So if the Cisco switch is limited to a total of 44 IPv6 prefixes, what can a Fortigate firewall do?
32 IPv6 prefixes, and that's the maximum number you can install under "config ip6-prefix-list" per interface. You can't configure more than 32 prefixes per interface.
B:
So if the Cisco switch is limited to a total of 44 IPv6 prefixes, what can a Juniper SRX firewall do?
44 IPv6 prefixes. You can configure more than the maximum with "set protocols router-advertisement interface" per interface, but JUNOS will only deliver the first 44 prefixes in the ICMPv6 RA per interface.
C:
So if the Cisco switch is limited to a total of 44 IPv6 prefixes, what can a Cisco ASA firewall do?
45 IPv6 prefixes. You can configure more under the interface, but the Cisco ASA will only deliver the first 45 prefixes.
But I ran into a problem with a Mac OS X machine picking up prefixes; I will discuss my findings in a future post.
These were the firewall versions that I tested with:
Fortinet Fortigate = FortiOS 5.2.3
Juniper SRX = JUNOS 12.1X46-D15.3
Cisco ASA = 9.4.1
So why is the total number of prefixes limited to just 44 or 45 IPv6 prefixes?
The limit comes from the size of the Ethernet frame, the "MTU". With a 1500-byte MTU, an ICMPv6 RA packet can carry only 44-45 IPv6 prefixes. That packet holds every detail for each prefix, including the prefix length and the valid/preferred lifetime timers. Any more prefixes and the ICMPv6 RA will not fit into a standard Ethernet frame.
So to prove this point, I took the same Juniper SRX and changed the interface vlan.0 mtu from 1500 to 1000bytes.
See the before and after screenshots.
Now while the ICMPv6 RA is being constructed and sent, the total Ethernet frame size is smaller, so fewer prefixes are included in the Router Advertisement. We now have a total of 28 IPv6 prefixes in one advertisement.
IPv6 Neighbor Discovery hates fragmentation: the router will not fragment the RA, nor will it split the prefix list across two Router Advertisements.
RFC 6980 speaks a little about this and about the security risks of Neighbor Discovery messages carried in fragments.
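The two counts above (44 or 45 at a 1500-byte MTU, 28 after the MTU change) fall straight out of the fixed RFC 4861 sizes: a 40-byte IPv6 header, a 16-byte RA header and one 32-byte Prefix Information option per prefix. Whether a platform lands on 44 or 45 depends on whether it also sends the 8-byte Source Link-Layer Address and MTU options. The following Python script is an added example, not code from the post or from any of the vendors; it computes that budget and serializes a real RA so the byte count can be checked. The `mtu_includes_l2_header` knob is an assumption made to model a platform whose configured MTU counts the 14-byte Ethernet header; with that assumption and the two extra options, a 1000-byte setting yields exactly 28 prefixes. The `2001:db8::/32` prefixes are constructed sample data.

```python
import struct
import ipaddress

# Fixed sizes from RFC 8200 (IPv6 header) and RFC 4861 (Router Advertisement
# and its options). All ND option lengths are multiples of 8 bytes.
IPV6_HEADER = 40
ICMPV6_RA_HEADER = 16      # type, code, checksum, hop limit, flags, lifetimes
PREFIX_INFO_OPTION = 32    # option type 3, length field 4 (4 x 8 bytes)
SLLA_OPTION = 8            # Source Link-Layer Address option on Ethernet
MTU_OPTION = 8             # MTU option
ETHERNET_HEADER = 14       # dst MAC, src MAC, EtherType (no 802.1Q tag)


def max_prefixes(mtu, other_option_bytes=0, mtu_includes_l2_header=False):
    """Largest number of Prefix Information options that fit in one RA.

    other_option_bytes: bytes spent on non-prefix options (SLLA, MTU, RDNSS...).
    mtu_includes_l2_header: assumption knob for platforms whose configured MTU
    counts the 14-byte Ethernet header in the value.
    """
    room = mtu - IPV6_HEADER - ICMPV6_RA_HEADER - other_option_bytes
    if mtu_includes_l2_header:
        room -= ETHERNET_HEADER
    return max(room, 0) // PREFIX_INFO_OPTION


def build_ra(prefixes, router_lifetime=1800, valid=2592000, preferred=604800):
    """Serialize an ICMPv6 Router Advertisement with one Prefix Information
    option per network in `prefixes`. The checksum is left at zero: a real
    sender computes it over the IPv6 pseudo-header (needs src/dst addresses)."""
    # Type 134, code 0, checksum 0, cur hop limit 64, flags 0, router lifetime,
    # reachable time 0, retrans timer 0  -> 16 bytes.
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # Type 3, length 4 (x8 bytes), prefix length, flags L|A (0xC0),
        # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix.
        ra += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, valid, preferred, 0)
        ra += net.network_address.packed
    return ra


def ra_fits(prefixes, mtu):
    """True if the IPv6 packet carrying this RA fits the IP MTU unfragmented."""
    return IPV6_HEADER + len(build_ra(prefixes)) <= mtu


def sample_prefixes(n):
    # Constructed documentation prefixes: 2001:db8:0:0::/64 .. 2001:db8:0:<n-1>::/64
    return [f"2001:db8:0:{i:x}::/64" for i in range(n)]


if __name__ == "__main__":
    print("1500 MTU, prefix options only:      ", max_prefixes(1500))
    print("1500 MTU, plus SLLA and MTU options:", max_prefixes(1500, SLLA_OPTION + MTU_OPTION))
    print("1000 MTU incl. L2 header, SLLA+MTU: ", max_prefixes(1000, SLLA_OPTION + MTU_OPTION, True))
    print("45 prefixes fit in 1500 bytes:", ra_fits(sample_prefixes(45), 1500))
    print("46 prefixes fit in 1500 bytes:", ra_fits(sample_prefixes(46), 1500))
```

The serializer is what makes the arithmetic concrete: 45 options come to 16 + 45 x 32 = 1456 bytes of ICMPv6, plus the 40-byte IPv6 header is 1496, just under 1500, while a 46th option pushes the packet to 1528 and it can no longer be sent in one frame.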
https://www.rfc-editor.org/info/rfc6980
I hope this sheds some light on ICMPv6 RA packets. Please also read these two other posts:
http://socpuppet.blogspot.com/2014/03/protection-from-rouge-ra-advertisements.html
http://socpuppet.blogspot.com/2015/07/ipv6-ra-security-concerns.html
Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \