
IPv6 security – DHCPv6 – part four.

Today I would like to run some tests with DHCPv6. As with IP version 4, a DHCP server can run on a router or a switch; in the lab below the switch in the middle additionally enforces a DHCPv6 guard policy and populates its binding table from the exchange.

               Gi1/0/1   Gi1/0/2           
      /----\      \  ----- /       /----\ 
     |  R1  |-------| sw1 |-------|  R2  |
      \----/         -----         \----/ 
   DHCP SERVER         |\      
                       | Gi1/0/3        
                    /----\   
                   |  R3  |
                    \----/         
                 DHCP CLIENT

In this example R1 acts as the DHCPv6 server and R3 as the client. First I configure R3 as a stateful DHCPv6 client:

!
interface FastEthernet0/0
 no ip address
 ipv6 address dhcp
 ipv6 enable
 no sh
end
!

Then R1, with a stateful pool that allocates addresses from 2001::/64. The pool's link-address has to match the prefix configured on the interface that receives the SOLICIT messages, otherwise the server cannot tie the request to this pool:

!
ipv6 dhcp pool DHCP-POOL
 address prefix 2001::/64
 link-address 2001::100/64
 domain-name test.com
!
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001::100/64
 ipv6 enable
 ipv6 dhcp server DHCP-POOL
end
!

Now I configure SW1. Gi1/0/1 (towards R1) gets the server-role policy, so it is the only port allowed to source DHCPv6 server messages (ADVERTISE, REPLY), and also ND inspection and IPv6 snooping. Gi1/0/3 (towards R3) gets the client-role policy, so any ADVERTISE or REPLY arriving there, i.e. from a rogue server, is dropped. Note that Gi1/0/2 (towards R2) has no policy attached and is therefore not inspected at all:

!
ipv6 dhcp guard policy DHCP-POLICY
 device-role client
!
ipv6 dhcp guard policy DHCP-POLICY-SERVER
 device-role server
!
interface GigabitEthernet1/0/1
 ipv6 nd inspection
 ipv6 snooping
 ipv6 dhcp guard attach-policy DHCP-POLICY-SERVER
!
!
interface GigabitEthernet1/0/3
 ipv6 dhcp guard attach-policy DHCP-POLICY
!

A static binding for R1's address on Gi1/0/1, together with binding-table logging and a (deliberately low) limit of 2 dynamic entries:

ipv6 neighbor binding logging
ipv6 neighbor binding max-entries 2
ipv6 neighbor binding vlan 1 2001::100 interface Gi1/0/1 001e.4a60.ed80 tracking enable
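To make the DHCPv6 guard decision concrete, here is a small model of it in Python. This is an added example, not code from the original post or from Cisco IOS: it builds DHCPv6 messages in the RFC 8415 wire format (one-byte message type, 24-bit transaction id, TLV options), then applies a port-to-device-role policy shaped like the sw1 configuration above, including the server preference bounds that `show ipv6 dhcp guard policy` prints for the server-role policy. The port names, the transaction id and the constructed packets are assumptions for illustration; the DUIDs are the ones that appear in the debug output later in the post.

```python
"""Model of what a DHCPv6 guard policy does with DHCPv6 messages (added example)."""
import struct

# RFC 8415 message types
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
RECONFIGURE, RELAY_FORW, RELAY_REPL = 10, 12, 13
# Messages only a server (or relay towards the client) may originate.
SERVER_MESSAGES = {ADVERTISE, REPLY, RECONFIGURE, RELAY_REPL}

# RFC 8415 option codes used below
OPTION_CLIENTID, OPTION_SERVERID, OPTION_PREFERENCE = 1, 2, 7


def build_message(msg_type, xid, options):
    """Serialise a DHCPv6 message: msg-type, 24-bit transaction-id, TLV options."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + body


def parse_message(pkt):
    """Return (msg_type, xid, {code: data}); raise ValueError on a malformed packet."""
    if len(pkt) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = pkt[0]
    xid = int.from_bytes(pkt[1:4], "big")
    options, off = {}, 4
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        if off + length > len(pkt):
            raise ValueError("option length overruns packet")
        options[code] = pkt[off:off + length]
        off += length
    return msg_type, xid, options


def guard_decision(policy, port, pkt):
    """Decide whether DHCPv6 guard forwards a packet that arrived on `port`.

    policy: {port: {"role": "client"|"server", "min_pref": int, "max_pref": int}}
    A port with no policy attached is not inspected (forwarded), like Gi1/0/2 above.
    Returns (forward: bool, reason: str).
    """
    rule = policy.get(port)
    if rule is None:
        return True, "no policy on port"
    msg_type, _, options = parse_message(pkt)
    if msg_type not in SERVER_MESSAGES:
        return True, "client message"
    if rule["role"] != "server":
        return False, "server message on client-role port"
    # Server-role ports may additionally be limited to a preference range;
    # RFC 8415 says an absent OPTION_PREFERENCE means preference 0.
    pref_data = options.get(OPTION_PREFERENCE) or b"\x00"
    pref = pref_data[0]
    if not rule["min_pref"] <= pref <= rule["max_pref"]:
        return False, "server preference %d outside [%d, %d]" % (
            pref, rule["min_pref"], rule["max_pref"])
    return True, "server message on server-role port"


# Policy shaped like sw1's config: Gi1/0/1 faces R1 (server), Gi1/0/3 faces R3 (client).
SW1_POLICY = {
    "Gi1/0/1": {"role": "server", "min_pref": 0, "max_pref": 255},
    "Gi1/0/3": {"role": "client", "min_pref": 0, "max_pref": 255},
}

# Constructed packets; DUIDs are R3's and R1's from the debug output, the xid is made up.
CLIENT_DUID = bytes.fromhex("000300010019AA00B298")
SERVER_DUID = bytes.fromhex("00030001001E4A60ED80")
SOLICIT_PKT = build_message(SOLICIT, 0xABCDEF, [(OPTION_CLIENTID, CLIENT_DUID)])
ADVERTISE_PKT = build_message(ADVERTISE, 0xABCDEF,
                              [(OPTION_SERVERID, SERVER_DUID),
                               (OPTION_CLIENTID, CLIENT_DUID),
                               (OPTION_PREFERENCE, b"\x10")])

if __name__ == "__main__":
    print("SOLICIT from R3 on Gi1/0/3:  ", guard_decision(SW1_POLICY, "Gi1/0/3", SOLICIT_PKT))
    print("ADVERTISE from R1 on Gi1/0/1:", guard_decision(SW1_POLICY, "Gi1/0/1", ADVERTISE_PKT))
    print("rogue ADVERTISE on Gi1/0/3:  ", guard_decision(SW1_POLICY, "Gi1/0/3", ADVERTISE_PKT))
    print("ADVERTISE on unpoliced Gi1/0/2:", guard_decision(SW1_POLICY, "Gi1/0/2", ADVERTISE_PKT))
```

The last line of the demo is the caveat worth remembering: the model, like the real feature, only drops rogue server messages on ports that actually carry a client-role policy. A rogue DHCPv6 server behind Gi1/0/2 would still be heard by R3.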

Now let's check how the exchange looks from the R3, R1 and SW1 perspective (the `debug ipv6 dhcp` output on each box, plus the binding-table logging on the switch):

DHCP client:

r3#
Apr 27 12:41:28.583: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0
r3#
Apr 27 12:42:00.367: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0
r3#

DHCP server:

r1#
Apr 27 12:42:35.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Apr 27 12:42:36.195: IPv6 DHCP: Add routes, pool DHCP-POOL, idb FastEthernet0/0
r1#
Apr 27 12:43:05.035: IPv6 DHCP: Received SOLICIT from FE80::219:AAFF:FE00:B298 on FastEthernet0/0
Apr 27 12:43:05.035: IPv6 DHCP: Using interface pool DHCP-POOL
Apr 27 12:43:05.035: IPv6 DHCP: Creating binding for FE80::219:AAFF:FE00:B298 in pool DHCP-POOL
Apr 27 12:43:05.035: IPv6 DHCP: Binding for IA_NA 00030001 not found
Apr 27 12:43:05.035: IPv6 DHCP: Allocating IA_NA 00030001 in binding for FE80::219:AAFF:FE00:B298
Apr 27 12:43:05.035: IPv6 DHCP: Looking up pool 2001::/64 entry with username '000300010019AA00B29800030001'
Apr 27 12:43:05.035: IPv6 DHCP: Poolentry for user not found
Apr 27 12:43:05.035: IPv6 DHCP: Allocated new address 2001::83A:E2C3:5E66:5FFF
Apr 27 12:43:05.035: IPv6 DHCP: Allocating address 2001::83A:E2C3:5E66:5FFF in binding for FE80::219:AAFF:FE00:B298, IAID 00030001
Apr 27 12:43:05.035: IPv6 DHCP: Updating binding address entry for address 2001::83A:E2C3:5E66:5FFF
Apr 27 12:43:05.035: IPv6 DHCP: Setting timer on 2001::83A:E2C3:5E66:5FFF for 60 seconds
Apr 27 12:43:05.035: IPv6 DHCP: Sending ADVERTISE to FE80::219:AAFF:FE00:B298 on FastEthernet0/0
Apr 27 12:43:05.047: IPv6 DHCP: Received REQUEST from FE80::219:AAFF:FE00:B298 on FastEthernet0/0
Apr 27 12:43:05.047: IPv6 DHCP: Using interface pool DHCP-POOL
Apr 27 12:43:05.047: IPv6 DHCP: Looking up pool 2001::/64 entry with username '000300010019AA00B29800030001'
Apr 27 12:43:05.047: IPv6 DHCP: Poolentry for user found
Apr 27 12:43:05.047: IPv6 DHCP: Found address 2001::83A:E2C3:5E66:5FFF in binding for FE80::219:AAFF:FE00:B298, IAID 00030001
Apr 27 12:43:05.047: IPv6 DHCP: Updating binding address entry for address 2001::83A:E2C3:5E66:5FFF
Apr 27 12:43:05.047: IPv6 DHCP: Setting timer on 2001::83A:E2C3:5E66:5FFF for 172800 seconds
Apr 27 12:43:05.047: IPv6 DHCP: Sending REPLY to FE80::219:AAFF:FE00:B298 on FastEthernet0/0
r1#

DHCP client, continued (the same exchange as seen by R3; the two routers' clocks are not synchronised, so the timestamps differ slightly):

r3#
Apr 27 12:43:04.939: IPv6 DHCP: Received ADVERTISE from FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
Apr 27 12:43:04.939: IPv6 DHCP: Adding server FE80::21E:4AFF:FE60:ED80
Apr 27 12:43:04.939: IPv6 DHCP: Sending REQUEST to FF02::1:2 on FastEthernet0/0
Apr 27 12:43:04.939: IPv6 DHCP: DHCPv6 address changes state from SOLICIT to REQUEST (ADDR_ADVERTISE_RECEIVED) on FastEthernet0/0
Apr 27 12:43:04.947: IPv6 DHCP: Received REPLY from FE80::21E:4AFF:FE60:ED80 on FastEthernet0/0
Apr 27 12:43:04.947: IPv6 DHCP: Processing options
r3#
Apr 27 12:43:04.947: IPv6 DHCP: Adding address 2001::83A:E2C3:5E66:5FFF/128 to FastEthernet0/0
Apr 27 12:43:04.951: IPv6 DHCP: T1 set to expire in 43200 seconds
Apr 27 12:43:04.951: IPv6 DHCP: T2 set to expire in 69120 seconds
Apr 27 12:43:04.951: IPv6 DHCP: Configuring domain name test.com
Apr 27 12:43:04.951: IPv6 DHCP: DHCPv6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0
r3#

Switch. The first four lines show that sw1 itself still has `ipv6 dhcp server DHCP-POOL` configured on Vlan1 (not shown above) without a pool of that name, so it sees the SOLICIT, finds no pool, and ignores the REQUEST because the server-id in it is R1's, not its own. The SISF lines that follow are the binding table being populated: R3's DHCP-assigned address on Gi1/0/3 and R1's link-local address learned via ND on Gi1/0/1:

sw1#
Mar 30 04:30:31.121: %SYS-5-CONFIG_I: Configured from console by console
sw1#
sw1#
Mar 30 04:30:32.354: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Mar 30 04:30:33.360: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
sw1#
Mar 30 04:31:02.779: IPv6 DHCP: Received SOLICIT from FE80::219:AAFF:FE00:B298 on Vlan1
Mar 30 04:31:02.779: IPv6 DHCP: Pool DHCP-POOL cannot be found
Mar 30 04:31:02.796: IPv6 DHCP: Received REQUEST from FE80::219:AAFF:FE00:B298 on Vlan1
Mar 30 04:31:02.796: IPv6 DHCP: SERVERID option in REQUEST from FE80::219:AAFF:FE00:B298 on Vlan1 does not match
sw1#
Mar 30 04:31:02.796: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per box (2) V=1 I=Gi1/0/3 M=001E.4A60.ED80
Mar 30 04:31:02.796: %SISF-6-ENTRY_CREATED: Entry created A=2001::83A:E2C3:5E66:5FFF V=1 I=Gi1/0/3 P=0024 M=0019.AA00.B298
sw1#
Mar 30 04:31:07.099: %SISF-6-ENTRY_CREATED: Entry created A=FE80::21E:4AFF:FE60:ED80 V=1 I=Gi1/0/1 P=0005 M=001E.4A60.ED80
sw1#

Let's check the current state. Note that the limit of 2 dynamic entries is already reached (R1's link-local learned via ND on Gi1/0/1 and R3's DHCP-assigned address on Gi1/0/3), which is what the SISF-6-ENTRY_MAX_ORANGE message warned about; with such a low limit a third dynamic entry cannot be created:

r3#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::219:AAFF:FE00:B298 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001::83A:E2C3:5E66:5FFF, subnet is 2001::83A:E2C3:5E66:5FFF/128 
  Joined group address(es):
    FF02::1
    FF02::1:FF00:B298
    FF02::1:FF66:5FFF
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
r3#
 
sw1#sh ipv6 neighbors binding 
Binding Table has 5 entries, 2 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::21E:4AFF:FE60:ED80                001E.4A60.ED80  Gi1/0/1      1  0005   46s  REACHABLE  17 s             
L   FE80::206:F6FF:FEF7:4240                0006.F6F7.4240  Vl1          1  0100   90mn REACHABLE                   
DH  2001::83A:E2C3:5E66:5FFF                0019.AA00.B298  Gi1/0/3      1  0024  116s  STALE      164502 s         
S   2001::100                               001E.4A60.ED80  Gi1/0/1      1  0100   56s  REACHABLE  4 s try 0        
L   2001::1                                 0006.F6F7.4240  Vl1          1  0100   87mn REACHABLE 
 
 
sw1#

r1#sh ipv6 dhcp pool 
DHCPv6 pool: DHCP-POOL
  Address allocation prefix: 2001::/64 valid 172800 preferred 86400 (1 in use, 0 conflicts)
  Link-address prefix: 2001::1/64
  Link-address prefix: 2001::100/64
  Domain name: test.com
  Active clients: 1 
 
 
r1#sh ipv6 dhcp binding 
Client: FE80::219:AAFF:FE00:B298 
  DUID: 000300010019AA00B298
  Username : unassigned
  IA NA: IA ID 0x00030001, T1 43200, T2 69120
    Address: 2001::83A:E2C3:5E66:5FFF
            preferred lifetime 86400, valid lifetime 172800
            expires at Apr 29 2014 12:43 PM (172658 seconds)
r1#
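The identifiers scattered through the output above (the link-local addresses in the debug, the DUID and the username in the server's binding, the prlvl column in the switch's binding table) are all derivable from each other. The following Python, an added example that is not part of the original post or of Cisco IOS, shows how: it computes the modified EUI-64 link-local address from a MAC, which is the check behind the "MAC and LLA match" preference flag; decodes the DUID-LL that R3 presents and splits the pool-entry username the server debug printed into DUID and IAID; and expands the prlvl bitmask using the legend printed by `show ipv6 neighbors binding`. All values are copied from the output above; the three binding-table rows are constructed from that table for the example.

```python
"""Decode the DHCPv6 and binding-table identities shown above (added example)."""
import ipaddress


def eui64_link_local(mac):
    """RFC 4291 modified EUI-64: insert FF:FE, flip the U/L bit, prefix FE80::/64."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def mac_and_lla_match(mac, addr):
    """The binding table's 'MAC and LLA match' check: is the address the EUI-64 of this MAC?"""
    return eui64_link_local(mac) == ipaddress.IPv6Address(addr)


DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}


def decode_duid(duid_hex):
    """Decode an RFC 8415 DUID; only the link-layer forms carry a MAC."""
    raw = bytes.fromhex(duid_hex)
    duid_type = int.from_bytes(raw[0:2], "big")
    info = {"type": DUID_TYPES.get(duid_type, "unknown(%d)" % duid_type)}
    if duid_type == 3:    # DUID-LL:  type(2) hw-type(2) link-layer address
        info["hw_type"] = int.from_bytes(raw[2:4], "big")
        info["mac"] = raw[4:].hex()
    elif duid_type == 1:  # DUID-LLT: type(2) hw-type(2) time(4) link-layer address
        info["hw_type"] = int.from_bytes(raw[2:4], "big")
        info["time"] = int.from_bytes(raw[4:8], "big")
        info["mac"] = raw[8:].hex()
    return info


def split_username(username_hex):
    """The pool-entry username in the server debug is the client DUID with the 4-byte IAID appended."""
    raw = bytes.fromhex(username_hex)
    return {"duid": raw[:-4].hex(), "iaid": raw[-4:].hex()}


# Legend exactly as printed by 'show ipv6 neighbors binding'.
PRLVL_FLAGS = {
    0x0001: "MAC and LLA match", 0x0002: "Orig trunk", 0x0004: "Orig access",
    0x0008: "Orig trusted trunk", 0x0010: "Orig trusted access", 0x0020: "DHCP assigned",
    0x0040: "Cga authenticated", 0x0080: "Cert authenticated", 0x0100: "Statically assigned",
}


def decode_prlvl(prlvl_hex):
    """Expand the prlvl bitmask into the flag names, lowest bit first."""
    value = int(prlvl_hex, 16)
    return [name for bit, name in sorted(PRLVL_FLAGS.items()) if value & bit]


# Rows constructed from the binding table above: (code, address, MAC, prlvl).
BINDING_ROWS = [
    ("ND", "FE80::21E:4AFF:FE60:ED80", "001E.4A60.ED80", "0005"),
    ("DH", "2001::83A:E2C3:5E66:5FFF", "0019.AA00.B298", "0024"),
    ("S",  "2001::100",                "001E.4A60.ED80", "0100"),
]


def audit_rows(rows):
    """Per row: its flags, and whether the 'MAC and LLA match' bit agrees with a recomputed EUI-64."""
    out = []
    for code, addr, mac, prlvl in rows:
        flags = decode_prlvl(prlvl)
        consistent = ("MAC and LLA match" in flags) == mac_and_lla_match(mac, addr)
        out.append((code, addr, flags, consistent))
    return out


if __name__ == "__main__":
    print(eui64_link_local("0019.AA00.B298"))            # R3's link-local in the debug
    print(decode_duid("000300010019AA00B298"))            # DUID from 'show ipv6 dhcp binding'
    print(split_username("000300010019AA00B29800030001")) # username from the server debug
    for row in audit_rows(BINDING_ROWS):
        print(row)
```

Two things the output makes visible: the DHCP-assigned address 2001::83A:E2C3:5E66:5FFF carries no "MAC and LLA match" bit because it was allocated by the server rather than derived from R3's MAC, so the switch trusts it only because of the "DHCP assigned" bit (0x0020) earned by watching the exchange; and a DUID-LL is simply the MAC address, so a client that spoofs its MAC can present the same DUID and hence the same pool-entry username.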

 
 
sw1#sh ipv6 dhcp guard policy 
Dhcp guard policy: DHCP-POLICY
        Device Role: dhcp client
        Target: Gi1/0/3 

Dhcp guard policy: DHCP-POLICY-SERVER
        Device Role: dhcp server
        Target: Gi1/0/1 
        Max Preference: 255
        Min Preference: 0

sw1#
