IPv6 Trace Analysis using Wireshark - Sharkfest - Wireshark

1IPv6 Trace Analysis using WiresharkNalini Elkins, CEO Inside Products, Inc.Nalini.elkins@insidethestack.com

Agenda• What has not changed between IPv4 and IPv6 traces• What has changed between IPv4 and IPv6 traces• IPv6 extension headers• Flow label• Who sent it and who received it? (Global Unicast,Multicast, Link Local)• Packets, packets, packets!• Tunneling (Teredo, 6to4)• DNSv6 / DHCPv62

What has not changed• Packets trace the network flow• Upper layer protocols (mostly)3

What has changed• The IP layer protocol (extensions, etc.)• Address resolution• Source and destination addresses (and meaning)• ICMP• Understanding of network analyst4

Common IPv6 Extension HeadersNextHeader(Hex)NextHeader(Decimal)Header NameDescription0 0 Hop-by-Hop Options For all devices on the path2B 43 Routing 0 – Source Routing (deprecated)2 – Mobile IPv62C 44 Fragment Only when packet is fragmented32 50 Encapsulated SecurityPayload (ESP)33 51 Authentication Header(AH)IPSec encrypted dataIPSec authentication3C 60 Destination Options http://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xml (Mobile IP, etc)

IPv6 Hop-by-Hop HeaderSize(bits)FieldNameDescription8 NextHeaderContains the protocol number of the next header8 Length Length of this header in octets (bytes)Variable Options 8 bits for type, length in bytes, and then the option itselfhttp://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xmlRemember: this has to be read by every device!

Sample Fragment Header

IPv6 Destination Options• Destination Options:for end hostSourceDestination

IPv6 Destination OptionsUse of DestinationOptions in Mobile IPv6

From RFC2460: Option 11: discard thepacket and, only if the packet's DestinationAddress was not a multicast address, sendan ICMP Parameter Problem, Code 2,message to the packet's Source Address,pointing to the unrecognized Option Type.

RFC5095 (Deprecation of Type 0 RoutingHeaders in IPv6)• RH0 : can create routingloops.• Deprecated• Segments Left = zero, ignore• Segments Left > zero, sendICMPv6 error message

Malformed Packets• Manipulate headers– IPv6 incorrect orpartial header– Violate headerorder– Violate headeroption restrictionsIPv6 Main Header (40 Bytes)Version Traffic Class Flow LabelPayload Length Next Hdr Hop LimitSource AddressDestination Address

Crafted Packet• Crafted IPv6 packet• Multiple headers• Deprecated headers• Headers out of order

Flow Label• Quality of Service• What is a flow?• All routers on the path• SNA CoS

Trace Packet With Flow Label

Neighbor Discovery• Neighbor Discovery (ND)replaces ARP• RFC4861: Neighbor Discoveryfor IP version 6 (IPv6)• Used in SLAAC• Five ICMPv6 message types:1. Router Advertisement2. Router Solicitation3. Neighbor Advertisement4. Neighbor Solicitation5. Redirect1. This is who I am RouterAtlanta2. Tell me about you3. This is who I amHost14. Tell me about youHost15. I know a better wayRouterDes MoinesRouterAtlantaHost2Host2RouterAtlanta

Neighbor Discovery

Router Advertisement (RA)• Router Advertisement (RA)important for SLAAC.• Sent at intervals• Unsolicited RA sent to FF02::1• Receiving hosts updateconfiguration• RA also responds to RouterSolicitation (RS)• Solicited RA sent to address of RSsenderRouter 1MuncieRouterAdvertisementTime: 10:45am RouterAdvertisementTo: ff02::1Time: 11:00am RouterTo: ff02::1 AdvertisementTime: 11:15amTo: ff02::1RouterSolicitation11:08 amHaven’t heardfrom you in awhile.

Router Advertisement ContentsRouter Advertisements contain:• Stateless / stateful (DHCPv6)• Network prefix• Default router• Hop limit• MTURouter 1MuncieRouter AdvertisementTime: 10:45amTo: ff02::1•Use AutoConfiguration•Statelss•Network Prefix: 2001:: /64•I am default router•For 200 seconds•Hop limit: 126•MTU: 4096

Router Advertisement Packet• Source address• Destination address• ICMP type• Hop limit• Prefix length• Prefix

Router Solicitation (RS)– Sent during SLAAC– Immediate responseneeded– Sent 3 times total ifno responseRouter SolicitationI need an address.Please send arouteradvertisementRouter 1Muncie

Router Solicitation PacketRouter Solicitation Packet• Source address• Destination address• ICMPv6 type

Neighbor Advertisement (NA)Neighbor Advertisements sent:• In response to Neighbor Solicitation• Or if own NIC changes• Contain link-layer addressRouter 1MuncieNeighborAdvertisementTo: fe80::1:2:3:4•My link-localaddress is:fe80::5:6:7:8

Neighbor Advertisement PacketNeighbor Advertisement• ICMP type 136

Neighbor Solicitation (NS)– Neighbor Solicitationsrequest information– Neighbor Advertisementresponse– Sent during SLAAC (DAD)Neighbor SolicitationTo: ff02::1Are you using:fe80::1:2:3:4?– Sent to verify reachability

Neighbor Solicitation Packet

NS Packet (Reachability)Neighbor Solicitation PacketTo a specific unicast address.

