Skip to main content

IPv6 security – IPv6 First Hop Security – IPv6 SeND (Secure Neighbor Discovery) – part five.

The SeND protocol can protect our network against non-authorized routers which can send RA messages. To mitigate the risk you can enable IPv6 SeND protocol. All RA messages will be accepted only from devices with a valid certificate and from source IP with CGA enabled (Cryptographically Generated Addresses). Let’s test this feature working on the following scenario:

    PKI SERVER                     ROUTER
      /----\         -----         /----\ 
     |  R1  |-------| sw1 |-------|  R2  |
      \----/         -----         \----/ 
                       |      
                       |         
                    /----\   
                   |  R3  |
                    \----/  
                SPOOFED ROUTER 

Configure r1 as a PKI server:
 
crypto key generate rsa general-keys modulus 1024 label KEY1024
!
interface FastEthernet0/0
ipv6 cga rsakeypair KEY1024
 ipv6 address FE80:: link-local cga
 ipv6 address 2001:100::/64 cga
 ipv6 nd secured trustanchor SERVER-PKI
end
!
ipv6 nd secured full-secure
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
crypto pki server SERVER-PKI
 grant auto
!

and enable IPv6 on its interface:

r1#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::3486:2358:D3EE:CD93 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:100::200C:30C3:3AFA:2B9B, subnet is 2001:100::/64 
  Joined group address(es):
    FF02::1
    FF02::1:FFEE:CD93
    FF02::1:FFFA:2B9B
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
r1#

Now I configure r2 with ‘cga’ feature:

!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 cga rsakeypair KEY1024
 ipv6 address FE80:: link-local cga
 ipv6 address 2001:100::/64 cga
 ipv6 nd secured trustpoint PKI-TRUSTPOINT
end
!
ipv6 nd secured full-secure
ipv6 nd secured sec-level minimum 1
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
!
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100::200C:30C3:3AFA:2B9B]:80
 revocation-check crl
!

And then r3 without ‘cga’:

!
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
interface FastEthernet0/0
ipv6 address 2001:100::3/64
end
!

Let’s try ping all routers:
R2 -> R1:

r2#ping 2001:100::200C:30C3:3AFA:2B9B
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:100::200C:30C3:3AFA:2B9B, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/29/140 ms
r2#

