前回のアップデートからおおよそ2ヶ月ぶりとなる、stableチャンネルがアップデートされました。今回は重要な内容のアップデートを含んでいます。
まずはリリースノートから。
What's new in 6.45.1 (2019-Jun-27 10:23): Important note!!! Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading. MAJOR CHANGES IN v6.45.1: ---------------------- !) dot1x - added support for IEEE 802.1X Port-Based Network Access Control; !) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator; !) security - fixed vulnerabilities CVE-2018-1157, CVE-2018-1158; !) security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479; !) security - fixed vulnerability CVE-2019-13074; !) user - removed insecure password storage; ---------------------- Changes in this release: *) bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used; *) bridge - correctly handle bridge host table; *) bridge - fixed log message when hardware offloading is being enabled; *) bridge - improved stability when receiving traffic over USB modem with bridge firewall enabled; *) capsman - fixed CAP system upgrading process for MMIPS; *) capsman - fixed interface-list usage in access list; *) ccr - improved packet processing after overloading interface; *) certificate - added "key-type" field; *) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1); *) certificate - fixed self signed CA certificate handling by SCEP client; *) certificate - made RAM the default CRL storage location; *) certificate - removed DSA (D) flag; *) certificate - removed "set-ca-passphrase" parameter; *) chr - legacy adapters require "disable-running-check=yes" to be set; *) cloud - added "replace" parameter for backup "upload-file" command; *) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160); *) conntrack - significant stability and performance improvements; *) crs317 - fixed known multicast flooding to the CPU; *) crs3xx - added ethernet tx-drop counter; *) crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate; *) crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature); *) crs3xx - fixed "tx-drop" counter; *) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305; *) defconf - added "custom-script" field that prints custom configuration installed by Netinstall; *) defconf - automatically set "installation" parameter for outdoor devices; *) defconf - changed default configuration type to AP for cAP series devices; *) defconf - fixed channel width selection for RU locked devices; *) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration; *) dhcp - do not require lease and binding to have the same configuration for dual-stack queues; *) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues; *) dhcpv4-server - added "client-mac-limit" parameter; *) dhcpv4-server - added IP conflict logging; *) dhcpv4-server - added RADIUS accounting support with queue based statistics; *) dhcpv4-server - added "vendor-class-id" matcher (CLI only); *) dhcpv4-server - improved stability when performing "check-status" command; *) dhcpv4-server - replaced "busy" lease status with "conflict" and "declined"; *) dhcpv6-client - added option to disable rapid-commit; *) dhcpv6-client - fixed status update when leaving "bound" state; *) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time"; *) dhcpv6-server - added "address-list" support for bindings; *) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters; *) dhcpv6-server - added RADIUS accounting support with queue based statistics; *) dhcpv6-server - added "route-distance" parameter; *) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server; *) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS; *) discovery - correctly create neighbors from VLAN tagged discovery messages; *) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44); *) discovery - improved neighbour's MAC address detection; *) discovery - limit max neighbour count per interface based on total RAM memory; *) discovery - show neighbors on actual mesh ports; *) e-mail - include "message-id" identification field in e-mail header; *) e-mail - properly release e-mail sending session if the server's domain name can not be resolved; *) ethernet - added support for 25Gbps and 40Gbps rates; *) ethernet - fixed running (R) flag not present on x86 interfaces and CHR legacy adapters; *) ethernet - increased loop warning threshold to 5 packets per second; *) fetch - added SFTP support; *) fetch - improved user policy lookup; *) firewall - fixed fragmented packet processing when only RAW firewall is configured; *) firewall - process packets by firewall when accepted by RAW with disabled connection tracking; *) gps - fixed missing minus close to zero coordinates in dd format; *) gps - make sure "direction" parameter is upper case; *) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values; *) gps - use "serial0" as default port on LtAP mini; *) hotspot - added "interface-mac" variable to HTML pages; *) hotspot - moved "title" HTML tag after "meta" tags; *) ike1 - adjusted debug packet logging topics; *) ike2 - added support for ECDSA certificate authentication (rfc4754); *) ike2 - added support for IKE SA rekeying for initiator; *) ike2 - do not send "User-Name" attribute to RADIUS server if not provided; *) ike2 - improved certificate verification when multiple CA certificates received from responder; *) ike2 - improved child SA rekeying process; *) ike2 - improved XAuth identity conversion on upgrade; *) ike2 - prefer SAN instead of DN from certificate for ID payload; *) ippool - improved logging for IPv6 Pool when prefix is already in use; *) ipsec - added dynamic comment field for "active-peers" menu inherited from identity; *) ipsec - added "ph2-total" counter