IPv6 security – IPv6 First Hop Security – part one.
Before we start to configure security features we have to learn about the IPv6 protocol and messages sent across the network. Many IPv6 messages relay on the ICMP protocol.
We will talk about following ICMP packet types:
- Echo request – ICMPv6 – type 128
- Echo reply – ICMPv6 – type 129
- Router Solicitation – ICMPv6 – type 133
- Router Advertisement (RA) – ICMPv6 – type 134
- Neighbor Solicitation (NS)– ICMPv6 – type 135
- Neighbor Advertisement – ICMPv6 – type 136
Let’s first check when we can see the messages and what they are responsible for. I have two routers R1 and R2. They have IPv6 enabled:
R1:
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
ipv6 address 2001:1:1::1/64
ipv6 enable
!
R2:
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
ipv6 address 2001:1:1::2/64
ipv6 enable
!
R1#sh ipv6 interface
GigabitEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::C800:12FF:FE64:8
No Virtual link-local address(es):
Global unicast address(es):
2001:1:1::1, subnet is 2001:1:1::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FF64:8
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
R1#
R2#sh ipv6 interface
GigabitEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::C801:12FF:FE64:8
No Virtual link-local address(es):
Global unicast address(es):
2001:1:1::2, subnet is 2001:1:1::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:2
FF02::1:FF64:8
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
R2#
Once we enable the interfaces we can see following messages sent across the network (output from R2):
*Apr 24 06:35:54.375: ICMPv6: Received R-Advert, Src=FE80::C800:12FF:FE64:8, Dst=FF02::1
*Apr 24 06:35:54.379: ICMPv6-ND: Received RA from FE80::C800:12FF:FE64:8 on GigabitEthernet0/0
*Apr 24 06:35:54.379: ICMPv6-ND: [default] inserted router FE80::C800:12FF:FE64:8/GigabitEthernet0/0
*Apr 24 06:35:54.383: ICMPv6-ND: Prefix : 2001:1:1::, Length: 64, Vld Lifetime: 2592000, Prf Lifetime: 604800, PI Flags: C0
*Apr 24 06:35:57.403: ICMPv6-ND: Request to send RA for FE80::C801:12FF:FE64:8
*Apr 24 06:35:57.407: ICMPv6-ND: Setup RA from FE80::C801:12FF:FE64:8 to FF02::1 on GigabitEthernet0/0
*Apr 24 06:35:57.407: ICMPv6-ND: MTU = 1500
*Apr 24 06:35:57.407: ICMPv6-ND: prefix = 2001:1:1::/64 onlink autoconfig
*Apr 24 06:35:57.407: ICMPv6-ND: 2592000/604800 (valid/preferred)
*Apr 24 06:35:57.411: ICMPv6: Sent R-Advert, Src=FE80::C801:12FF:FE64:8, Dst=FF02::1
*Apr 24 06:36:05.227: ICMPv6: Received R-Advert, Src=FE80::C803:DFFF:FE84:8, Dst=FF02::1
*Apr 24 06:36:05.231: ICMPv6-ND: Received RA from FE80::C803:DFFF:FE84:8 on GigabitEthernet0/0
*Apr 24 06:36:05.231: ICMPv6-ND: [default] inserted router FE80::C803:DFFF:FE84:8/GigabitEthernet0/0
*Apr 24 06:36:13.415: ICMPv6-ND: Request to send RA for FE80::C801:12FF:FE64:8
*Apr 24 06:36:13.419: ICMPv6-ND: Setup RA from FE80::C801:12FF:FE64:8 to FF02::1 on GigabitEthernet0/0
*Apr 24 06:36:13.423: ICMPv6-ND: MTU = 1500
*Apr 24 06:36:13.423: ICMPv6-ND: prefix = 2001:1:1::/64 onlink autoconfig
*Apr 24 06:36:13.427: ICMPv6-ND: 2592000/604800 (valid/preferred)
*Apr 24 06:36:13.431: ICMPv6: Sent R-Advert, Src=FE80::C801:12FF:FE64:8, Dst=FF02::1
Let’s check local IPv6 routers:
R1#sh ipv6 routers
Router FE80::C803:DFFF:FE84:8 on GigabitEthernet0/0, last update 2 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=Medium
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Router FE80::C801:12FF:FE64:8 on GigabitEthernet0/0, last update 2 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=Medium
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Prefix 2001:1:1::/64 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800
R1#
R2#sh ipv6 router
Router FE80::C800:12FF:FE64:8 on GigabitEthernet0/0, last update 0 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=Medium
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Prefix 2001:1:1::/64 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800
Router FE80::C803:DFFF:FE84:8 on GigabitEthernet0/0, last update 2 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=Medium
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
R2#
- Router Solicitation (RS) – ICMPv6 – type 133 The message sent by the host which discovers IPv6 routers on the link. Source address is a local link address for example: fe80::c803:dfff:fe84:8. Destination address is multicast: ff02::2, which means “All Routers Address”.