r1#
May  2 12:11:46.271: ICMPv6-ND: DELAY -> PROBE: 2001:100::342D:C844:BE15:1391
May  2 12:11:46.271: ICMPv6-ND: Sending NS for 2001:100::342D:C844:BE15:1391 on FastEthernet0/0
May  2 12:11:46.275: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:11:46.275: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:11:46.275: SEND:       dst 2001:100::342D:C844:BE15:1391
May  2 12:11:46.275: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:11:46.275: SEND:      Timestamp: 0x53638B8246D3 = 12:11:46 UTC May 2 2014
May  2 12:11:46.275: SEND:      Nonce length: 6, value: FFFFFFB7FFFFFFE9FFFFFF96FFFFFFBDFFFFFFE5FFFFFFB7
May  2 12:11:46.355: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:11:46.355: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:46.355: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:46.355: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:46.355: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:46.355: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:11:46.407: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:11:46.407: SEND:       src 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:46.407: SEND:       Received at: 0x53638B826886 = 12:11:46 UTC May 2 2014
May  2 12:11:46.407: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:46.407: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:46.407: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:46.407: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:46.407: SEND:       Target: 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND: Solicit advertisement
May  2 12:11:46.407: SEND:      Verifying address 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND:       keylen is 1024
May  2 12:11:46.407: SEND:       sec is 1
May  2 12:11:46.407: SEND:       Address verified
May  2 12:11:46.407: SEND:      Nonce length: 6, value: FFFFFFB7FFFFFFE9FFFFFF96FFFFFFBDFFFFFFE5FFFFFFB7
May  2 12:11:46.407: SEND:      Timestamp: 0x53638B835F2F = 12:11:47 UTC May 2 2014
May  2 12:11:46.411: SEND:      Good signature
May  2 12:11:46.415: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:11:46.415: ICMPv6-ND: Received NA for 2001:100::342D:C844:BE15:1391 on FastEthernet0/0 from 2001:100::342D:C844:BE15:1391
May  2 12:11:46.415: ICMPv6-ND: PROBE -> REACH: 2001:100::342D:C844:BE15:1391
r1#
May  2 12:11:51.507: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:11:51.507: SEND:       src FE80::3828:8FA2:608:14A2
May  2 12:11:51.507: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:51.507: SEND:       Received at: 0x53638B87822E = 12:11:51 UTC May 2 2014
May  2 12:11:51.507: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:11:51.507: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:51.507: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:51.507: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:51.507: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:51.507: SEND:       Target: FE80::3486:2358:D3EE:CD93
May  2 12:11:51.507: SEND:      Nonce length: 6, value: FFFFFFABFFFFFFE2FFFFFF9467FFFFFFDE72
May  2 12:11:51.507: SEND: Solicit DB init
May  2 12:11:51.507: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 12:11:51.507: SEND:       keylen is 1024
May  2 12:11:51.507: SEND:       sec is 1
May  2 12:11:51.507: SEND:       Address verified
May  2 12:11:51.507: SEND:      Timestamp: 0x53638B8878CB = 12:11:52 UTC May 2 2014
May  2 12:11:51.507: SEND:       TS opt check RC = 0
May  2 12:11:51.515: SEND:      Good signature
May  2 12:11:51.515: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:11:51.515: ICMPv6-ND: Received NS for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0 from FE80::3828:8FA2:608:14A2
May  2 12:11:51.515: ICMPv6-ND: Glean FE80::3828:8FA2:608:14A2 on FastEthernet0/0
May  2 12:11:51.515: ICMPv6-ND: Neighbour FE80::3828:8FA2:608:14A2 on FastEthernet0/0 : LLA 0007.7dce.0f00
May  2 12:11:51.515: ICMPv6-ND: INCMP -> STALE: FE80::3828:8FA2:608:14A2
May  2 12:11:51.515: ICMPv6-ND: Sending NA for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0
May  2 12:11:51.519: SEND: Send:  ND_NEIGHBOR_ADVERT 
May  2 12:11:51.519: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:11:51.519: SEND:       dst FE80::3828:8FA2:608:14A2
May  2 12:11:51.519: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:11:51.519: SEND:      Timestamp: 0x53638B87854F = 12:11:51 UTC May 2 2014
May  2 12:11:51.519: SEND:      Nonce length: 6, value: FFFFFFABFFFFFFE2FFFFFF9467FFFFFFDE72
May  2 12:11:51.599: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:51.599: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:51.599: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:51.599: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:51.599: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:11:51.599: ICMPv6-ND: STALE -> DELAY: FE80::3828:8FA2:608:14A2
r1#
May  2 12:11:56.719: ICMPv6-ND: DELAY -> PROBE: FE80::3828:8FA2:608:14A2
May  2 12:11:56.719: ICMPv6-ND: Sending NS for FE80::3828:8FA2:608:14A2 on FastEthernet0/0
May  2 12:11:56.723: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:11:56.723: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:11:56.723: SEND:       dst FE80::3828:8FA2:608:14A2
May  2 12:11:56.723: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:11:56.723: SEND:      Timestamp: 0x53638B8CB98C = 12:11:56 UTC May 2 2014
May  2 12:11:56.723: SEND:      Nonce length: 6, value: FFFFFF8FFFFFFF9D4A557CFFFFFFB1
May  2 12:11:56.803: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:11:56.803: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:56.803: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:56.803: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:56.803: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:56.803: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:11:56.847: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:11:56.851: SEND:       src FE80::3828:8FA2:608:14A2
May  2 12:11:56.851: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:56.851: SEND:       Received at: 0x53638B8CDA23 = 12:11:56 UTC May 2 2014
May  2 12:11:56.851: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:56.851: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:56.851: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:56.851: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:56.851: SEND:       Target: FE80::3828:8FA2:608:14A2
May  2 12:11:56.851: SEND: Solicit advertisement
May  2 12:11:56.851: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 12:11:56.851: SEND:       keylen is 1024
May  2 12:11:56.851: SEND:       sec is 1
May  2 12:11:56.851: SEND:       Address verified
May  2 12:11:56.851: SEND:      Nonce length: 6, value: FFFFFF8FFFFFFF9D4A557CFFFFFFB1
May  2 12:11:56.851: SEND:      Timestamp: 0x53638B8DD0D9 = 12:11:57 UTC May 2 2014
May  2 12:11:56.855: SEND:      Good signature
May  2 12:11:56.855: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:11:56.855: ICMPv6-ND: Received NA for FE80::3828:8FA2:608:14A2 on FastEthernet0/0 from FE80::3828:8FA2:608:14A2
May  2 12:11:56.859: ICMPv6-ND: PROBE -> REACH: FE80::3828:8FA2:608:14A2    