to "active-peers" menu; *) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods; *) ipsec - added traffic statistics to "active-peers" menu; *) ipsec - disallow setting "src-address" and "dst-address" for transport mode policies; *) ipsec - do not allow adding identity to a dynamic peer; *) ipsec - fixed policies becoming invalid after changing priority; *) ipsec - general improvements in policy handling; *) ipsec - properly drop already established tunnel when address change detected; *) ipsec - renamed "remote-peers" to "active-peers"; *) ipsec - renamed "rsa-signature" authentication method to "digital-signature"; *) ipsec - replaced policy SA address parameters with peer setting; *) ipsec - use tunnel name for dynamic IPsec peer name; *) ipv6 - improved system stability when receiving bogus packets; *) ltap - renamed SIM slots "up" and "down" to "2" and "3"; *) lte - added initial support for Vodafone R216-Z; *) lte - added passthrough interface subnet selection; *) lte - added support for manual operator selection; *) lte - allow setting empty APN; *) lte - allow to specify URL for firmware upgrade "firmware-file" parameter; *) lte - do not show error message for info commands that are not supported; *) lte - fixed session reactivation on R11e-LTE in UMTS mode; *) lte - improved firmware upgrade process; *) lte - improved "info" command query; *) lte - improved R11e-4G modem operation; *) lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only); *) lte - show alphanumeric value for operator info; *) lte - show correct firmware revision after firmware upgrade; *) lte - use default APN name "internet" when not provided; *) lte - use secondary DNS for DNS server configuration; *) m33g - added support for additional Serial Console port on GPIO headers; *) ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2; *) ospf - fixed opaque LSA type checking in OSPFv2; *) ospf - improved "unknown" LSA handling in OSPFv3; *) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066); *) ppp - added initial support for Quectel BG96; *) proxy - increased minimal free RAM that can not be used for proxy services; *) rb3011 - improved system stability when receiving bogus packets; *) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required); *) rb921 - improved system stability ("/system routerboard upgrade" required); *) routerboard - renamed 'sim' menu to 'modem'; *) sfp - fixed S-35LC20D transceiver DDMI readouts after reboot; *) sms - added USSD message functionality under "/tool sms" (CLI only); *) sms - allow specifying multiple "allowed-number" values; *) sms - improved delivery report logging; *) snmp - added "dot1dStpPortTable" OID; *) snmp - added OID for neighbor "interface"; *) snmp - added "write-access" column to community print; *) snmp - allow setting interface "adminStatus"; *) snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception"; *) snmp - fixed "send-trap" with multiple "trap-targets"; *) snmp - improved reliability on SNMP service packet validation; *) snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs; *) ssh - accept remote forwarding requests with empty hostnames; *) ssh - added new "ssh-exec" command for non-interactive command execution; *) ssh - fixed non-interactive multiple command execution; *) ssh - improved remote forwarding handling (introduced in v6.44.3); *) ssh - improved session rekeying process on exchanged data size threshold; *) ssh - keep host keys when resetting configuration with "keep-users=yes"; *) ssh - use correct user when "output-to-file" parameter is used; *) sstp - improved stability when received traffic hits tarpit firewall; *) supout - added IPv6 ND section to supout file; *) supout - added "kid-control devices" section to supout file; *) supout - added "pwr-line" section to supout file; *) supout - changed IPv6 pool section to output detailed print; *) switch - properly reapply settings after switch chip reset; *) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only); *) tile - improved link fault detection on SFP+ ports; *) tr069-client - added LTE CQI and IMSI parameter support; *) tr069-client - fixed potential memory corruption; *) tr069-client - improved error reporting with incorrect firware upgrade XML file; *) traceroute - improved stability when sending large ping amounts; *) traffic-generator - improved stability when stopping traffic generator; *) tunnel - removed "local-address" requirement when "ipsec-secret" is used; *) userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only); *) w60g - do not show unused "dmg" parameter; *) w60g - prefer AP with strongest signal when multiple APs with same SSID present; *) w60g - show running frequency under "monitor" command; *) winbox - added "System/SwOS" menu for all dual-boot devices; *) winbox - do not allow setting "dns-lookup-interval" to "0"; *) winbox - show "LCD" menu only on boards that have LCD screen; *) wireless - fixed frequency duplication in the frequency selection menu; *) wireless - fixed incorrect IP header for RADIUS accounting packet; *) wireless - improved 160MHz channel width stability on rb4011; *) wireless - improved DFS radar detection when using non-ETSI regulated country; *) wireless - improved installation mode selection for wireless outdoor equipment; *) wireless - set default SSID and supplicant-identity the same as router's identity; *) wireless - updated "china" regulatory domain information; *) wireless - updated "new zealand" regulatory domain information; *) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);
まず最初に重要な内容、として以下の内容が記載されています。
Important note!!!