Frame 1: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 23, 2014 19:20:54.600260000 Central Europe Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1398273654.600260000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 70 bytes (560 bits)
Capture Length: 70 bytes (560 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: ca:03:df:84:00:08 (ca:03:df:84:00:08), Dst: IPv6mcast_00:00:00:02 (33:33:00:00:00:02)
Destination: IPv6mcast_00:00:00:02 (33:33:00:00:00:02)
Address: IPv6mcast_00:00:00:02 (33:33:00:00:00:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: ca:03:df:84:00:08 (ca:03:df:84:00:08)
Address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::c803:dfff:fe84:8 (fe80::c803:dfff:fe84:8), Dst: ff02::2 (ff02::2)
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... 1110 00.. .... .... .... .... .... = Differentiated Services Field: Class Selector 7 (0x00000038)
.... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
.... .... ...0 .... .... .... .... .... = ECN-CE: Not set
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 16
Next header: ICMPv6 (58)
Hop limit: 255
Source: fe80::c803:dfff:fe84:8 (fe80::c803:dfff:fe84:8)
Destination: ff02::2 (ff02::2)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Internet Control Message Protocol v6
Type: Router Solicitation (133)
Code: 0
Checksum: 0x2c0d [correct]
Reserved: 00000000
ICMPv6 Option (Source link-layer address : ca:03:df:84:00:08)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
- Router Advertisement (RA) – ICMPv6 – type 134 The message can be sent as a response on the Router Solicitation, and as unsolicited RA. The source address is local link address for example: fe80::2 and the destination is a multicast ff02::1, which represents “All Nodes Address”.
Frame 2: 118 bytes on wire (944 bits), 118 bytes captured (944 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 23, 2014 19:20:54.622260000 Central Europe Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1398273654.622260000 seconds
[Time delta from previous captured frame: 0.022000000 seconds]
[Time delta from previous displayed frame: 0.022000000 seconds]
[Time since reference or first frame: 0.022000000 seconds]
Frame Number: 2
Frame Length: 118 bytes (944 bits)
Capture Length: 118 bytes (944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: ca:01:12:64:00:08 (ca:01:12:64:00:08), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Address: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: ca:01:12:64:00:08 (ca:01:12:64:00:08)
Address: ca:01:12:64:00:08 (ca:01:12:64:00:08)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::2 (fe80::2), Dst: ff02::1 (ff02::1)
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... 1110 00.. .... .... .... .... .... = Differentiated Services Field: Class Selector 7 (0x00000038)
.... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
.... .... ...0 .... .... .... .... .... = ECN-CE: Not set
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 64
Next header: ICMPv6 (58)
Hop limit: 255
Source: fe80::2 (fe80::2)
Destination: ff02::1 (ff02::1)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Internet Control Message Protocol v6
Type: Router Advertisement (134)
Code: 0
Checksum: 0x2134 [correct]
Cur hop limit: 64
Flags: 0x00
