IPv6 security – IPv6 First Hop Security – IPv6 SeND (Secure Neighbor Discovery) – part five.

The SeND protocol can protect our network against unauthorized routers sending RA messages. To mitigate that risk, you can enable the IPv6 SeND protocol: RA messages will then be accepted only from devices with a valid certificate and from a source IP with CGA (Cryptographically Generated Addresses) enabled. Let’s test this feature in the following scenario:

    PKI SERVER                     ROUTER
      /----\         -----         /----\ 
     |  R1  |-------| sw1 |-------|  R2  |
      \----/         -----         \----/ 
                       |      
                       |         
                    /----\   
                   |  R3  |
                    \----/  
                SPOOFED ROUTER 

Configure r1 as a PKI server:

crypto key generate rsa general-keys modulus 1024 label KEY1024
!
interface FastEthernet0/0
 ipv6 cga rsakeypair KEY1024
 ipv6 address FE80:: link-local cga
 ipv6 address 2001:100::/64 cga
 ipv6 nd secured trustanchor SERVER-PKI
end
!
ipv6 nd secured full-secure
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
crypto pki server SERVER-PKI
 grant auto
!

and enable IPv6 on its interface:

r1#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::3486:2358:D3EE:CD93 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:100::200C:30C3:3AFA:2B9B, subnet is 2001:100::/64 
  Joined group address(es):
    FF02::1
    FF02::1:FFEE:CD93
    FF02::1:FFFA:2B9B
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
r1#

Now I configure r2 with the ‘cga’ feature:

!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 cga rsakeypair KEY1024
 ipv6 address FE80:: link-local cga
 ipv6 address 2001:100::/64 cga
 ipv6 nd secured trustpoint PKI-TRUSTPOINT
end
!
ipv6 nd secured full-secure
ipv6 nd secured sec-level minimum 1
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
!
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100::200C:30C3:3AFA:2B9B]:80
 revocation-check crl
!

And then r3 without ‘cga’:

!
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
interface FastEthernet0/0
 ipv6 address 2001:100::3/64
end
!

Let’s try pinging R1 from the other routers:

R2 -> R1:

r2#ping 2001:100::200C:30C3:3AFA:2B9B
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:100::200C:30C3:3AFA:2B9B, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/29/140 ms
r2#
r1#
May  2 12:11:46.271: ICMPv6-ND: DELAY -> PROBE: 2001:100::342D:C844:BE15:1391
May  2 12:11:46.271: ICMPv6-ND: Sending NS for 2001:100::342D:C844:BE15:1391 on FastEthernet0/0
May  2 12:11:46.275: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:11:46.275: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:11:46.275: SEND:       dst 2001:100::342D:C844:BE15:1391
May  2 12:11:46.275: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:11:46.275: SEND:      Timestamp: 0x53638B8246D3 = 12:11:46 UTC May 2 2014
May  2 12:11:46.275: SEND:      Nonce length: 6, value: FFFFFFB7FFFFFFE9FFFFFF96FFFFFFBDFFFFFFE5FFFFFFB7
May  2 12:11:46.355: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:11:46.355: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:46.355: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:46.355: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:46.355: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:46.355: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:11:46.407: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:11:46.407: SEND:       src 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:46.407: SEND:       Received at: 0x53638B826886 = 12:11:46 UTC May 2 2014
May  2 12:11:46.407: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:46.407: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:46.407: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:46.407: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:46.407: SEND:       Target: 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND: Solicit advertisement
May  2 12:11:46.407: SEND:      Verifying address 2001:100::342D:C844:BE15:1391
May  2 12:11:46.407: SEND:       keylen is 1024
May  2 12:11:46.407: SEND:       sec is 1
May  2 12:11:46.407: SEND:       Address verified
May  2 12:11:46.407: SEND:      Nonce length: 6, value: FFFFFFB7FFFFFFE9FFFFFF96FFFFFFBDFFFFFFE5FFFFFFB7
May  2 12:11:46.407: SEND:      Timestamp: 0x53638B835F2F = 12:11:47 UTC May 2 2014
May  2 12:11:46.411: SEND:      Good signature
May  2 12:11:46.415: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:11:46.415: ICMPv6-ND: Received NA for 2001:100::342D:C844:BE15:1391 on FastEthernet0/0 from 2001:100::342D:C844:BE15:1391
May  2 12:11:46.415: ICMPv6-ND: PROBE -> REACH: 2001:100::342D:C844:BE15:1391
r1#
May  2 12:11:51.507: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:11:51.507: SEND:       src FE80::3828:8FA2:608:14A2
May  2 12:11:51.507: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:51.507: SEND:       Received at: 0x53638B87822E = 12:11:51 UTC May 2 2014
May  2 12:11:51.507: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:11:51.507: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:51.507: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:51.507: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:51.507: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:51.507: SEND:       Target: FE80::3486:2358:D3EE:CD93
May  2 12:11:51.507: SEND:      Nonce length: 6, value: FFFFFFABFFFFFFE2FFFFFF9467FFFFFFDE72
May  2 12:11:51.507: SEND: Solicit DB init
May  2 12:11:51.507: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 12:11:51.507: SEND:       keylen is 1024
May  2 12:11:51.507: SEND:       sec is 1
May  2 12:11:51.507: SEND:       Address verified
May  2 12:11:51.507: SEND:      Timestamp: 0x53638B8878CB = 12:11:52 UTC May 2 2014
May  2 12:11:51.507: SEND:       TS opt check RC = 0
May  2 12:11:51.515: SEND:      Good signature
May  2 12:11:51.515: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:11:51.515: ICMPv6-ND: Received NS for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0 from FE80::3828:8FA2:608:14A2
May  2 12:11:51.515: ICMPv6-ND: Glean FE80::3828:8FA2:608:14A2 on FastEthernet0/0
May  2 12:11:51.515: ICMPv6-ND: Neighbour FE80::3828:8FA2:608:14A2 on FastEthernet0/0 : LLA 0007.7dce.0f00
May  2 12:11:51.515: ICMPv6-ND: INCMP -> STALE: FE80::3828:8FA2:608:14A2
May  2 12:11:51.515: ICMPv6-ND: Sending NA for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0
May  2 12:11:51.519: SEND: Send:  ND_NEIGHBOR_ADVERT 
May  2 12:11:51.519: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:11:51.519: SEND:       dst FE80::3828:8FA2:608:14A2
May  2 12:11:51.519: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:11:51.519: SEND:      Timestamp: 0x53638B87854F = 12:11:51 UTC May 2 2014
May  2 12:11:51.519: SEND:      Nonce length: 6, value: FFFFFFABFFFFFFE2FFFFFF9467FFFFFFDE72
May  2 12:11:51.599: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:51.599: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:51.599: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:51.599: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:51.599: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:11:51.599: ICMPv6-ND: STALE -> DELAY: FE80::3828:8FA2:608:14A2
r1#
May  2 12:11:56.719: ICMPv6-ND: DELAY -> PROBE: FE80::3828:8FA2:608:14A2
May  2 12:11:56.719: ICMPv6-ND: Sending NS for FE80::3828:8FA2:608:14A2 on FastEthernet0/0
May  2 12:11:56.723: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:11:56.723: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:11:56.723: SEND:       dst FE80::3828:8FA2:608:14A2
May  2 12:11:56.723: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:11:56.723: SEND:      Timestamp: 0x53638B8CB98C = 12:11:56 UTC May 2 2014
May  2 12:11:56.723: SEND:      Nonce length: 6, value: FFFFFF8FFFFFFF9D4A557CFFFFFFB1
May  2 12:11:56.803: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:11:56.803: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:56.803: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:56.803: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:56.803: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:56.803: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:11:56.847: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:11:56.851: SEND:       src FE80::3828:8FA2:608:14A2
May  2 12:11:56.851: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:11:56.851: SEND:       Received at: 0x53638B8CDA23 = 12:11:56 UTC May 2 2014
May  2 12:11:56.851: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:11:56.851: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:11:56.851: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:11:56.851: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:11:56.851: SEND:       Target: FE80::3828:8FA2:608:14A2
May  2 12:11:56.851: SEND: Solicit advertisement
May  2 12:11:56.851: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 12:11:56.851: SEND:       keylen is 1024
May  2 12:11:56.851: SEND:       sec is 1
May  2 12:11:56.851: SEND:       Address verified
May  2 12:11:56.851: SEND:      Nonce length: 6, value: FFFFFF8FFFFFFF9D4A557CFFFFFFB1
May  2 12:11:56.851: SEND:      Timestamp: 0x53638B8DD0D9 = 12:11:57 UTC May 2 2014
May  2 12:11:56.855: SEND:      Good signature
May  2 12:11:56.855: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:11:56.855: ICMPv6-ND: Received NA for FE80::3828:8FA2:608:14A2 on FastEthernet0/0 from FE80::3828:8FA2:608:14A2
May  2 12:11:56.859: ICMPv6-ND: PROBE -> REACH: FE80::3828:8FA2:608:14A2    
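
The "Verifying address ... sec is 1 ... Address verified" lines above are the CGA check defined in RFC 3972, which a SeND receiver runs before it looks at the signature. The following is an added example of that check, not code from the original post or from IOS: the key byte strings are constructed stand-ins for DER-encoded public keys, the function names are illustrative, and `min_sec` plays the role of `ipv6 nd secured sec-level minimum 1`.

```python
import hashlib
import ipaddress

# Hash1 bits that must match the interface ID: everything except the
# 3 Sec bits (top of the first byte) and the u/g bits (0x02, 0x01 of it).
IID_MASK = 0x1CFFFFFFFFFFFFFF

# Constructed stand-ins for DER-encoded public keys. CGA hashes the key as
# opaque bytes, so any byte string exercises the algorithm.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"


def sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()


def prefix_bytes(prefix):
    return ipaddress.IPv6Network(prefix).network_address.packed[:8]


def hash2_ok(modifier, pubkey, sec):
    """Top 16*Sec bits of Hash2 = SHA-1(modifier | 9 zero bytes | key) must be 0."""
    h2 = int.from_bytes(sha1(modifier, bytes(9), pubkey)[:14], "big")
    return h2 >> (112 - 16 * sec) == 0


def hash1(modifier, prefix, collisions, pubkey):
    """First 64 bits of SHA-1(modifier | prefix | collision count | key)."""
    data = sha1(modifier, prefix_bytes(prefix), bytes([collisions]), pubkey)
    return int.from_bytes(data[:8], "big")


def find_modifier(pubkey, sec, start=0):
    """Sender side: search for a modifier that satisfies Hash2 (the costly step)."""
    n = start
    while not hash2_ok(n.to_bytes(16, "big"), pubkey, sec):
        n += 1
    return n.to_bytes(16, "big")


def make_cga(prefix, modifier, pubkey, sec, collisions=0):
    """Build the address: prefix + Hash1 with Sec written into the top 3 bits."""
    iid = (hash1(modifier, prefix, collisions, pubkey) & IID_MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix_bytes(prefix) + iid.to_bytes(8, "big"))


def sec_of(addr):
    """Sec is readable straight from the address (top 3 bits of the IID)."""
    return ipaddress.IPv6Address(str(addr)).packed[8] >> 5


def verify_cga(addr, modifier, prefix, collisions, pubkey, min_sec=0):
    """Receiver side: returns 'verified' or the first check that failed."""
    packed = ipaddress.IPv6Address(str(addr)).packed
    if collisions not in (0, 1, 2):
        return "bad collision count"
    if packed[:8] != prefix_bytes(prefix):
        return "prefix mismatch"
    iid = int.from_bytes(packed[8:], "big")
    if (iid ^ hash1(modifier, prefix, collisions, pubkey)) & IID_MASK:
        return "Hash1 mismatch"
    if sec_of(addr) < min_sec:
        return "Sec below minimum"
    if not hash2_ok(modifier, pubkey, sec_of(addr)):
        return "Hash2 mismatch"
    return "verified"


if __name__ == "__main__":
    mod = find_modifier(KEY_A, sec=1)
    for prefix in ("fe80::/64", "2001:100::/64"):
        addr = make_cga(prefix, mod, KEY_A, sec=1)
        print(addr, verify_cga(addr, mod, prefix, 0, KEY_A, min_sec=1))
    # Same address presented with a different key, then a static address.
    print(verify_cga(addr, mod, "2001:100::/64", 0, KEY_B))
    print(verify_cga("2001:100::3", mod, "2001:100::/64", 0, KEY_A))
```

Because the prefix is part of Hash1, one key and modifier give different interface IDs on `FE80::/64` and `2001:100::/64`, which is why r1's link-local and global addresses above do not share a suffix.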

R3 -> R1:

r3#ping 2001:100::200C:30C3:3AFA:2B9B

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:100::200C:30C3:3AFA:2B9B, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#

As you can see, R3 can’t ping R1. Let’s check why:

May  2 12:14:00.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:00.623: SEND:       src 2001:100::3
May  2 12:14:00.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:00.623: SEND:       Received at: 0x53638C08A055 = 12:14:00 UTC May 2 2014
May  2 12:14:00.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:00.623: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:00.623: SEND: !NS without CGA option
May  2 12:14:00.623: SEND: Unsecure message discarded
May  2 12:14:00.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:00.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:01.651: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:01.651: SEND:       src 2001:100::3
May  2 12:14:01.651: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:01.651: SEND:       Received at: 0x53638C09A784 = 12:14:01 UTC May 2 2014
May  2 12:14:01.651: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:01.651: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:01.651: SEND: !NS without CGA option
May  2 12:14:01.651: SEND: Unsecure message discarded
May  2 12:14:01.651: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:01.651: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:02.679: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:02.679: SEND:       src 2001:100::3
May  2 12:14:02.679: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:02.679: SEND:       Received at: 0x53638C0AAEA7 = 12:14:02 UTC May 2 2014
May  2 12:14:02.679: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:02.679: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:02.679: SEND: !NS without CGA option
May  2 12:14:02.679: SEND: Unsecure message discarded
May  2 12:14:02.679: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:02.679: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:04.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:04.623: SEND:       src 2001:100::3
May  2 12:14:04.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:04.623: SEND:       Received at: 0x53638C0CA04E = 12:14:04 UTC May 2 2014
May  2 12:14:04.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:04.623: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:04.623: SEND: !NS without CGA option
May  2 12:14:04.623: SEND: Unsecure message discarded
May  2 12:14:04.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:04.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:05.715: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:05.715: SEND:       src 2001:100::3
May  2 12:14:05.715: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:05.715: SEND:       Received at: 0x53638C0DB7DB = 12:14:05 UTC May 2 2014
May  2 12:14:05.715: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:05.715: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:05.715: SEND: !NS without CGA option
May  2 12:14:05.715: SEND: Unsecure message discarded
May  2 12:14:05.715: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:05.715: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:06.807: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:06.807: SEND:       src 2001:100::3
May  2 12:14:06.807: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:06.807: SEND:       Received at: 0x53638C0ECF65 = 12:14:06 UTC May 2 2014
May  2 12:14:06.807: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:06.807: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:06.807: SEND: !NS without CGA option
May  2 12:14:06.807: SEND: Unsecure message discarded
May  2 12:14:06.807: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:06.807: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:08.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:08.623: SEND:       src 2001:100::3
May  2 12:14:08.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:08.623: SEND:       Received at: 0x53638C10A049 = 12:14:08 UTC May 2 2014
May  2 12:14:08.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:08.623: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:08.623: SEND: !NS without CGA option
May  2 12:14:08.623: SEND: Unsecure message discarded
May  2 12:14:08.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:08.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:09.651: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:09.651: SEND:       src 2001:100::3
May  2 12:14:09.651: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:09.651: SEND:       Received at: 0x53638C11A774 = 12:14:09 UTC May 2 2014
May  2 12:14:09.651: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:09.651: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:09.651: SEND: !NS without CGA option
May  2 12:14:09.651: SEND: Unsecure message discarded
May  2 12:14:09.651: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:09.651: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#
May  2 12:14:10.679: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:10.679: SEND:       src 2001:100::3
May  2 12:14:10.679: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:10.679: SEND:       Received at: 0x53638C12AE9A = 12:14:10 UTC May 2 2014
May  2 12:14:10.679: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:10.679: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:14:10.679: SEND: !NS without CGA option
May  2 12:14:10.679: SEND: Unsecure message discarded
May  2 12:14:10.679: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:10.679: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
r1#

As we can see, R3 can’t ping R1 because it lacks ‘cga’. Let’s configure this feature on r3’s interface:

!
ipv6 cga modifier rsakeypair KEY1024 sec-level 1
!
interface FastEthernet0/0
 ipv6 cga rsakeypair KEY1024
 ipv6 address FE80:: link-local cga
 ipv6 address 2001:100::/64 cga
end 

and try again (R3->R1):

r3#ping 2001:100::200C:30C3:3AFA:2B9B

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:100::200C:30C3:3AFA:2B9B, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/36/184 ms
r3#
r1#
May  2 12:19:13.415: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:19:13.415: SEND:       src 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.415: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:19:13.415: SEND:       Received at: 0x53638D416AFF = 12:19:13 UTC May 2 2014
May  2 12:19:13.415: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:13.415: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:13.415: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:13.415: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:13.415: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:13.415: SEND:       Target: 2001:100::200C:30C3:3AFA:2B9B
May  2 12:19:13.415: SEND:      Nonce length: 6, value: 7EFFFFFFCB1C10FFFFFFE8FFFFFFF1
May  2 12:19:13.415: SEND:      Verifying address 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.415: SEND:       keylen is 1024
May  2 12:19:13.415: SEND:       sec is 1
May  2 12:19:13.419: SEND:       Address verified
May  2 12:19:13.419: SEND:      Timestamp: 0x53638D41E565 = 12:19:13 UTC May 2 2014
May  2 12:19:13.419: SEND:       TS opt check RC = 0
May  2 12:19:13.423: SEND:      Good signature
May  2 12:19:13.423: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:13.423: ICMPv6-ND: Received NS for 2001:100::200C:30C3:3AFA:2B9B on FastEthernet0/0 from 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.423: ICMPv6-ND: Glean 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0
May  2 12:19:13.423: ICMPv6-ND: Neighbour 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0 : LLA 0015.fac0.a3a0
May  2 12:19:13.423: ICMPv6-ND: INCMP -> STALE: 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.423: ICMPv6-ND: Sending NA for 2001:100::200C:30C3:3AFA:2B9B on FastEthernet0/0
May  2 12:19:13.427: SEND: Send:  ND_NEIGHBOR_ADVERT 
May  2 12:19:13.427: SEND:       src 2001:100::200C:30C3:3AFA:2B9B
May  2 12:19:13.427: SEND:       dst 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.427: SEND:       CGA 2001:100::200C:30C3:3AFA:2B9B, 0x0 : found
May  2 12:19:13.427: SEND:      Timestamp: 0x53638D416DCA = 12:19:13 UTC May 2 2014
May  2 12:19:13.427: SEND:      Nonce length: 6, value: 7EFFFFFFCB1C10FFFFFFE8FFFFFFF1
May  2 12:19:13.507: SEND:               option 2 len 8: ND_OPT_TARGET_LINKADDR
May  2 12:19:13.507: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:13.507: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:13.507: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:13.507: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:13.507: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:13.507: ICMPv6-ND: STALE -> DELAY: 2001:100::3CB3:5C78:9886:601B
r1#
May  2 12:19:18.563: ICMPv6-ND: DELAY -> PROBE: 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.563: ICMPv6-ND: Sending NS for 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0
May  2 12:19:18.567: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:19:18.567: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:19:18.567: SEND:       dst 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.567: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:19:18.567: SEND:      Timestamp: 0x53638D469194 = 12:19:18 UTC May 2 2014
May  2 12:19:18.567: SEND:      Nonce length: 6, value: FFFFFFC5095F6AFFFFFFA977
May  2 12:19:18.647: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:18.647: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:18.647: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:18.647: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:18.647: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:18.647: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:18.735: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:19:18.735: SEND:       src 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.735: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:19:18.735: SEND:       Received at: 0x53638D46BCDA = 12:19:18 UTC May 2 2014
May  2 12:19:18.735: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:18.735: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:18.735: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:18.735: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:18.735: SEND:       Target: 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.735: SEND: Solicit advertisement
May  2 12:19:18.735: SEND:      Verifying address 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.735: SEND:       keylen is 1024
May  2 12:19:18.735: SEND:       sec is 1
May  2 12:19:18.735: SEND:       Address verified
May  2 12:19:18.735: SEND:      Nonce length: 6, value: FFFFFFC5095F6AFFFFFFA977
May  2 12:19:18.735: SEND:      Timestamp: 0x53638D473757 = 12:19:19 UTC May 2 2014
May  2 12:19:18.743: SEND:      Good signature
May  2 12:19:18.743: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:18.743: ICMPv6-ND: Received NA for 2001:100::3CB3:5C78:9886:601B on FastEthernet0/0 from 2001:100::3CB3:5C78:9886:601B
May  2 12:19:18.743: ICMPv6-ND: PROBE -> REACH: 2001:100::3CB3:5C78:9886:601B
r1#
May  2 12:19:23.847: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:19:23.847: SEND:       src FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.847: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:19:23.847: SEND:       Received at: 0x53638D4BD97A = 12:19:23 UTC May 2 2014
May  2 12:19:23.847: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:23.847: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:23.847: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:23.847: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:23.847: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:23.847: SEND:       Target: FE80::3486:2358:D3EE:CD93
May  2 12:19:23.847: SEND:      Nonce length: 6, value: FFFFFFC802FFFFFFA9FFFFFF862C53
May  2 12:19:23.847: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.847: SEND:       keylen is 1024
May  2 12:19:23.847: SEND:       sec is 1
May  2 12:19:23.847: SEND:       Address verified
May  2 12:19:23.847: SEND:      Timestamp: 0x53638D4C53FC = 12:19:24 UTC May 2 2014
May  2 12:19:23.847: SEND:       TS opt check RC = 0
May  2 12:19:23.855: SEND:      Good signature
May  2 12:19:23.855: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:23.855: ICMPv6-ND: Received NS for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0 from FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.855: ICMPv6-ND: Glean FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0
May  2 12:19:23.855: ICMPv6-ND: Neighbour FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0 : LLA 0015.fac0.a3a0
May  2 12:19:23.855: ICMPv6-ND: INCMP -> STALE: FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.855: ICMPv6-ND: Sending NA for FE80::3486:2358:D3EE:CD93 on FastEthernet0/0
May  2 12:19:23.859: SEND: Send:  ND_NEIGHBOR_ADVERT 
May  2 12:19:23.859: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:19:23.859: SEND:       dst FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:23.859: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:19:23.859: SEND:      Timestamp: 0x53638D4BDC57 = 12:19:23 UTC May 2 2014
May  2 12:19:23.859: SEND:      Nonce length: 6, value: FFFFFFC802FFFFFFA9FFFFFF862C53
May  2 12:19:23.939: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:23.939: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:23.939: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:23.939: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:23.939: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:23.939: ICMPv6-ND: STALE -> DELAY: FE80::28DF:C6F9:1EE5:DC5F
r1#
May  2 12:19:28.995: ICMPv6-ND: DELAY -> PROBE: FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:28.995: ICMPv6-ND: Sending NS for FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0
May  2 12:19:28.999: SEND: Send: ND_NEIGHBOR_SOLICIT 
May  2 12:19:28.999: SEND:       src FE80::3486:2358:D3EE:CD93
May  2 12:19:28.999: SEND:       dst FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:28.999: SEND:       CGA FE80::3486:2358:D3EE:CD93, 0x12000003 : found
May  2 12:19:28.999: SEND:      Timestamp: 0x53638D500031 = 12:19:28 UTC May 2 2014
May  2 12:19:28.999: SEND:      Nonce length: 6, value: FFFFFFC5FFFFFF9140FFFFFFABFFFFFFE9FFFFFF8E
May  2 12:19:29.079: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:29.079: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:29.079: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:29.079: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:29.079: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:29.079: ICMPv6-ND: ND output feature SEND executed on 3 - rc=0
May  2 12:19:29.167: SEND: Receive:  ND_NEIGHBOR_ADVERT
May  2 12:19:29.167: SEND:       src FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.167: SEND:       dst FE80::3486:2358:D3EE:CD93
May  2 12:19:29.167: SEND:       Received at: 0x53638D512B6D = 12:19:29 UTC May 2 2014
May  2 12:19:29.167: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:29.167: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:29.167: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:29.167: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:29.167: SEND:       Target: FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.167: SEND: Solicit advertisement
May  2 12:19:29.167: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.167: SEND:       keylen is 1024
May  2 12:19:29.167: SEND:       sec is 1
May  2 12:19:29.167: SEND:       Address verified
May  2 12:19:29.167: SEND:      Nonce length: 6, value: FFFFFFC5FFFFFF9140FFFFFFABFFFFFFE9FFFFFF8E
May  2 12:19:29.167: SEND:      Timestamp: 0x53638D51A5EE = 12:19:29 UTC May 2 2014
May  2 12:19:29.175: SEND:      Good signature
May  2 12:19:29.175: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
May  2 12:19:29.175: ICMPv6-ND: Received NA for FE80::28DF:C6F9:1EE5:DC5F on FastEthernet0/0 from FE80::28DF:C6F9:1EE5:DC5F
May  2 12:19:29.175: ICMPv6-ND: PROBE -> REACH: FE80::28DF:C6F9:1EE5:DC5F
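
A small parser for the debug output shown so far, added here as an example (not part of the original post): it groups the `SEND:` lines into one record per ND message, reports which sources were dropped and why, and computes the gap between the sender's Timestamp option and the receive time. Reading the 48-bit hex values as 32 bits of seconds plus 16 bits of fraction is an inference from the times printed next to them, and the record field names are illustrative.

```python
import re
from collections import Counter

# Abridged from r1's debug output on this page: r3's NS before CGA was
# configured (dropped) and its NS afterwards (accepted).
SAMPLE = """\
May  2 12:14:00.623: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:14:00.623: SEND:       src 2001:100::3
May  2 12:14:00.623: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:14:00.623: SEND:       Received at: 0x53638C08A055 = 12:14:00 UTC May 2 2014
May  2 12:14:00.623: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:14:00.623: SEND: !NS without CGA option
May  2 12:14:00.623: SEND: Unsecure message discarded
May  2 12:14:00.623: SEND: ! DROP: ND_NEIGHBOR_SOLICIT  src 2001:100::3 dst FF02::1:FFFA:2B9B reason=2
May  2 12:14:00.623: ICMPv6-ND: ND input feature SEND executed on 3 - rc=1
May  2 12:19:13.415: SEND: Receive: ND_NEIGHBOR_SOLICIT
May  2 12:19:13.415: SEND:       src 2001:100::3CB3:5C78:9886:601B
May  2 12:19:13.415: SEND:       dst FF02::1:FFFA:2B9B
May  2 12:19:13.415: SEND:       Received at: 0x53638D416AFF = 12:19:13 UTC May 2 2014
May  2 12:19:13.415: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 12:19:13.415: SEND:               option 11 len 192: ND_OPT_CGA
May  2 12:19:13.415: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 12:19:13.415: SEND:               option 14 len 8: ND_OPT_NONCE
May  2 12:19:13.415: SEND:               option 12 len 152: ND_OPT_RSA
May  2 12:19:13.419: SEND:       Address verified
May  2 12:19:13.419: SEND:      Timestamp: 0x53638D41E565 = 12:19:13 UTC May 2 2014
May  2 12:19:13.423: SEND:      Good signature
May  2 12:19:13.423: ICMPv6-ND: ND input feature SEND executed on 3 - rc=0
"""

# "<Mon> <day> <time>: <facility>: <body>"; a leading "." appears on r3's lines.
LINE = re.compile(r"^\.?\w+\s+\d+ [\d:.]+: ([\w-]+):\s*(.*)$")
START = re.compile(r"(Receive|Send):\s+(ND_\w+)")
OPTION = re.compile(r"option (\d+) len \d+")
HEXTS = re.compile(r"(Received at|Timestamp): 0x([0-9A-Fa-f]+)")
DROP = re.compile(r"! DROP: \w+\s+src \S+ dst \S+ reason=(\d+)")


def parse_send_debug(text):
    """Group 'SEND:' debug lines into one dict per ND message."""
    records, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != "SEND":
            continue
        body = m.group(2)
        start = START.match(body)
        if start:
            cur = {"dir": start.group(1), "type": start.group(2),
                   "src": None, "dst": None, "options": [],
                   "verdict": "sent" if start.group(1) == "Send" else "unverified",
                   "why": None, "reason": None, "rx": None, "ts": None}
            records.append(cur)
        elif cur is None:
            continue
        elif body.startswith("src "):
            cur["src"] = body[4:].strip()
        elif body.startswith("dst "):
            cur["dst"] = body[4:].strip()
        elif (o := OPTION.match(body)):
            cur["options"].append(int(o.group(1)))
        elif (t := HEXTS.match(body)):
            cur["rx" if t.group(1) == "Received at" else "ts"] = int(t.group(2), 16)
        elif (d := DROP.match(body)):
            cur["verdict"], cur["reason"] = "dropped", int(d.group(1))
        elif body.startswith("!"):
            cur["why"] = body[1:].strip()      # e.g. "NS without CGA option"
        elif body == "Good signature" and cur["dir"] == "Receive":
            cur["verdict"] = "accepted"
    return records


def dropped_sources(records):
    """Count discarded ND messages per source address."""
    return Counter(r["src"] for r in records if r["verdict"] == "dropped")


def clock_skew(rec):
    """Sender Timestamp minus local receive time, in seconds (None if absent)."""
    if rec["rx"] is None or rec["ts"] is None:
        return None
    return (rec["ts"] - rec["rx"]) / 65536


if __name__ == "__main__":
    for r in parse_send_debug(SAMPLE):
        print(r["src"], r["type"], r["verdict"], r["why"], r["options"], clock_skew(r))
    print(dropped_sources(parse_send_debug(SAMPLE)))
```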

As we can see, r3 can now ping R1 with only ‘cga’ enabled, even without a valid certificate from the PKI server (r1). Let’s enable routing on r2 and r3 and then check whether r1 accepts routing from them:

The routing table on r1 before enabling ‘ipv6 unicast-routing’ on r2 and r3:

r1#sh ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:100::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:100::200C:30C3:3AFA:2B9B/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive
r1#

Let’s start with r2 which is the trusted router:

r2(config)#ipv6 unicast-routing
r2#
May  2 22:30:07.637: SEND: Send: ND_ROUTER_ADVERT 
May  2 22:30:07.637: SEND:       src FE80::3828:8FA2:608:14A2
May  2 22:30:07.637: SEND:       dst FF02::1
May  2 22:30:07.637: SEND:       CGA FE80::3828:8FA2:608:14A2, 0x12000003 : found
May  2 22:30:07.637: SEND:      Timestamp: 0x53641C6FA35A = 22:30:07 UTC May 2 2014
May  2 22:30:07.677: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 22:30:07.677: SEND:               option 5 len 8: ND_OPT_MTU
May  2 22:30:07.677: SEND:               option 3 len 32: ND_OPT_PREFIX_INFORMATION
May  2 22:30:07.677: SEND:               option 11 len 192: ND_OPT_CGA
May  2 22:30:07.677: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 22:30:07.677: SEND:               option 12 len 152: ND_OPT_RSA
May  2 22:30:07.677: ICMPv6: Sent R-Advert, Src=FE80::3828:8FA2:608:14A2, Dst=FF02::1

On r1 we can see:

r1#
May  2 22:30:15.627: ICMPv6: Received R-Advert, Src=FE80::3828:8FA2:608:14A2, Dst=FF02::1
May  2 22:30:15.627: SEND: Receive: ND_ROUTER_ADVERT
May  2 22:30:15.627: SEND:       src FE80::3828:8FA2:608:14A2
May  2 22:30:15.627: SEND:       dst FF02::1
May  2 22:30:15.627: SEND:       Received at: 0x53641C77A10C = 22:30:15 UTC May 2 2014
May  2 22:30:15.627: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 22:30:15.627: SEND:               option 5 len 8: ND_OPT_MTU
May  2 22:30:15.627: SEND:               option 3 len 32: ND_OPT_PREFIX_INFORMATION
May  2 22:30:15.627: SEND:               option 11 len 192: ND_OPT_CGA
May  2 22:30:15.627: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 22:30:15.627: SEND:               option 12 len 152: ND_OPT_RSA
May  2 22:30:15.627: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 22:30:15.627: SEND:       keylen is 1024
May  2 22:30:15.627: SEND:       sec is 1
May  2 22:30:15.627: SEND:       Address verified
May  2 22:30:15.627: SEND:      Timestamp: 0x53641C77991A = 22:30:15 UTC May 2 2014
May  2 22:30:15.627: SEND:       TS opt check RC = 0
May  2 22:30:15.635: SEND:      Good signature
May  2 22:30:15.635: SEND:      RA with prefix option 2001:100::
May  2 22:30:15.635: SEND: EVENT: IPV6_SEND_CERT_RCV_RA  CURRENT STATE: CERT_VALIDATED
May  2 22:30:15.635: SEND:      action: Set trust level in RA then deliver it
May  2 22:30:15.635: SEND:      action: Deliver RA packet to stack
May  2 22:30:15.635: SEND:      Deliver RA just received
May  2 22:30:15.635: SEND: NEW STATE TR: CERT_VALIDATED
r1#
May  2 22:30:16.979: SEND: EVENT: IPV6_SEND_CERT_T2_FIRED  CURRENT STATE: CERT_VALIDATED
May  2 22:30:16.979: SEND: Verifying certificate
May  2 22:30:16.999: SEND: Certificate validated
May  2 22:30:16.999: SEND:      action: Start T1
May  2 22:30:16.999: SEND: NEW STATE TR: CERT_VALIDATING
May  2 22:30:16.999: SEND: EVENT: IPV6_SEND_CERT_VALID_CHAIN  CURRENT STATE: CERT_VALIDATING
May  2 22:30:16.999: SEND:      action: Stop T1
May  2 22:30:16.999: SEND:      action: Set trust level in RA then deliver it
May  2 22:30:16.999: SEND:      action: Deliver RA packet to stack
May  2 22:30:16.999: SEND:      action: Start T2
May  2 22:30:16.999: SEND: NEW STATE TR: CERT_VALIDATED

r1’s routing table:

r1#sh ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [2/0]
     via FE80::3828:8FA2:608:14A2, FastEthernet0/0
C   2001:100::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:100::200C:30C3:3AFA:2B9B/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

and the accepted router:

r1#sh ipv6 router
Router FE80::3828:8FA2:608:14A2 on FastEthernet0/0, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001:100::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
r1#

As we can see, r1 accepted the routing entry from r2. Let’s now try the same for r3:

r3(config)#ipv6 unicast-routing

We can see r3 sends RA messages:

r3#
.May  2 22:59:25.993: ICMPv6: Sent R-Advert, Src=FE80::28DF:C6F9:1EE5:DC5F, Dst=FF02::1
.May  2 22:59:29.473: SEND: Send: ND_ROUTER_ADVERT 
.May  2 22:59:29.473: SEND:      src FE80::28DF:C6F9:1EE5:DC5F
.May  2 22:59:29.473: SEND:      dst FF02::1
.May  2 22:59:29.473: SEND:      CGA FE80::28DF:C6F9:1EE5:DC5F, 0x12000003 : found
.May  2 22:59:29.473: SEND:     Timestamp: 0x536423517991 = 22:59:29 UTC May 2 2014
.May  2 22:59:29.553: SEND:              option 1 len 8: ND_OPT_SOURCE_LINKADDR
.May  2 22:59:29.553: SEND:              option 5 len 8: ND_OPT_MTU
.May  2 22:59:29.553: SEND:              option 7 len 8: ND_RA_INTERVA
.May  2 22:59:29.553: SEND:              option 3 len 32: ND_OPT_PREFIX_INFORMATION
.May  2 22:59:29.553: SEND:              option 11 len 192: ND_OPT_CGA
.May  2 22:59:29.553: SEND:              option 13 len 16: ND_OPT_TIMESTAMP
.May  2 22:59:29.553: SEND:              option 12 len 152: ND_OPT_RSA
.May  2 22:59:29.553: ICMPv6: Sent R-Advert, Src=FE80::28DF:C6F9:1EE5:DC5F, Dst=FF02::1
.May  2 22:59:29.561: ICMPv6: Received type 148, Src=FE80::3486:2358:D3EE:CD93, Dst=FE80::28DF:C6F9:1EE5:DC5F
.May  2 22:59:29.561: SEND: Receive: ND_CERTIFICATE_SOLICIT
.May  2 22:59:29.561: SEND:      src FE80::3486:2358:D3EE:CD93
.May  2 22:59:29.561: SEND:      dst FE80::28DF:C6F9:1EE5:DC5F
.May  2 22:59:29.561: SEND:      Received at: 0x536423519065 = 22:59:29 UTC May 2 2014
.May  2 22:59:29.561: SEND:              option 15 len 32: ND_OPT_TRUST_ANCHOR
.May  2 22:59:29.561: SEND:      option trustanchor cn=SERVER-PKI
.May  2 22:59:29.561: SEND:      searching trustanchor cn=SERVER-PKI
.May  2 22:59:29.561: SEND: Found no trustpoint with this trusted issuer cn=SERVER-PKI
.May  2 22:59:29.561: SEND:      No match so far. Another trustanchor ?
.May  2 22:59:29.561: SEND: ! No more anchor to try - None matches - abort
r3#

On r1 we see the received RA:

r1#
May  2 22:58:23.247: ICMPv6: Received R-Advert, Src=FE80::28DF:C6F9:1EE5:DC5F, Dst=FF02::1
May  2 22:58:23.247: SEND: Receive: ND_ROUTER_ADVERT
May  2 22:58:23.247: SEND:       src FE80::28DF:C6F9:1EE5:DC5F
May  2 22:58:23.247: SEND:       dst FF02::1
May  2 22:58:23.247: SEND:       Received at: 0x5364230F400C = 22:58:23 UTC May 2 2014
May  2 22:58:23.247: SEND:               option 1 len 8: ND_OPT_SOURCE_LINKADDR
May  2 22:58:23.247: SEND:               option 5 len 8: ND_OPT_MTU
May  2 22:58:23.247: SEND:               option 7 len 8: ND_RA_INTERVA
May  2 22:58:23.247: SEND:               option 3 len 32: ND_OPT_PREFIX_INFORMATION
May  2 22:58:23.247: SEND:               option 11 len 192: ND_OPT_CGA
May  2 22:58:23.247: SEND:               option 13 len 16: ND_OPT_TIMESTAMP
May  2 22:58:23.247: SEND:               option 12 len 152: ND_OPT_RSA
May  2 22:58:23.247: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 22:58:23.247: SEND:       keylen is 1024
May  2 22:58:23.251: SEND:       sec is 1
May  2 22:58:23.251: SEND:       Address verified
May  2 22:58:23.251: SEND:      Timestamp: 0x5364230F2EEB = 22:58:23 UTC May 2 2014
May  2 22:58:23.251: SEND:       TS opt check RC = 0
May  2 22:58:23.255: SEND:      Good signature
May  2 22:58:23.255: SEND:      RA with prefix option 2001:100::
May  2 22:58:23.255: SEND: EVENT: IPV6_SEND_CERT_RCV_RA  CURRENT STATE: CERT_PENDING
May  2 22:58:23.255: SEND:      action: Update RA in cert DB
May  2 22:58:23.255: SEND: NEW STATE TR: CERT_PENDING
May  2 22:58:24.591: SEND: EVENT: IPV6_SEND_CERT_T0_FIRED  CURRENT STATE: CERT_PENDING
May  2 22:58:24.591: SEND:      action: check mode
May  2 22:58:24.591: SEND: NEW STATE TR: CERT_NONE
May  2 22:58:24.591: SEND:      action error - abort
r1#

In the routing table we can’t see any new entry:

r1#sh ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:100::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:100::200C:30C3:3AFA:2B9B/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

and no router is listed:

r1#sh ipv6 router

r1#

Before r1 can add r3 as the default router, the certificates must match, and in our case they didn’t.
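The two outcomes can be read straight from r1’s debug output. The following is an added example, not part of the original post: it groups the SEND debug lines per received RA and shows that r3’s RA passes the CGA and RSA signature checks but is still dropped, because its certificate state never reaches CERT_VALIDATED. It assumes the state-machine lines that follow a "Verifying address" line belong to that RA, which holds for the sequential captures above; `classify_ras` and the field names are hypothetical.

```python
import re

# Lines copied from the r1 debug output on this page (r2's RA, then r3's RA).
LOG = """\
May  2 22:30:15.627: SEND:      Verifying address FE80::3828:8FA2:608:14A2
May  2 22:30:15.627: SEND:       Address verified
May  2 22:30:15.635: SEND:      Good signature
May  2 22:30:15.635: SEND: EVENT: IPV6_SEND_CERT_RCV_RA  CURRENT STATE: CERT_VALIDATED
May  2 22:30:15.635: SEND:      action: Deliver RA packet to stack
May  2 22:30:15.635: SEND: NEW STATE TR: CERT_VALIDATED
May  2 22:58:23.247: SEND:      Verifying address FE80::28DF:C6F9:1EE5:DC5F
May  2 22:58:23.251: SEND:       Address verified
May  2 22:58:23.255: SEND:      Good signature
May  2 22:58:23.255: SEND: EVENT: IPV6_SEND_CERT_RCV_RA  CURRENT STATE: CERT_PENDING
May  2 22:58:23.255: SEND:      action: Update RA in cert DB
May  2 22:58:23.255: SEND: NEW STATE TR: CERT_PENDING
May  2 22:58:24.591: SEND: EVENT: IPV6_SEND_CERT_T0_FIRED  CURRENT STATE: CERT_PENDING
May  2 22:58:24.591: SEND: NEW STATE TR: CERT_NONE
May  2 22:58:24.591: SEND:      action error - abort
"""

def classify_ras(log):
    """Group SEND debug lines per received RA and report which checks passed."""
    results, cur = [], None
    for line in log.splitlines():
        m = re.search(r"SEND:\s+Verifying address (\S+)", line)
        if m:  # a new RA is being checked; start a fresh record
            cur = {"src": m.group(1), "cga_ok": False, "sig_ok": False,
                   "state": None, "delivered": False}
            results.append(cur)
            continue
        if cur is None:
            continue
        if "Address verified" in line:        # CGA option matches the source address
            cur["cga_ok"] = True
        elif "Good signature" in line:        # RSA option verifies
            cur["sig_ok"] = True
        elif "Deliver RA packet to stack" in line:
            cur["delivered"] = True
        elif (m := re.search(r"NEW STATE TR: (\S+)", line)):
            cur["state"] = m.group(1)         # last certificate state seen wins
    for r in results:
        ok = r["delivered"] and r["state"] == "CERT_VALIDATED"
        r["verdict"] = "accepted" if ok else "rejected: no validated certificate"
    return results

if __name__ == "__main__":
    for r in classify_ras(LOG):
        print(r["src"], "cga_ok:", r["cga_ok"], "sig_ok:", r["sig_ok"], "->", r["verdict"])
```

A valid CGA and signature only prove that the sender owns the address and key; whether it is allowed to act as a router is decided by the certificate path to the configured trust anchor.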

 