
IPv6 security – IPv6 First Hop Security – part one.

Before we configure any security features we need to understand the IPv6 protocol and the messages it sends across the network. Many IPv6 mechanisms rely on ICMPv6. We will talk about the following ICMPv6 message types:
  • Echo request – ICMPv6 – type 128
  • Echo reply – ICMPv6 – type 129
  • Router Solicitation – ICMPv6 – type 133
  • Router Advertisement (RA) – ICMPv6 – type 134
  • Neighbor Solicitation (NS)– ICMPv6 – type 135
  • Neighbor Advertisement – ICMPv6 – type 136
Let’s first check when we can see the messages and what they are responsible for. I have two routers R1 and R2. They have IPv6 enabled:

R1:
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ipv6 address 2001:1:1::1/64
 ipv6 enable
!
 
R2:
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ipv6 address 2001:1:1::2/64
 ipv6 enable
!
 
R1#sh ipv6 interface
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C800:12FF:FE64:8
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1:1::1, subnet is 2001:1:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF64:8
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
R1#
 
R2#sh ipv6 interface
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C801:12FF:FE64:8
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1:1::2, subnet is 2001:1:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF64:8
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
R2#
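The joined groups in the two outputs above follow directly from the interface addresses, and the same derivations explain the destination addresses that appear in the debug output further down. The Python below is an added example, not part of the original post: it derives the link-local address from the MAC (modified EUI-64, which is what IOS used here; the MACs ca00.1264.0008 for R1 and ca01.1264.0008 for R2 appear in the debug output later on this page), the solicited-node multicast group for each unicast address, the Ethernet multicast MAC for a group, and the full set of groups an interface is expected to join. Function names are my own.

```python
import ipaddress

# Added example (not from the original post): address derivations behind the
# "sh ipv6 interface" output. Assumes modified EUI-64 interface identifiers,
# which is what the routers on this page use.


def eui64_link_local(mac):
    """Modified EUI-64 link-local address for a 48-bit MAC (RFC 4291 appendix A):
    split the MAC, insert ff:fe in the middle, flip the universal/local bit.
    Accepts IOS (ca00.1264.0008) and Wireshark (ca:00:12:64:00:08) notation."""
    octets = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                                   # universal/local bit
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(iid))


def solicited_node(addr):
    """FF02::1:FFxx:xxxx, built from the low 24 bits of a unicast address
    (RFC 4291 section 2.7.1). Link-local and global addresses that share the
    same interface identifier map to the same group (FF02::1:FF64:8 above)."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + packed[13:])


def multicast_mac(addr):
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits (RFC 2464)."""
    group = ipaddress.IPv6Address(addr)
    if not group.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    return ":".join(f"{b:02x}" for b in b"\x33\x33" + group.packed[12:])


def expected_groups(mac, global_addrs, routing=True):
    """Groups an interface joins: all-nodes, all-routers (only when ipv6
    unicast-routing is on) and one solicited-node group per unicast address."""
    unicast = [eui64_link_local(mac)] + [ipaddress.IPv6Address(a) for a in global_addrs]
    groups = {ipaddress.IPv6Address("ff02::1")}
    if routing:
        groups.add(ipaddress.IPv6Address("ff02::2"))
    groups.update(solicited_node(str(a)) for a in unicast)
    return {str(g) for g in groups}


if __name__ == "__main__":
    # R1 from this page: MAC ca00.1264.0008, global address 2001:1:1::1
    print("R1 link-local:", eui64_link_local("ca00.1264.0008"))
    print("R1 joined groups:", sorted(expected_groups("ca00.1264.0008", ["2001:1:1::1"])))
    # The NS that resolves R1's link-local address goes to this group and Ethernet
    # destination (compare "Sent N-Solicit ... Dst=FF02::1:FF64:8" in the debug output)
    group = solicited_node("fe80::c800:12ff:fe64:8")
    print("NS destination:", group, multicast_mac(str(group)))
```

Running it for R1 reproduces the four groups listed in the output above (FF02::1, FF02::2, FF02::1:FF00:1 and FF02::1:FF64:8); the all-routers group is only joined because ipv6 unicast-routing is enabled.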

Once we enable the interfaces we can see the following messages sent across the network (output from R2):

*Apr 24 06:35:54.375: ICMPv6: Received R-Advert, Src=FE80::C800:12FF:FE64:8, Dst=FF02::1
*Apr 24 06:35:54.379: ICMPv6-ND: Received RA from FE80::C800:12FF:FE64:8 on GigabitEthernet0/0
*Apr 24 06:35:54.379: ICMPv6-ND: [default] inserted router FE80::C800:12FF:FE64:8/GigabitEthernet0/0
*Apr 24 06:35:54.383: ICMPv6-ND: Prefix : 2001:1:1::, Length: 64, Vld Lifetime: 2592000, Prf Lifetime: 604800, PI Flags: C0
*Apr 24 06:35:57.403: ICMPv6-ND: Request to send RA for FE80::C801:12FF:FE64:8
*Apr 24 06:35:57.407: ICMPv6-ND: Setup RA from FE80::C801:12FF:FE64:8 to FF02::1 on GigabitEthernet0/0
*Apr 24 06:35:57.407: ICMPv6-ND:  MTU = 1500
*Apr 24 06:35:57.407: ICMPv6-ND:     prefix = 2001:1:1::/64 onlink autoconfig
*Apr 24 06:35:57.407: ICMPv6-ND:             2592000/604800 (valid/preferred)
*Apr 24 06:35:57.411: ICMPv6: Sent R-Advert, Src=FE80::C801:12FF:FE64:8, Dst=FF02::1
*Apr 24 06:36:05.227: ICMPv6: Received R-Advert, Src=FE80::C803:DFFF:FE84:8, Dst=FF02::1
*Apr 24 06:36:05.231: ICMPv6-ND: Received RA from FE80::C803:DFFF:FE84:8 on GigabitEthernet0/0
*Apr 24 06:36:05.231: ICMPv6-ND: [default] inserted router FE80::C803:DFFF:FE84:8/GigabitEthernet0/0
*Apr 24 06:36:13.415: ICMPv6-ND: Request to send RA for FE80::C801:12FF:FE64:8
*Apr 24 06:36:13.419: ICMPv6-ND: Setup RA from FE80::C801:12FF:FE64:8 to FF02::1 on GigabitEthernet0/0
*Apr 24 06:36:13.423: ICMPv6-ND:  MTU = 1500
*Apr 24 06:36:13.423: ICMPv6-ND:     prefix = 2001:1:1::/64 onlink autoconfig
*Apr 24 06:36:13.427: ICMPv6-ND:             2592000/604800 (valid/preferred)
*Apr 24 06:36:13.431: ICMPv6: Sent R-Advert, Src=FE80::C801:12FF:FE64:8, Dst=FF02::1

Let’s check local IPv6 routers:

R1#sh ipv6 routers
Router FE80::C803:DFFF:FE84:8 on GigabitEthernet0/0, last update 2 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Router FE80::C801:12FF:FE64:8 on GigabitEthernet0/0, last update 2 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001:1:1::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
R1#
 
R2#sh ipv6 router
Router FE80::C800:12FF:FE64:8 on GigabitEthernet0/0, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001:1:1::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
Router FE80::C803:DFFF:FE84:8 on GigabitEthernet0/0, last update 2 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
R2#
  • Router Solicitation (RS) – ICMPv6 – type 133 The message is sent by a host that wants to discover the IPv6 routers on the link. The source address is a link-local address, for example fe80::c803:dfff:fe84:8, and the destination is the multicast address ff02::2, “All Routers Address”.
Frame 1: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 23, 2014 19:20:54.600260000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1398273654.600260000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 70 bytes (560 bits)
    Capture Length: 70 bytes (560 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: ca:03:df:84:00:08 (ca:03:df:84:00:08), Dst: IPv6mcast_00:00:00:02 (33:33:00:00:00:02)
    Destination: IPv6mcast_00:00:00:02 (33:33:00:00:00:02)
        Address: IPv6mcast_00:00:00:02 (33:33:00:00:00:02)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:03:df:84:00:08 (ca:03:df:84:00:08)
        Address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::c803:dfff:fe84:8 (fe80::c803:dfff:fe84:8), Dst: ff02::2 (ff02::2)
    0110 .... = Version: 6
        [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
        .... 1110 00.. .... .... .... .... .... = Differentiated Services Field: Class Selector 7 (0x00000038)
        .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
        .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 16
    Next header: ICMPv6 (58)
    Hop limit: 255
    Source: fe80::c803:dfff:fe84:8 (fe80::c803:dfff:fe84:8)
    Destination: ff02::2 (ff02::2)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Internet Control Message Protocol v6
    Type: Router Solicitation (133)
    Code: 0
    Checksum: 0x2c0d [correct]
    Reserved: 00000000
    ICMPv6 Option (Source link-layer address : ca:03:df:84:00:08)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
  • Router Advertisement (RA) – ICMPv6 – type 134 The message is sent either as a response to a Router Solicitation or as an unsolicited RA. The source address is a link-local address, for example fe80::2, and the destination is the multicast address ff02::1, “All Nodes Address”.
Frame 2: 118 bytes on wire (944 bits), 118 bytes captured (944 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 23, 2014 19:20:54.622260000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1398273654.622260000 seconds
    [Time delta from previous captured frame: 0.022000000 seconds]
    [Time delta from previous displayed frame: 0.022000000 seconds]
    [Time since reference or first frame: 0.022000000 seconds]
    Frame Number: 2
    Frame Length: 118 bytes (944 bits)
    Capture Length: 118 bytes (944 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: ca:01:12:64:00:08 (ca:01:12:64:00:08), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
        Address: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:01:12:64:00:08 (ca:01:12:64:00:08)
        Address: ca:01:12:64:00:08 (ca:01:12:64:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::2 (fe80::2), Dst: ff02::1 (ff02::1)
    0110 .... = Version: 6
        [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
        .... 1110 00.. .... .... .... .... .... = Differentiated Services Field: Class Selector 7 (0x00000038)
        .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
        .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64
    Next header: ICMPv6 (58)
    Hop limit: 255
    Source: fe80::2 (fe80::2)
    Destination: ff02::1 (ff02::1)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x2134 [correct]
    Cur hop limit: 64
    Flags: 0x00
        0... .... = Managed address configuration: Not set
        .0.. .... = Other configuration: Not set
        ..0. .... = Home Agent: Not set
        ...0 0... = Prf (Default Router Preference): Medium (0)
        .... .0.. = Proxy: Not set
        .... ..0. = Reserved: 0
    Router lifetime (s): 1800
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Source link-layer address : ca:01:12:64:00:08)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: ca:01:12:64:00:08 (ca:01:12:64:00:08)
    ICMPv6 Option (MTU : 1500)
        Type: MTU (5)
        Length: 1 (8 bytes)
        Reserved
        MTU: 1500
    ICMPv6 Option (Prefix information : 2001::/64)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 64
        Flag: 0xc0
            1... .... = On-link flag(L): Set
            .1.. .... = Autonomous address-configuration flag(A): Set
            ..0. .... = Router address flag(R): Not set
            ...0 0000 = Reserved: 0
        Valid Lifetime: 2592000
        Preferred Lifetime: 604800
        Reserved
        Prefix: 2001:: (2001::)

Now, when we check the neighbor tables on both routers, we see that both are empty:

R1#sh ipv6  neighbors
R2#

R2#sh ipv6  neighbors
R2#

I will ping R1 from R2 (first the link-local address, then the global address):

#ping ipv6  FE80::C800:12FF:FE64:8
Output Interface: GigabitEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::C800:12FF:FE64:8, timeout is 2 seconds:
Packet sent with a source address of FE80::C801:12FF:FE64:8%GigabitEthernet0/0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/52/116 ms
R2#
*Apr 24 09:37:51.430: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.434: ICMPv6-ND: Created ND Entry Chunk pool
*Apr 24 09:37:51.438: ICMPv6-ND: DELETE -> INCMP: FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.442: ICMPv6-ND: Sending NS for FE80::C800:12FF:FE64:8 on GigabitEthernet0/0
*Apr 24 09:37:51.446: ICMPv6-ND: Resolving next hop FE80::C800:12FF:FE64:8 on interface GigabitEthernet0/0
*Apr 24 09:37:51.450: ICMPv6: Sent N-Solicit, Src=FE80::C801:12FF:FE64:8, Dst=FF02::1:FF64:8
*Apr 24 09:37:51.526: ICMPv6: Received N-Advert, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.530: ICMPv6-ND: Received NA for FE80::C800:12FF:FE64:8 on GigabitEthernet0/0 from FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.530: ICMPv6-ND: Neighbour FE80::C800:12FF:FE64:8 on GigabitEthernet0/0 : LLA ca00.1264.0008
*Apr 24 09:37:51.534: ICMPv6-ND: INCMP -> REACH: FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.562: ICMPv6: Received echo reply
R2#, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.570: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.606: ICMPv6: Received echo reply, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.618: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.658: ICMPv6: Received echo reply, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.666: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.710: ICMPv6: Received echo reply, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.718: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.750: ICMPv6: Received echo reply, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:56.570: ICMPv6: Received N-Solicit, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:56.574: ICMPv6-ND: Received NS for FE80::C801:12FF:FE64:8 on GigabitEthernet0/0 from FE80::C800:12FF:FE64:8
*Apr 24 09:37:56.574: ICMPv6-ND: Sending NA for FE80::C801:12FF:FE64:8 on GigabitEthernet0/0
*Apr 24 09:37:56.582: ICMPv6: Sent N-Advert, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
R2#
*Apr 24 09:38:00.822: ICMPv6: Received R-Advert, Src=FE80::C800:12FF:FE64:8, Dst=FF02::1
*Apr 24 09:38:00.822: ICMPv6-ND: Received RA from FE80::C800:12FF:FE64:8 on GigabitEthernet0/0
*Apr 24 09:38:00.826: ICMPv6-ND: Prefix : 2001:1:1::, Length: 64, Vld Lifetime: 2592000, Prf Lifetime: 604800, PI Flags: C0
*Apr 24 09:38:21.802: ICMPv6-ND: REACH -> STALE: FE80::C800:12FF:FE64:8

R2#
R2#sh ipv6  neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::C800:12FF:FE64:8                      0 ca00.1264.0008  REACH Gi0/0

As we can see, Neighbor Solicitation and Neighbor Advertisement packets were exchanged to learn about the neighbor; this works similarly to ARP in IPv4. The link-local address has been added to the neighbor table. Now let’s ping the global address:

R2#ping ipv6 2001:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/51/132 ms
R2#
*Apr 24 09:38:40.086: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.090: ICMPv6-ND: DELETE -> INCMP: 2001:1:1::1
*Apr 24 09:38:40.102: ICMPv6-ND: Sending NS for 2001:1:1::1 on GigabitEthernet0/0
*Apr 24 09:38:40.102: ICMPv6-ND: Resolving next hop 2001:1:1::1 on interface GigabitEthernet0/0
*Apr 24 09:38:40.110: ICMPv6: Sent N-Solicit, Src=2001:1:1::2, Dst=FF02::1:FF00:1
*Apr 24 09:38:40.182: ICMPv6: Received N-Advert, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:40.186: ICMPv6-ND: Received NA for 2001:1:1::1 on GigabitEthernet0/0 from 2001:1:1::1
*Apr 24 09:38:40.190: ICMPv6-ND: Neighbour 2001:1:1::1 on GigabitEthernet0/0 : LLA ca00.1264.0008
*Apr 24 09:38:40.190: ICMPv6-ND: INCMP -> REACH: 2001:1:1::1
*Apr 24 09:38:40.238: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:40.250: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.286: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=200
R2#1:1:1::2
*Apr 24 09:38:40.290: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.318: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:40.326: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.358: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:40.366: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.402: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:45.302: ICMPv6: Received N-Solicit, Src=FE80::C800:12FF:FE64:8, Dst=2001:1:1::2
*Apr 24 09:38:45.306: ICMPv6-ND: Received NS for 2001:1:1::2 on GigabitEthernet0/0 from FE80::C800:12FF:FE64:8
*Apr 24 09:38:45.306: ICMPv6-ND: Sending NA for 2001:1:1::2 on GigabitEthernet0/0
*Apr 24 09:38:45.314: ICMPv6: Sent N-Advert, Src=2001:1:1::2, Dst=FE80::C800:12FF:FE64:8
R2# 
 
R2#sh ipv6  neighbors
*Apr 24 09:38:55.482: ICMPv6: Received N-Solicit, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
R2#sh ipv6  neighbors
IPv6 Address                              Age Link-layer Addr State Interface
2001:1:1::1                                 0 ca00.1264.0008  REACH Gi0/0
FE80::C800:12FF:FE64:8                      0 ca00.1264.0008  REACH Gi0/0

R2#

Now we see both IPs in the neighbor table.
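To make the debug output above easier to reason about, here is an added example (not from the original post) that replays the ICMPv6-ND debug lines into a neighbor cache and prints it in the layout of sh ipv6 neighbors. The lines in PAGE_LINES are copied from the R2 debug output above; SPOOF_LINE is a constructed line that re-learns 2001:1:1::1 with a different link-layer address, which is the condition a monitoring script should alert on, since a legitimate neighbor does not normally change its MAC.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original post): rebuild the neighbor cache from
# IOS "ICMPv6-ND" debug lines and flag link-layer address changes.
LINE = re.compile(r"^\*(\w{3} +\d+ [\d:.]+): ICMPv6-ND: (.*)$")
TRANSITION = re.compile(r"^(\w+) -> (\w+): (\S+)$")            # e.g. INCMP -> REACH: addr
LEARNED = re.compile(r"^Neighbour (\S+) on (\S+) : LLA ([0-9a-f.]+)$")


@dataclass
class Entry:
    state: str = "INCMP"
    lla: Optional[str] = None
    interface: Optional[str] = None


def replay(lines):
    """Return (cache, alerts): cache maps a normalized IPv6 address to its Entry;
    alerts lists every time a known address was re-learned with a new LLA."""
    cache, alerts = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                                  # not an ND debug line
        ts, msg = m.groups()
        t = TRANSITION.match(msg)
        if t:
            _old, new, addr = t.groups()
            cache.setdefault(str(ipaddress.IPv6Address(addr)), Entry()).state = new
            continue
        l = LEARNED.match(msg)
        if l:
            addr, ifname, lla = l.groups()
            entry = cache.setdefault(str(ipaddress.IPv6Address(addr)), Entry())
            if entry.lla is not None and entry.lla != lla:
                alerts.append(f"{ts}: {addr} on {ifname} moved from {entry.lla} to {lla}")
            entry.lla, entry.interface = lla, ifname
    return cache, alerts


def render(cache):
    """Format the cache like 'sh ipv6 neighbors' (age column omitted)."""
    rows = [f"{'IPv6 Address':<41} Link-layer Addr State Interface"]
    rows += [f"{addr:<41} {e.lla or '-':<15} {e.state:<5} {e.interface or '-'}"
             for addr, e in sorted(cache.items())]
    return "\n".join(rows)


# Copied from the R2 debug output on this page (non-ND lines are ignored by replay)
PAGE_LINES = [
    "*Apr 24 09:37:51.430: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8",
    "*Apr 24 09:37:51.434: ICMPv6-ND: Created ND Entry Chunk pool",
    "*Apr 24 09:37:51.438: ICMPv6-ND: DELETE -> INCMP: FE80::C800:12FF:FE64:8",
    "*Apr 24 09:37:51.530: ICMPv6-ND: Neighbour FE80::C800:12FF:FE64:8 on GigabitEthernet0/0 : LLA ca00.1264.0008",
    "*Apr 24 09:37:51.534: ICMPv6-ND: INCMP -> REACH: FE80::C800:12FF:FE64:8",
    "*Apr 24 09:38:21.802: ICMPv6-ND: REACH -> STALE: FE80::C800:12FF:FE64:8",
    "*Apr 24 09:38:40.090: ICMPv6-ND: DELETE -> INCMP: 2001:1:1::1",
    "*Apr 24 09:38:40.190: ICMPv6-ND: Neighbour 2001:1:1::1 on GigabitEthernet0/0 : LLA ca00.1264.0008",
    "*Apr 24 09:38:40.190: ICMPv6-ND: INCMP -> REACH: 2001:1:1::1",
]
# Constructed line (not from the page): the same address learned with another MAC
SPOOF_LINE = "*Apr 24 09:39:10.000: ICMPv6-ND: Neighbour 2001:1:1::1 on GigabitEthernet0/0 : LLA 0000.1111.2222"

if __name__ == "__main__":
    cache, alerts = replay(PAGE_LINES + [SPOOF_LINE])
    print(render(cache))
    print(*alerts, sep="\n")
```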
  • Neighbor Solicitation (NS) – ICMPv6 – type 135 The message asks for the MAC address that belongs to a specific IPv6 address. In the capture below it is sent from the unspecified address (::) to the solicited-node multicast address of the destination device; the ICMPv6 body carries the target IP address being queried.
Frame 4: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 23, 2014 19:20:54.642260000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1398273654.642260000 seconds
    [Time delta from previous captured frame: 0.020000000 seconds]
    [Time delta from previous displayed frame: 0.020000000 seconds]
    [Time since reference or first frame: 0.042000000 seconds]
    Frame Number: 4
    Frame Length: 78 bytes (624 bits)
    Capture Length: 78 bytes (624 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: ca:03:df:84:00:08 (ca:03:df:84:00:08), Dst: IPv6mcast_ff:84:00:08 (33:33:ff:84:00:08)
    Destination: IPv6mcast_ff:84:00:08 (33:33:ff:84:00:08)
        Address: IPv6mcast_ff:84:00:08 (33:33:ff:84:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:03:df:84:00:08 (ca:03:df:84:00:08)
        Address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: :: (::), Dst: ff02::1:ff84:8 (ff02::1:ff84:8)
    0110 .... = Version: 6
        [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
        .... 1110 00.. .... .... .... .... .... = Differentiated Services Field: Class Selector 7 (0x00000038)
        .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
        .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 24
    Next header: ICMPv6 (58)
    Hop limit: 255
    Source: :: (::)
    Destination: ff02::1:ff84:8 (ff02::1:ff84:8)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Internet Control Message Protocol v6
    Type: Neighbor Solicitation (135)
    Code: 0
    Checksum: 0xb38a [correct]
    Reserved: 00000000
    Target Address: 2001::c803:dfff:fe84:8 (2001::c803:dfff:fe84:8)
  • Neighbor Advertisement (NA) – ICMPv6 – type 136 The message is the response to an NS query and contains the MAC address of the requested IP address. In the capture below the destination is the multicast address ff02::1, “All Nodes Address”.

Frame 5: 86 bytes on wire (688 bits), 86 bytes captured (688 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 23, 2014 19:20:55.624260000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1398273655.624260000 seconds
    [Time delta from previous captured frame: 0.982000000 seconds]
    [Time delta from previous displayed frame: 0.982000000 seconds]
    [Time since reference or first frame: 1.024000000 seconds]
    Frame Number: 5
    Frame Length: 86 bytes (688 bits)
    Capture Length: 86 bytes (688 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: ca:03:df:84:00:08 (ca:03:df:84:00:08), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
        Address: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: ca:03:df:84:00:08 (ca:03:df:84:00:08)
        Address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: 2001::c803:dfff:fe84:8 (2001::c803:dfff:fe84:8), Dst: ff02::1 (ff02::1)
    0110 .... = Version: 6
        [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
        .... 1110 00.. .... .... .... .... .... = Differentiated Services Field: Class Selector 7 (0x00000038)
        .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
        .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (58)
    Hop limit: 255
    Source: 2001::c803:dfff:fe84:8 (2001::c803:dfff:fe84:8)
    [Source Teredo Server IPv4: 0.0.0.0 (0.0.0.0)]
    [Source Teredo Port: 8192]
    [Source Teredo Client IPv4: 1.123.255.247 (1.123.255.247)]
    Destination: ff02::1 (ff02::1)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Internet Control Message Protocol v6
    Type: Neighbor Advertisement (136)
    Code: 0
    Checksum: 0x9feb [correct]
    Flags: 0xa0000000
        1... .... .... .... .... .... .... .... = Router: Set
        .0.. .... .... .... .... .... .... .... = Solicited: Not set
        ..1. .... .... .... .... .... .... .... = Override: Set
        ...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0
    Target Address: 2001::c803:dfff:fe84:8 (2001::c803:dfff:fe84:8)
    ICMPv6 Option (Target link-layer address : ca:03:df:84:00:08)
        Type: Target link-layer address (2)
        Length: 1 (8 bytes)
        Link-layer address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
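The four captures in this post (Frames 1, 2, 4 and 5) are internally consistent, and the example below, which I added and which is not part of the original post, shows how: it builds each message at byte level from the decoded fields, computes the ICMPv6 checksum over the IPv6 pseudo-header (RFC 4443), decodes the type-specific body and the TLV options, and, for an RA, runs the kind of check RA Guard performs on a switch port, accepting only known routers and prefixes. It serves both the RS/RA and the NS/NA sections above. Function names, the allowed-router and allowed-prefix lists and the dict layout are my own. Rebuilding the frames reproduces exactly the checksums Wireshark reported: 0x2c0d, 0x2134, 0xb38a and 0x9feb.

```python
import ipaddress
import struct

# Added example: ICMPv6 Neighbor Discovery messages at byte level (RFC 4861), checked
# against the four Wireshark frames on this page. Function names are my own.
ICMPV6 = 58                                           # next-header value for ICMPv6
RS, RA, NS, NA = 133, 134, 135, 136                   # ND message types
OPT_SLLA, OPT_TLLA, OPT_PREFIX, OPT_MTU = 1, 2, 3, 5  # ND option types

def icmpv6_checksum(src, dst, payload):
    """RFC 4443 checksum: one's-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, next header) followed by the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(payload), ICMPV6))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def lla_option(kind, mac):                            # kind: OPT_SLLA or OPT_TLLA
    return struct.pack("!BB", kind, 1) + bytes.fromhex(mac.replace(":", ""))

def mtu_option(mtu):
    return struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)

def prefix_option(prefix, flags, valid, preferred):
    net = ipaddress.IPv6Network(prefix)
    return (struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, flags, valid, preferred, 0)
            + net.network_address.packed)

def build(src, dst, msg_type, body, options=b""):
    """4-byte ICMPv6 header + type-specific body + options; the checksum is
    computed over the message with its own checksum field zeroed."""
    payload = struct.pack("!BBH", msg_type, 0, 0) + body + options
    return payload[:2] + struct.pack("!H", icmpv6_checksum(src, dst, payload)) + payload[4:]

def parse(src, dst, payload):
    """Decode an ND message into a dict and verify its checksum for the given src/dst."""
    msg_type, _code, csum = struct.unpack("!BBH", payload[:4])
    zeroed = payload[:2] + b"\x00\x00" + payload[4:]
    info = {"type": msg_type, "options": {},
            "checksum_ok": icmpv6_checksum(src, dst, zeroed) == csum}
    if msg_type == RS:
        rest = payload[8:]                                # 4 reserved bytes
    elif msg_type == RA:
        (info["cur_hop_limit"], info["flags"], info["router_lifetime"],
         info["reachable"], info["retrans"]) = struct.unpack("!BBHII", payload[4:16])
        rest = payload[16:]
    elif msg_type in (NS, NA):
        if msg_type == NA:
            info["flags"] = struct.unpack("!I", payload[4:8])[0]   # R, S, O bits
        info["target"] = str(ipaddress.IPv6Address(payload[8:24]))
        rest = payload[24:]
    else:
        raise ValueError(f"not an ND message: type {msg_type}")
    while rest:                      # options are TLVs, length in units of 8 bytes
        kind, length = rest[0], rest[1] * 8
        if length == 0 or length > len(rest):
            raise ValueError("malformed ND option")   # zero length is invalid per RFC 4861
        opt, rest = rest[:length], rest[length:]
        if kind in (OPT_SLLA, OPT_TLLA):
            info["options"]["slla" if kind == OPT_SLLA else "tlla"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif kind == OPT_MTU:
            info["options"]["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif kind == OPT_PREFIX:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            info["options"]["prefix"] = f"{ipaddress.IPv6Address(opt[16:32])}/{plen}"
            info["options"]["prefix_flags"], info["options"]["lifetimes"] = pflags, (valid, preferred)
    return info

def ra_violations(src, ra, allowed_routers, allowed_prefixes):
    """Defender-side check of the kind RA Guard makes on a switch port: accept an RA
    only from a known router address and only with the prefixes expected on this link."""
    problems = []
    if ipaddress.IPv6Address(src) not in {ipaddress.IPv6Address(r) for r in allowed_routers}:
        problems.append(f"RA from unexpected router {src}")
    prefix = ra["options"].get("prefix")
    if prefix and ipaddress.IPv6Network(prefix) not in {ipaddress.IPv6Network(p) for p in allowed_prefixes}:
        problems.append(f"RA advertises unexpected prefix {prefix}")
    return problems

# Frames 1, 2, 4 and 5 from the captures on this page, rebuilt from the decoded fields as
# (src, dst, icmpv6_bytes); their checksums must come out as Wireshark showed them.
TARGET = "2001::c803:dfff:fe84:8"
FRAME1 = ("fe80::c803:dfff:fe84:8", "ff02::2", build("fe80::c803:dfff:fe84:8", "ff02::2", RS,
          b"\x00" * 4, lla_option(OPT_SLLA, "ca:03:df:84:00:08")))
FRAME2 = ("fe80::2", "ff02::1", build("fe80::2", "ff02::1", RA, struct.pack("!BBHII", 64, 0x00, 1800, 0, 0),
          lla_option(OPT_SLLA, "ca:01:12:64:00:08") + mtu_option(1500) + prefix_option("2001::/64", 0xC0, 2592000, 604800)))
FRAME4 = ("::", "ff02::1:ff84:8", build("::", "ff02::1:ff84:8", NS, b"\x00" * 4 + ipaddress.IPv6Address(TARGET).packed))
FRAME5 = (TARGET, "ff02::1", build(TARGET, "ff02::1", NA, struct.pack("!I", 0xA0000000)
          + ipaddress.IPv6Address(TARGET).packed, lla_option(OPT_TLLA, "ca:03:df:84:00:08")))

if __name__ == "__main__":
    for name, frame in ("RS", FRAME1), ("RA", FRAME2), ("NS", FRAME4), ("NA", FRAME5):
        print(name, f"checksum=0x{int.from_bytes(frame[2][2:4], 'big'):04x}", parse(*frame))
    print(ra_violations("fe80::2", parse(*FRAME2), ["fe80::c800:12ff:fe64:8"], ["2001:1:1::/64"]))
```

All four captured messages carry Hop limit 255; RFC 4861 requires receivers to discard ND messages with any other hop limit, which guarantees the packet was not forwarded by a router. The parser above only sees the ICMPv6 payload, so that check belongs with the caller that holds the IPv6 header.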

In the next post I will talk about how to implement security features for some of these IPv6 protocols.