R3- > R1:

r3#ping 2001:100::200C:30C3:3AFA:2B9B

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:100::200C:30C3:3AFA:2B9B, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#

As you see R3 can’t ping R1, let’s check why:

May  2 12:14:00.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:00.623: SEND:       src 2001:100::3
May  2 12:14:00.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:00.623: SEND:       Received at: 0x53638C08A055 = 12:14:00 UTC May 2 2014
May  2 12:14:00.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:00.623: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:00.623: SEND: !NS without CGA option
May  2 12:14:00.623: SEND: Unsecure message discarded
May  2 12:14:00.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:00.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:01.651: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:01.651: SEND:       src 2001:100::3
May  2 12:14:01.651: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:01.651: SEND:       Received at: 0x53638C09A784 = 12:14:01 UTC May 2 2014
May  2 12:14:01.651: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:01.651: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:01.651: SEND: !NS without CGA option
May  2 12:14:01.651: SEND: Unsecure message discarded
May  2 12:14:01.651: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:01.651: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:02.679: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:02.679: SEND:       src 2001:100::3
May  2 12:14:02.679: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:02.679: SEND:       Received at: 0x53638C0AAEA7 = 12:14:02 UTC May 2 2014
May  2 12:14:02.679: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:02.679: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:02.679: SEND: !NS without CGA option
May  2 12:14:02.679: SEND: Unsecure message discarded
May  2 12:14:02.679: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:02.679: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:04.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:04.623: SEND:       src 2001:100::3
May  2 12:14:04.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:04.623: SEND:       Received at: 0x53638C0CA04E = 12:14:04 UTC May 2 2014
May  2 12:14:04.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:04.623: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:04.623: SEND: !NS without CGA option
May  2 12:14:04.623: SEND: Unsecure message discarded
May  2 12:14:04.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:04.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:05.715: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:05.715: SEND:       src 2001:100::3
May  2 12:14:05.715: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:05.715: SEND:       Received at: 0x53638C0DB7DB = 12:14:05 UTC May 2 2014
May  2 12:14:05.715: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:05.715: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:05.715: SEND: !NS without CGA option
May  2 12:14:05.715: SEND: Unsecure message discarded
May  2 12:14:05.715: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:05.715: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:06.807: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:06.807: SEND:       src 2001:100::3
May  2 12:14:06.807: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:06.807: SEND:       Received at: 0x53638C0ECF65 = 12:14:06 UTC May 2 2014
May  2 12:14:06.807: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:06.807: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:06.807: SEND: !NS without CGA option
May  2 12:14:06.807: SEND: Unsecure message discarded
May  2 12:14:06.807: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:06.807: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:08.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:08.623: SEND:       src 2001:100::3
May  2 12:14:08.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:08.623: SEND:       Received at: 0x53638C10A049 = 12:14:08 UTC May 2 2014
May  2 12:14:08.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:08.623: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:08.623: SEND: !NS without CGA option
May  2 12:14:08.623: SEND: Unsecure message discarded
May  2 12:14:08.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:08.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:09.651: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:09.651: SEND:       src 2001:100::3
May  2 12:14:09.651: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:09.651: SEND:       Received at: 0x53638C11A774 = 12:14:09 UTC May 2 2014
May  2 12:14:09.651: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:09.651: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:09.651: SEND: !NS without CGA option
May  2 12:14:09.651: SEND: Unsecure message discarded
May  2 12:14:09.651: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:09.651: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:10.679: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:10.679: SEND:       src 2001:100::3
May  2 12:14:10.679: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:10.679: SEND:       Received at: 0x53638C12AE9A = 12:14:10 UTC May 2 2014
May  2 12:14:10.679: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:10.679: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:10.679: SEND: !NS without CGA option
May  2 12:14:10.679: SEND: Unsecure message discarded
May  2 12:14:10.679: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:10.679: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#

