Wednesday, August 5, 2015

Just how many IPv6 prefixes can be advertised in an ICMPv6 RA ( fortigate-juniper-cisco firewall ) ?

So if the Cisco switch is limited to a total of 44 IPv6 prefixes, what can a FortiGate firewall do?

32 IPv6 prefixes. That is the maximum you can install under "config ip6-prefix-list" per interface; the CLI will not accept more than 32 prefixes per interface.

So if the Cisco switch is limited to a total of 44 IPv6 prefixes, what can a Juniper SRX firewall do?

44 IPv6 prefixes. You can configure more than that under "set protocols router-advertisement interface" per interface, but Junos will only deliver the first 44 prefixes in the ICMPv6 RA for that interface.

So if the Cisco switch is limited to a total of 44 IPv6 prefixes, what can a Cisco ASA firewall do?

45 IPv6 prefixes. You can configure more under the interface, but the Cisco ASA will only deliver the first 45 prefixes.

But I ran into a problem with a Mac OS X machine picking up prefixes; I will discuss my findings in a future post.

These were the firewall versions I tested with:

Fortinet FortiGate = FortiOS 5.2.3
Juniper SRX = JUNOS 12.1X46-D15.3
Cisco ASA = 9.4.1

So why is the total number of prefixes limited to just 44 or 45 IPv6 prefixes?

The limit comes from the Ethernet frame size, i.e. the link MTU. Every Prefix Information option in an RA is 32 bytes (type, length, prefix length, the L/A flags, the valid and preferred lifetimes, and the 16-byte prefix itself), and the whole RA has to fit in a single IPv6 packet: 40 bytes of IPv6 header, 16 bytes of fixed RA header, any other options the router adds (the source link-layer address option is 8 bytes on Ethernet), and then the prefix options. With a 1500-byte MTU that leaves 1444 bytes for options, which is room for 45 prefix options, or 44 once an 8-byte source link-layer address option is in the packet. That is where the 44 and 45 come from. Any more and the ICMPv6 RA will not fit into a standard Ethernet frame.

To prove the point, I took the same Juniper SRX and changed the vlan.0 interface MTU from 1500 to 1000 bytes.

See the before and after screenshots.

With the smaller MTU the Router Advertisement is built to a smaller frame, so fewer prefixes are included in each advertisement: we now get a total of 28 IPv6 prefixes in one advertisement.
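As an added worked example (written by the editor, not code from the original post or from any of the vendors), the following Python builds an RFC 4861 Router Advertisement byte for byte and applies the MTU arithmetic above to the 1500- and 1000-byte cases. The prefix list and router MAC address are constructed sample data, and the ICMPv6 checksum is left as a zero placeholder, since only the packet length matters here.

```python
"""Size an ICMPv6 Router Advertisement (RFC 4861) against the link MTU.

Added example, not from the original post. Byte sizes come from RFC 8200
(IPv6 header) and RFC 4861 (RA header and options); the prefixes and MAC
address used below are constructed sample data.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40   # fixed IPv6 header, counts against the link MTU
RA_HDR_LEN = 16     # ICMPv6 RA: type, code, cksum, hop limit, flags, lifetimes
PIO_LEN = 32        # one Prefix Information option (type 3, length 4 * 8)


def prefix_info_option(prefix: str, valid: int = 2592000,
                       preferred: int = 604800, flags: int = 0xC0) -> bytes:
    """RFC 4861 section 4.6.2 Prefix Information option; 0xC0 = L and A set."""
    net = ipaddress.IPv6Network(prefix)
    head = struct.pack("!BBBBIII", 3, 4, net.prefixlen, flags,
                       valid, preferred, 0)          # 16 bytes
    return head + net.network_address.packed         # plus the 16-byte prefix


def slla_option(mac: bytes) -> bytes:
    """Source Link-Layer Address option (type 1), 8 bytes on Ethernet."""
    return struct.pack("!BB", 1, 1) + mac


def mtu_option(mtu: int) -> bytes:
    """MTU option (type 5), 8 bytes."""
    return struct.pack("!BBHI", 5, 1, 0, mtu)


def build_ra(prefixes, other_options: bytes = b"") -> bytes:
    """ICMPv6 RA body: fixed header, other options, then one PIO per prefix.

    The checksum is a zero placeholder: computing it needs the IPv6
    pseudo-header and it does not change the length, which is all we measure.
    """
    hdr = struct.pack("!BBHBBHII",
                      134, 0, 0,        # type RA, code 0, checksum
                      64, 0x00, 1800,   # cur hop limit, M/O flags, router lifetime
                      0, 0)             # reachable time, retrans timer
    return hdr + other_options + b"".join(prefix_info_option(p) for p in prefixes)


def packet_len(ra_body: bytes) -> int:
    """On-wire IPv6 packet size (Ethernet header and FCS sit outside the MTU)."""
    return IPV6_HDR_LEN + len(ra_body)


def max_prefixes(mtu: int, other_option_bytes: int = 0) -> int:
    """How many PIOs fit once the headers and any other options are accounted for."""
    return (mtu - IPV6_HDR_LEN - RA_HDR_LEN - other_option_bytes) // PIO_LEN


def prefixes_that_fit(prefixes, mtu: int, other_options: bytes = b""):
    """Mimic the tested routers: keep the leading prefixes that fit, drop the rest."""
    kept = []
    for p in prefixes:
        if packet_len(build_ra(kept + [p], other_options)) > mtu:
            break
        kept.append(p)
    return kept


if __name__ == "__main__":
    # Constructed sample data: 60 /64s and a made-up router MAC address.
    sample = [f"2001:db8:{i:x}::/64" for i in range(60)]
    mac = bytes.fromhex("001122334455")
    for mtu in (1500, 1000):
        for label, opts in (("no other options", b""),
                            ("+ SLLA", slla_option(mac)),
                            ("+ SLLA + MTU option", slla_option(mac) + mtu_option(mtu))):
            kept = prefixes_that_fit(sample, mtu, opts)
            size = packet_len(build_ra(kept, opts))
            print(f"MTU {mtu:4d} {label:20s}: {len(kept):2d} prefixes, {size} bytes")
```

Running it gives 45 prefixes at MTU 1500 with no other options (1496 bytes on the wire), 44 once an 8-byte source link-layer address option is present, and 29 at MTU 1000 with that option. The 28 observed on the SRX is one short of that bound, so its RA presumably carries another option or some headroom beyond what is modelled here; that is an assumption, not something the capture on this page shows.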

IPv6 neighbor discovery does not tolerate fragmentation. RFC 6980 requires hosts to silently drop any ND message, Router Advertisements included, that carries a Fragment header, so a router cannot get a longer prefix list through by fragmenting the RA, and none of the platforms tested here spread the leftover prefixes across a second advertisement: they simply truncate the list at whatever fits in one frame.

RFC 6980 also explains the security reasoning: a fragmented ND message cannot be inspected as a whole by first-hop defences such as RA Guard, which is how fragmentation was used to slip rogue prefixes and options past them.

I hope this sheds some light on ICMPv6 RA packets. Please also read these two other postings.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
      /  \
