Tuesday, September 17, 2013

A /128 link-local address, " is this normal" ?

I was doing some checking up on a anyconnect vpnclient  that's using ipv6  and notice my adapter was assigning 2 link-local address.


look here ;





So let's look at the ASA configuration. 

1st let's see what the ASA used for the group-policy and tunnel-group for my user;
( show vpn-sessiondb anyconnect )




Now for my group-policy for my user;


group-policy DfltGrpPolicy attributes
 dns-server value 2001:4860:4860::8844 2001:4860:4860::8888
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tun-ipsec
 default-domain value socpuppets.com
 user-authentication enable

and the tunnel-group;


tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool03


and the corresponding ipv4 pool;

show ip local pool VPNPool03
Begin           End             Mask            Free     Held     In use
192.168.150.65  192.168.150.96  255.255.255.0      31        0        1

Okay so is this normal? A /128 prefix on a dialup sslvpn client ?  and a group-policy that's not enabled for ipv6? And then why 2  link-local address?

Will I was trying to read up on  this rfc &  on ipv6 and ppp;



Since the anyconnect virtual interface is enabled for ipv6, it uses this  unique link-local address. I'm guessing  after it attempts to establishing a PPP session, it crafts a link-local EUI48 address using the primary interface  mac_address. Remember, a ppp or serial interface, does not have a  mac_address. 

What I did find out, the  adapter will always generate a new link-local address upon establishment of connectivity;

( three new attempts gave me the following )




So if you take heed of the tentative scopeid, I believe it's using DAD ( duplicate address detection ) to ensure the  link-local-address is unique.

I will continue some more diagnostics and hopefully test this on a linux or windows anyconnect client soon.




Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \

No comments:

Post a Comment