New blog post! bgp.tools is now on 120~ different IX LANs, and since IX LANs are not that different from the ethernet switches in your office and home, that means there are going to be some weird and wonderful things that people have enabled or attached to IX LANs So I've rounded up in a blog post all of the weird stuff I've seen, how dangerous it is, and why I sometimes know when the Brazil military makes a typo on their router CLI! Some interesting stuff I found on IX LANs https://blog.benjojo.co.uk/post/ixp-bad-broadcast-packets-interesting
one honk maybe more
grawity@social.treeh..
replied 25 Sep 2025 16:44 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/zVyCHm64h4SQ13Gzd2
@benjojo Mikrotik has *two* MAC protocols, a single-hop "MAC-Telnet" (IP broadcasts) and multi-hop "RoMON" (ethertype 88bf). So it would be interesting to know if you've specifically seen the latter on IXPs, as RoMON has its own internal routing – unlike leaving MAC-Winbox/MAC-Telnet open which merely exposes the single router, leaving RoMON open on an IXP (and not setting a HMAC secret) would allow other members to reach pretty deep into one's internal network... (like all the way to some office router with a default password).
karppinen@mastodon.o..
replied 26 Sep 2025 05:21 +0000
in reply to: https://social.treehouse.systems/users/grawity/statuses/115265941772683650
grawity@social.treeh..
replied 26 Sep 2025 05:56 +0000
in reply to: https://mastodon.online/users/karppinen/statuses/115268918648818428
@karppinen @benjojo I believe that's just a workaround for socket API limitations: 1. the primary use case for MAC-Winbox or MAC-Telnet is to connect to devices which might have misconfigured IP, e.g. might not even *have* a working IP address, thus the client cannot rely on IP & ARP to send unicast frames to that device (e.g. to configure a freshly reset router that *didn't* have the 192.168.88.1/24 defconf applied to it) (it might be possible to unicast to IPv6 link-local address, but RouterOS used to have the ipv6 package disabled by default for a long time, etc, etc. – sure it would be possible to use them *now* but not 10 years ago) 2. but the client also cannot "manually" send unicast frames to a specific MAC address either, as that needs raw sockets (root privileges) on Linux, and I believe requires a whole Winpcap/Npcap driver on Windows so the easy remaining option is to send UDP broadcasts, which always go to the broadcast MAC address and therefore definitely reach the target device. From what I recall, the third-party Linux CLI mactelnet client explicitly says in its readme that it is insecure if you don't make the binary setuid (as then it can't use raw ether sockets and has to UDP-broadcast). Might be misremembering though Note this is primarily in the "PC → router" direction. AFAIK the target device will *reply* to you using unicast, since its mactelnet service is privileged and can properly do unicast ethernet frames – and I *think* that ROS-to-ROS /tool/mac-telnet connections might not need to rely on broadcasts at all, as ROS itself would of course have a properly privileged client that can do unicast. RoMON on the other hand does not have this problem, in part because there *is* no "direct" desktop client for it – you always have to gateway through a local Mtik device – and in part because it doesn't carry cleartext Telnet, only SSH and Winbox. (It has a completely different security problem due to being routable – fortunately not IP-based but acting as its own network layer – but still, if someone's router at an IXP has RoMON open, and if their internal core is also Mikrotik-based with RoMON, then you could just do /tool/romon/discover on your router and see *through* that IXP router and all the way through their core.)
karppinen@mastodon.o..
replied 26 Sep 2025 07:26 +0000
in reply to: https://social.treehouse.systems/users/grawity/statuses/115269054757657506
grawity@social.treeh..
replied 26 Sep 2025 07:45 +0000
in reply to: https://mastodon.online/users/karppinen/statuses/115269408517599545
@karppinen @benjojo yeah, it doesn't require root, but also Winbox was Windows/Wine-only until like 2024 so it's probably the only universal option they had
benjojo
replied 25 Sep 2025 18:26 +0000
in reply to: https://social.treehouse.systems/users/grawity/statuses/115265941772683650
@grawity bgp.tools recognizes both protocols independently and tags as such, I just aggregated them into one item on the blog post because it's just microtik stuff
benjojo
replied 27 Sep 2025 15:56 +0000
in reply to: https://sharkey.chiyoda.moe/notes/ad4ngacgytdb0007
@bakabaka9 It's mostly just the mass gathering of MAC addresses and using the MAC OUI database to turn that into a vendor icon
krono@toot.berlin
replied 25 Sep 2025 15:55 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/zVyCHm64h4SQ13Gzd2
blackbit@chaos.socia..
replied 26 Sep 2025 14:51 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/zVyCHm64h4SQ13Gzd2
@benjojo Any correcctions or additions for this list? I wasn't able to find anything special for ES-IS. # DEC-MOP # RoMON # STP # CDP
Would you suggest to filter all 0xff addresses for VRRP?
ab:00:00:02:00:00
6c:3b:6b:48:0e:8b
01:80:c2:00:00:00 IEEE 802 standard Bridge Group Address
01:00:0c:cc:cc:cd Cisco proprietary Per-VLAN Spanning Tree address
03:04:08:00:07:00 Extreme Networks address
01:00:0c:cc:cc:cc
blackbit@chaos.socia..
replied 26 Sep 2025 14:52 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/zVyCHm64h4SQ13Gzd2
# IS-IS # ES-IS # LLDP # VRRP # OSPF # IPv6 RA
01:80:c20:0:00:14 All L1 IS devices
01:80:c2:00:00:15 All L2 IS devices
09:00:2b:00:00:05 All IS devices
09:00:2b:00:00:05 IS-IS Hello
?
01:80:c2:00:00:0e
01:80:c2:00:00:03
01:80:c2:00:00:00
00:00:5E:00:01:XX
01:00:5E:00:00:05 All OSPF routers on a network segment
01:00:5E:00:00:06 Designated routers on a network segment.
33:33:00:00:00:01