0... .... = Managed address configuration: Not set
.0.. .... = Other configuration: Not set
..0. .... = Home Agent: Not set
...0 0... = Prf (Default Router Preference): Medium (0)
.... .0.. = Proxy: Not set
.... ..0. = Reserved: 0
Router lifetime (s): 1800
Reachable time (ms): 0
Retrans timer (ms): 0
ICMPv6 Option (Source link-layer address : ca:01:12:64:00:08)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: ca:01:12:64:00:08 (ca:01:12:64:00:08)
ICMPv6 Option (MTU : 1500)
Type: MTU (5)
Length: 1 (8 bytes)
Reserved
MTU: 1500
ICMPv6 Option (Prefix information : 2001::/64)
Type: Prefix information (3)
Length: 4 (32 bytes)
Prefix Length: 64
Flag: 0xc0
1... .... = On-link flag(L): Set
.1.. .... = Autonomous address-configuration flag(A): Set
..0. .... = Router address flag(R): Not set
...0 0000 = Reserved: 0
Valid Lifetime: 2592000
Preferred Lifetime: 604800
Reserved
Prefix: 2001:: (2001::)
Now, when we check the router neighbor’s table we see both are empty:
R1#sh ipv6 neighbors
R2#
R2#sh ipv6 neighbors
R2#
I will ping R1 from R2 (first link local and the global IP):
#ping ipv6 FE80::C800:12FF:FE64:8
Output Interface: GigabitEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::C800:12FF:FE64:8, timeout is 2 seconds:
Packet sent with a source address of FE80::C801:12FF:FE64:8%GigabitEthernet0/0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/52/116 ms
R2#
*Apr 24 09:37:51.430: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.434: ICMPv6-ND: Created ND Entry Chunk pool
*Apr 24 09:37:51.438: ICMPv6-ND: DELETE -> INCMP: FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.442: ICMPv6-ND: Sending NS for FE80::C800:12FF:FE64:8 on GigabitEthernet0/0
*Apr 24 09:37:51.446: ICMPv6-ND: Resolving next hop FE80::C800:12FF:FE64:8 on interface GigabitEthernet0/0
*Apr 24 09:37:51.450: ICMPv6: Sent N-Solicit, Src=FE80::C801:12FF:FE64:8, Dst=FF02::1:FF64:8
*Apr 24 09:37:51.526: ICMPv6: Received N-Advert, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.530: ICMPv6-ND: Received NA for FE80::C800:12FF:FE64:8 on GigabitEthernet0/0 from FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.530: ICMPv6-ND: Neighbour FE80::C800:12FF:FE64:8 on GigabitEthernet0/0 : LLA ca00.1264.0008
*Apr 24 09:37:51.534: ICMPv6-ND: INCMP -> REACH: FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.562: ICMPv6: Received echo reply
R2#, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.570: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.606: ICMPv6: Received echo reply, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.618: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.658: ICMPv6: Received echo reply, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.666: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.710: ICMPv6: Received echo reply, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:51.718: ICMPv6: Sent echo request, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
*Apr 24 09:37:51.750: ICMPv6: Received echo reply, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:56.570: ICMPv6: Received N-Solicit, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
*Apr 24 09:37:56.574: ICMPv6-ND: Received NS for FE80::C801:12FF:FE64:8 on GigabitEthernet0/0 from FE80::C800:12FF:FE64:8
*Apr 24 09:37:56.574: ICMPv6-ND: Sending NA for FE80::C801:12FF:FE64:8 on GigabitEthernet0/0
