So first make sure you have it: > /system package print The RouterOS (v6.18) need package “ipv6” for all this to work. IPv6 prefix will be delegated by ISP, but address assignment will be done by customer (us) to our IPv6 capable home devices (laptop, smartphone). We need to distinguish between address assignment and prefix delegation. This extension to DHCPv6 is described in RFC3633.Īlthough it is pretty much self-explanatory, CPE is cable modem in this case, MT is Mikrotik WLAN router. My ISP is using DHCPv6-PD to delegate IPv6 (/56 sized) prefixes to the customers. In this post I’ll explain IPv6 setup on my home router Mikrotik running RouterOS on Routerboard 951-2n. Therefore, until the bugfix/longterm and stable versions include this recent fix, core routers processing significant (more than 2 new connections per sec, burst of 5) we recommend to run the 6.45beta23 software release, and firewall filters for all other routers.Now days most of ISPs provide their end-users with IPv6 connectivity. For reasons outlined above, input chain can not be used for this case.
Typically, attacks that target a specific device by sending packets with destination address OF THAT device which can be mitigated using input chain of firewall. The structure/content of such malicious packets are not matchable by any of the available packet attributes of MikroTik firewall, and therefore, the only way to effectively limit excess dodgy packets is to limit ALL ipv6 connections to a limited rate. So such malicious packets could have destination address of another router server, host, client on your network. Essentially, an attack on a specific router can be made by sending 'specially crafted' IPv6 packet to any IPv6 host on any network via the target router.
* To clarify further, the particularly nasty issue (the one from this recent discussion that has caused the most angst) is related to the ipv6 routing engine.
It is important to note that this problem affects routing function of ipv6, so packets with final destination of any host forwarded by a router will make that router vulnerable (i.e. limit=2,5:packet add action=mark-connection \Ĭhain=prerouting connection-state=new dst-address= \ Official MikroTik comment is that there is some more optimisation to be done for routers with low RAM before it will be released into long term and stable versions, and that there is some priority on releasing these updates in advance of the problem going public next week.įor low memory capacity routers (< 100MB) or in cases where upgrade is not feasible, firewall rules to limit new connection rates will help to defeat an attack using the exploit:Īdd action=drop chain=forward connection-mark=drop connection-state=newĪdd action=accept chain=prerouting connection-state=new dst-address=\ MikroTik have now released an effective patch for this issue, albeit currently only in beta chain: 6.45beta23
0 kommentar(er)
