Wednesday, August 5, 2015

Just how many IPv6 prefixes can be advertised in an ICMPv6 RA (Fortigate / Juniper / Cisco firewall)?

A:
So if the Cisco switch is limited to a total of 44 IPv6 prefixes, what can a Fortigate firewall do?

32 IPv6 prefixes, and that's the max number you can install under "config ip6-prefix-list" per interface. You can't configure more than 32 prefixes per interface.

B:
So if the Cisco switch is limited to a total of 44 IPv6 prefixes, what can a Juniper SRX firewall do?

44 IPv6 prefixes. You can configure more than the max number with "set protocols router-advertisement interface" per interface, but Junos will only deliver the first 44 prefixes in the ICMPv6 RA per interface.



C:
So if the Cisco switch is limited to a total of 44 IPv6 prefixes, what can a Cisco ASA firewall do?

45 IPv6 prefixes. You can configure more under the interface, but the Cisco ASA will only deliver the first 45 prefixes.


But I ran into a problem with a Mac OS X machine picking up prefixes; I will discuss my findings in a future post.


These were the firewall versions that I tested with:

Fortinet Fortigate  = FortiOS 5.2.3
Juniper SRX = JUNOS 12.1X46-D15.3
Cisco ASA = 9.4.1

So why is the total number of prefixes limited to just 44 or 45 IPv6 prefixes?

The total is due to the size of the Ethernet frame (the MTU). With a 1500-byte MTU, an ICMPv6 RA packet can only carry 44-45 IPv6 prefixes, because the packet carries, for every prefix, the prefix length and the lifetime timer options. Any more and the ICMPv6 RA will not fit into a standard Ethernet frame.

So to prove this point, I took the same Juniper SRX and changed the interface vlan.0 MTU from 1500 to 1000 bytes.

See the before and after screenshots.


Now, while the ICMPv6 RA is being constructed and sent, the total Ethernet frame size is smaller, so fewer prefixes are included in the Router Advertisement. We now have a total of 28 IPv6 prefixes in one advertisement.
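As an added example (not from the original post), here is the arithmetic behind the 44/45 limit and the MTU-1000 result, done by actually assembling an RA per RFC 4861 and checking whether it fits the link MTU. Assumptions: the RA carries a Source Link-Layer Address option and an MTU option (8 bytes each) next to the 32-byte Prefix Information options, the checksum is left at zero, the MAC and the 2001:db8::/32 prefixes are constructed, and the `l2_overhead` parameter models a configured MTU that counts the 14-byte Ethernet header.

```python
import struct

IPV6_HDR = 40   # fixed IPv6 header
RA_HDR = 16     # RA: type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def constructed_prefixes(n):
    """n constructed documentation prefixes 2001:db8:0:<i>::/64 as (16 bytes, plen)."""
    return [(bytes.fromhex("20010db80000") + struct.pack("!H", i) + bytes(8), 64)
            for i in range(n)]


def build_ra(prefixes, slla=True, mtu_opt=None):
    """ICMPv6 payload of an RA (no IPv6 header); checksum left at zero."""
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)          # RA_HDR bytes
    if slla:                                                              # type 1, len 1 (8 B)
        ra += struct.pack("!BB6s", 1, 1, bytes.fromhex("001122334455"))   # constructed MAC
    if mtu_opt is not None:                                               # type 5, len 1 (8 B)
        ra += struct.pack("!BBHI", 5, 1, 0, mtu_opt)
    for prefix, plen in prefixes:                                         # type 3, len 4 (32 B)
        # prefix length, L|A flags, valid lifetime, preferred lifetime, reserved, prefix
        ra += struct.pack("!BBBBIII16s", 3, 4, plen, 0xC0, 2592000, 604800, 0, prefix)
    return ra


def fits(n, link_mtu, l2_overhead=0, slla=True, mtu_opt=None):
    """True if an RA with n prefixes fits one frame. l2_overhead is the 14-byte
    Ethernet header, subtracted only when the configured MTU counts it (assumption)."""
    size = IPV6_HDR + len(build_ra(constructed_prefixes(n), slla, mtu_opt))
    return size <= link_mtu - l2_overhead


def max_prefixes(link_mtu, **kw):
    """Largest n such that the RA still fits in a single frame."""
    n = 0
    while fits(n + 1, link_mtu, **kw):
        n += 1
    return n


if __name__ == "__main__":
    print("1500 MTU, SLLA + MTU options  :", max_prefixes(1500, mtu_opt=1500))                # 44
    print("1500 MTU, no extra options    :", max_prefixes(1500, slla=False))                  # 45
    print("1000 MTU as L3 value          :", max_prefixes(1000, mtu_opt=1000))                # 29
    print("1000 MTU incl. 14 B L2 header :", max_prefixes(1000, l2_overhead=14, mtu_opt=986)) # 28
```

The 28 prefixes seen at MTU 1000 only come out of the arithmetic if the configured value includes the 14-byte Ethernet header; treating it as a pure layer-3 MTU gives 29. Which of the two the SRX applies is an assumption here, not something the screenshots confirm.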


IPv6 hates fragmentation: the router will not fragment the RA, nor will it split the prefixes across two Router Advertisements.


RFC 6980 speaks a little about this and about the security risks of ND and fragments.

https://www.rfc-editor.org/info/rfc6980



I hope this sheds some light on ICMPv6 RA packets. Please read these two other posts:

http://socpuppet.blogspot.com/2014/03/protection-from-rouge-ra-advertisements.html
http://socpuppet.blogspot.com/2015/07/ipv6-ra-security-concerns.html


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \
