Dear YLs and OMs,
beware of the latest Mikrotik RouterOS versions 6.21 and 6.22.
It generates strange IPIP packets addressed to the remote endpoint of an IPIP tunnel. The IPIP packets themselves contain an IP packet that is addressed from the remote endpoint to the Mikrotik router.
Pseudo packet capture
Frame: 1 Time: 0
Internet Protocol Version 4, Src: Mi.Kr.Ot.Ik (Mi.Kr.Ot.Ik), Dst: Re.Mo.Te.IP (Re.Mo.Te.IP)
Internet Protocol Version 4, Src: Re.Mo.Te.IP (Re.Mo.Te.IP), Dst: Mi.Kr.Ot.Ik (Mi.Kr.Ot.Ik)

Frame: 2 Time: 10
Internet Protocol Version 4, Src: Mi.Kr.Ot.Ik (Mi.Kr.Ot.Ik), Dst: Re.Mo.Te.IP (Re.Mo.Te.IP)
Internet Protocol Version 4, Src: Re.Mo.Te.IP (Re.Mo.Te.IP), Dst: Mi.Kr.Ot.Ik (Mi.Kr.Ot.Ik)
and so on, almost every 10 seconds.
Once I downgraded to version 6.20 the strange packets seem to have stopped appearing.
If someone discovers the origin of this issue and knows of a way to avoid the issue other than downgrading, please let me know.
Thanks to PE1CH for notifying me after seeing the strange IPIP packets on his system.
73 de Marc
Be sure to bring it to the attention of Mikrotik
On Thu, Nov 13, 2014 at 2:43 PM, Marc, LX1DUC lx1duc@laru.lu wrote:
[...]
Looks like tunnel keepalives. Looking at the 6.22 docs, they are enabled by default now and run in 10 second intervals.
Jesse - WC3XS
On Nov 13, 2014, at 5:43 PM, Marc, LX1DUC lx1duc@laru.lu wrote:
[...]
Yep that's what I thought as well, but I couldn't find anyplace where I could activate or deactivate the tunnel keepalive on IPIP Interfaces...
On 14/11/2014 00:12, Jesse Hindmarsh wrote:
Looks like tunnel keepalives. Looking at the 6.22 docs, they are enabled by default now and run in 10 second intervals.
Jesse - WC3XS
On 14/11/2014 00:15, Marc, LX1DUC wrote:
Yep that's what I thought as well, but I couldn't find anyplace where I could activate or deactivate the tunnel keepalive on IPIP Interfaces...
I'm taking that back. The option "keepalive" is available in the CLI only. The range is 1 to 4294967295, and you have to use the option "!keepalive" to turn it off.
73 de Marc, LX1DUC
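Added example, not part of the original thread: a small Python check that recognises the packet shape shown in the pseudo capture, an IPIP packet whose inner IPv4 header swaps the outer source and destination, so such probes can be told apart from ordinary tunnelled traffic in a capture. The addresses are documentation ranges and the inner protocol number is a constructed value, since the thread does not say what the inner packet carries.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 encapsulation


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) for an IPv4 packet, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or len(buf) < ihl or total_len < ihl:
        return None
    src = ipaddress.IPv4Address(buf[12:16])
    dst = ipaddress.IPv4Address(buf[16:20])
    return src, dst, buf[9], buf[ihl:min(total_len, len(buf))]


def is_mirrored_ipip(packet):
    """True when an IPIP packet's inner header swaps the outer src and dst."""
    outer = parse_ipv4(packet)
    if outer is None or outer[2] != IPPROTO_IPIP:
        return False
    inner = parse_ipv4(outer[3])
    if inner is None:  # truncated or non-IPv4 payload
        return False
    return inner[0] == outer[1] and inner[1] == outer[0]


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the samples (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def count_mirrored(packets):
    """Number of packets in the iterable that match the mirrored pattern."""
    return sum(1 for p in packets if is_mirrored_ipip(p))


# Constructed samples: placeholder addresses, inner protocol 253 (experimental).
ROUTER, REMOTE = "192.0.2.1", "198.51.100.7"
KEEPALIVE = build_ipv4(ROUTER, REMOTE, IPPROTO_IPIP, build_ipv4(REMOTE, ROUTER, 253))
TUNNELLED = build_ipv4(ROUTER, REMOTE, IPPROTO_IPIP, build_ipv4("10.0.0.5", "10.1.0.9", 6))

if __name__ == "__main__":
    print(count_mirrored([KEEPALIVE, TUNNELLED]))
```

Counting matches per tunnel peer over time in a real capture would show the roughly 10 second spacing reported in the thread.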