What's new in MikroTik RouterOS v6.45beta
The upcoming RouterOS v6.45 release, currently in beta and expected to be published as a final version in a couple of weeks, brings some important additions.
On the security side there is a significant change in how passwords are stored. According to MikroTik's official announcement, starting with this release we get the following changes:
*) All passwords on the router are now hashed (SHA256) and encrypted (ECC);
*) all RADIUS authentications (ssh,local,winbox,webfig,btest,telnet) will use MS-CHAPv2;
*) WinBox now uses ECSRP for key exchange and authentication (requires new winbox version), both sides now verify that other side knows password (no man in the middle attack is possible);
*) WinBox in ROMON mode now requires that agent is the latest version to be able to connect to latest version routers;
*) WinBox now uses AES128-CBC-SHA as encryption algorithm (requires new winbox version);
*) Bandwidth-test now uses ECSRP for authentication, now older version bandwidth-test clients can connect to newer version server only in no-authentication mode;
*) MAC telnet now uses ECSRP for authentication, to connect to newer server, client needs to be upgraded;
*) Webfig now uses ECDH for encryption key exchange;
*) backup now by default does not encrypt backup file, password now needs to be provided explicitly to encrypt it;
As the list shows, credential storage and the management protocols get substantially stronger: passwords are hashed with SHA-256 and encrypted with ECC instead of being kept in the previous insecure form, and WinBox, bandwidth-test and MAC telnet move to ECSRP, a password-authenticated key exchange in which both sides prove they know the password rather than the client simply sending it. There are three practical consequences to plan for. First, the matching client versions are mandatory: an older WinBox will not connect to a router running 6.45, older bandwidth-test clients can only reach a newer server in no-authentication mode, MAC telnet clients must be upgraded, and a ROMON agent that is not on the latest version cannot reach latest-version routers, so upgrade the tools (and every ROMON agent in the path) before upgrading the routers. Second, because every RADIUS authentication switches to MS-CHAPv2, the RADIUS server must be able to answer a challenge-response exchange: it needs the user's password in cleartext or as an NT hash, and accounts stored only as one-way hashes suitable for PAP will stop authenticating. Third, backups are no longer encrypted by default, so any backup job that relied on the old behaviour must now pass a password explicitly or it will start producing plaintext backup files.
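As an added example (not from the original post or from MikroTik), the commands below are what I would run on a router after the upgrade: they confirm the installed version, then contrast a backup command that relied on the old default with one that passes the password explicitly. The backup names and passphrase are placeholders, and the encryption=aes-sha256 value is the one documented for recent 6.4x releases; treat it as an assumption if your build differs.

```routeros
# Added example (not from the original post or from MikroTik).
# Run on a router after upgrading to 6.45 to check the version and make
# sure backups are still encrypted now that the default has changed.

# 1. Confirm the running version before trusting the new behaviour.
/system resource print
/system package update print

# 2. Old habit: this relied on the pre-6.45 default, which encrypted the
#    backup with the router's password. From 6.45 on it writes an
#    UNENCRYPTED file (backup name is a placeholder).
/system backup save name=weak-backup

# 3. Corrected: supply the password explicitly so the file is encrypted.
#    "encryption=aes-sha256" is assumed to be the accepted value; the
#    passphrase below is a placeholder, not a recommendation.
/system backup save name=hardened-backup password="use-a-long-passphrase" encryption=aes-sha256

# 4. Sanity check: list backup files. Remove any plaintext .backup file
#    once an encrypted copy exists, and do the same on remote stores.
/file print where name~"backup"
```

The same change applies to scheduled backups: audit every `/system scheduler` entry or script that calls `/system backup save` without a `password=` argument, since after the upgrade those jobs silently produce unencrypted files.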
This release (v6.45) also adds features that MikroTik users have been requesting for a long time, for example support for:
dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
At the moment the changelog reads as follows:
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
!) user - removed insecure password storage;
----------------------
Changes in this release:
!) user - removed insecure password storage;
*) bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used;
*) conntrack - fixed GRE protocol packet connection-state matching;
*) crs317 - fixed known multicast flooding to the CPU;
*) ike1 - general stability improvements (introduced in v6.45beta);
*) ike2 - added support for IKE rekeying for initiator;
*) ike2 - improved child SA rekeying process;
*) lte - added initial support for Vodafone R216-Z;
*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) www - improved client-initiated renegotiation within the SSL and TLS protocols;
Other changes since v6.44.3:
*) bridge - correctly add interface list as bridge port (introduced in v6.45beta34);
*) bridge - fixed log message when hardware offloading is being enabled;
*) bridge - fixed port running state for non-ethernet interfaces (introduced in v6.45beta33);
*) capsman - fixed interface-list usage in access list;
*) ccr - improved packet processing after overloading interface;
*) certificate - added "key-type" field (CLI only);
*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1) (CLI only);
*) certificate - made RAM the default CRL storage location;
*) certificate - removed DSA (D) flag;
*) cloud - added "replace" parameter for backup "upload-file" command;
*) conntrack - significant stability and performance improvements;
*) crs3xx - added ethernet tx-drop counter;
*) crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate;
*) crs3xx - correctly handle switch reset (introduced in v6.45beta31);
*) crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature);
*) crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305;
*) defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
*) defconf - automatically set "installation" parameter for outdoor devices;
*) defconf - changed default configuration type to AP for cAP series devices;
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcp - do not require lease and binding to have the same configuration for dual-stack queues;
*) dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues;
*) dhcpv4-server - added "client-mac-limit" parameter (CLI only);
*) dhcpv4-server - added RADIUS accounting support with queue based statistics;
*) dhcpv4-server - added "vendor-class-id" matcher (CLI only);
*) dhcpv4-server - improved stability when performing "check-status" command;
*) dhcpv4-server - replaced "busy" lease status with "conflict" and "declined";
*) dhcpv6-client - added option to disable rapid-commit (CLI only);
*) dhcpv6-client - fixed status update when leaving "bound" state;
*) dhcpv6-server - added "address-list" support for bindings (CLI only);
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) dhcpv6-server - added RADIUS accounting support;
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "route-distance" parameter (CLI only);
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
*) discovery - correctly create neighbors from VLAN tagged discovery messages;
*) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44);
*) discovery - improved neighbour's MAC address detection;
*) discovery - limit max neighbour count per interface based on total RAM memory;
*) discovery - show neighbors on actual mesh ports;
*) e-mail - include "message-id" identification field in e-mail header;
*) ethernet - added support for 25Gbps and 40Gbps rates;
*) ethernet - increased loop warning threshold to 5 packets per second;
*) export - fixed SMS "allowed-number" compact export (introduced in v6.45beta);
*) fetch - added SFTP support;
*) fetch - improved user policy lookup;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
*) gps - fixed missing minus close to zero coordinates in dd format;
*) gps - make sure "direction" parameter is upper case;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ike1 - adjusted debug packet logging topics;
*) ike1 - fixed rekeying process when NAT is detected (introduced in v6.45beta16);
*) ike2 - added support for ECDSA certificate authentication (rfc4754);
*) ike2 - do not send "User-Name" attribute to RADIUS server if not provided;
*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
*) ike2 - fixed pre-shared-key authentication failure (introduced in v6.45beta34);
*) ike2 - improved certificate verification when multiple CA certificates received from responder;
*) ike2 - improved XAuth identity conversion on upgrade;
*) ike2 - prefer SAN instead of DN from certificate for ID payload;
*) ippool - improved logging for IPv6 Pool when prefix is already in use;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity (CLI only);
*) ipsec - added "ph2-total" counter to "active-peers" menu (CLI only);
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) ipsec - added traffic statistics to "active-peers" menu (CLI only);
*) ipsec - do not allow adding identity to a dynamic peer;
*) ipsec - fixed policies becoming invalid after changing priority;
*) ipsec - general improvements in policy handling;
*) ipsec - properly drop already established tunnel when address change detected;
*) ipsec - renamed "remote-peers" to "active-peers" (CLI only);
*) ipsec - renamed "rsa-signature" authentication method to "digital-signature";
*) ipsec - replaced policy SA address parameters with peer setting;
*) ipsec - use tunnel name for dynamic IPsec peer name;
*) ipv6 - improved system stability when receiving bogus packets;
*) lte - added passthrough interface subnet selection;
*) lte - added support for manual operator selection;
*) lte - allow setting empty APN;
*) lte - allow to specify URL for firmware upgrade "firmware-file" parameter;
*) lte - do not show error message for info commands that are not supported;
*) lte - fixed session reactivation on R11e-LTE in UMTS mode;
*) lte - improved firmware upgrade process;
*) lte - improved "info" command query;
*) lte - improved R11e-4G modem operation;
*) lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only);
*) lte - show alphanumeric value for operator info;
*) lte - show correct firmware revision after firmware upgrade;
*) lte - use default APN name "internet" when not provided;
*) lte - use secondary DNS for DNS server configuration;
*) ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2;
*) ospf - fixed opaque LSA type checking in OSPFv2;
*) ospf - improved "unknown" LSA handling in OSPFv3;
*) ppp - added initial support for Quectel BG96;
*) proxy - increased minimal free RAM that can not be used for proxy services;
*) rb3011 - improved system stability when receiving bogus packets;
*) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required);
*) rb4011 - fixed SFP linking (introduced in v6.45beta6);
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) sfp - fixed S-35LC20D transceiver DDMI readouts after reboot;
*) sms - added USSD message functionality under "/tool sms" (CLI only);
*) sms - allow specifying multiple "allowed-number" values;
*) sms - fixed long message parsing (introduced in v6.45beta19);
*) sms - improved delivery report logging;
*) snmp - added "dot1dStpPortTable" OID;
*) snmp - added OID for neighbor "interface";
*) snmp - added "write-access" column to community print;
*) snmp - allow setting interface "adminStatus";
*) snmp - improved reliability on SNMP service packet validation;
*) snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs;
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - added new "ssh-exec" command for non-interactive command execution;
*) ssh - fixed non-interactive multiple command execution;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) ssh - improved session rekeying process on exchanged data size threshold;
*) ssh - use correct user when "output-to-file" parameter is used;
*) supout - added IPv6 ND section to supout file;
*) supout - added "kid-control devices" section to supout file;
*) supout - added "pwr-line" section to supout file;
*) supout - changed IPv6 pool section to output detailed print;
*) switch - properly reapply settings after switch chip reset;
*) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only);
*) tile - improved link fault detection on SFP+ ports;
*) tr069-client - added LTE CQI and IMSI parameter support;
*) tr069-client - fixed potential memory corruption;
*) tr069-client - improved error reporting with incorrect firmware upgrade XML file;
*) traceroute - improved stability when sending large ping amounts;
*) traffic-generator - improved stability when stopping traffic generator;
*) tunnel - removed "local-address" requirement when "ipsec-secret" is used;
*) userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only);
*) w60g - do not show unused "dmg" parameter;
*) w60g - prefer AP with strongest signal when multiple APs with same SSID present;
*) w60g - show running frequency under "monitor" command;
*) winbox - fixed crash when opening CAPsMAN menu (introduced in v6.45beta27);
*) winbox - show "LCD" menu only on boards that have LCD screen;
*) wireless - fixed 5GHz interface disappearing after upgrade (introduced in v6.45beta19);
*) wireless - fixed "country-info" printing (introduced in v6.45beta27);
*) wireless - fixed frequency duplication in the frequency selection menu;
*) wireless - fixed incorrect IP header for RADIUS accounting packet;
*) wireless - improved 160MHz channel width stability on rb4011;
*) wireless - improved DFS radar detection when using non-ETSI regulated country;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - set default SSID and supplicant-identity the same as router's identity;
*) wireless - updated "china" regulatory domain information;
*) wireless - updated "india" regulatory domain information;
*) wireless - updated "new zealand" regulatory domain information;
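One entry in the "Changes in this release" block is worth acting on right away: the new "verify-server-certificate" parameter for the OVPN client (the CVE-2018-10066 item). As an added example that is not part of the original post or of MikroTik's documentation, the following contrasts a client definition that does not check the server's certificate with one that does. The interface names, server address, user, client certificate and CA file name are placeholders.

```routeros
# Added example (not from the original post or from MikroTik).
# OVPN client before and after the "verify-server-certificate" parameter
# that this release introduces. All names and addresses are placeholders.

# Weak: without server certificate verification the client completes the
# TLS handshake with whatever certificate the far end presents, so a host
# on the path can impersonate the VPN server and receive the credentials.
/interface ovpn-client add name=ovpn-weak connect-to=203.0.113.10 \
    user=vpnuser password="secret" certificate=client-cert

# Corrected: import the CA that signed the server certificate (file name
# is an assumption), then require the client to verify the server chain.
/certificate import file-name=vpn-ca.crt passphrase=""
/interface ovpn-client add name=ovpn-verified connect-to=203.0.113.10 \
    user=vpnuser password="secret" certificate=client-cert \
    verify-server-certificate=yes

# Check that verification is actually on for every OVPN client interface.
/interface ovpn-client print detail where verify-server-certificate=no
```

Existing OVPN client interfaces keep the old behaviour after the upgrade, since a new parameter does not change configuration that already exists; the final `print` is there to find the ones still left without verification.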