As we see R3 can’t ping R1 due to lack of ‘cga’. Let’s configure this feature on r3 interface:

!
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
interface FastEthernet0/0
 ipv6 cga rsakeypair KEY1024
 ipv6 address FE80:: link-local cga
 ipv6 address 2001:100::/64 cga
end 

and try again (R3->R1):

r3#ping 2001:100::200C:30C3:3AFA:2B9B

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:100::200C:30C3:3AFA:2B9B, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/36/184 ms
r3#

r1#
May  2 12:19:13.415: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:19:13.415: SEND:       src 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.415: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:19:13.415: SEND:       Received at: 0x53638D416AFF = 12:19:13 UTC May 2 2014
May  2 12:19:13.415: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:13.415: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:13.415: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:13.415: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:13.415: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:13.415: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:19:13.415: SEND:      Nonce length: 6, value: 7EFFFFFFCB1C10FFFFFFE8FFFFFFF1
May  2 12:19:13.415: SEND:      Verifying address 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.415: SEND:       keylen is 1024
May  2 12:19:13.415: SEND:       sec is 1
May  2 12:19:13.419: SEND:       Address verified
May  2 12:19:13.419: SEND:      Timestamp: 0x53638D41E565 = 12:19:13 UTC May 2 2014
May  2 12:19:13.419: SEND:       TS opt check RC = 0
May  2 12:19:13.423: SEND:      Good signature
May  2 12:19:13.423: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:13.423: ICMPv6-ND: Received NS for 2001:100::200C:30C3:3AFA:2B9B on FastEthernet0/0 from 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.423: ICMPv6-ND: Glean 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0
May  2 12:19:13.423: ICMPv6-ND: Neighbour 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0 : LLA 0015.fac0.a3a0
May  2 12:19:13.423: ICMPv6-ND: INCMP -> STALE: 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.423: ICMPv6-ND: Sending NA for 2001:100::200C:30C3:3AFA:2B9B on FastEthernet0/0
May  2 12:19:13.427: SEND: Send:  ND_NEIGHBOR_ADVERT 
May  2 12:19:13.427: SEND:       src 2001:100::200C:30C3:3AFA:2B9B
May  2 12:19:13.427: SEND:       dst 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.427: SEND:       CGA 2001:100::200C:30C3:3AFA:2B9B, 0x0 : found
May  2 12:19:13.427: SEND:      Timestamp: 0x53638D416DCA = 12:19:13 UTC May 2 2014
May  2 12:19:13.427: SEND:      Nonce length: 6, value: 7EFFFFFFCB1C10FFFFFFE8FFFFFFF1
May  2 12:19:13.507: SEND:               option 2 len 8: ND_OPT_TARGET_LINKADDR
May  2 12:19:13.507: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:13.507: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:13.507: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:13.507: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:13.507: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:13.507: ICMPv6-ND: STALE -> DELAY: 2001:100::3CB3:5C78:9886:601B
r1#
May  2 12:19:18.563: ICMPv6-ND: DELAY -> PROBE: 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.563: ICMPv6-ND: Sending NS for 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0
May  2 12:19:18.567: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:19:18.567: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:19:18.567: SEND:       dst 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.567: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:19:18.567: SEND:      Timestamp: 0x53638D469194 = 12:19:18 UTC May 2 2014
May  2 12:19:18.567: SEND:      Nonce length: 6, value: FFFFFFC5095F6AFFFFFFA977
May  2 12:19:18.647: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:18.647: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:18.647: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:18.647: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:18.647: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:18.647: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:18.735: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:19:18.735: SEND:       src 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.735: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:19:18.735: SEND:       Received at: 0x53638D46BCDA = 12:19:18 UTC May 2 2014
May  2 12:19:18.735: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:18.735: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:18.735: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:18.735: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:18.735: SEND:       Target: 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.735: SEND: Solicit advertisement
May  2 12:19:18.735: SEND:      Verifying address 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.735: SEND:       keylen is 1024
May  2 12:19:18.735: SEND:       sec is 1
May  2 12:19:18.735: SEND:       Address verified
May  2 12:19:18.735: SEND:      Nonce length: 6, value: FFFFFFC5095F6AFFFFFFA977
May  2 12:19:18.735: SEND:      Timestamp: 0x53638D473757 = 12:19:19 UTC May 2 2014
May  2 12:19:18.743: SEND:      Good signature
