Saturday, May 3, 2014

IPv6 security – IPv6 First Hop Security – IPv6 SeND (Secure Neighbor Discovery) – part five.

The SeND protocol can protect the network against unauthorized routers that send RA messages. To mitigate this risk you can enable the IPv6 SeND protocol: RA messages are then accepted only from devices that hold a valid certificate and use a CGA (Cryptographically Generated Address) as the source IP. Let’s test this feature in the following scenario:

    PKI SERVER                     ROUTER
      /----\         -----         /----\ 
     |  R1  |-------| sw1 |-------|  R2  |
      \----/         -----         \----/ 
                       |      
                       |         
                    /----\   
                   |  R3  |
                    \----/  
                SPOOFED ROUTER 

Configure r1 as a PKI server:
 
crypto key generate rsa general-keys modulus 1024 label KEY1024
!
interface FastEthernet0/0
 ipv6 cga rsakeypair KEY1024
 ipv6 address FE80:: link-local cga
 ipv6 address 2001:100::/64 cga
 ipv6 nd secured trustanchor SERVER-PKI
end
!
ipv6 nd secured full-secure
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
crypto pki server SERVER-PKI
 grant auto
!

and enable IPv6 on its interface:

r1#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::3486:2358:D3EE:CD93 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:100::200C:30C3:3AFA:2B9B, subnet is 2001:100::/64 
  Joined group address(es):
    FF02::1
    FF02::1:FFEE:CD93
    FF02::1:FFFA:2B9B
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
r1#
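
How a receiver checks a CGA such as the ones r1 generated above, as an added Python example (not code from the original post or from Cisco): it follows the generation and verification steps of RFC 3972. The function names, the constructed byte string standing in for the DER-encoded RSA public key, and the `min_sec` policy check (modelled on `ipv6 nd secured sec-level minimum 1`) are assumptions of this example.

```python
import hashlib
import ipaddress
import os

# RFC 3972: Hash1 is compared with the interface identifier while ignoring the
# three Sec bits and the u/g bits (bits 6 and 7).
IID_MASK = 0x1CFFFFFFFFFFFFFF

# Constructed stand-in for a DER-encoded public key (the hashes only see bytes).
DEMO_KEY = bytes(range(64)) * 3


def sec_of(address):
    """Sec value stored in the three leftmost bits of the interface identifier."""
    iid = int(ipaddress.IPv6Address(address)) & 0xFFFFFFFFFFFFFFFF
    return iid >> 61


def _hash2_ok(modifier, public_key, sec):
    # Hash2 input: modifier | nine zero octets | public key.
    # The leftmost 16*Sec bits of the SHA-1 digest must be zero.
    digest = hashlib.sha1(modifier + bytes(9) + public_key).digest()
    return digest[: 2 * sec] == bytes(2 * sec)


def _hash1(modifier, prefix, collisions, public_key):
    # Hash1 input is the CGA Parameters structure; keep the leftmost 64 bits.
    params = modifier + prefix + bytes([collisions]) + public_key
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")


def generate_cga(prefix64, public_key, sec=1, collisions=0):
    """Return (address, modifier) for a /64 prefix such as '2001:100::'."""
    prefix = ipaddress.IPv6Address(prefix64).packed[:8]
    modifier = int.from_bytes(os.urandom(16), "big")
    # Brute-force search: about 2**(16*sec) SHA-1 calls on average.
    while not _hash2_ok(modifier.to_bytes(16, "big"), public_key, sec):
        modifier = (modifier + 1) % (1 << 128)
    mod_bytes = modifier.to_bytes(16, "big")
    iid = (_hash1(mod_bytes, prefix, collisions, public_key) & IID_MASK) | (sec << 61)
    address = ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))
    return str(address), mod_bytes


def verify_cga(address, modifier, prefix64, collisions, public_key, min_sec=1):
    """Receiver-side check of an address against CGA parameters: (ok, reason)."""
    addr = ipaddress.IPv6Address(address).packed
    prefix = ipaddress.IPv6Address(prefix64).packed[:8]
    if collisions not in (0, 1, 2):
        return False, "collision count out of range"
    if addr[:8] != prefix:
        return False, "subnet prefix mismatch"
    iid = int.from_bytes(addr[8:], "big")
    if (_hash1(modifier, prefix, collisions, public_key) ^ iid) & IID_MASK:
        return False, "Hash1 does not match interface identifier"
    sec = iid >> 61
    if sec < min_sec:  # local policy (assumption of this example), not an RFC step
        return False, "Sec below configured minimum"
    if not _hash2_ok(modifier, public_key, sec):
        return False, "Hash2 lacks 16*Sec leading zero bits"
    return True, "address verified"


if __name__ == "__main__":
    addr, mod = generate_cga("2001:100::", DEMO_KEY, sec=1)
    print(addr, verify_cga(addr, mod, "2001:100::", 0, DEMO_KEY))
    # A hand-picked address cannot be bound to the same key and modifier.
    print(verify_cga("2001:100::3", mod, "2001:100::", 0, DEMO_KEY))
    # Sec bits of the addresses r1 shows in 'sh ipv6 interface' above.
    print(sec_of("FE80::3486:2358:D3EE:CD93"), sec_of("2001:100::200C:30C3:3AFA:2B9B"))
```
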

Now I configure r2 with the ‘cga’ feature:

!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 cga rsakeypair KEY1024
 ipv6 address FE80:: link-local cga
 ipv6 address 2001:100::/64 cga
 ipv6 nd secured trustpoint PKI-TRUSTPOINT
end
!
ipv6 nd secured full-secure
ipv6 nd secured sec-level minimum 1
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
!
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100::200C:30C3:3AFA:2B9B]:80
 revocation-check crl
!

And then r3 without ‘cga’:

!
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
interface FastEthernet0/0
 ipv6 address 2001:100::3/64
end
!

Let’s try to ping all routers:
R2 -> R1:

r2#ping 2001:100::200C:30C3:3AFA:2B9B
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:100::200C:30C3:3AFA:2B9B, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/29/140 ms
r2#

r1#
May  2 12:11:46.271: ICMPv6-ND: DELAY -> PROBE: 2001:100::342D:C844:BE15:1391
May  2 12:11:46.271: ICMPv6-ND: Sending NS for 2001:100::342D:C844:BE15:1391 on FastEthernet0/0
May  2 12:11:46.275: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:11:46.275: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:11:46.275: SEND:       dst 2001:100::342D:C844:BE15:1391
May  2 12:11:46.275: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:11:46.275: SEND:      Timestamp: 0x53638B8246D3 = 12:11:46 UTC May 2 2014
May  2 12:11:46.275: SEND:      Nonce length: 6, value: FFFFFFB7FFFFFFE9FFFFFF96FFFFFFBDFFFFFFE5FFFFFFB7
May  2 12:11:46.355: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:11:46.355: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:46.355: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:46.355: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:46.355: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:46.355: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:11:46.407: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:11:46.407: SEND:       src 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:46.407: SEND:       Received at: 0x53638B826886 = 12:11:46 UTC May 2 2014
May  2 12:11:46.407: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:46.407: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:46.407: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:46.407: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:46.407: SEND:       Target: 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND: Solicit advertisement
May  2 12:11:46.407: SEND:      Verifying address 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND:       keylen is 1024
May  2 12:11:46.407: SEND:       sec is 1
May  2 12:11:46.407: SEND:       Address verified
May  2 12:11:46.407: SEND:      Nonce length: 6, value: FFFFFFB7FFFFFFE9FFFFFF96FFFFFFBDFFFFFFE5FFFFFFB7
May  2 12:11:46.407: SEND:      Timestamp: 0x53638B835F2F = 12:11:47 UTC May 2 2014
May  2 12:11:46.411: SEND:      Good signature
May  2 12:11:46.415: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:11:46.415: ICMPv6-ND: Received NA for 2001:100::342D:C844:BE15:1391 on FastEthernet0/0 from 2001:100::342D:C844:BE15:1391
May  2 12:11:46.415: ICMPv6-ND: PROBE -> REACH: 2001:100::342D:C844:BE15:1391
r1#
May  2 12:11:51.507: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:11:51.507: SEND:       src FE80::3828:8FA2:608:14A2
May  2 12:11:51.507: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:51.507: SEND:       Received at: 0x53638B87822E = 12:11:51 UTC May 2 2014
May  2 12:11:51.507: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:11:51.507: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:51.507: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:51.507: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:51.507: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:51.507: SEND:       Target: FE80::3486:2358:D3EE:CD93
May  2 12:11:51.507: SEND:      Nonce length: 6, value: FFFFFFABFFFFFFE2FFFFFF9467FFFFFFDE72
May  2 12:11:51.507: SEND: Solicit DB init
May  2 12:11:51.507: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 12:11:51.507: SEND:       keylen is 1024
May  2 12:11:51.507: SEND:       sec is 1
May  2 12:11:51.507: SEND:       Address verified
May  2 12:11:51.507: SEND:      Timestamp: 0x53638B8878CB = 12:11:52 UTC May 2 2014
May  2 12:11:51.507: SEND:       TS opt check RC = 0
May  2 12:11:51.515: SEND:      Good signature
May  2 12:11:51.515: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:11:51.515: ICMPv6-ND: Received NS for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0 from FE80::3828:8FA2:608:14A2
May  2 12:11:51.515: ICMPv6-ND: Glean FE80::3828:8FA2:608:14A2 on FastEthernet0/0
May  2 12:11:51.515: ICMPv6-ND: Neighbour FE80::3828:8FA2:608:14A2 on FastEthernet0/0 : LLA 0007.7dce.0f00
May  2 12:11:51.515: ICMPv6-ND: INCMP -> STALE: FE80::3828:8FA2:608:14A2
May  2 12:11:51.515: ICMPv6-ND: Sending NA for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0
May  2 12:11:51.519: SEND: Send:  ND_NEIGHBOR_ADVERT 
May  2 12:11:51.519: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:11:51.519: SEND:       dst FE80::3828:8FA2:608:14A2
May  2 12:11:51.519: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:11:51.519: SEND:      Timestamp: 0x53638B87854F = 12:11:51 UTC May 2 2014
May  2 12:11:51.519: SEND:      Nonce length: 6, value: FFFFFFABFFFFFFE2FFFFFF9467FFFFFFDE72
May  2 12:11:51.599: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:51.599: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:51.599: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:51.599: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:51.599: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:11:51.599: ICMPv6-ND: STALE -> DELAY: FE80::3828:8FA2:608:14A2
r1#
May  2 12:11:56.719: ICMPv6-ND: DELAY -> PROBE: FE80::3828:8FA2:608:14A2
May  2 12:11:56.719: ICMPv6-ND: Sending NS for FE80::3828:8FA2:608:14A2 on FastEthernet0/0
May  2 12:11:56.723: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:11:56.723: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:11:56.723: SEND:       dst FE80::3828:8FA2:608:14A2
May  2 12:11:56.723: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:11:56.723: SEND:      Timestamp: 0x53638B8CB98C = 12:11:56 UTC May 2 2014
May  2 12:11:56.723: SEND:      Nonce length: 6, value: FFFFFF8FFFFFFF9D4A557CFFFFFFB1
May  2 12:11:56.803: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:11:56.803: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:56.803: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:56.803: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:56.803: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:56.803: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:11:56.847: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:11:56.851: SEND:       src FE80::3828:8FA2:608:14A2
May  2 12:11:56.851: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:56.851: SEND:       Received at: 0x53638B8CDA23 = 12:11:56 UTC May 2 2014
May  2 12:11:56.851: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:56.851: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:56.851: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:56.851: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:56.851: SEND:       Target: FE80::3828:8FA2:608:14A2
May  2 12:11:56.851: SEND: Solicit advertisement
May  2 12:11:56.851: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 12:11:56.851: SEND:       keylen is 1024
May  2 12:11:56.851: SEND:       sec is 1
May  2 12:11:56.851: SEND:       Address verified
May  2 12:11:56.851: SEND:      Nonce length: 6, value: FFFFFF8FFFFFFF9D4A557CFFFFFFB1
May  2 12:11:56.851: SEND:      Timestamp: 0x53638B8DD0D9 = 12:11:57 UTC May 2 2014
May  2 12:11:56.855: SEND:      Good signature
May  2 12:11:56.855: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:11:56.855: ICMPv6-ND: Received NA for FE80::3828:8FA2:608:14A2 on FastEthernet0/0 from FE80::3828:8FA2:608:14A2
May  2 12:11:56.859: ICMPv6-ND: PROBE -> REACH: FE80::3828:8FA2:608:14A2    

R3 -> R1:

r3#ping 2001:100::200C:30C3:3AFA:2B9B

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:100::200C:30C3:3AFA:2B9B, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#

As you can see, R3 can’t ping R1. Let’s check why:

May  2 12:14:00.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:00.623: SEND:       src 2001:100::3
May  2 12:14:00.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:00.623: SEND:       Received at: 0x53638C08A055 = 12:14:00 UTC May 2 2014
May  2 12:14:00.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:00.623: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:00.623: SEND: !NS without CGA option
May  2 12:14:00.623: SEND: Unsecure message discarded
May  2 12:14:00.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:00.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:01.651: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:01.651: SEND:       src 2001:100::3
May  2 12:14:01.651: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:01.651: SEND:       Received at: 0x53638C09A784 = 12:14:01 UTC May 2 2014
May  2 12:14:01.651: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:01.651: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:01.651: SEND: !NS without CGA option
May  2 12:14:01.651: SEND: Unsecure message discarded
May  2 12:14:01.651: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:01.651: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:02.679: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:02.679: SEND:       src 2001:100::3
May  2 12:14:02.679: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:02.679: SEND:       Received at: 0x53638C0AAEA7 = 12:14:02 UTC May 2 2014
May  2 12:14:02.679: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:02.679: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:02.679: SEND: !NS without CGA option
May  2 12:14:02.679: SEND: Unsecure message discarded
May  2 12:14:02.679: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:02.679: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:04.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:04.623: SEND:       src 2001:100::3
May  2 12:14:04.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:04.623: SEND:       Received at: 0x53638C0CA04E = 12:14:04 UTC May 2 2014
May  2 12:14:04.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:04.623: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:04.623: SEND: !NS without CGA option
May  2 12:14:04.623: SEND: Unsecure message discarded
May  2 12:14:04.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:04.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:05.715: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:05.715: SEND:       src 2001:100::3
May  2 12:14:05.715: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:05.715: SEND:       Received at: 0x53638C0DB7DB = 12:14:05 UTC May 2 2014
May  2 12:14:05.715: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:05.715: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:05.715: SEND: !NS without CGA option
May  2 12:14:05.715: SEND: Unsecure message discarded
May  2 12:14:05.715: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:05.715: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:06.807: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:06.807: SEND:       src 2001:100::3
May  2 12:14:06.807: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:06.807: SEND:       Received at: 0x53638C0ECF65 = 12:14:06 UTC May 2 2014
May  2 12:14:06.807: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:06.807: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:06.807: SEND: !NS without CGA option
May  2 12:14:06.807: SEND: Unsecure message discarded
May  2 12:14:06.807: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:06.807: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:08.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:08.623: SEND:       src 2001:100::3
May  2 12:14:08.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:08.623: SEND:       Received at: 0x53638C10A049 = 12:14:08 UTC May 2 2014
May  2 12:14:08.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:08.623: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:08.623: SEND: !NS without CGA option
May  2 12:14:08.623: SEND: Unsecure message discarded
May  2 12:14:08.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:08.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:09.651: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:09.651: SEND:       src 2001:100::3
May  2 12:14:09.651: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:09.651: SEND:       Received at: 0x53638C11A774 = 12:14:09 UTC May 2 2014
May  2 12:14:09.651: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:09.651: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:09.651: SEND: !NS without CGA option
May  2 12:14:09.651: SEND: Unsecure message discarded
May  2 12:14:09.651: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:09.651: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:10.679: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:10.679: SEND:       src 2001:100::3
May  2 12:14:10.679: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:10.679: SEND:       Received at: 0x53638C12AE9A = 12:14:10 UTC May 2 2014
May  2 12:14:10.679: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:10.679: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:10.679: SEND: !NS without CGA option
May  2 12:14:10.679: SEND: Unsecure message discarded
May  2 12:14:10.679: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:10.679: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
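
A way to summarise this kind of `SEND:` debug output when there is more of it than can be read by eye, as an added Python example (not part of the original post): it groups the lines into received messages, records which options each carried, and reports dropped sources and sender/receiver clock skew. The sample is an abridged excerpt of r1's output from this page; the function names and the reading of the printed timestamp (low 16 bits as 1/65536 s, which matches the times printed beside the hex values) are assumptions of this example.

```python
import re
from collections import Counter

# Abridged excerpt of r1's debug output shown on this page.
SAMPLE = """\
May  2 12:11:46.407: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:11:46.407: SEND:       src 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:46.407: SEND:       Received at: 0x53638B826886 = 12:11:46 UTC May 2 2014
May  2 12:11:46.407: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:46.407: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:46.407: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:46.407: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:46.407: SEND:       Address verified
May  2 12:11:46.407: SEND:      Timestamp: 0x53638B835F2F = 12:11:47 UTC May 2 2014
May  2 12:11:46.411: SEND:      Good signature
May  2 12:14:00.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:00.623: SEND:       src 2001:100::3
May  2 12:14:00.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:00.623: SEND:       Received at: 0x53638C08A055 = 12:14:00 UTC May 2 2014
May  2 12:14:00.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:00.623: SEND: !NS without CGA option
May  2 12:14:00.623: SEND: Unsecure message discarded
May  2 12:14:00.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
"""

# Optional leading '.', syslog-style date and time, then the SEND: body.
LINE = re.compile(r"^\.?\w{3}\s+\d+\s+[\d:.]+:\s+SEND:\s*(.*)$")
# Options carried by every verified message in this page's logs.
EXPECTED_OPTS = {"ND_OPT_CGA", "ND_OPT_TIMESTAMP", "ND_OPT_RSA"}


def ts_seconds(hex_value):
    """Printed timestamp -> seconds since the epoch, with 1/65536 s fraction."""
    raw = int(hex_value, 16)
    return (raw >> 16) + (raw & 0xFFFF) / 65536.0


def parse_received(text):
    """Group SEND debug lines into one dict per received ND message."""
    records, cur = [], None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ICMPv6-ND lines, prompts, blank lines
        body = m.group(1).strip()
        if body.startswith(("Send:", "Receive:")):
            cur = None  # lines of outbound messages are skipped
            if body.startswith("Receive:"):
                cur = {"type": body.split(":", 1)[1].strip(), "src": None,
                       "options": [], "recv": None, "sent": None,
                       "verdict": "unknown", "detail": None, "reason": None}
                records.append(cur)
            continue
        if cur is None:
            continue
        if f := re.match(r"src (\S+)$", body):
            cur["src"] = f.group(1)
        elif f := re.match(r"Received at: (0x[0-9A-Fa-f]+)", body):
            cur["recv"] = ts_seconds(f.group(1))
        elif f := re.match(r"Timestamp: (0x[0-9A-Fa-f]+)", body):
            cur["sent"] = ts_seconds(f.group(1))
        elif f := re.match(r"option \d+ len \d+: (\S+)", body):
            cur["options"].append(f.group(1))
        elif body.startswith("! DROP:"):
            cur["verdict"] = "dropped"
            cur["reason"] = int(re.search(r"reason=(\d+)", body).group(1))
        elif body.startswith("!"):
            cur["detail"] = body.lstrip("! ")
        elif body == "Good signature" and cur["verdict"] != "dropped":
            cur["verdict"] = "verified"
    return records


def missing_options(record):
    return sorted(EXPECTED_OPTS - set(record["options"]))


def clock_skew(record):
    """Sender timestamp minus local receive time, in seconds (None if absent)."""
    if record["recv"] is None or record["sent"] is None:
        return None
    return record["sent"] - record["recv"]


def dropped_sources(records):
    return Counter((r["src"], r["detail"]) for r in records if r["verdict"] == "dropped")


if __name__ == "__main__":
    for r in parse_received(SAMPLE):
        print(r["type"], r["src"], r["verdict"], missing_options(r), clock_skew(r))
```

A positive skew means the sender's clock runs ahead of r1's. The Timestamp option is only accepted within a bounded difference (RFC 3971 defaults to a 300-second delta), so routers running SeND need reasonably synchronized clocks.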

As we can see, R3 can’t ping R1 due to the lack of ‘cga’. Let’s configure this feature on the r3 interface:

!
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
interface FastEthernet0/0
 ipv6 cga rsakeypair KEY1024
 ipv6 address FE80:: link-local cga
 ipv6 address 2001:100::/64 cga
end 

and try again (R3->R1):

r3#ping 2001:100::200C:30C3:3AFA:2B9B

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:100::200C:30C3:3AFA:2B9B, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/36/184 ms
r3#

r1#
May  2 12:19:13.415: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:19:13.415: SEND:       src 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.415: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:19:13.415: SEND:       Received at: 0x53638D416AFF = 12:19:13 UTC May 2 2014
May  2 12:19:13.415: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:13.415: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:13.415: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:13.415: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:13.415: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:13.415: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:19:13.415: SEND:      Nonce length: 6, value: 7EFFFFFFCB1C10FFFFFFE8FFFFFFF1
May  2 12:19:13.415: SEND:      Verifying address 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.415: SEND:       keylen is 1024
May  2 12:19:13.415: SEND:       sec is 1
May  2 12:19:13.419: SEND:       Address verified
May  2 12:19:13.419: SEND:      Timestamp: 0x53638D41E565 = 12:19:13 UTC May 2 2014
May  2 12:19:13.419: SEND:       TS opt check RC = 0
May  2 12:19:13.423: SEND:      Good signature
May  2 12:19:13.423: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:13.423: ICMPv6-ND: Received NS for 2001:100::200C:30C3:3AFA:2B9B on FastEthernet0/0 from 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.423: ICMPv6-ND: Glean 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0
May  2 12:19:13.423: ICMPv6-ND: Neighbour 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0 : LLA 0015.fac0.a3a0
May  2 12:19:13.423: ICMPv6-ND: INCMP -> STALE: 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.423: ICMPv6-ND: Sending NA for 2001:100::200C:30C3:3AFA:2B9B on FastEthernet0/0
May  2 12:19:13.427: SEND: Send:  ND_NEIGHBOR_ADVERT 
May  2 12:19:13.427: SEND:       src 2001:100::200C:30C3:3AFA:2B9B
May  2 12:19:13.427: SEND:       dst 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.427: SEND:       CGA 2001:100::200C:30C3:3AFA:2B9B, 0x0 : found
May  2 12:19:13.427: SEND:      Timestamp: 0x53638D416DCA = 12:19:13 UTC May 2 2014
May  2 12:19:13.427: SEND:      Nonce length: 6, value: 7EFFFFFFCB1C10FFFFFFE8FFFFFFF1
May  2 12:19:13.507: SEND:               option 2 len 8: ND_OPT_TARGET_LINKADDR
May  2 12:19:13.507: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:13.507: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:13.507: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:13.507: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:13.507: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:13.507: ICMPv6-ND: STALE -> DELAY: 2001:100::3CB3:5C78:9886:601B
r1#
May  2 12:19:18.563: ICMPv6-ND: DELAY -> PROBE: 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.563: ICMPv6-ND: Sending NS for 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0
May  2 12:19:18.567: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:19:18.567: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:19:18.567: SEND:       dst 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.567: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:19:18.567: SEND:      Timestamp: 0x53638D469194 = 12:19:18 UTC May 2 2014
May  2 12:19:18.567: SEND:      Nonce length: 6, value: FFFFFFC5095F6AFFFFFFA977
May  2 12:19:18.647: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:18.647: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:18.647: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:18.647: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:18.647: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:18.647: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:18.735: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:19:18.735: SEND:       src 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.735: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:19:18.735: SEND:       Received at: 0x53638D46BCDA = 12:19:18 UTC May 2 2014
May  2 12:19:18.735: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:18.735: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:18.735: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:18.735: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:18.735: SEND:       Target: 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.735: SEND: Solicit advertisement
May  2 12:19:18.735: SEND:      Verifying address 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.735: SEND:       keylen is 1024
May  2 12:19:18.735: SEND:       sec is 1
May  2 12:19:18.735: SEND:       Address verified
May  2 12:19:18.735: SEND:      Nonce length: 6, value: FFFFFFC5095F6AFFFFFFA977
May  2 12:19:18.735: SEND:      Timestamp: 0x53638D473757 = 12:19:19 UTC May 2 2014
May  2 12:19:18.743: SEND:      Good signature
May  2 12:19:18.743: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:18.743: ICMPv6-ND: Received NA for 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0 from 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.743: ICMPv6-ND: PROBE -> REACH: 2001:100::3CB3:5C78:9886:601B
r1#
May  2 12:19:23.847: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:19:23.847: SEND:       src FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.847: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:19:23.847: SEND:       Received at: 0x53638D4BD97A = 12:19:23 UTC May 2 2014
May  2 12:19:23.847: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:23.847: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:23.847: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:23.847: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:23.847: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:23.847: SEND:       Target: FE80::3486:2358:D3EE:CD93
May  2 12:19:23.847: SEND:      Nonce length: 6, value: FFFFFFC802FFFFFFA9FFFFFF862C53
May  2 12:19:23.847: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.847: SEND:       keylen is 1024
May  2 12:19:23.847: SEND:       sec is 1
May  2 12:19:23.847: SEND:       Address verified
May  2 12:19:23.847: SEND:      Timestamp: 0x53638D4C53FC = 12:19:24 UTC May 2 2014
May  2 12:19:23.847: SEND:       TS opt check RC = 0
May  2 12:19:23.855: SEND:      Good signature
May  2 12:19:23.855: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:23.855: ICMPv6-ND: Received NS for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0 from FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.855: ICMPv6-ND: Glean FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0
May  2 12:19:23.855: ICMPv6-ND: Neighbour FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0 : LLA 0015.fac0.a3a0
May  2 12:19:23.855: ICMPv6-ND: INCMP -> STALE: FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.855: ICMPv6-ND: Sending NA for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0
May  2 12:19:23.859: SEND: Send:  ND_NEIGHBOR_ADVERT 
May  2 12:19:23.859: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:19:23.859: SEND:       dst FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.859: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:19:23.859: SEND:      Timestamp: 0x53638D4BDC57 = 12:19:23 UTC May 2 2014
May  2 12:19:23.859: SEND:      Nonce length: 6, value: FFFFFFC802FFFFFFA9FFFFFF862C53
May  2 12:19:23.939: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:23.939: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:23.939: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:23.939: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:23.939: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:23.939: ICMPv6-ND: STALE -> DELAY: FE80::28DF:C6F9:1EE5:DC5F
r1#
May  2 12:19:28.995: ICMPv6-ND: DELAY -> PROBE: FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:28.995: ICMPv6-ND: Sending NS for FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0
May  2 12:19:28.999: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:19:28.999: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:19:28.999: SEND:       dst FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:28.999: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:19:28.999: SEND:      Timestamp: 0x53638D500031 = 12:19:28 UTC May 2 2014
May  2 12:19:28.999: SEND:      Nonce length: 6, value: FFFFFFC5FFFFFF9140FFFFFFABFFFFFFE9FFFFFF8E
May  2 12:19:29.079: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:29.079: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:29.079: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:29.079: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:29.079: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:29.079: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:29.167: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:19:29.167: SEND:       src FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.167: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:19:29.167: SEND:       Received at: 0x53638D512B6D = 12:19:29 UTC May 2 2014
May  2 12:19:29.167: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:29.167: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:29.167: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:29.167: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:29.167: SEND:       Target: FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.167: SEND: Solicit advertisement
May  2 12:19:29.167: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.167: SEND:       keylen is 1024
May  2 12:19:29.167: SEND:       sec is 1
May  2 12:19:29.167: SEND:       Address verified
May  2 12:19:29.167: SEND:      Nonce length: 6, value: FFFFFFC5FFFFFF9140FFFFFFABFFFFFFE9FFFFFF8E
May  2 12:19:29.167: SEND:      Timestamp: 0x53638D51A5EE = 12:19:29 UTC May 2 2014
May  2 12:19:29.175: SEND:      Good signature
May  2 12:19:29.175: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:29.175: ICMPv6-ND: Received NA for FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0 from FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.175: ICMPv6-ND: PROBE -> REACH: FE80::28DF:C6F9:1EE5:DC5F

As we can see, we can now ping R1 with only ‘cga’ enabled, without a valid certificate from the PKI server (r1). Let’s enable routing on r2 and r3 and then check whether r1 accepts routing from them.

The routing table on r1 before enabling ‘ipv6 unicast-routing’ on r2 and r3:

r1#sh ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:100::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:100::200C:30C3:3AFA:2B9B/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive
r1#

Let’s start with r2 which is the trusted router:
 
r2(config)#ipv6 unicast-routing

r2#
May  2 22:30:07.637: SEND: Send: ND_ROUTER_ADVERT 
May  2 22:30:07.637: SEND:       src FE80::3828:8FA2:608:14A2
May  2 22:30:07.637: SEND:       dst FF02::1
May  2 22:30:07.637: SEND:       CGA FE80::3828:8FA2:608:14A2, 0x12000003 : found
May  2 22:30:07.637: SEND:      Timestamp: 0x53641C6FA35A = 22:30:07 UTC May 2 2014
May  2 22:30:07.677: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 22:30:07.677: SEND:               option 5 len 8: ND_OPT_MTU
May  2 22:30:07.677: SEND:               option 3 len 32: ND_OPT_PREFIX_INFORMATION
May  2 22:30:07.677: SEND:               option 11 len 192: ND_OPT_CGA
May  2 22:30:07.677: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 22:30:07.677: SEND:               option 12 len 152: ND_OPT_RSA
May  2 22:30:07.677: ICMPv6: Sent R-Advert, Src=FE80::3828:8FA2:608:14A2, Dst=FF02::1

On r1 we can see:
 
r1#
May  2 22:30:15.627: ICMPv6: Received R-Advert, Src=FE80::3828:8FA2:608:14A2, Dst=FF02::1
May  2 22:30:15.627: SEND: Receive: ND_ROUTER_ADVERT
May  2 22:30:15.627: SEND:       src FE80::3828:8FA2:608:14A2
May  2 22:30:15.627: SEND:       dst FF02::1
May  2 22:30:15.627: SEND:       Received at: 0x53641C77A10C = 22:30:15 UTC May 2 2014
May  2 22:30:15.627: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 22:30:15.627: SEND:               option 5 len 8: ND_OPT_MTU
May  2 22:30:15.627: SEND:               option 3 len 32: ND_OPT_PREFIX_INFORMATION
May  2 22:30:15.627: SEND:               option 11 len 192: ND_OPT_CGA
May  2 22:30:15.627: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 22:30:15.627: SEND:               option 12 len 152: ND_OPT_RSA
May  2 22:30:15.627: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 22:30:15.627: SEND:       keylen is 1024
May  2 22:30:15.627: SEND:       sec is 1
May  2 22:30:15.627: SEND:       Address verified
May  2 22:30:15.627: SEND:      Timestamp: 0x53641C77991A = 22:30:15 UTC May 2 2014
May  2 22:30:15.627: SEND:       TS opt check RC = 0
May  2 22:30:15.635: SEND:      Good signature
May  2 22:30:15.635: SEND:      RA with prefix option 2001:100::
May  2 22:30:15.635: SEND: EVENT: IPV6_SEND_CERT_RCV_RA  CURRENT STATE: CERT_VALIDATED
May  2 22:30:15.635: SEND:      action: Set trust level in RA then deliver it
May  2 22:30:15.635: SEND:      action: Deliver RA packet to stack
May  2 22:30:15.635: SEND:      Deliver RA just received
May  2 22:30:15.635: SEND: NEW STATE TR: CERT_VALIDATED
r1#
May  2 22:30:16.979: SEND: EVENT: IPV6_SEND_CERT_T2_FIRED  CURRENT STATE: CERT_VALIDATED
May  2 22:30:16.979: SEND: Verifying certificate
May  2 22:30:16.999: SEND: Certificate validated
May  2 22:30:16.999: SEND:      action: Start T1
May  2 22:30:16.999: SEND: NEW STATE TR: CERT_VALIDATING
May  2 22:30:16.999: SEND: EVENT: IPV6_SEND_CERT_VALID_CHAIN  CURRENT STATE: CERT_VALIDATING
May  2 22:30:16.999: SEND:      action: Stop T1
May  2 22:30:16.999: SEND:      action: Set trust level in RA then deliver it
May  2 22:30:16.999: SEND:      action: Deliver RA packet to stack
May  2 22:30:16.999: SEND:      action: Start T2
May  2 22:30:16.999: SEND: NEW STATE TR: CERT_VALIDATED

r1’s routing table:

r1#sh ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [2/0]
     via FE80::3828:8FA2:608:14A2, FastEthernet0/0
C   2001:100::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:100::200C:30C3:3AFA:2B9B/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

and the accepted router:

r1#sh ipv6 router
Router FE80::3828:8FA2:608:14A2 on FastEthernet0/0, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001:100::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
r1#

As we can see, r1 accepted the routing entry from r2. Let’s now try the same for r3:

r3(config)#ipv6 unicast-routing

We can see r3 sends RA messages:

r3#
.May  2 22:59:25.993: ICMPv6: Sent R-Advert, Src=FE80::28DF:C6F9:1EE5:DC5F, Dst=FF02::1
.May  2 22:59:29.473: SEND: Send: ND_ROUTER_ADVERT 
.May  2 22:59:29.473: SEND:      src FE80::28DF:C6F9:1EE5:DC5F
.May  2 22:59:29.473: SEND:      dst FF02::1
.May  2 22:59:29.473: SEND:      CGA FE80::28DF:C6F9:1EE5:DC5F, 0x12000003 : found
.May  2 22:59:29.473: SEND:     Timestamp: 0x536423517991 = 22:59:29 UTC May 2 2014
.May  2 22:59:29.553: SEND:              option 1 len 8: ND_OPT_SOURCE_LINKADDR
.May  2 22:59:29.553: SEND:              option 5 len 8: ND_OPT_MTU
.May  2 22:59:29.553: SEND:              option 7 len 8: ND_RA_INTERVA
.May  2 22:59:29.553: SEND:              option 3 len 32: ND_OPT_PREFIX_INFORMATION
.May  2 22:59:29.553: SEND:              option 11 len 192: ND_OPT_CGA
.May  2 22:59:29.553: SEND:              option 13 len 16: ND_OPT_TIMESTAMP
.May  2 22:59:29.553: SEND:              option 12 len 152: ND_OPT_RSA
.May  2 22:59:29.553: ICMPv6: Sent R-Advert, Src=FE80::28DF:C6F9:1EE5:DC5F, Dst=FF02::1
.May  2 22:59:29.561: ICMPv6: Received type 148, Src=FE80::3486:2358:D3EE:CD93, Dst=FE80::28DF:C6F9:1EE5:DC5F
.May  2 22:59:29.561: SEND: Receive: ND_CERTIFICATE_SOLICIT
.May  2 22:59:29.561: SEND:      src FE80::3486:2358:D3EE:CD93
.May  2 22:59:29.561: SEND:      dst FE80::28DF:C6F9:1EE5:DC5F
.May  2 22:59:29.561: SEND:      Received at: 0x536423519065 = 22:59:29 UTC May 2 2014
.May  2 22:59:29.561: SEND:              option 15 len 32: ND_OPT_TRUST_ANCHOR
.May  2 22:59:29.561: SEND:      option trustanchor cn=SERVER-PKI
.May  2 22:59:29.561: SEND:      searching trustanchor cn=SERVER-PKI
.May  2 22:59:29.561: SEND: Found no trustpoint with this trusted issuer cn=SERVER-PKI
.May  2 22:59:29.561: SEND:      No match so far. Another trustanchor ?
.May  2 22:59:29.561: SEND: ! No more anchor to try - None matches - abort
r3#

On r1 we see the received RA:
 
r1#
May  2 22:58:23.247: ICMPv6: Received R-Advert, Src=FE80::28DF:C6F9:1EE5:DC5F, Dst=FF02::1
May  2 22:58:23.247: SEND: Receive: ND_ROUTER_ADVERT
May  2 22:58:23.247: SEND:       src FE80::28DF:C6F9:1EE5:DC5F
May  2 22:58:23.247: SEND:       dst FF02::1
May  2 22:58:23.247: SEND:       Received at: 0x5364230F400C = 22:58:23 UTC May 2 2014
May  2 22:58:23.247: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 22:58:23.247: SEND:               option 5 len 8: ND_OPT_MTU
May  2 22:58:23.247: SEND:               option 7 len 8: ND_RA_INTERVA
May  2 22:58:23.247: SEND:               option 3 len 32: ND_OPT_PREFIX_INFORMATION
May  2 22:58:23.247: SEND:               option 11 len 192: ND_OPT_CGA
May  2 22:58:23.247: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 22:58:23.247: SEND:               option 12 len 152: ND_OPT_RSA
May  2 22:58:23.247: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 22:58:23.247: SEND:       keylen is 1024sh ipv6 routers 
May  2 22:58:23.251: SEND:       sec is 1
May  2 22:58:23.251: SEND:       Address verified
May  2 22:58:23.251: SEND:      Timestamp: 0x5364230F2EEB = 22:58:23 UTC May 2 2014
May  2 22:58:23.251: SEND:       TS opt check RC = 0
May  2 22:58:23.255: SEND:      Good signature
May  2 22:58:23.255: SEND:      RA with prefix option 2001:100::
May  2 22:58:23.255: SEND: EVENT: IPV6_SEND_CERT_RCV_RA  CURRENT STATE: CERT_PENDING
May  2 22:58:23.255: SEND:      action: Update RA in cert DB
May  2 22:58:23.255: SEND: NEW STATE TR: CERT_PENDING
May  2 22:58:24.591: SEND: EVENT: IPV6_SEND_CERT_T0_FIRED  CURRENT STATE: CERT_PENDING
May  2 22:58:24.591: SEND:      action: check mode
May  2 22:58:24.591: SEND: NEW STATE TR: CERT_NONE
May  2 22:58:24.591: SEND:      action error - abort
r1#

In the routing table we can’t see any new entry:

r1#sh ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:100::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:100::200C:30C3:3AFA:2B9B/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

nor any router:

r1#sh ipv6 router

r1#

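Before r1 can add r3 as the default router, the certificates must match, and in our case they didn’t: r3 has no trustpoint issued by SERVER-PKI, so it could not answer r1’s certificate solicitation. The RA was dropped even though its CGA address and RSA signature both verified.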
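The following is an added example, not part of the original post: a small Python parser that runs over the `SEND:` debug lines r1 printed above and reports, per RA sender, which checks passed and whether the RA was delivered to the stack. The names `audit_send_log` and `verdict` are hypothetical, and the parser assumes that lines following a "Verifying address" line belong to that sender, which holds in this lab but not on a busy segment.

```python
import re

# Excerpt of r1's SEND debug output shown on this page: RA from r2, then RA from r3.
SAMPLE = """\
May  2 22:30:15.627: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 22:30:15.627: SEND:       Address verified
May  2 22:30:15.635: SEND:      Good signature
May  2 22:30:15.635: SEND:      action: Deliver RA packet to stack
May  2 22:30:15.635: SEND: NEW STATE TR: CERT_VALIDATED
May  2 22:58:23.247: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 22:58:23.251: SEND:       Address verified
May  2 22:58:23.255: SEND:      Good signature
May  2 22:58:23.255: SEND: NEW STATE TR: CERT_PENDING
May  2 22:58:24.591: SEND: NEW STATE TR: CERT_NONE
May  2 22:58:24.591: SEND:      action error - abort
"""
# Debug messages that record a passed check or delivery to the IPv6 stack.
FLAGS = {"Address verified": "cga", "Good signature": "sig",
         "action: Deliver RA packet to stack": "delivered"}

def audit_send_log(text):
    """Map each RA source address to the checks it passed and its last state."""
    routers, cur = {}, None
    for line in text.splitlines():
        m = re.search(r"SEND:\s*(.*\S)", line)
        msg = m.group(1) if m else ""
        if msg.startswith("Verifying address "):
            # Assumption: lines up to the next "Verifying address" concern this sender.
            cur = routers.setdefault(msg.split()[-1],
                {"cga": False, "sig": False, "delivered": False, "state": None})
        elif cur is not None and msg in FLAGS:
            cur[FLAGS[msg]] = True
        elif cur is not None and msg.startswith("NEW STATE TR: "):
            cur["state"] = msg.split(": ", 1)[1]
    return routers

def verdict(r):
    """CGA and signature prove key ownership; only delivery means the router was trusted."""
    if r["delivered"]:
        return "accepted"
    if r["cga"] and r["sig"]:
        return "rejected-untrusted"   # valid key material, no certificate from the anchor
    return "rejected-invalid"         # address or signature check did not pass

if __name__ == "__main__":
    for addr, r in audit_send_log(SAMPLE).items():
        print(addr, "->", verdict(r), r["state"])
```

A `rejected-untrusted` result is the case worth alerting on: a device on the link is advertising itself as a router with well-formed SeND options but without a certificate from the configured trust anchor.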