Multicast Groups• Multicast: frequently used– All-nodes– All-routers– All-OSPF-routers• Dynamic membershipMulticast Group at 10:00 amMulticast Group at 11:00 am• Multicast ListenerDiscovery (MLD) protocolusedMulticast group at 2:00 pm

Multicast Listener Discovery• RFC2710: MulticastListener Discovery (MLD)for IPv6• RFC3590: Source AddressSelection for the MulticastListener Discovery (MLD)Protocol• RFC3810: MulticastListener Discovery Version2 (MLDv2) for IPv6

MLD Message TypesMLD message typeDescription---------------------------------------------------------------------Multicast Listener Query General Query, used to learn whichmulticast addresses have listeners onan attached link. Multicast-Address-Specific Query, used to learn if aparticular multicast address has anylisteners on an attached link.Multicast Listener Report Sent by a host when it joins amulticast group, or in response to aMulticast Listener Query sent by arouter.Multicast Listener Done Sent by a host when it leaves a hostgroup and might be the last member ofthat group on the network segment.

Multicast Listener Report

New Resource Record Type• DNS A resource record: 32‐bit IPv4 address• DNS AAAA resource record: 128‐bit IPv6 address• Structure similar, but much larger!• Other RRs: CNAME, MX, etc.

AAAA RecordAAAA (or quad A) record : defines an IPv6 address that matches to a hostname.•Can have more than one IPv6 address per host name•Can have more than one host name per IPv6 addressAAAA record format:Host.domain.name. IN AAAA nnnn::nnnnExample:from db.local@ IN AAAA ::1from NAMED.CONFzone "localhost"{ type master;file "/etc/bind/db.local"; };

DNS Query – IPv6Query to resolve IPv6 address for www.kame.net.Command entered: host –t AAAA www.kame.net

DNS Response – IPv6

Commands to Query DNS• DIG : name/address resolution, DNSserver addresses, mail exchanges, nameservers, and related information• HOST : name/address resolution• NSLOOKUP : name/address resolution(deprecated)

DIG Command Samples• # get the IPv4 address(es) for yahoo.comdig yahoo.com A• # get the IPv6 address(es) for yahoo.comdig yahoo.com AAAA• # get the name for an IPv4 addressdig -x 209.131.36.158• # get a list of yahoo's mail serversdig yahoo.com MX• # get a list of DNS servers authoritative for yahoo.comdig yahoo.com NS• # get all of the abovedig yahoo.com ANY

DNS Query – DIG AAAAQuery packet generated by :dig www.kame.net AAAA

Query response packetgenerated by :dig www.kame.net AAAA

Packets generated by:dig www.yahoo.com

DHCPv6 Basic CommandsSolicit,Request,Renew,ReleaseAdvertise,ReplyDHCPv6ServerLAN

DHCPv6 Flow : Start1. Client sends a Solicit message toAll_DHCP_Relay_Agents_and_Servers(FF02::1:2)2. DHCPv6 servers respond withAdvertise messages.3. Client chooses a server and sends aRequest message4. DHCPv6 server responds with a Replymessage1. Find aDHCPv6server2. Here I am! AdvertiseDHCPv6Server3. Will take that address. RequestDHCPv6Server4. OK. ReplyDHCPv6ServerSolicit

DHCPv6 Flow – Continue / End1. Client sends a Renewmessage to DHCPv6 server1. I still want this address RenewDHCPv6Server2. DHCPv6 server responds withReply message.2. OK. ReplyDHCPv6Server3. Client sends a Releasemessage to DHCPv6 server.3. I am done. ReleaseDHCPv6Server4. DHCPv6 server responds with aReply message4. OK. ReplyDHCPv6Server

Packets for InitializationGenerated for client getting address from DHCPv6 server• Packet 22: Solicit from link-local of client to multicastAll_DHCP_Relay_Agents_and_Servers (FF02::1:2)• Packet 23: Advertise from link-local of DHCPv6 server to link-local of client• Packet 27: Request from link-local of client to multicastAll_DHCP_Relay_Agents_and_Servers (FF02::1:2)• Packet 28: Reply from link-local of DHCPv6 server to link-local of client

Solicit messagefrom client

Advertisemessage fromserver

2 nd part ofAdvertisemessage fromserver

Requestmessage fromclient

Server IdentiefrRequestmessage fromclient showingServer Identifier

Reply messagefrom server

6to4 Tunnels6to4Tunnel6to4TunnelIPv6IPv6 SiteAIPv6 toIPv4RouterIPv4BackboneRouterIPv4IPv4RouterIPv6 SiteBIPv6 toIPv4IPv6• 6to4 tunnels allow IPv6 packets over an IPv4 network.• RFC 3056: Connection of IPv6 Domains via IPv4 Clouds.• 6to4 is transition mechanism• Operational differences– 6to4 interface automatically created in Windows XP and above– Most Unix implementations support 6to4– Cisco routers support 6to4 tunnels– z/OS Communications Server mainframe cannot be tunnel endpoint

IPv6 packet insidean IPv4 packet.Tunneling methodis being used.

Why Teredo?• Teredo does not need a router• Tunneling issues with NAT• NATs don’t translate IPv6 packetsin IPv4• Teredo uses UDP encapsulation.(IPv6 packet becomes IPv4 UDPmessage• UDP messages traverse multiplelayers of NATs.IPv4 UDPPacketIPv6Router 1IPv4Router 2IPv4TeredoHost 1IPv6• Teredo is subject to the samesecurity issues as any tunneledprotocolIPv4 UDPPacketIPv6TeredoHost 2IPv6

56IPv6 packet insidean IPv4 packet.Teredo tunnelingmethod used.

Other IPv6 Sessions• Sunday: 3:00 - Intro to IPv6 Addressing• Tuesday: 4:45 - IPv6 Trace Analysis UsingWireshark• Wednesday: 10:15 - IPv6 Security57

IPv6 Trace Analysis using Wireshark - Sharkfest - Wireshark

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?