May  2 12:19:18.743: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:18.743: ICMPv6-ND: Received NA for 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0 from 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.743: ICMPv6-ND: PROBE -> REACH: 2001:100::3CB3:5C78:9886:601B
r1#
May  2 12:19:23.847: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:19:23.847: SEND:       src FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.847: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:19:23.847: SEND:       Received at: 0x53638D4BD97A = 12:19:23 UTC May 2 2014
May  2 12:19:23.847: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:23.847: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:23.847: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:23.847: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:23.847: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:23.847: SEND:       Target: FE80::3486:2358:D3EE:CD93
May  2 12:19:23.847: SEND:      Nonce length: 6, value: FFFFFFC802FFFFFFA9FFFFFF862C53
May  2 12:19:23.847: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.847: SEND:       keylen is 1024
May  2 12:19:23.847: SEND:       sec is 1
May  2 12:19:23.847: SEND:       Address verified
May  2 12:19:23.847: SEND:      Timestamp: 0x53638D4C53FC = 12:19:24 UTC May 2 2014
May  2 12:19:23.847: SEND:       TS opt check RC = 0
May  2 12:19:23.855: SEND:      Good signature
May  2 12:19:23.855: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:23.855: ICMPv6-ND: Received NS for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0 from FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.855: ICMPv6-ND: Glean FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0
May  2 12:19:23.855: ICMPv6-ND: Neighbour FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0 : LLA 0015.fac0.a3a0
May  2 12:19:23.855: ICMPv6-ND: INCMP -> STALE: FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.855: ICMPv6-ND: Sending NA for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0
May  2 12:19:23.859: SEND: Send:  ND_NEIGHBOR_ADVERT 
May  2 12:19:23.859: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:19:23.859: SEND:       dst FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.859: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:19:23.859: SEND:      Timestamp: 0x53638D4BDC57 = 12:19:23 UTC May 2 2014
May  2 12:19:23.859: SEND:      Nonce length: 6, value: FFFFFFC802FFFFFFA9FFFFFF862C53
May  2 12:19:23.939: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:23.939: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:23.939: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:23.939: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:23.939: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:23.939: ICMPv6-ND: STALE -> DELAY: FE80::28DF:C6F9:1EE5:DC5F
r1#
May  2 12:19:28.995: ICMPv6-ND: DELAY -> PROBE: FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:28.995: ICMPv6-ND: Sending NS for FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0
May  2 12:19:28.999: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:19:28.999: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:19:28.999: SEND:       dst FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:28.999: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:19:28.999: SEND:      Timestamp: 0x53638D500031 = 12:19:28 UTC May 2 2014
May  2 12:19:28.999: SEND:      Nonce length: 6, value: FFFFFFC5FFFFFF9140FFFFFFABFFFFFFE9FFFFFF8E
May  2 12:19:29.079: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:29.079: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:29.079: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:29.079: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:29.079: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:29.079: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:29.167: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:19:29.167: SEND:       src FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.167: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:19:29.167: SEND:       Received at: 0x53638D512B6D = 12:19:29 UTC May 2 2014
May  2 12:19:29.167: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:29.167: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:29.167: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:29.167: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:29.167: SEND:       Target: FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.167: SEND: Solicit advertisement
May  2 12:19:29.167: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.167: SEND:       keylen is 1024
May  2 12:19:29.167: SEND:       sec is 1
May  2 12:19:29.167: SEND:       Address verified
May  2 12:19:29.167: SEND:      Nonce length: 6, value: FFFFFFC5FFFFFF9140FFFFFFABFFFFFFE9FFFFFF8E
May  2 12:19:29.167: SEND:      Timestamp: 0x53638D51A5EE = 12:19:29 UTC May 2 2014
May  2 12:19:29.175: SEND:      Good signature
May  2 12:19:29.175: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:29.175: ICMPv6-ND: Received NA for FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0 from FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.175: ICMPv6-ND: PROBE -> REACH: FE80::28DF:C6F9:1EE5:DC5F