*Apr 24 09:37:56.582: ICMPv6: Sent N-Advert, Src=FE80::C801:12FF:FE64:8, Dst=FE80::C800:12FF:FE64:8
R2#
*Apr 24 09:38:00.822: ICMPv6: Received R-Advert, Src=FE80::C800:12FF:FE64:8, Dst=FF02::1
*Apr 24 09:38:00.822: ICMPv6-ND: Received RA from FE80::C800:12FF:FE64:8 on GigabitEthernet0/0
*Apr 24 09:38:00.826: ICMPv6-ND: Prefix : 2001:1:1::, Length: 64, Vld Lifetime: 2592000, Prf Lifetime: 604800, PI Flags: C0
*Apr 24 09:38:21.802: ICMPv6-ND: REACH -> STALE: FE80::C800:12FF:FE64:8
R2#
R2#sh ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
FE80::C800:12FF:FE64:8 0 ca00.1264.0008 REACH Gi0/0
As we see the Neighbor Solicitation and Neighbor Advertisement packets were exchanged to learn about neighbor. It works similar to ARP for IPv4. We see the link local IP has been added to the neighbor table. Now let’s ping the global IP address:
R2#ping ipv6 2001:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/51/132 ms
R2#
*Apr 24 09:38:40.086: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.090: ICMPv6-ND: DELETE -> INCMP: 2001:1:1::1
*Apr 24 09:38:40.102: ICMPv6-ND: Sending NS for 2001:1:1::1 on GigabitEthernet0/0
*Apr 24 09:38:40.102: ICMPv6-ND: Resolving next hop 2001:1:1::1 on interface GigabitEthernet0/0
*Apr 24 09:38:40.110: ICMPv6: Sent N-Solicit, Src=2001:1:1::2, Dst=FF02::1:FF00:1
*Apr 24 09:38:40.182: ICMPv6: Received N-Advert, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:40.186: ICMPv6-ND: Received NA for 2001:1:1::1 on GigabitEthernet0/0 from 2001:1:1::1
*Apr 24 09:38:40.190: ICMPv6-ND: Neighbour 2001:1:1::1 on GigabitEthernet0/0 : LLA ca00.1264.0008
*Apr 24 09:38:40.190: ICMPv6-ND: INCMP -> REACH: 2001:1:1::1
*Apr 24 09:38:40.238: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:40.250: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.286: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=200
R2#1:1:1::2
*Apr 24 09:38:40.290: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.318: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:40.326: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.358: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:40.366: ICMPv6: Sent echo request, Src=2001:1:1::2, Dst=2001:1:1::1
*Apr 24 09:38:40.402: ICMPv6: Received echo reply, Src=2001:1:1::1, Dst=2001:1:1::2
*Apr 24 09:38:45.302: ICMPv6: Received N-Solicit, Src=FE80::C800:12FF:FE64:8, Dst=2001:1:1::2
*Apr 24 09:38:45.306: ICMPv6-ND: Received NS for 2001:1:1::2 on GigabitEthernet0/0 from FE80::C800:12FF:FE64:8
*Apr 24 09:38:45.306: ICMPv6-ND: Sending NA for 2001:1:1::2 on GigabitEthernet0/0
*Apr 24 09:38:45.314: ICMPv6: Sent N-Advert, Src=2001:1:1::2, Dst=FE80::C800:12FF:FE64:8
R2#
R2#sh ipv6 neighbors
*Apr 24 09:38:55.482: ICMPv6: Received N-Solicit, Src=FE80::C800:12FF:FE64:8, Dst=FE80::C801:12FF:FE64:8
R2#sh ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
2001:1:1::1 0 ca00.1264.0008 REACH Gi0/0
FE80::C800:12FF:FE64:8 0 ca00.1264.0008 REACH Gi0/0
R2#
Now we see both IPs in the neighbor table.
- Neighbor Solicitation (NS)– ICMPv6 – type 135 The message requests a MAC address for specific IPv6 address. The message is sent from unspecific IP (::) to special multicast IP of the destination device. Data of the packet contain the target IP for which we sent the query.