Due to removal of compatibility with old version passwords in this version, downgrading to any version prior to v6.43 (v6.42.12 and older) will clear all user passwords and allow password-less authentication. Please secure your router after downgrading.
パスワード認証周りに変更があったようで、もし今回の6.45.1にアップデートした場合、何らかの理由で6.43未満にダウングレードした場合、パスワードが空になってしまうようです。そのため、外部から簡単にログインできるようになってしまう恐れがあるため、このあたりの取扱には注意が必要です。
主な更新としては以下の項目があります。
- ! )dot1x – IEEE 802.1Xポートベースのネットワークアクセス制御のサポートを追加。
- !)ike2 – イニシエータとしてEAP認証方式(eap-tls、eap-ttls、eap-peap、eap-mschapv2)のサポートを追加。
- !)セキュリティ – 脆弱性の修正、CVE-2018-1157、CVE-2018-1158。
- !)セキュリティ – 脆弱性の修正、CVE-2019-11477、CVE-2019-11478、CVE-2019-11479。
- !)セキュリティ – 脆弱性の修正、CVE-2019-13074;
- !)user – 安全でないパスワードストレージを削除しました。
betaチャンネルで実装が進んでいた、IEEE802.1xが正式に実装されました。これでようやく認証VLANなどが設定できるようになりました。
また、脆弱性の修正として、neighbor discovery周りの脆弱性の修正、 Linux および FreeBSD カーネルでTCP Selective Acknowledgement (SACK) および Maximum Segment Size (MSS) の処理に関する複数の脆弱性について、こちらも修正になっています。
CVE-2019-13074 については、少し調べてみたのですが該当する脆弱性情報が見つかりませんでした。これから公表されるものなんでしょうか?
また他に気になる更新内容としては、25Gbps、40Gbpsに対応というのがあります。とはいえ、これに対応しているのは40Gbps対応製品だと思うので、これからに期待になるかと思います。
2019/07/05:追記
6.45.1を適用すると以下のような問題が発生しているようです。
IPsecまわりの変更があるので
— イニュイト (@inyuito) July 2, 2019
現状の設定じゃ上がらないパターン有り。
リモートアップデートはグローバルIPに穴開けてからをオススメします
EoIP ipsecとL2TP ipsecの繋がらなくなって
現在大はまり中(笑) https://t.co/5ILflJlmy9
なんかHexは普通なんですが
— イニュイト (@inyuito) July 3, 2019
CCR1036 8G 2s+だけだめですね。
しかも今朝フリーズしてて
confも破損したのか
起動しなくててんわやんわ。
結局6.44.4戻すと普通に動くんですよね。。
6.45.1だと起動完了ブザーなってから
IFが立ち上がるまでが異常に長いので
なんかバグなのかも??
たぶん、IPsec周りのUIを含めた変更のせいだと思います。一応、6.46beta6でipsecの修正が入っているので、一時的にこちらにするか、6.44.3にロールバックすることをおすすめします。
また、フォーラムには他にもAPI周りの動作不良、SNMPv3での認証が通らない件、PPTPでの通信が確立しない、など、認証周りに手が入っているせいかいつも以上のフォーラムの書き込みが見られます。