As we see we can now ping R1, only with ‘cga’ enabled but without a valid certificate from PKI Server (r1). Let’s enable routing on r2 and r3 and then we check if r1 accepts routing from them:
The routing table on r1 before enabling ‘ipv6 unicast-routing’ on r2 and r3:

r1#sh ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:100::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:100::200C:30C3:3AFA:2B9B/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive
r1#

Let’s start with r2 which is the trusted router:
 
r2(config)#ipv6 unicast-routing

r2#
May  2 22:30:07.637: SEND: Send: ND_ROUTER_ADVERT 
May  2 22:30:07.637: SEND:       src FE80::3828:8FA2:608:14A2
May  2 22:30:07.637: SEND:       dst FF02::1
May  2 22:30:07.637: SEND:       CGA FE80::3828:8FA2:608:14A2, 0x12000003 : found
May  2 22:30:07.637: SEND:      Timestamp: 0x53641C6FA35A = 22:30:07 UTC May 2 2014
May  2 22:30:07.677: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 22:30:07.677: SEND:               option 5 len 8: ND_OPT_MTU
May  2 22:30:07.677: SEND:               option 3 len 32: ND_OPT_PREFIX_INFORMATION
May  2 22:30:07.677: SEND:               option 11 len 192: ND_OPT_CGA
May  2 22:30:07.677: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 22:30:07.677: SEND:               option 12 len 152: ND_OPT_RSA
May  2 22:30:07.677: ICMPv6: Sent R-Advert, Src=FE80::3828:8FA2:608:14A2, Dst=FF02::1

On r1 we can see:
 
r1#
May  2 22:30:15.627: ICMPv6: Received R-Advert, Src=FE80::3828:8FA2:608:14A2, Dst=FF02::1
May  2 22:30:15.627: SEND: Receive: ND_ROUTER_ADVERT
May  2 22:30:15.627: SEND:       src FE80::3828:8FA2:608:14A2
May  2 22:30:15.627: SEND:       dst FF02::1
May  2 22:30:15.627: SEND:       Received at: 0x53641C77A10C = 22:30:15 UTC May 2 2014
May  2 22:30:15.627: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 22:30:15.627: SEND:               option 5 len 8: ND_OPT_MTU
May  2 22:30:15.627: SEND:               option 3 len 32: ND_OPT_PREFIX_INFORMATION
May  2 22:30:15.627: SEND:               option 11 len 192: ND_OPT_CGA
May  2 22:30:15.627: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 22:30:15.627: SEND:               option 12 len 152: ND_OPT_RSA
May  2 22:30:15.627: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 22:30:15.627: SEND:       keylen is 1024
May  2 22:30:15.627: SEND:       sec is 1
May  2 22:30:15.627: SEND:       Address verified
May  2 22:30:15.627: SEND:      Timestamp: 0x53641C77991A = 22:30:15 UTC May 2 2014
May  2 22:30:15.627: SEND:       TS opt check RC = 0
May  2 22:30:15.635: SEND:      Good signature
May  2 22:30:15.635: SEND:      RA with prefix option 2001:100::
May  2 22:30:15.635: SEND: EVENT: IPV6_SEND_CERT_RCV_RA  CURRENT STATE: CERT_VALIDATED
May  2 22:30:15.635: SEND:      action: Set trust level in RA then deliver it
May  2 22:30:15.635: SEND:      action: Deliver RA packet to stack
May  2 22:30:15.635: SEND:      Deliver RA just received
May  2 22:30:15.635: SEND: NEW STATE TR: CERT_VALIDATED
r1#
May  2 22:30:16.979: SEND: EVENT: IPV6_SEND_CERT_T2_FIRED  CURRENT STATE: CERT_VALIDATED
May  2 22:30:16.979: SEND: Verifying certificate
May  2 22:30:16.999: SEND: Certificate validated
May  2 22:30:16.999: SEND:      action: Start T1
May  2 22:30:16.999: SEND: NEW STATE TR: CERT_VALIDATING
May  2 22:30:16.999: SEND: EVENT: IPV6_SEND_CERT_VALID_CHAIN  CURRENT STATE: CERT_VALIDATING
May  2 22:30:16.999: SEND:      action: Stop T1
May  2 22:30:16.999: SEND:      action: Set trust level in RA then deliver it
May  2 22:30:16.999: SEND:      action: Deliver RA packet to stack
May  2 22:30:16.999: SEND:      action: Start T2
May  2 22:30:16.999: SEND: NEW STATE TR: CERT_VALIDATED

