.com/viewtopic.php?f=2=147048#p723977

Regards,

*Philip Loenneker | Network Engineer**| TasmaNet*

*From:* AusNOG *On Behalf Of* Shane Clay
*Sent:* Friday, 29 March 2019 10:08 PM
*To:* ausnog@lists.ausnog.net 
*Subject:* Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if
you have Public IPv6 Facing Mikrotik

Looks like a fix is on the way:

What's new in 6.45beta22 (2019-Mar-29 08:37):

Changes in this release:

!) ipv6 - fixed soft lockup when forwarding IPv6 packets
(CVE-2018-19299);

!) ipv6 - fixed soft lockup when processing large IPv6 Neighbor
table (CVE-2018-19298);

https://mikrotik.com/download/changelogs/testing-release-tree

Shane Clay

Caznet

*From:* AusNOG *On Behalf Of* Noel Butler
*Sent:* Friday, 29 March 2019 12:02 PM
*To:* ausnog@lists.ausnog.net 
*Subject:* Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if
you have Public IPv6 Facing Mikrotik

On 29/03/2019 11:17, Mike Everest wrote:

On the point of "the fix is in v7"

v7 has, for a great many years, been code for "too hard basket"

-- 


Kind Regards,

Noel Butler

This Email, including any attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal any part, to anyone, without the author's express written authority
to do so. If you are not the intended recipient, please notify the sender
then delete all copies of this message including attachments, immediately.
Confidentiality, copyright, and legal privilege are not waived or lost by
reason of the mistaken delivery of this message. Only PDF and ODF documents
accepted; please do not send proprietary formatted documents.



Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you have Public IPv6 Facing Mikrotik

2019-03-31 Thread Karl Auer
On Mon, 2019-04-01 at 01:11 +, Michael J. Carmody wrote:
> If you want to stay in the Mikrotik like space, VyOS is probably
> where you need to be for BGP/Carrier networking.

This is really sad, because the MikroTiks are almost unbeatable bang
for buck.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389





Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you have Public IPv6 Facing Mikrotik

2019-03-31 Thread Rob Thomas
For those with popcorn, here's the running update (and, after typing
all this, I realise it may not be of interest to everyone on the list
- but it's a REALLY GOOD EXAMPLE of what not to do, so if you're
involved in security at YOUR org, please take notes. Specifically -
ALWAYS HAVE A 'security@' email address that gets read by AT LEAST
THREE PEOPLE who can go 'wait, hang on, that's ACTUALLY a really big
issue'). If you're not interested, please feel free to skip over it.
But it's entertaining from a nerd perspective -
https://twitter.com/xrobau/status/780395954003969


* It seems like my original summary was pretty much spot on.
* The original thread has exploded - Linky:
https://forum.mikrotik.com/viewtopic.php?f=2=147048
* 'Normis' appears to be the public face for MikroTik in this,
and has been chatting with Maznu (OP) and me on twitter.
* ANNOUNCEMENT BY MIKROTIK: This is fixed in 6.45b22!
   Maznu: No it's not. https://twitter.com/maznu/status/910399182626816
* Mikrotik: We only heard about this last week!
   Maznu: No. Here's screenshots of my emails to you, a year ago,
where you say it's not to be kept secret.
https://twitter.com/maznu/status/1112442619244802048
* MikroTik: IRRESPONSIBLE DISCLOSURE! You should have given us more warning!
   Me: WTF, is 360 days NOT ENOUGH?
* Also Me: Guys, c'mon. You messed up. Everyone does it. Use it as a
learning experience on how to NOT handle security issues!

Since the titles of the CVEs have been mentioned a few times (yes, the
title alone is enough to figure out the problems), the vulnerabilities
have been confirmed or re-implemented by other third parties.

CVE-2018-19298 = NDP exhaustion
CVE-2018-19299 = IPv6 routing exhaustion

https://forum.mikrotik.com/viewtopic.php?f=2=147048=100#p724283

* MikroTik: OK, we can fix 19298 by limiting new IPv6 connections to
2.5 per second -
https://forum.mikrotik.com/viewtopic.php?f=2=147048=50#p724018
   The world: Um. This is not 1995. We have web browsers that
establish 6 concurrent connections.

(To quote Michael Wheeler, our resident Ham and entertaining presenter
at LCA2019 - "ipv6 / ndp exhaustion still happening in 2019. ffs." -
https://twitter.com/theskorm/status/791284585324544)

On the UPSIDE, There has been some interest directed at my favourite
open source router, VyOS (based on Vyatta, which was purchased and
borg'ed by Brocade), and some discussions have been had about getting
XDP and/or DPDK into it.  People seem to be leaning towards XDP,
because it allows things to be scripted by BPF, and is almost as fast
as DPDK anyway, without all the downsides of having to faff around
with moving things in and out of userspace.

(For those that haven't heard of them, they're super-optimized ways of
moving network traffic around inside/outside of the Linux/BSD Kernel -
letting standard machines run 20+ Million PPS routing/switching, with
all the advantages of commodity hardware - feel free to chat to me off
list, or on twitter where I can tag people who know more about it and
pretend I'm an expert!)

I won't do any more summaries, unless something amazing happens (eg,
MikroTik tableflip and open sources everything like they should have
10 years ago). Thanks to Cameron for the original heads up. This has
been great fun.

--Rob
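The NDP exhaustion failure mode Rob summarises above (CVE-2018-19298, "soft lockup when processing large IPv6 Neighbor table") has a signature a defender can watch for without touching the vendor's code: the neighbor cache fills with entries that never resolve, because every packet sent to an unused address on an on-link /64 creates one. The script below is an added example and is not code from this thread, from MikroTik or from VyOS. It assumes the Linux `ip -6 neigh show` line format, the neighbor-table text it parses is a constructed sample, and the alert thresholds (`max_unresolved`, `min_unresolved_ratio`) are assumptions to be tuned per network. It goes a little beyond the post by also measuring how fast new unresolved entries appear between two samples, which separates a sweep from a merely large but healthy segment.

```python
"""Detect signs of IPv6 NDP (neighbor cache) exhaustion from neighbor-table samples.

Added example, not code from the AusNOG thread, MikroTik or VyOS. Assumes the
Linux `ip -6 neigh show` line format; all sample data below is constructed.
"""
import re
from collections import defaultdict

# Unresolved NUD states: the kernel has sent Neighbor Solicitations but has no
# link-layer address yet (INCOMPLETE) or has given up (FAILED). Under NDP
# exhaustion these dominate the cache.
UNRESOLVED_STATES = {"INCOMPLETE", "FAILED"}

# Constructed sample of `ip -6 neigh show`: a few resolved hosts plus a burst
# of unresolved entries on eth0, as a sweep of the on-link /64 leaves behind.
SAMPLE_NEIGH_TABLE = """\
2001:db8:0:1::1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
2001:db8:0:1::10 dev eth0 lladdr 00:11:22:33:44:10 STALE
2001:db8:0:1::11 dev eth0 lladdr 00:11:22:33:44:11 DELAY
fe80::211:22ff:fe33:4402 dev eth1 lladdr 00:11:22:33:44:02 REACHABLE
2001:db8:0:1:dead:beef:0:1 dev eth0  INCOMPLETE
2001:db8:0:1:dead:beef:0:2 dev eth0  INCOMPLETE
2001:db8:0:1:dead:beef:0:3 dev eth0  INCOMPLETE
2001:db8:0:1:dead:beef:0:4 dev eth0  FAILED
2001:db8:0:1:dead:beef:0:5 dev eth0  FAILED
2001:db8:0:1:dead:beef:0:6 dev eth0  INCOMPLETE
"""

# Constructed earlier sample of the same table, taken two seconds before.
EARLIER_SAMPLE = """\
2001:db8:0:1::1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
fe80::211:22ff:fe33:4402 dev eth1 lladdr 00:11:22:33:44:02 REACHABLE
2001:db8:0:1:dead:beef:0:1 dev eth0  INCOMPLETE
2001:db8:0:1:dead:beef:0:2 dev eth0  INCOMPLETE
"""

# One line of `ip -6 neigh show`: address, interface, optional lladdr,
# optional flags (router/proxy), then the NUD state.
_NEIGH_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:]+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<lladdr>[0-9a-fA-F:]+))?"
    r"(?: (?:router|proxy))*"
    r"\s+(?P<state>[A-Z]+)\s*$"
)


def parse_neigh_table(text):
    """Return a list of dicts (addr, dev, lladdr, state); unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _NEIGH_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarise(entries):
    """Per-interface counts of resolved vs unresolved neighbor entries."""
    summary = defaultdict(lambda: {"resolved": 0, "unresolved": 0, "total": 0})
    for e in entries:
        bucket = "unresolved" if e["state"] in UNRESOLVED_STATES else "resolved"
        summary[e["dev"]][bucket] += 1
        summary[e["dev"]]["total"] += 1
    return dict(summary)


def check_exhaustion(summary, max_unresolved=1000, min_unresolved_ratio=0.5):
    """Flag interfaces whose cache is dominated by unresolved entries.

    Reports an interface when it holds more than max_unresolved unresolved
    entries, or when at least min_unresolved_ratio of its entries are
    unresolved. Both thresholds are assumptions; a healthy segment has few
    unresolved entries relative to resolved ones.
    """
    alerts = []
    for dev, c in sorted(summary.items()):
        if c["total"] == 0:
            continue
        ratio = c["unresolved"] / c["total"]
        if c["unresolved"] > max_unresolved or ratio >= min_unresolved_ratio:
            alerts.append({"dev": dev, "unresolved": c["unresolved"],
                           "total": c["total"], "ratio": round(ratio, 2)})
    return alerts


def unresolved_growth_rate(before, after, seconds):
    """New unresolved addresses per second, per interface, between two samples.

    A sustained high rate on one interface (many fresh targets per second in
    a single /64) is the signature of a sweep creating cache entries faster
    than they expire, which a static count alone cannot distinguish from a
    large but stable segment.
    """
    def unresolved_set(entries):
        return {(e["dev"], e["addr"]) for e in entries if e["state"] in UNRESOLVED_STATES}

    new = unresolved_set(after) - unresolved_set(before)
    per_dev = defaultdict(int)
    for dev, _addr in new:
        per_dev[dev] += 1
    return {dev: n / seconds for dev, n in per_dev.items()}


if __name__ == "__main__":
    entries = parse_neigh_table(SAMPLE_NEIGH_TABLE)
    for a in check_exhaustion(summarise(entries)):
        print(f"{a['dev']}: {a['unresolved']}/{a['total']} unresolved ({a['ratio']:.0%})")
    rate = unresolved_growth_rate(parse_neigh_table(EARLIER_SAMPLE), entries, seconds=2.0)
    print("new unresolved entries per second:", rate)
```

In production the two functions would be fed by periodic `ip -6 neigh show` captures (or the equivalent export from whatever router is in use), and the alert would be the trigger to apply the usual mitigations from RFC 6583: rate-limiting neighbor resolution, capping unresolved entries per interface, and not routing unused space toward the on-link segment.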


Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you have Public IPv6 Facing Mikrotik

2019-03-31 Thread Alex Samad
Sigh, how long have they promised V7 ...
Think it was coming soon 7 years ago

Multithreaded BGP !

"
* There's a comment 'The fix is in v7' - there's a long-running joke that v7
will never emerge (it probably never will; they've lost most of their
senior engineers, and refuse to open source their code to leverage their
developers in the community)
"
is this whispers or documented somewhere ?


What would some suggest as a good replacement ?

A



On Sat, 30 Mar 2019 at 09:48, Philip Loenneker <philip.loenne...@tasmanet.com.au> wrote:

> Unfortunately this apparently fixes 2x softlock issues, but not a memory
> leak that results in a reboot of the device.
>
> You can read from here on to see more information:
>
> https://forum.mikrotik.com/viewtopic.php?f=2=147048#p723977
>
>
>
> Regards,
>
> *Philip Loenneker | Network Engineer** | TasmaNet*
>
>
>
> *From:* AusNOG  *On Behalf Of *Shane Clay
> *Sent:* Friday, 29 March 2019 10:08 PM
> *To:* ausnog@lists.ausnog.net
> *Subject:* Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you
> have Public IPv6 Facing Mikrotik
>
>
>
> Looks like a fix is on the way:
>
>
>
> What's new in 6.45beta22 (2019-Mar-29 08:37):
>
> Changes in this release:
>
> !) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299);
>
> !) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table
> (CVE-2018-19298);
>
>
>
> https://mikrotik.com/download/changelogs/testing-release-tree
>
>
>
>
>
> Shane Clay
>
> Caznet
>
>
>
>
>
> *From:* AusNOG  *On Behalf Of *Noel
> Butler
> *Sent:* Friday, 29 March 2019 12:02 PM
> *To:* ausnog@lists.ausnog.net
> *Subject:* Re: [AusNOG] Mikrotik IPv6 Vulnerability - Must Read if you
> have Public IPv6 Facing Mikrotik
>
>
>
> On 29/03/2019 11:17, Mike Everest wrote:
>
> On the point of "the fix is in v7"
>
>
>
>
>
> v7  has for a great many years, been code for  "too hard basket"
>
>
>
> --
>
> Kind Regards,
>
> Noel Butler
>
>