BI-5 ICMPv6 PDF

The document discusses ICMPv6 (Internet Control Message Protocol version 6) and how it differs from ICMPv4. Some key changes include ICMPv6 having more informational messages compared to error messages, and ICMPv6 handling functions like router discovery, prefix discovery, and neighbor unreachability that were previously done by ARP in IPv4. The document also provides information on common ICMPv6 error and informational message types.

Uploaded by

nshivegowda

ICMPv6

Nalini Elkins
CEO
Inside Products, Inc.
[email protected]
Agenda

• Changes ICMPv4 / ICMPv6

• New ICMPv6 functions


– Router discovery,
– Prefix discovery,
– Parameter discovery,
– Address resolution,
– Neighbor unreachability,
– Duplicate Address Detection,
– Redirect
Why ICMP?

• IP uses ICMP to convey error information.

• Like what?
– Host unreachable
– Port unreachable
– Firewall stopped the packet
– There is a better way to get from here to there
ICMPv4 Messages

• Some ICMPv4 packets are ‘functional’
• Like what?
– Ping
– Redirect
– Sometimes called ‘informational’

• ICMP messages are transferred through the network as the data portion of an IP datagram.
• This means that ICMP messages themselves can be lost.
• To avoid generation of error messages about error messages, new error messages about ICMP errors are not generated.
• Each ICMP message has a slightly different format but the first 4 bytes are ALWAYS the same.
Hack – SMURF : ICMP Protocol

• A SMURF Attack is a denial-of-service network attack (DoS) that is directed towards some pre-determined target, usually a server.
• Any server that is plugged into a network and can receive IP packets is vulnerable.
• These attacks come very quickly and present themselves as very hard to trace.
ICMP SMURF

[Figure: ICMP SMURF diagram – a Server on the TCP/IP network (TCP App., Data sets) with several PING / PING Response exchanges between the network hosts and the server.]
Performing a SMURF Attack involves:


• Creating an ICMP packet, usually an echo or a ping request packet, and placing
the victim's address in the return field (a forged packet).
• This packet is then broadcast onto the network, being received by several hosts
who blindly reply to the victim with a response.
• The victim, now receiving several times its usual load, is overwhelmed with
response packets.
Reflector Attacks

• Reflectors: All Web or DNS servers, and routers are potential reflectors, since they will return
– SYN acks or RSTs in response to SYN or other TCP packets;
– Query replies in response to query requests; or
– ICMP Time Exceeded or Host Unreachable in response to particular IP packets.

• By spoofing IP addresses from slaves — a massive distributed Denial of Service (dDoS) attack can be arranged.
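On the victim's side, the SMURF and reflector pattern described on the last two slides has one clear signature: a burst of echo replies (and other responses) arriving from many different hosts that the victim never sent requests to. The following is an added example, not code from the slides, of a small detector that applies that rule to ICMPv6 flow-log lines. The log format, the addresses (documentation prefix 2001:db8::/32) and the threshold are constructed for the example; the function names are mine.

```python
"""Flag hosts receiving unsolicited ICMPv6 echo replies from many sources.
Added example; the log lines below are constructed, not captured traffic."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

ECHO_REQUEST = 128   # ICMPv6 type numbers from the informational-message table
ECHO_REPLY = 129

# Constructed flow-log format: "<time> ICMPv6 type=<n> src=<addr> dst=<addr>"
LINE_RE = re.compile(r"ICMPv6\s+type=(\d+)\s+src=(\S+)\s+dst=(\S+)")

# Constructed sample: one legitimate ping exchange, one host (::99) being
# reflected on by four others, and one stray unsolicited reply to ::42.
SAMPLE_LOG: List[str] = """\
10:00:01 ICMPv6 type=128 src=2001:db8::10 dst=2001:db8::20
10:00:01 ICMPv6 type=129 src=2001:db8::20 dst=2001:db8::10
10:00:02 ICMPv6 type=129 src=2001:db8::a dst=2001:db8::99
10:00:02 ICMPv6 type=129 src=2001:db8::b dst=2001:db8::99
10:00:02 ICMPv6 type=129 src=2001:db8::c dst=2001:db8::99
10:00:02 ICMPv6 type=129 src=2001:db8::d dst=2001:db8::99
10:00:03 ICMPv6 type=129 src=2001:db8::e dst=2001:db8::42
""".splitlines()


def find_reflection_victims(lines: Iterable[str], threshold: int = 3) -> Dict[str, List[str]]:
    """Return {victim: [reflector, ...]} for destinations that received echo
    replies from at least `threshold` distinct sources without having sent a
    matching Echo Request.  Lines are assumed to be in chronological order, so
    a request is always seen before the reply it solicits."""
    solicited = set()                       # (requester, responder) pairs with a request on record
    unsolicited = defaultdict(set)          # victim -> set of reflectors
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue                        # not an ICMPv6 record; ignore
        msg_type, src, dst = int(match.group(1)), match.group(2), match.group(3)
        if msg_type == ECHO_REQUEST:
            solicited.add((src, dst))
        elif msg_type == ECHO_REPLY and (dst, src) not in solicited:
            unsolicited[dst].add(src)       # reply with no request from dst to src
    return {victim: sorted(sources)
            for victim, sources in unsolicited.items()
            if len(sources) >= threshold}


if __name__ == "__main__":
    for victim, reflectors in find_reflection_victims(SAMPLE_LOG).items():
        print(f"{victim}: {len(reflectors)} unsolicited reply sources: {', '.join(reflectors)}")
```

The single stray reply to 2001:db8::42 stays below the threshold, and the reply to 2001:db8::10 is matched by its request, so only 2001:db8::99 is reported. The same bookkeeping works for the other reflector types on the slide (SYN/ACK, RST, DNS replies) once the request/response pairing is adapted to that protocol.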
What has changed?

ICMPv4 Messages
---- -----------
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect Message
8 Echo Request
11 Time Exceeded
12 Parameter Problem
13 Timestamp Request
14 Timestamp Reply
17 Address Mask Request
18 Address Mask Reply
ICMPv6 Error Messages

Type Name                             Reference
---- -------------------------------- ---------
1    Destination Unreachable          [RFC2463]
2    Packet Too Big                   [RFC2463]
3    Time Exceeded                    [RFC2463]
4    Parameter Problem                [RFC2463]

Error messages have message types from 0 to 127.


ICMPv4 Error – Info Ratio

• Error messages : 90%

• Informational : 10%
ICMPv6 Error – Info Ratio

• Error messages : 20%

• Informational : 80%
ICMPv6 Info Messages

• Why????
• Informational : 80%
– ARP gone!
– Replaced by Neighbor discovery / Router discovery, Multicast Listener Discovery
– Mobile IP
ICMPv6 Informational Messages

Type Name
---- ------------------------------------------------
128  Echo Request
129  Echo Reply
130  Multicast Listener Query
131  Multicast Listener Report
132  Multicast Listener Done
133  Router Solicitation
134  Router Advertisement
135  Neighbor Solicitation
136  Neighbor Advertisement
137  Redirect Message
138  Router Renumbering
139  ICMP Node Info. Query
140  ICMP Node Info. Response
141  Inverse Neighbor Discovery Solicitation Message
142  Inverse Neighbor Discovery Advertisement Message
143  Version 2 Multicast Listener Report
144  Home Agent Address Discovery Request Message
145  Home Agent Address Discovery Reply Message
146  Mobile Prefix Solicitation
147  Mobile Prefix Advertisement
148  Certification Path Solicitation
149  Certification Path Advertisement
150  Experimental mobility protocols
151  Multicast Router Advertisement
152  Multicast Router Solicitation
153  Multicast Router Termination
ICMPv6 Echo Request

Destination Address: Any legal IPv6 address.

ICMPv6 Echo Reply

• An Echo Reply SHOULD be sent in response to an Echo Request message sent to an IPv6 multicast address.
• The source address of the reply MUST be a unicast address belonging to the interface on which the multicast Echo Request message was received.
Ping to Multicast Addresses

Pinging ff02::1 with 32 bytes of data:

Reply from ff02::1: time<1ms
Reply from ff02::1: time<1ms
Reply from ff02::1: time<1ms
Reply from ff02::1: time<1ms

Ping statistics for ff02::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Did a Ping for Multicast address: FF02:0:0:0:0:0:0:1 All Nodes Address

Pinging ff02::2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for ff02::2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Did a Ping for Multicast address: FF02:0:0:0:0:0:0:2 All Routers Address

Does this mean my router is down?
Ping to www.kame.net

Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data:

Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=227ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=228ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=250ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time=349ms

Ping statistics for 2001:200:0:8002:203:47ff:fea5:3085:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 227ms, Maximum = 349ms, Average = 263ms

The router stack SHOULD implement an echo reply but there is no MUST in the RFC! Do not have to implement echo reply for multicast address.
IPv6 Destination Unreachable

Code 0 – No Route To Destination: The datagram was not delivered because it could not be routed to the destination. Since this means the datagram could not be sent to the destination device's local network, this is basically equivalent to the “Network Unreachable” message subtype in ICMPv4.

Code 1 – Communication With Destination Administratively Prohibited: The datagram could not be forwarded due to filtering that blocks the message based on its contents. Equivalent to the message subtype with the same name (and Code value 13) in ICMPv4.

Code 3 – Address Unreachable: There was a problem attempting to deliver the datagram to the host specified in the destination address. This code is equivalent to the ICMPv4 “Host Unreachable” code and usually means the destination address was bad or there was a problem with resolving it into a layer two address.

Code 4 – Port Unreachable: The destination port specified in the UDP or TCP header was invalid or does not exist on the destination host.

ICMPv4 Dest Unreach Subcodes
0: Network Unreachable
1: Host Unreachable
2: Protocol Unreachable
4: Fragmentation Needed and DF Set
5: Source Route Failed
6: Destination Network Unknown
7: Destination Host Unknown
8: Source Host Isolated
9: Communication with Destination Network is Administratively Prohibited
10: Communication with Destination Host is Administratively Prohibited
11: Destination Network Unreachable for Type of Service
12: Destination Host Unreachable for Type of Service
13: Communication Administratively Prohibited
14: Host Precedence Violation
15: Precedence Cutoff In Effect
ICMPv6 Packet Too Big

• In IPv6, routers are not allowed to fragment datagrams that are too large to send over a physical link to which they are connected.
• The packet is dropped, and an ICMPv6 Packet Too Big message is sent. (Minimum IPv6 MTU: 1280 bytes.)
• Used in Path MTU Discovery
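The "first 4 bytes are ALWAYS the same" rule from the ICMPv4 slides carries over to ICMPv6: one byte of type, one of code and a 16-bit checksum, followed by a type-specific body, which for Packet Too Big is the 32-bit MTU. The following is an added example, not code from the slides, that builds and parses a Packet Too Big message, verifies the checksum over the IPv6 pseudo-header, flags an advertised MTU below the 1280-byte minimum, and applies the "no error messages about error messages" rule from the earlier slide. The addresses are documentation-prefix values chosen for the example and the helper names are mine; the field layouts follow RFC 4443 (the successor to the RFC 2463 cited on the slides).

```python
"""Build and parse ICMPv6 messages: common 4-byte header, pseudo-header
checksum, Packet Too Big MTU field, and the "no errors about errors" rule.
Added example, not code from the slides."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58          # IPv6 Next Header value for ICMPv6
PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280              # every IPv6 link must carry at least this
IPV6_HEADER_LEN = 40


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum, as used by the ICMPv6 checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """Checksum over the IPv6 pseudo-header (src, dst, length, next header)
    followed by the ICMPv6 message with its checksum field zeroed."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Minimal 40-byte IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def build_packet_too_big(src: str, dst: str, mtu: int, offending: bytes) -> bytes:
    """Type 2, code 0, checksum, 32-bit MTU, then as much of the offending
    packet as fits while keeping the whole error within the minimum MTU."""
    body = struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, mtu)
    body += offending[:IPV6_MIN_MTU - IPV6_HEADER_LEN - len(body)]
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def parse_icmpv6(src: str, dst: str, message: bytes) -> dict:
    """Decode the common header every ICMPv6 message shares, then type-specific fields."""
    if len(message) < 4:
        raise ValueError("ICMPv6 message shorter than the 4-byte common header")
    msg_type, code, stored = struct.unpack("!BBH", message[:4])
    info = {
        "type": msg_type,
        "code": code,
        "is_error": msg_type < 128,          # 0-127 error, 128-255 informational
        "checksum_ok": icmpv6_checksum(src, dst, message) == stored,
    }
    if msg_type == PACKET_TOO_BIG:
        if len(message) < 8:
            raise ValueError("Packet Too Big needs the 4-byte MTU field")
        mtu = struct.unpack("!I", message[4:8])[0]
        info["mtu"] = mtu
        # A receiver should not lower its path MTU below the IPv6 minimum on
        # the say-so of an unauthenticated error message.
        info["mtu_plausible"] = mtu >= IPV6_MIN_MTU
    return info


def may_send_error_for(offending_packet: bytes) -> bool:
    """Rule from the ICMPv4 slide, kept in ICMPv6: never generate an error
    message in response to an ICMPv6 error message (type < 128)."""
    if len(offending_packet) <= IPV6_HEADER_LEN:
        return True                          # no ICMPv6 header visible to judge by
    next_header = offending_packet[6]
    first_icmp_byte = offending_packet[IPV6_HEADER_LEN]
    return not (next_header == ICMPV6_NEXT_HEADER and first_icmp_byte < 128)


if __name__ == "__main__":
    router, sender = "2001:db8::1", "2001:db8::2"
    dropped = ipv6_header(sender, "2001:db8::3", 17, 1400) + b"\x00" * 8
    ptb = build_packet_too_big(router, sender, 1400, dropped)
    print(parse_icmpv6(router, sender, ptb))
```

Because the checksum covers the pseudo-header, a message that is replayed with a different source or destination address fails the check even if its bytes are untouched, which is one reason a receiver should validate it before acting on the MTU.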


Now, the more complicated ones!

–Neighbor discovery,

–Router discovery,

–Multicast Listener Discovery


Stateless Autoconfiguration

• Stateless autoconfiguration allows a node to be configured without any configuration server.
• How? A node configures its own globally routable addresses in cooperation with a local IPv6 router.
• The address combines the 48- or 64-bit MAC address of the adapter with network prefixes that are learned from the neighboring router.
• In the case of multi-homed devices, autoconfiguration is performed for each interface separately.
Example on Windows PC: result of IPConfig

• Stateless autoconfiguration uses the Neighbor Discovery protocol.

Ethernet adapter Local Area Connection:
Description : Realtek Family Fast Ethernet NIC
Physical Address : 00-11-D8-39-29-2B
Autoconfiguration Enabled . : Yes
IP Address : fe80::211:d8ff:fe39:292b%4
Stateless Autoconfiguration Steps 1 - 2

• Link-Local Address Generation: The device generates a link-local address.

• Link-Local Address Uniqueness Test:
– Is someone using my address?
– Sends Neighbor Solicitation message
– Listens for a Neighbor Advertisement
Stateless Autoconfiguration Steps 3 - 4

• Link-Local Address Assignment:
– Can be used for communication on the local network, but not on internet or intranet.

• Router Contact:
– Asks local router what to do
– Sends Router Solicitation
– Listens for Router Advertisement

• Router Direction:
– Are we stateful / stateless
– What prefix do we use?
Stateless Autoconfiguration Step 5

• Global Address Configuration:
– If using stateless autoconfiguration, form global unicast address combining network prefix and MAC address (IID).

• Advantages:
– Low administrative costs

• Disadvantages
– Low administrative costs
Stateless Autoconfig on Windows

• To see stateless autoconfiguration at work, start with a Windows PC with no IPv6 enabled.
• Look at the IPconfig above.
• You see only IPv4 connections
• Let’s install IPv6.
After IPv6 Installed Successfully

• Notice what addresses are assigned.
• Will we be able to go out over the internet?
• What do you think is the MAC address?
• Why did this happen?

IPConfig with Global Unicast Addresses

• Will we be able to go out over the internet?
• Why did this happen?
• Notice default IPv6 gateway.

• Notice the sequence of events.
• Where is the MAC address?
• What is the Next Header field?
• What address do you think will be assigned?

• What kind of an address is ::?
• How about ff02::2?
• How about ff02::1:ff39:292b?
• And fe80::211:d8ff:fe39:292b?
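The addresses in the questions above all follow from the MAC address on the IPConfig slide (00-11-D8-39-29-2B). The following added example, not code from the slides, works through the derivation: the modified EUI-64 interface identifier, the link-local address fe80::211:d8ff:fe39:292b, a global address formed from a prefix learned in a Router Advertisement, the solicited-node multicast group ff02::1:ff39:292b that Duplicate Address Detection sends to, and the unspecified source :: on that Neighbor Solicitation. It also recovers the MAC from such an address, which is why the "Where is the MAC address?" question matters for privacy. The 2001:db8 prefix is a placeholder and the function names are mine.

```python
"""SLAAC address derivation from a MAC address, and the multicast groups
Neighbor Discovery uses.  Added example, not code from the slides."""
import ipaddress
from typing import Dict, Optional

ALL_NODES = ipaddress.IPv6Address("ff02::1")      # every node listens here
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")    # Router Solicitations go here
# ff02::1:ff00:0/104 plus the low 24 bits of a unicast address
SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]


def _mac_octets(mac: str) -> bytes:
    """Accept 00-11-D8-39-29-2B or 00:11:d8:39:29:2b."""
    octets = bytes(int(part, 16) for part in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return octets


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: insert ff:fe between the OUI and the device part and
    flip the universal/local bit (0x02 of the first octet)."""
    octets = _mac_octets(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (fe80::/64 for link-local, or one from a Router
    Advertisement) with the EUI-64 interface identifier."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a 64-bit prefix")
    return ipaddress.IPv6Address(network.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node_multicast(address: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of the unicast address."""
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + ipaddress.IPv6Address(address).packed[13:])


def mac_from_eui64_address(address: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 interface identifier; None when
    the address was not formed that way (e.g. a privacy or random IID)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in octets)


def dad_neighbor_solicitation(mac: str) -> Dict[str, str]:
    """Addresses on the Neighbor Solicitation a node sends for Duplicate
    Address Detection of its tentative link-local address (slide steps 1-2)."""
    tentative = slaac_address("fe80::/64", mac)
    return {
        "source": "::",                      # unspecified: the address is not usable yet
        "destination": str(solicited_node_multicast(str(tentative))),
        "target": str(tentative),
    }


if __name__ == "__main__":
    mac = "00-11-D8-39-29-2B"                 # from the IPConfig slide
    print("link-local :", slaac_address("fe80::/64", mac))
    print("global     :", slaac_address("2001:db8:1:2::/64", mac))   # placeholder prefix
    print("DAD NS     :", dad_neighbor_solicitation(mac))
    print("MAC again  :", mac_from_eui64_address("fe80::211:d8ff:fe39:292b"))
```

Because the interface identifier is the same in every prefix the host ever uses, an EUI-64 address lets a remote peer track the hardware across networks; RFC 4941 temporary addresses and RFC 7217 stable-but-opaque identifiers exist to avoid exactly that, and mac_from_eui64_address returns None for them.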
What is a Neighbor?

• Two devices are neighbors if they are on the same local network
• Either a host or a router.

What is Discovery?

• Not just who our neighbors are but also important information about them.
• Such as:
– address resolution,
– parameter communication,
– autoconfiguration,
– local network connectivity,
– datagram routing and
– configuration.

[Figure: Neighbors on a Local Network asking each other: What network prefix should I use? What MTU? How do I do autoconfiguration? Are you using the address that I want to use?]
Neighbor Discovery Standards

• The Neighbor Discovery protocol was originally defined in RFC 1970 (1996), revised in RFC 2461 (1998), and ongoing….

Neighbor Discovery Messages - ICMPv6

• Most of the functions of the ND protocol are implemented using a set of four ICMPv6 control messages: Router Advertisement, Router Solicitation, Neighbor Advertisement, Neighbor Solicitation.
• ND can use the authentication and encryption of IPsec.
ND Implementation – ICMPv6

• ND implements its functions using ICMPv6 messages.

1. Router Advertisement Messages: Sent regularly by routers to tell hosts that they exist and provide important prefix and parameter information to them.
2. Router Solicitation Messages: Sent by hosts to request that any local routers send a Router Advertisement message so they don't have to wait for the next regular advertisement message.
3. Neighbor Advertisement Messages: Sent by hosts to indicate the existence of the host and provide information about it.
4. Neighbor Solicitation Messages: Sent to verify the existence of another host and to ask it to transmit a Neighbor Advertisement.

[Figure: Router Atlanta and Hosts 1 and 2 exchanging the four messages, numbered as in the list above – 1. "This is who I am" (Router Atlanta), 2. "Tell me about you" (to Router Atlanta), 3. "This is who I am" (Host), 4. "Tell me about you" (Host 1 to Host 2).]
Router Advertisement Packet

Source Address: MUST be the link-local address assigned to the interface from which this message is sent.

Destination Address: Typically the Source Address of an invoking Router Solicitation or the all-nodes multicast address.
Router Solicitation Packet

Source address: usually the unspecified IPv6 address (0:0:0:0:0:0:0:0) or configured unicast address of the interface.

Destination address: the all-routers multicast address (FF02::2) with the link-local scope.
Neighbor Solicitation Packet

Source address: Either an address assigned to the interface from which this message is sent or (if Duplicate Address Detection is in progress) the unspecified address.

Destination address: Either the solicited-node multicast address (ff02::1..) corresponding to the target address, or the target address.
Neighbor Advertisement

• ICMP type 136
– From RFC2461: A node sends Neighbor Advertisements in response to Neighbor Solicitations and sends unsolicited Neighbor Advertisements in order to (unreliably) propagate new information quickly.
Neighbor Solicitation Packet
To a specific unicast address.
Duplicate Address Detection
Multicast Group Membership

• Group membership is dynamic, allowing hosts to join and leave the group at any time.
• The joining of multicast groups is performed through the sending of group membership messages.
• In IPv6, Multicast Listener Discovery (MLD) messages are used to determine group membership on a network segment.

[Figure: the same multicast group shown at 10:00 am, at 11:00 am and at 2:00 pm, as its membership changes.]
Multicast Listener Discovery

• MLD is used to exchange membership status information between IPv6 routers that support multicasting and members of multicast groups on a network segment.
• Host membership in a multicast group is reported by individual member hosts, and membership status is periodically polled by multicast routers.
• MLD is defined in RFC 2710, "Multicast Listener Discovery (MLD) for IPv6."
MLD Message Types

MLD message type           Description
-------------------------- ------------------------------------------------------------
Multicast Listener Query   Sent by a multicast router to poll a network segment for group members. Queries can be general (requesting group membership for all groups), or specific (requesting group membership for a specific group).

Multicast Listener Report  Sent by a host when it joins a multicast group, or in response to a MLD Multicast Listener Query sent by a router.

Multicast Listener Done    Sent by a host when it leaves a host group and might be the last member of that group on the network segment.
RFC3971 SEcure Neighbor Discovery

To secure the various functions in NDP, a set of new Neighbor Discovery options is
introduced. The components of the solution are:
– Certification paths, anchored on trusted parties, are expected to certify the authority of
routers.
– A host must be configured with a trust anchor to which the router has a certification path
before the host can adopt the router as its default router.
– Certification Path Solicitation and Advertisement messages are used to discover a
certification path to the trust anchor without requiring the actual Router Discovery messages
to carry lengthy certification paths.
– The receipt of a protected Router Advertisement message for which no certification path is
available triggers the authorization delegation discovery process.
– Cryptographically Generated Addresses are used to make sure that the sender of a
Neighbor Discovery message is the "owner" of the claimed address.
– A public-private key pair is generated by all nodes before they can claim an address.
– A new NDP option, the CGA option, is used to carry the public key and associated
parameters.
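The last three components above (Cryptographically Generated Addresses, the key pair every node needs, and the CGA option that carries the public key and parameters) rest on the construction in RFC 3972: the interface identifier of the address is derived from a hash of the public key and a CGA Parameters structure, so a receiver of a Neighbor Discovery message can recompute the hash and check that the sender really owns the address it claims. The following is an added example, not code from the slides or from any SEND implementation, of that generation and verification. The public key is a constructed placeholder blob rather than a real DER-encoded key, the prefix is a documentation value, and the function names are mine.

```python
"""Cryptographically Generated Addresses (RFC 3972) as used by SEND (RFC 3971).
Added example; the public key below is a constructed placeholder, not a key."""
import hashlib
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Placeholder: in the real protocol this is the DER-encoded public key of the node.
EXAMPLE_PUBLIC_KEY = b"constructed-placeholder-public-key-blob"


@dataclass(frozen=True)
class CgaParameters:
    """The CGA Parameters structure that the CGA option carries alongside the key."""
    modifier: bytes          # 16 octets, chosen (and searched) by the address owner
    subnet_prefix: bytes     # 8 octets: the /64 the address is formed in
    collision_count: int     # 0, 1 or 2; incremented after a DAD collision
    public_key: bytes        # the owner's public key

    def encode(self) -> bytes:
        return self.modifier + self.subnet_prefix + bytes([self.collision_count]) + self.public_key


def _hash1(params: CgaParameters) -> bytes:
    """Leftmost 64 bits of SHA-1 over the encoded parameters (becomes the IID)."""
    return hashlib.sha1(params.encode()).digest()[:8]


def _hash2(modifier: bytes, public_key: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1 over modifier | 9 zero octets | public key."""
    return hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()[:14]


def _leading_zero_bits(data: bytes) -> int:
    count = 0
    for byte in data:
        if byte:
            return count + 8 - byte.bit_length()
        count += 8
    return count


def generate_cga(prefix: str, public_key: bytes, sec: int = 0, collision_count: int = 0,
                 modifier: Optional[bytes] = None) -> Tuple[ipaddress.IPv6Address, CgaParameters]:
    """Form a CGA in `prefix`.  `sec` (0..7) demands 16*sec leading zero bits
    in Hash2, which makes the modifier search (and any brute-force attack on
    the address) correspondingly more expensive."""
    if not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("sec must be 0..7 and collision_count 0..2")
    subnet_prefix = ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]
    modifier = modifier if modifier is not None else os.urandom(16)
    # Hash2 search: step the modifier until the sec requirement holds (immediate for sec=0).
    while _leading_zero_bits(_hash2(modifier, public_key)) < 16 * sec:
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    params = CgaParameters(modifier, subnet_prefix, collision_count, public_key)
    iid = bytearray(_hash1(params))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # bits 0-2 carry sec; u/g bits (6, 7) cleared
    return ipaddress.IPv6Address(subnet_prefix + bytes(iid)), params


def verify_cga(address: str, params: CgaParameters) -> bool:
    """Receiver-side check: does this address really derive from these parameters?"""
    packed = ipaddress.IPv6Address(address).packed
    if params.collision_count > 2 or params.subnet_prefix != packed[:8]:
        return False
    iid, sec = packed[8:], packed[8] >> 5
    mask = b"\x1c" + b"\xff" * 7             # sec bits and u/g bits are not compared
    expected = _hash1(params)
    if bytes(a & m for a, m in zip(iid, mask)) != bytes(e & m for e, m in zip(expected, mask)):
        return False
    return _leading_zero_bits(_hash2(params.modifier, params.public_key)) >= 16 * sec


if __name__ == "__main__":
    addr, params = generate_cga("2001:db8:1:2::/64", EXAMPLE_PUBLIC_KEY)   # placeholder prefix
    print(addr, verify_cga(str(addr), params))
```

verify_cga only binds the address to the key. SEND additionally requires the sender to sign the Neighbor Discovery message with the matching private key (the RSA Signature option), which is what stops a third party from simply replaying someone else's parameters; with both checks, a node that announces an address it does not own is rejected rather than believed.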
Summary

• I will have a job forever because no one can keep up with all this!

• Email: [email protected]