The r1’s routing table:

r1#sh ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [2/0]
     via FE80::3828:8FA2:608:14A2, FastEthernet0/0
C   2001:100::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:100::200C:30C3:3AFA:2B9B/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

and accepted router:

r1#sh ipv6 router
Router FE80::3828:8FA2:608:14A2 on FastEthernet0/0, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001:100::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
r1#

As we see r1 accepted routing entry from r2. Let’s try now the same for 3:

r3(config)#ipv6 unicast-routing

We can see r3 sends RA messages:

r3#
.May  2 22:59:25.993: ICMPv6: Sent R-Advert, Src=FE80::28DF:C6F9:1EE5:DC5F, Dst=FF02::1
.May  2 22:59:29.473: SEND: Send: ND_ROUTER_ADVERT 
.May  2 22:59:29.473: SEND:      src FE80::28DF:C6F9:1EE5:DC5F
.May  2 22:59:29.473: SEND:      dst FF02::1
.May  2 22:59:29.473: SEND:      CGA FE80::28DF:C6F9:1EE5:DC5F, 0x12000003 : found
.May  2 22:59:29.473: SEND:     Timestamp: 0x536423517991 = 22:59:29 UTC May 2 2014
.May  2 22:59:29.553: SEND:              option 1 len 8: ND_OPT_SOURCE_LINKADDR
.May  2 22:59:29.553: SEND:              option 5 len 8: ND_OPT_MTU
.May  2 22:59:29.553: SEND:              option 7 len 8: ND_RA_INTERVA
.May  2 22:59:29.553: SEND:              option 3 len 32: ND_OPT_PREFIX_INFORMATION
.May  2 22:59:29.553: SEND:              option 11 len 192: ND_OPT_CGA
.May  2 22:59:29.553: SEND:              option 13 len 16: ND_OPT_TIMESTAMP
.May  2 22:59:29.553: SEND:              option 12 len 152: ND_OPT_RSA
.May  2 22:59:29.553: ICMPv6: Sent R-Advert, Src=FE80::28DF:C6F9:1EE5:DC5F, Dst=FF02::1
.May  2 22:59:29.561: ICMPv6: Received type 148, Src=FE80::3486:2358:D3EE:CD93, Dst=FE80::28DF:C6F9:1EE5:DC5F
.May  2 22:59:29.561: SEND: Receive: ND_CERTIFICATE_SOLICIT
.May  2 22:59:29.561: SEND:      src FE80::3486:2358:D3EE:CD93
.May  2 22:59:29.561: SEND:      dst FE80::28DF:C6F9:1EE5:DC5F
.May  2 22:59:29.561: SEND:      Received at: 0x536423519065 = 22:59:29 UTC May 2 2014
.May  2 22:59:29.561: SEND:              option 15 len 32: ND_OPT_TRUST_ANCHOR
.May  2 22:59:29.561: SEND:      option trustanchor cn=SERVER-PKI
.May  2 22:59:29.561: SEND:      searching trustanchor cn=SERVER-PKI
.May  2 22:59:29.561: SEND: Found no trustpoint with this trusted issuer cn=SERVER-PKI
.May  2 22:59:29.561: SEND:      No match so far. Another trustanchor ?
.May  2 22:59:29.561: SEND: ! No more anchor to try - None matches - abort
r3#