Frame 4: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 23, 2014 19:20:54.642260000 Central Europe Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1398273654.642260000 seconds
[Time delta from previous captured frame: 0.020000000 seconds]
[Time delta from previous displayed frame: 0.020000000 seconds]
[Time since reference or first frame: 0.042000000 seconds]
Frame Number: 4
Frame Length: 78 bytes (624 bits)
Capture Length: 78 bytes (624 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: ca:03:df:84:00:08 (ca:03:df:84:00:08), Dst: IPv6mcast_ff:84:00:08 (33:33:ff:84:00:08)
Destination: IPv6mcast_ff:84:00:08 (33:33:ff:84:00:08)
Address: IPv6mcast_ff:84:00:08 (33:33:ff:84:00:08)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: ca:03:df:84:00:08 (ca:03:df:84:00:08)
Address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: :: (::), Dst: ff02::1:ff84:8 (ff02::1:ff84:8)
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... 1110 00.. .... .... .... .... .... = Differentiated Services Field: Class Selector 7 (0x00000038)
.... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
.... .... ...0 .... .... .... .... .... = ECN-CE: Not set
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 24
Next header: ICMPv6 (58)
Hop limit: 255
Source: :: (::)
Destination: ff02::1:ff84:8 (ff02::1:ff84:8)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Internet Control Message Protocol v6
Type: Neighbor Solicitation (135)
Code: 0
Checksum: 0xb38a [correct]
Reserved: 00000000
Target Address: 2001::c803:dfff:fe84:8 (2001::c803:dfff:fe84:8)
- Neighbor Advertisement (NA) – ICMPv6 – type 136
The message is a response on the NS query and contains a MAC address of the requested IP. The destination IP is a multicast ff02::1 - “All Nodes Address”.
Frame 5: 86 bytes on wire (688 bits), 86 bytes captured (688 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 23, 2014 19:20:55.624260000 Central Europe Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1398273655.624260000 seconds
[Time delta from previous captured frame: 0.982000000 seconds]
[Time delta from previous displayed frame: 0.982000000 seconds]
[Time since reference or first frame: 1.024000000 seconds]
Frame Number: 5
Frame Length: 86 bytes (688 bits)
Capture Length: 86 bytes (688 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: ca:03:df:84:00:08 (ca:03:df:84:00:08), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Address: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: ca:03:df:84:00:08 (ca:03:df:84:00:08)
Address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: 2001::c803:dfff:fe84:8 (2001::c803:dfff:fe84:8), Dst: ff02::1 (ff02::1)
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... 1110 00.. .... .... .... .... .... = Differentiated Services Field: Class Selector 7 (0x00000038)
.... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
.... .... ...0 .... .... .... .... .... = ECN-CE: Not set
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 32
Next header: ICMPv6 (58)
Hop limit: 255
Source: 2001::c803:dfff:fe84:8 (2001::c803:dfff:fe84:8)
[Source Teredo Server IPv4: 0.0.0.0 (0.0.0.0)]
[Source Teredo Port: 8192]
[Source Teredo Client IPv4: 1.123.255.247 (1.123.255.247)]
Destination: ff02::1 (ff02::1)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Internet Control Message Protocol v6
Type: Neighbor Advertisement (136)
Code: 0
Checksum: 0x9feb [correct]
Flags: 0xa0000000
1... .... .... .... .... .... .... .... = Router: Set
.0.. .... .... .... .... .... .... .... = Solicited: Not set
..1. .... .... .... .... .... .... .... = Override: Set
...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0
Target Address: 2001::c803:dfff:fe84:8 (2001::c803:dfff:fe84:8)
ICMPv6 Option (Target link-layer address : ca:03:df:84:00:08)
Type: Target link-layer address (2)
Length: 1 (8 bytes)
Link-layer address: ca:03:df:84:00:08 (ca:03:df:84:00:08)
In the next post I will talk how to implement security features for some IPv6 protocols.
4
Kudos
4
Kudos