Define pref-src for AMPR routes

[mstorck]

By defining the pref-src for AMPR routes the Mikrotik router will source requests sent via AMPR routes and tunnels from a 44net address instead of a private RFC1918 or a commercial IP address.

[mstorck]

The problem of non 44 net source addresses has been discussed recently on the 44net mailing list under the thread "[44net] Misconfiguration of gateway tunnel interfaces".

The thread contains a few examples where the source IP address in the encapsulated packet is the same as the gateway endpoint, which indicates that the packet was locally sourced.

This pull requests solves this issue for Mikrotik RouterOS using this tool to generate the configuration.

[kd7lxl]

1. Do you have a packet capture and/or example configuration that shows this problem on ROS? In my experience ROS has picked the correct source address.
2. Configuration values should go in settings.py. Users shouldn't need to edit updateros.py to use the script. The section you defined ampr_source in is for defaults that shouldn't normally need to be changed before use.
3. I'd really prefer to have this address discovered rather than configured. Can you read it out of the router to save the user the hassle of configuring it?

[mstorck]

1. will try to reproduce, not trivial as I don't have a spare RouterBoard available. Just because the issue hasn't occurred doesn't mean it will not occur in the future. Explicitly providing the IP address by an configuration element is probably what you would call "best practice".
2. I can change the patch accordingly
3. This is not so trivial, it is probably possible to use the first 44net IP address we come along but it can cause side effects. From an operational aspect it would be best that the user configures a "loopback interface" (bridge with no member interfaces) with one single address (/32) assigned. The chance of that interface going down, and the IP address altogether with the interface, is non-existant unless the user disables the interface.

[kd7lxl]

The default behavior is to use the address assigned to that interface as a source address. We define that explicitly when the ipip interface is created. The pref-src attribute exists for cases where you have multiple addresses assigned to an interface--this will never happen with the ipip interfaces.

Leaking RFC1918 addresses can be solved with a firewall rule. Even with pref-src, there are many ways to leak RFC1918 addresses unless your firewall prohibits it.

[mstorck]

I'm confused. Where exactly does the script add 44net IP addresses to ampr-* IPIP interfaces, I cannot find any statement in the form of

/ip address add interface=ampr-a.b.c.d address=44.x.y.z .....

So AFAICT there is not a single IP address assigned to the IPIP interface (beside the endpoints but those are irrelevant or part of the problem, as the OS may choose the local endpoint address as the source packet for the encapsulated packet).

This patch will fix situation where the AMPR gateway is the source of the offending packets.

If the AMPR Gateway is carefully designed, leaking by routing can be avoided by

/ip settings set rp-filter=strict

[kd7lxl]

You're right; I guess I misspoke. Pref-src could be valuable on routers that have both 44 and not-44 addresses.

Now the question is where the best place to define the source address is or whether to inspect the router to find it. The choices are:

• settings.py - this means you can only run the installation against one router, which is unfortunate.
• command line argument, i.e., ./updateros.py TARGET_IP SRC_IP - changes the way the script is run, so may bother some people. Could be made backwards-compatible to mitigate the issue.
• Inspect router, i.e., /ip address print where address~"^44." - could choose the wrong address when there are many (can we solve this?)

Regardless, you will still need a firewall rule to be sure your router does not forward packets from RFC1918 addresses. Only packets generated or address-translated by the gateway router will be able to take advantage of the pref-src attribute.