On r1 we see received RA:
 
r1#
May  2 22:58:23.247: ICMPv6: Received R-Advert, Src=FE80::28DF:C6F9:1EE5:DC5F, Dst=FF02::1
May  2 22:58:23.247: SEND: Receive: ND_ROUTER_ADVERT
May  2 22:58:23.247: SEND:       src FE80::28DF:C6F9:1EE5:DC5F
May  2 22:58:23.247: SEND:       dst FF02::1
May  2 22:58:23.247: SEND:       Received at: 0x5364230F400C = 22:58:23 UTC May 2 2014
May  2 22:58:23.247: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 22:58:23.247: SEND:               option 5 len 8: ND_OPT_MTU
May  2 22:58:23.247: SEND:               option 7 len 8: ND_RA_INTERVA
May  2 22:58:23.247: SEND:               option 3 len 32: ND_OPT_PREFIX_INFORMATION
May  2 22:58:23.247: SEND:               option 11 len 192: ND_OPT_CGA
May  2 22:58:23.247: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 22:58:23.247: SEND:               option 12 len 152: ND_OPT_RSA
May  2 22:58:23.247: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 22:58:23.247: SEND:       keylen is 1024sh ipv6 routers 
May  2 22:58:23.251: SEND:       sec is 1
May  2 22:58:23.251: SEND:       Address verified
May  2 22:58:23.251: SEND:      Timestamp: 0x5364230F2EEB = 22:58:23 UTC May 2 2014
May  2 22:58:23.251: SEND:       TS opt check RC = 0
May  2 22:58:23.255: SEND:      Good signature
May  2 22:58:23.255: SEND:      RA with prefix option 2001:100::
May  2 22:58:23.255: SEND: EVENT: IPV6_SEND_CERT_RCV_RA  CURRENT STATE: CERT_PENDING
May  2 22:58:23.255: SEND:      action: Update RA in cert DB
May  2 22:58:23.255: SEND: NEW STATE TR: CERT_PENDING
May  2 22:58:24.591: SEND: EVENT: IPV6_SEND_CERT_T0_FIRED  CURRENT STATE: CERT_PENDING
May  2 22:58:24.591: SEND:      action: check mode
May  2 22:58:24.591: SEND: NEW STATE TR: CERT_NONE
May  2 22:58:24.591: SEND:      action error - abort
r1#

In the routing table we can’t see any new entry:

r1#sh ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:100::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:100::200C:30C3:3AFA:2B9B/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

and any router:

r1#sh ipv6 router

r1#

Before r1 can add r3 as the default router the certificates must match and in our case they didn’t.

Comments

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an

MAC Authentication Bypass

One of the method to control your network is using MAB feature. It is helpful in case you have devices without dot1x functionality. Today I will try to implement basic configuration and analyze log messages. There is only one switch SW1 and one device attached to port Fa1/0/2.   ! aaa new - model aaa authentication dot1x default group radius ! ! int Fas1 / 0 / 2 authentication host - mode single - host authentication port - control auto mab ! I haven’t configured ACS yet but let’s see what error message I receive:   SW1 ( config - if ) # mab - ev ( Fa1 / 0 / 2 ): Received MAB context create from AuthMgr mab - ev ( Fa1 / 0 / 2 ): Created MAB client context 0x1100000F mab : initial state mab_initialize has enter mab - ev ( Fa1 / 0 / 2 ): Sending create new context event to EAP from MAB for 0x1100000F ( 0000.0000 . 0000 ) mab - sm ( Fa1 / 0 / 2 ): Received event 'MAB_START' on handle 0x1100000F mab : during state mab_initia

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze the packet flo