Maybe we should recommend some outbound firewalling for such known nuisances?
To reduce traffic, drop neighbor discovery and smb as well as MikroTik Neighbor Discovery Protocol on tunl0 (optional, but a good idea):
iptables -A OUTPUT -o tunl0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 5678 -j DROP
81.174.253.193 2014-02-23 11:14:58 G7UOD
24.85.103.226 2014-05-22 15:26:56 VE7ASS
The iptables solution doesn't apply to Mikrotik equipment since they don't run Linux.
The Mikrotik Neighbor Discovery Protocol (MNDP) is enabled by default on newly created IPIP interfaces. And since there is such an interface for each mesh partner, they are probably programmatically generated by a script. So the correction has to be done in that script, to explicitly disable MNDP for each newly created interface.
But really, isn't this a kind of overreaction to one 149 bytes long packet every minute?
Marius, YO2LOJ
-----Original Message----- ...
Maybe we should recommend some outbound firewalling for such known nuisances?
To reduce traffic, drop neighbor discovery and smb as well as MikroTik Neighbor Discovery Protocol on tunl0 (optional, but a good idea):
iptables -A OUTPUT -o tunl0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 5678 -j DROP
On Fri, Jun 5, 2015 at 11:54 PM, Marius Petrescu marius@yo2loj.ro wrote:
But really, isn't this a kind of overreaction to one 149 bytes long packet every minute?
Agreed. The sky is not falling.
Running neighbor discovery protocol is actually a benefit. It tells you that you have connectivity to this other AMPR gateway. If those neighbor discovery packets ever stop, you know something has gone wrong and your tunnel to that gateway is broken. If all gateways ran this protocol, you could start collecting some health statistics for the entire network.
Tom KD7LXL
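Tom's point above (a beacon that stops is itself the alarm) can be turned into a small monitor. The script below is an added example, not code from this thread or from MikroTik; it assumes the beacons are the once-a-minute MNDP broadcasts on UDP/5678 discussed here, that the input is the text of `tcpdump -l -n -i tunl0 udp port 5678`, that the capture date is 2015-06-06 (tcpdump prints only the time of day), and that three missed beacons should count as a down tunnel (a chosen threshold, not a protocol constant). The capture lines are constructed, not a real trace.

```python
"""Tunnel-health monitor built on MNDP beacons (UDP/5678).

Added example, not code from the 44Net thread. Assumes the beacons are the
once-a-minute MNDP broadcasts discussed in the thread, that the input is the
text of `tcpdump -l -n -i tunl0 udp port 5678`, and that three missed beacons
mean the tunnel is down (a chosen threshold, not a protocol constant).
"""
import re
from datetime import datetime, timedelta

MNDP_PORT = 5678                          # MikroTik Neighbor Discovery Protocol
BEACON_INTERVAL = timedelta(seconds=60)   # one beacon per gateway per minute (from the thread)
MISSED_BEACONS = 3                        # assumption: alarm after three missed beacons
CAPTURE_DATE = datetime(2015, 6, 6)       # tcpdump prints only time of day; date is assumed

# Constructed sample of tcpdump output (not a real capture). The 44.0.0.3 line is
# a port-10001 discovery packet that the monitor must ignore.
SAMPLE_CAPTURE = """\
11:00:01.000123 IP 44.0.0.1.5678 > 255.255.255.255.5678: UDP, length 121
11:00:02.000456 IP 44.0.0.2.5678 > 255.255.255.255.5678: UDP, length 121
11:00:03.000789 IP 44.0.0.3.10001 > 255.255.255.255.10001: UDP, length 4
11:01:01.000123 IP 44.0.0.1.5678 > 255.255.255.255.5678: UDP, length 121
11:02:01.000123 IP 44.0.0.1.5678 > 255.255.255.255.5678: UDP, length 121
11:03:01.000123 IP 44.0.0.1.5678 > 255.255.255.255.5678: UDP, length 121
"""

# tcpdump -n output for a UDP datagram: "HH:MM:SS.usec IP src.port > dst.port: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)


def clock(hhmmss: str) -> datetime:
    """Turn a tcpdump time-of-day string into a datetime on CAPTURE_DATE."""
    return datetime.combine(CAPTURE_DATE, datetime.strptime(hhmmss, "%H:%M:%S").time())


def parse_beacons(capture: str, port: int = MNDP_PORT):
    """Yield (timestamp, source_ip, payload_length) for UDP datagrams sent to `port`."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m is None or int(m["dport"]) != port:
            continue  # not a UDP line, or not the beacon port being tracked
        yield clock(m["time"]), m["src"], int(m["length"])


def last_seen(capture: str, port: int = MNDP_PORT) -> dict:
    """Most recent beacon timestamp per source gateway."""
    seen = {}
    for ts, src, _ in parse_beacons(capture, port):
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen


def tunnel_status(capture: str, now: str, port: int = MNDP_PORT) -> dict:
    """Map each gateway to ('up'|'down', beacon_age_seconds) as of time `now` (HH:MM:SS).

    A gateway is 'down' once its last beacon is older than MISSED_BEACONS intervals,
    which is the "if the beacons ever stop" signal described in the thread.
    """
    deadline = BEACON_INTERVAL * MISSED_BEACONS
    at = clock(now)
    return {
        src: ("down" if at - ts > deadline else "up", int((at - ts).total_seconds()))
        for src, ts in last_seen(capture, port).items()
    }


def projected_beacon_load(gateways: int, packet_bytes: int = 149) -> int:
    """Bytes per hour of beacon traffic if `gateways` peers each send one packet a minute."""
    return gateways * packet_bytes * 60


if __name__ == "__main__":
    for src, (state, age) in sorted(tunnel_status(SAMPLE_CAPTURE, "11:04:00").items()):
        print(f"{src:15} {state:4} last beacon {age:4d}s ago")
    print("100 beaconing gateways ->", projected_beacon_load(100), "bytes/hour")
```

Run as-is it reports 44.0.0.1 up (beacon 59 s old at 11:04:00) and 44.0.0.2 down (238 s, past the three-beacon deadline), and ignores the port-10001 packet. `projected_beacon_load` puts a number on the "what if everyone beaconed" worry: 100 gateways at one 149-byte packet a minute is about 894 kB per hour on the tunnel interface. Note that a beacon only proves the peer's packets reach you, not that yours reach the peer.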
Overreaction, yes, if you consider 149 bytes each minute. But what if ALL the MikroTik guys were doing exactly the same thing: broadcasting every minute through every ampr gateway's tunnel? It would, methinks, turn my tunnel into a total dog's breakfast, making it impossible for me to monitor the 'real' activity on my system.
Every packet from all the folks I share an axip/udp link with traverses my tun0, which I monitor. Now add the async discovery broadcasts from how many MikroTik guys, before the real traffic can no longer be seen through the 'I'm alive are you alive' clutter?
This is my real concern.
I'm sorry if the terms I use are not in the best networking argot. 73 - jerome - ve7ass
On 2015-06-06 07:21, Tom Hayward wrote:
On Fri, Jun 5, 2015 at 11:54 PM, Marius Petrescu marius@yo2loj.ro wrote:
But really, isn't this a kind of overreaction to one 149 bytes long packet every minute?
Agreed. The sky is not falling.
Running neighbor discovery protocol is actually a benefit. It tells you that you have connectivity to this other AMPR gateway. If those neighbor discovery packets ever stop, you know something has gone wrong and your tunnel to that gateway is broken. If all gateways ran this protocol, you could start collecting some health statistics for the entire network.
Tom KD7LXL
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Honestly, if you’re on the internet and expect to not get random packets, you’re deluding yourself. And any decent packet capture/analysis program is EASILY capable of filtering on anything your heart could desire. If you don’t want to see certain traffic, filter it from your capture results.
On a personal opinion, 44-net and the tunnels are treated too much like a RF system. This is a network, similar to and attached to the internet, random stuff WILL come across, attacks will happen, and you’ll communicate like normal. It’s the responsibility of someone attaching an RF device to the internet to use firewalls or whatever other means to filter out the cruft as appropriate for their RF service. For example, if you’re in the US, and use Part 15, then perhaps you don’t care. If you’re on Part 97, then filter out what you don’t expect.
Complaining on the mailing list about every stray packet one sees (and this is not the first) uses far more bandwidth than the 149 byte packet, and FAR FAR FAR more of everyone’s time.
This is the internet, it’s an unexpected packet, that’s expected.
Nigel
On Jun 6, 2015, at 10:14, jerome schatten romers@shaw.ca wrote:
Overreaction, yes, if you consider 149 bytes each minute. But what if ALL the MikroTik guys were doing exactly the same thing: broadcasting every minute through every ampr gateway's tunnel? It would, methinks, turn my tunnel into a total dog's breakfast, making it impossible for me to monitor the 'real' activity on my system.
Every packet from all the folks I share an axip/udp link with traverses my tun0, which I monitor. Now add the async discovery broadcasts from how many MikroTik guys, before the real traffic can no longer be seen through the 'I'm alive are you alive' clutter?
This is my real concern.
I'm sorry if the terms I use are not in the best networking argot. 73 - jerome - ve7ass
On 2015-06-06 07:21, Tom Hayward wrote:
On Fri, Jun 5, 2015 at 11:54 PM, Marius Petrescu marius@yo2loj.ro wrote:
But really, isn't this a kind of overreaction to one 149 bytes long packet every minute?
Agreed. The sky is not falling.
Running neighbor discovery protocol is actually a benefit. It tells you that you have connectivity to this other AMPR gateway. If those neighbor discovery packets ever stop, you know something has gone wrong and your tunnel to that gateway is broken. If all gateways ran this protocol, you could start collecting some health statistics for the entire network.
Tom KD7LXL
On 6/6/15 1:23 PM, Nigel Vander Houwen wrote:
Complaining on the mailing list about every stray packet one sees (and this is not the first) uses far more bandwidth than the 149 byte packet, and FAR FAR FAR more of everyone’s time.
This is the internet, it’s an unexpected packet, that’s expected.
+1
I really can't believe people are logging every single packet across their network. I mean come on people, don't we have better things to do with our time? ;-)
73's W9CR