In this post, we will try to understand what happens after an IPv6 temporary address lifetime expires on a stateless autoconfig client.
In SLAAC, we typically derive our interface address from our MAC address and from announcements by our local IPv6 router. These routers send RAs (router advertisements), and within an RA we have details about the prefix or prefixes that the router carries.
i.e.
16:07:42.656846 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::209:fff:fe03:5882 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
hop limit 0, Flags [other stateful], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
prefix info option (3), length 32 (4): 2001:444::/64, Flags [onlink, auto], valid time 2592000s, pref. time 3600s
0x0000: 40c0 0027 8d00 0000 000a 0000 0000 2001
0x0010: 0444 0000 0000 0000 0000 0000 0000
source link-address option (1), length 8 (1): 00:09:0f:03:58:82
0x0000: 0009 0f03 5882
note: I bolded a few entries that we will discuss in this blog.
These RAs provide the details an IPv6 client needs to assign the /64 network portion of its 128-bit address.
Notice that the gateway is not part of the RA announcement, so the client will use the sender's link-local address as its gateway. The onlink flag tells us this prefix is on-link.
So a client that sees this RA will now compute its address;
i.e.
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:1f:5b:ea:0a:fa
inet6 fe80::21f:5bff:feea:afa%en0 prefixlen 64 scopeid 0x4
inet 192.168.254.20 netmask 0xffffff00 broadcast 192.168.254.255
inet6 2001:444::21f:5bff:feea:afa prefixlen 64 autoconf
media: autoselect (100baseTX <full-duplex,flow-control>)
status: active
Based on the RA's preferred and valid lifetime fields, this address will be bound for that duration. After the preferred time has expired, the autoconfig client must renew the address. If the host does not see another RA announcement, it will tag the address on its interface as deprecated, as shown here;
i.e.
ken-felixs-macbook:~ root# ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:1f:5b:ea:0a:fa
inet6 fe80::21f:5bff:feea:afa%en0 prefixlen 64 scopeid 0x4
inet 192.168.254.20 netmask 0xffffff00 broadcast 192.168.254.255
inet6 2001:444::21f:5bff:feea:afa prefixlen 64 deprecated autoconf
media: autoselect (100baseTX <full-duplex,flow-control>)
status: active
The deprecated flag tells us that this IPv6 address is no longer preferred, but we can still use it until the valid lifetime expires. It's recommended NOT to use a deprecated address for any communications, though, and most OSes will try to honor that.
So how do we control this function? It is done exclusively by the router issuing the RAs. Here are a few ways to control it;
FortiGate (200A, 4.0 patch 12)
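To make the address computation and the lifetime states concrete, here is an added Python example (not code from the original post) that derives the SLAAC address from the MAC and /64 prefix shown in the ifconfig output above, and classifies an address as preferred, deprecated, or invalid from the RA lifetimes; the function names are my own.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    split the MAC in half, insert ff:fe, and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02          # toggle the U/L bit in the first octet
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfig address: the RA's /64 prefix plus the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))

def address_state(elapsed: int, preferred: int, valid: int) -> str:
    """State of an autoconf address 'elapsed' seconds after the RA was received,
    per the preferred/valid lifetimes carried in the prefix information option."""
    if preferred > valid:
        raise ValueError("preferred lifetime must not exceed valid lifetime")
    if elapsed < preferred:
        return "preferred"       # normal use
    if elapsed < valid:
        return "deprecated"      # what ifconfig flags; the host should stop using it
    return "invalid"             # removed from the interface

if __name__ == "__main__":
    # MAC and prefix taken from the ifconfig / RA output in the post
    addr = slaac_address("2001:444::/64", "00:1f:5b:ea:0a:fa")
    print(addr)   # 2001:444::21f:5bff:feea:afa, matching the ifconfig output above
    for t in (60, 3600, 2592000):
        print(t, address_state(t, preferred=3600, valid=2592000))
```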
config system interface
edit "internal"
set vdom "root"
set ip 192.168.254.254 255.255.255.0
set allowaccess ping https ssh snmp
set type physical
set alias "inside"
config ipv6
set ip6-address 2001:444::1/64
set ip6-allowaccess ping https ssh snmp
set ip6-default-life 10
set ip6-other-flag enable
config ip6-prefix-list
edit 2001:444::/64
set autonomous-flag enable
set onlink-flag enable
set preferred-life-time 120
set valid-life-time 360
next
end
set ip6-send-adv enable
end
next
end
Cisco (ISR3825, IOS 15.1.4 adventerprise)
!
interface GigabitEthernet0/0
ip address 1.1.1.253 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
media-type rj45
analysis-module monitoring
ipv6 address 2001:444::1/64
ipv6 enable
ipv6 nd prefix default 360 120
end
Cisco (ASA 9.1.1)
!
interface vlan1
nameif inside
security-level 100
ip address 192.168.110.1 255.255.255.0
ipv6 address 2002:100::1/64
ipv6 nd ra-interval 30
ipv6 nd prefix default 360 120
ipv6 nd dad attempts 2
!
prefix info option (3), length 32 (4): 2002:100::/64, Flags [onlink, auto], valid time 360s, pref. time 120s
0x0000: 40c0 0000 0168 0000 0078 0000 0000 2002
0x0010: 0100 0000 0000 0000 0000 0000 0000
So in conclusion: prefix valid/preferred times can be set within most RAs. This gives direction to the IPv6 clients as to how long that address may be used.
One thing I want to point out in my above 3 examples: Fortinet offers controls per prefix announced on the local interface by default. You can have multiple prefixes in the same fashion as having multiple IPv6 addresses, and each one has its own configuration and valid/preferred values.
e.g.
config ip6-prefix-list
edit 2001:444::/64
set autonomous-flag enable
set onlink-flag enable
set preferred-life-time 120
set valid-life-time 360
next
edit 2001:445::/64
set autonomous-flag enable
set onlink-flag enable
set preferred-life-time 24000
set valid-life-time 36000
next
The Cisco configurations shown above affect all prefixes and are global to that interface. To get the same function as the FortiGate, you must set the lifetimes per prefix;
e.g.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.110.1 255.255.255.0
ipv6 address 2002:100::1/64
ipv6 address 2002:101::1/64
ipv6 nd ra-interval 30
ipv6 nd prefix default 360 120
ipv6 nd prefix 2002:101::/64 3600 1200
And now the RA shows the lifetimes for each prefix with the values set.
prefix info option (3), length 32 (4): 2002:100::/64, Flags [onlink, auto], valid time 360s, pref. time 120s
0x0000: 40c0 0000 0168 0000 0078 0000 0000 2002
0x0010: 0100 0000 0000 0000 0000 0000 0000
prefix info option (3), length 32 (4): 2002:101::/64, Flags [onlink, auto], valid time 3600s, pref. time 1200s
0x0000: 40c0 0000 0e10 0000 04b0 0000 0000 2002
0x0010: 0101 0000 0000 0000 0000 0000 0000
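As an added example (not part of the original post), this Python snippet decodes the two prefix information option bodies from the tcpdump output above, as tcpdump prints them after the type/length bytes, into prefix, flags, and lifetimes; the function and constant names are mine.

```python
import struct
import ipaddress

# Prefix Information option body as tcpdump -vv prints it after the type/length
# bytes (RFC 4861 section 4.6.2): prefix length, flags, valid lifetime,
# preferred lifetime, reserved, 16-byte prefix = 30 bytes, network byte order.
PIO_BODY = struct.Struct("!BBIII16s")

def parse_pio_dump(dump: str) -> dict:
    """Decode a tcpdump hex dump of one prefix information option body."""
    hexdigits = "".join(
        word for line in dump.strip().splitlines()
        for word in line.split()[1:]          # drop the 0x0000: offset column
    )
    body = bytes.fromhex(hexdigits)
    if len(body) != PIO_BODY.size:
        raise ValueError(f"expected {PIO_BODY.size} bytes, got {len(body)}")
    plen, flags, valid, preferred, _reserved, prefix = PIO_BODY.unpack(body)
    if preferred > valid:
        # RFC 4862 5.5.3: a host silently ignores such an option
        raise ValueError("preferred lifetime exceeds valid lifetime")
    return {
        "prefix": str(ipaddress.IPv6Network((ipaddress.IPv6Address(prefix), plen))),
        "onlink": bool(flags & 0x80),       # L flag
        "autonomous": bool(flags & 0x40),   # A flag: prefix usable for SLAAC
        "valid": valid,                     # seconds
        "preferred": preferred,             # seconds
    }

# The two prefix information option bodies from the ASA capture above.
DUMPS = {
    "2002:100": """0x0000: 40c0 0000 0168 0000 0078 0000 0000 2002
0x0010: 0100 0000 0000 0000 0000 0000 0000""",
    "2002:101": """0x0000: 40c0 0000 0e10 0000 04b0 0000 0000 2002
0x0010: 0101 0000 0000 0000 0000 0000 0000""",
}

if __name__ == "__main__":
    for d in DUMPS.values():
        print(parse_pio_dump(d))
```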
I hope you found this posting useful
Ken Felix
Freelance Network/Security Engineer
kfelix at hyperfeed d-o-t com