Sunday, March 10, 2013

autoconfig ipv6 and deprecated address

In this post, we will try to understand what happens on a stateless autoconfig client when the lifetimes of its autoconfigured IPv6 address expire.

In SLAAC, the client derives its own interface address from its MAC address (the EUI-64 interface identifier) plus the announcements from the local IPv6 router. The router sends RAs ( router advertisements ), and each RA carries details about the prefix or prefixes that the router announces on that link.

e.g.
16:07:42.656846 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::209:fff:fe03:5882 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
    hop limit 0, Flags [other stateful], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
      prefix info option (3), length 32 (4): 2001:444::/64, Flags [onlink, auto], valid time 2592000s, pref. time 3600s
        0x0000:  40c0 0027 8d00 0000 000a 0000 0000 2001
        0x0010:  0444 0000 0000 0000 0000 0000 0000
      source link-address option (1), length 8 (1): 00:09:0f:03:58:82
        0x0000:  0009 0f03 5882


note: I bold out a few entries that we will discuss in this blog.


These RAs provide the IPv6 client with the /64 network portion of its 128-bit address; the client supplies the remaining 64 bits (the interface identifier) itself.

You will notice there is no gateway field in the RA. The client uses the RA's source address, i.e. the router's link-local address ( fe80::209:fff:fe03:5882 above ), as its default gateway, for as long as the router lifetime ( 1800s above ) says that router is usable. The onlink flag tells the client that other addresses within this prefix are reachable directly on the link, without going through the router.

So a client that sees this RA will now compute its address;

e.g.
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:1f:5b:ea:0a:fa
    inet6 fe80::21f:5bff:feea:afa%en0 prefixlen 64 scopeid 0x4
    inet 192.168.254.20 netmask 0xffffff00 broadcast 192.168.254.255
    inet6 2001:444::21f:5bff:feea:afa prefixlen 64 autoconf
    media: autoselect (100baseTX <full-duplex,flow-control>)
    status: active
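The derivation the client performs, as an added example in Python (this is not code from the original post): the MAC is split into its two halves, ff:fe is inserted between them, the universal/local bit ( 0x02 of the first octet ) is flipped, and the 64-bit result fills the low half of the advertised /64. The MAC and prefix used are the ones from the capture and ifconfig output above; the function names are my own.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a 48-bit MAC.

    OUI half + 0xFFFE + NIC half, then flip the universal/local bit
    (0x02 of the first octet). Returns the 64-bit identifier as an int.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a stateless autoconf client forms from an RA prefix with the A flag set.

    Only a /64 works: the interface identifier is exactly 64 bits, and RFC 4862
    (5.5.3 d) tells hosts to ignore a prefix whose length plus 64 is not 128.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64, got /{net.prefixlen}")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def link_local_address(mac: str) -> str:
    """Link-local address: the same EUI-64 identifier under fe80::/64."""
    return slaac_address("fe80::/64", mac)


if __name__ == "__main__":
    # Constructed from the values shown on this page.
    client_mac = "00:1f:5b:ea:0a:fa"   # en0 in the ifconfig output
    router_mac = "00:09:0f:03:58:82"   # source link-address option in the RA
    print(slaac_address("2001:444::/64", client_mac))   # 2001:444::21f:5bff:feea:afa
    print(link_local_address(client_mac))               # fe80::21f:5bff:feea:afa
    print(link_local_address(router_mac))               # fe80::209:fff:fe03:5882
```

The third line of output is the RA's source address from the tcpdump capture, which is how you can tie a router's link-local address back to the MAC in its source link-address option.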


Based on the RA preferred and valid fields, the address is bound for those durations, counted from the last RA that carried the prefix. Every new RA announcing the prefix restarts the timers, so a host on a healthy link normally never reaches either limit. If the host does not see another RA before the preferred time runs out, it tags the address on its interface as deprecated;

e.g.
ken-felixs-macbook:~ root# ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:1f:5b:ea:0a:fa
    inet6 fe80::21f:5bff:feea:afa%en0 prefixlen 64 scopeid 0x4
    inet 192.168.254.20 netmask 0xffffff00 broadcast 192.168.254.255
    inet6 2001:444::21f:5bff:feea:afa prefixlen 64 deprecated autoconf
    media: autoselect (100baseTX <full-duplex,flow-control>)
    status: active


Deprecated tells us the preferred lifetime has expired but the valid lifetime has not: existing connections keep working, and the address stays on the interface until the valid lifetime runs out, at which point it becomes invalid and is removed. A host should NOT use a deprecated address as the source for new communications when a preferred address is available ( RFC 4862 ), and most OSes honour that in their source address selection.
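The preferred / deprecated / invalid lifecycle and the way a new RA refreshes it, as an added Python example (not code from the original post). It models RFC 4862 section 5.5.3 e), including the "two-hour rule" that limits how far an unauthenticated RA can shorten the valid lifetime of an address that already exists, and section 5.5.4 for the deprecated state. The class and function names are my own, and the scenario uses the 360s valid / 120s preferred values from the router configs on this page; times are plain seconds supplied by the caller so the transitions can be stepped through without waiting.

```python
"""Lifecycle of a stateless autoconf address: preferred -> deprecated -> invalid."""

TWO_HOURS = 2 * 60 * 60


class AutoconfAddress:
    def __init__(self, prefix: str, valid: int, preferred: int, now: float) -> None:
        # RFC 4862 5.5.3 c): an option with preferred > valid is silently ignored,
        # and d): a Valid Lifetime of 0 never forms a new address.
        if preferred > valid:
            raise ValueError("preferred lifetime exceeds valid lifetime")
        if valid == 0:
            raise ValueError("valid lifetime 0 forms no address")
        self.prefix = prefix
        self.valid_until = now + valid
        self.preferred_until = now + preferred

    def on_ra(self, valid: int, preferred: int, now: float, authenticated: bool = False) -> None:
        """Apply a Prefix Information option for self.prefix from a newly received RA."""
        if preferred > valid:
            return                                   # option ignored, as at creation
        self.preferred_until = now + preferred       # preferred lifetime is always reset
        remaining = max(0, self.valid_until - now)   # "RemainingLifetime" in the RFC
        if valid > TWO_HOURS or valid > remaining:
            self.valid_until = now + valid           # rule 1: take the advertised value
        elif remaining <= TWO_HOURS:
            if authenticated:                        # rule 2: ignore, unless the RA was
                self.valid_until = now + valid       #   authenticated (e.g. SEND, RFC 3971)
        else:
            self.valid_until = now + TWO_HOURS       # rule 3: clamp to two hours

    def state(self, now: float) -> str:
        if now >= self.valid_until:
            return "invalid"      # removed from the interface
        if now >= self.preferred_until:
            return "deprecated"   # the flag ifconfig shows above
        return "preferred"


def timeline(addr: AutoconfAddress, times) -> dict:
    """State of the address sampled at each time in 'times'."""
    return {t: addr.state(t) for t in times}


if __name__ == "__main__":
    # Constructed scenario: one address, the same 360/120 lifetimes as the configs on this page.
    a = AutoconfAddress("2001:444::/64", valid=360, preferred=120, now=0)
    print("no refresh     ", timeline(a, [0, 119, 120, 359, 360]))
    a.on_ra(360, 120, now=100)        # RA seen again at t=100: both timers restart
    print("refreshed @100 ", timeline(a, [150, 219, 220, 459, 460]))
    a.on_ra(0, 0, now=200)            # unauthenticated RA with zero lifetimes
    print("zero-lifetime  ", timeline(a, [200, 459, 460]))
```

The last scenario is the part worth noticing: an RA with a preferred lifetime of 0 deprecates the address at once, but because the remaining valid lifetime is under two hours the zero valid lifetime is ignored, so the address stays on the interface until its original valid time. With long lifetimes ( the 36000s example further down ) an unauthenticated RA can only pull the valid lifetime down to two hours, not to zero.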

So how do we control this function? It is done exclusively by the router issuing the RAs; nothing on the client sets these values, they come from whatever RA the host accepts on its link. Here are a few ways of controlling it;

fortigate    ( 200A  4.0 patch 12 )

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.254.254 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set alias "inside"
        config ipv6
            set ip6-address 2001:444::1/64
            set ip6-allowaccess ping https ssh snmp
            set ip6-default-life 10
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:444::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set preferred-life-time 120
                    set valid-life-time 360
                next
            end
            set ip6-send-adv enable
        end
    next
end



cisco  ( ISR3825 ios 15.1.4 adventerprise )
 


!
interface GigabitEthernet0/0
 ip address 1.1.1.253 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex auto
 speed auto
 media-type rj45
 analysis-module monitoring
 ipv6 address 2001:444::1/64
 ipv6 enable
 ipv6 nd prefix default 360 120
 end




cisco  ( ASA 9.1.1 )
 


 !
interface vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
 ipv6 address 2002:100::1/64
 ipv6 nd ra-interval 30
 ipv6 nd prefix default 360 120
 ipv6 nd dad attempts 2
!



prefix info option (3), length 32 (4): 2002:100::/64, Flags [onlink, auto], valid time 360s, pref. time 120s
        0x0000:  40c0 0000 0168 0000 0078 0000 0000 2002
        0x0010:  0100 0000 0000 0000 0000 0000 0000




So in conclusion: prefix valid/preferred lifetimes can be set in most RA implementations. They tell the IPv6 clients how long to prefer, and how long to keep, an address formed from that prefix.

One thing I want to point out in my above 3 examples: FortiGate offers controls per prefix announced on the local interface by default. You can have multiple prefixes, in the same fashion as having multiple IPv6 addresses, and each one has its own configuration and valid/preferred values.


e.g.

config ip6-prefix-list
    edit 2001:444::/64
        set autonomous-flag enable
        set onlink-flag enable
        set preferred-life-time 120
        set valid-life-time 360
    next
    edit 2001:445::/64
        set autonomous-flag enable
        set onlink-flag enable
        set preferred-life-time 24000
        set valid-life-time 36000
    next
end




With the Cisco configurations shown above, "ipv6 nd prefix default" applies to every prefix on that interface. To get the same per-prefix control as the FortiGate, you must set the lifetimes per prefix with "ipv6 nd prefix <prefix> <valid> <preferred>"; prefixes without their own entry keep using the default;

e.g.
 interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
 ipv6 address 2002:100::1/64
 ipv6 address 2002:101::1/64
 ipv6 nd ra-interval 30
 ipv6 nd prefix default 360 120
 ipv6 nd prefix 2002:101::/64 3600 1200



And now the RA shows the lifetimes for each prefix, with the values that were set;


  prefix info option (3), length 32 (4): 2002:100::/64, Flags [onlink, auto], valid time 360s, pref. time 120s
        0x0000:  40c0 0000 0168 0000 0078 0000 0000 2002
        0x0010:  0100 0000 0000 0000 0000 0000 0000
      prefix info option (3), length 32 (4): 2002:101::/64, Flags [onlink, auto], valid time 3600s, pref. time 1200s
        0x0000:  40c0 0000 0e10 0000 04b0 0000 0000 2002
        0x0010:  0101 0000 0000 0000 0000 0000 0000
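If you want to confirm what the router actually puts on the wire rather than trusting the config, you can decode the hex that tcpdump prints. The following is an added Python example (not code from the original post): it parses the option body tcpdump shows above, which is the Prefix Information option ( RFC 4861 section 4.6.2 ) minus its 2-byte type/length header, and compares the result with the values the config was meant to send. The two hex dumps embedded in it are copied from the capture above; the function names and the mismatch check are my own.

```python
import ipaddress
import struct

# Constructed input: the two tcpdump hex dumps from the ASA capture above, verbatim.
PREFIX_INFO_2002_100 = """
        0x0000:  40c0 0000 0168 0000 0078 0000 0000 2002
        0x0010:  0100 0000 0000 0000 0000 0000 0000
"""
PREFIX_INFO_2002_101 = """
        0x0000:  40c0 0000 0e10 0000 04b0 0000 0000 2002
        0x0010:  0101 0000 0000 0000 0000 0000 0000
"""


def option_body_bytes(dump: str) -> bytes:
    """Turn tcpdump's '0xNNNN:  xxxx xxxx ...' lines into raw bytes (offset labels dropped)."""
    words = []
    for line in dump.strip().splitlines():
        parts = line.split()
        if parts and parts[0].endswith(":"):
            parts = parts[1:]
        words.extend(parts)
    return bytes.fromhex("".join(words))


def parse_prefix_info(dump: str) -> dict:
    """Decode the body of an ND Prefix Information option (RFC 4861 4.6.2).

    tcpdump prints the body without the type/length header, so 30 bytes remain:
      prefix length (1) | flags (1) | valid lifetime (4) | preferred lifetime (4)
      | reserved (4) | prefix (16)
    Flags: 0x80 = L (on-link), 0x40 = A (autonomous, i.e. usable for SLAAC).
    """
    body = option_body_bytes(dump)
    if len(body) != 30:
        raise ValueError(f"expected 30 option-body bytes, got {len(body)}")
    plen, flags, valid, preferred, _reserved = struct.unpack("!BBIII", body[:14])
    prefix = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(body[14:])}/{plen}", strict=False)
    auto = bool(flags & 0x40)
    return {
        "prefix": str(prefix),
        "onlink": bool(flags & 0x80),
        "auto": auto,
        "valid": valid,
        "preferred": preferred,
        "infinite": valid == 0xFFFFFFFF,
        # RFC 4862 5.5.3: hosts only form an address when A is set, the prefix is a /64,
        # the valid lifetime is non-zero and preferred does not exceed valid.
        "usable_for_slaac": auto and plen == 64 and valid > 0 and preferred <= valid,
    }


def mismatches(parsed: dict, expect_valid: int, expect_preferred: int) -> list:
    """What differs between the option on the wire and the lifetimes the config should send."""
    out = []
    if parsed["valid"] != expect_valid:
        out.append(f"valid {parsed['valid']} != {expect_valid}")
    if parsed["preferred"] != expect_preferred:
        out.append(f"preferred {parsed['preferred']} != {expect_preferred}")
    if not parsed["usable_for_slaac"]:
        out.append("hosts will not autoconfigure from this option")
    return out


if __name__ == "__main__":
    # Expected values come from "ipv6 nd prefix default 360 120" and
    # "ipv6 nd prefix 2002:101::/64 3600 1200" in the ASA config above.
    for dump, valid, preferred in ((PREFIX_INFO_2002_100, 360, 120), (PREFIX_INFO_2002_101, 3600, 1200)):
        parsed = parse_prefix_info(dump)
        print(parsed, "mismatches:", mismatches(parsed, valid, preferred))
```

Run it against a fresh "tcpdump -vv icmp6" capture after changing the router config; the printed mismatch list is empty only when the RA on the wire matches what you configured.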

 




I hope you  found this posting useful

Ken Felix
Freelance Network/Security Engineer
kfelix  at hyperfeed d-o-t com
  

 
