ICMPv6 - Wireshark


ICMPv6
Nalini Elkins, CEO, Inside Products, Inc.
Nalini.elkins@insidethestack.com

Agenda
– Changes ICMPv4 / ICMPv6
– New ICMPv6 functions:
  – Router discovery
  – Prefix discovery
  – Parameter discovery
  – Address resolution
  – Neighbor unreachability
  – Duplicate Address Detection
  – Redirect


Why ICMP?
IP uses ICMP to convey error information. Like what?
– Host unreachable
– Port unreachable
– Firewall stopped the packet
– There is a better way to get from here to there


ICMPv4 Messages
Some ICMPv4 packets are ‘functional’. Like what?
– Ping
– Redirect
– Sometimes called ‘informational’

ICMP messages are transferred through the network as the data portion of an IP datagram. This means that ICMP messages themselves can be lost.
To avoid generating error messages about error messages, no new error messages are generated about ICMP errors.
Each ICMP message has a slightly different format, but the first 4 bytes are ALWAYS laid out the same way.

Hack – SMURF: ICMP Protocol
A SMURF attack is a denial-of-service (DoS) network attack directed at some pre-determined target, usually a server.
Any server that is plugged into a network and can receive IP packets is vulnerable.
These attacks come on very quickly and are very hard to trace.

ICMP SMURF
(Figure: a TCP/IP network in which several hosts each send a PING response to the server running the TCP application and its datasets.)
Performing a SMURF attack involves:
– Creating an ICMP packet, usually an echo or ping request packet, and placing the victim's address in the return field (a forged packet).
– This packet is then broadcast onto the network, being received by several hosts who blindly reply to the victim with a response.
– The victim, now receiving several times its usual load, is overwhelmed with response packets.

Reflector Attacks
Reflectors: all web or DNS servers, and routers, are potential reflectors, since they will return
– SYN ACKs or RSTs in response to SYN or other TCP packets;
– query replies in response to query requests; or
– ICMP Time Exceeded or Host Unreachable in response to particular IP packets.
By spoofing IP addresses from slaves, a massive distributed Denial of Service (DDoS) attack can be arranged.
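The Smurf and reflector slides describe what the victim sees: Echo Replies arriving from many hosts it never queried. The following detector is an added example (not from the slides); it runs over constructed flow records of the form "src dst icmp_type" and flags destinations whose count of distinct reply sources exceeds both a threshold and the number of Echo Requests they actually sent. The record format and the sample data are assumptions made for the example.

```python
"""Flag likely Smurf / reflector victims in ICMP flow records.

Added example, not from the slides.  Input lines are constructed flow
records of the form "src dst icmp_type".  At the victim, a Smurf or
reflector attack shows up as Echo Replies (ICMPv4 type 0, ICMPv6 type
129) arriving from many distinct hosts although the victim itself sent
few or no Echo Requests (ICMPv4 type 8, ICMPv6 type 128).
"""
from collections import defaultdict

ECHO_REQUEST_TYPES = {8, 128}
ECHO_REPLY_TYPES = {0, 129}

# Constructed sample: 10.0.0.9 pings 10.0.0.1 normally, while 10.0.0.5
# receives replies from five hosts it never queried (spoofed requests).
SAMPLE_RECORDS = """\
10.0.0.9 10.0.0.1 8
10.0.0.1 10.0.0.9 0
192.168.1.10 10.0.0.5 0
192.168.1.11 10.0.0.5 0
192.168.1.12 10.0.0.5 0
192.168.1.13 10.0.0.5 0
192.168.1.14 10.0.0.5 0
2001:db8::7 2001:db8::1 128
2001:db8::1 2001:db8::7 129
"""


def parse_records(text):
    """Yield (src, dst, icmp_type) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, icmp_type = line.split()
        yield src, dst, int(icmp_type)


def find_reflection_victims(records, min_sources=3):
    """Return {victim: sorted list of reply sources} for destinations that
    receive Echo Replies from at least min_sources distinct hosts and from
    more hosts than the number of Echo Requests they themselves sent."""
    requests_sent = defaultdict(int)   # src -> echo requests it sent
    reply_sources = defaultdict(set)   # dst -> hosts that sent it replies
    for src, dst, icmp_type in records:
        if icmp_type in ECHO_REQUEST_TYPES:
            requests_sent[src] += 1
        elif icmp_type in ECHO_REPLY_TYPES:
            reply_sources[dst].add(src)
    victims = {}
    for dst, sources in reply_sources.items():
        if len(sources) >= min_sources and len(sources) > requests_sent[dst]:
            victims[dst] = sorted(sources)
    return victims


if __name__ == "__main__":
    found = find_reflection_victims(parse_records(SAMPLE_RECORDS))
    for victim, sources in found.items():
        print(f"{victim}: {len(sources)} unsolicited reply sources: {', '.join(sources)}")
```

On real data the records would come from NetFlow/IPFIX or a Wireshark export filtered on ICMP; the threshold is the tuning knob, since a busy monitoring host legitimately receives replies from many peers it did ping, which is why the check also compares against the requests the destination sent.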

What has changed?
ICMPv4 Messages
Type  Name
----  -----------------------
0     Echo Reply
3     Destination Unreachable
4     Source Quench
5     Redirect Message
8     Echo Request
11    Time Exceeded
12    Parameter Problem
13    Timestamp Request
14    Timestamp Reply
17    Address Mask Request
18    Address Mask Reply


ICMPv6 Error Messages
Type  Name
----  -----------------------
1     Destination Unreachable
2     Packet Too Big
3     Time Exceeded
4     Parameter Problem
[RFC2463]
Error messages have message types from 0 to 127.

ICMPv4 Error – Info Ratio
Error messages: 90%
Informational: 10%

ICMPv6 Error – Info Ratio
Error messages: 20%
Informational: 80%

ICMPv6 Info Messages
Why? Informational: 80%
– ARP gone!
– Replaced by Neighbor Discovery / Router Discovery, Multicast Listener Discovery
– Mobile IP

ICMPv6 Informational Messages
Type  Name
----  ------------------------------------------------
128   Echo Request
129   Echo Reply
130   Multicast Listener Query
131   Multicast Listener Report
132   Multicast Listener Done
133   Router Solicitation
134   Router Advertisement
135   Neighbor Solicitation
136   Neighbor Advertisement
137   Redirect Message
138   Router Renumbering
139   ICMP Node Information Query
140   ICMP Node Information Response
141   Inverse Neighbor Discovery Solicitation Message
142   Inverse Neighbor Discovery Advertisement Message
143   Version 2 Multicast Listener Report
144   Home Agent Address Discovery Request Message
145   Home Agent Address Discovery Reply Message
146   Mobile Prefix Solicitation
147   Mobile Prefix Advertisement
148   Certification Path Solicitation
149   Certification Path Advertisement
150   Experimental mobility protocols
151   Multicast Router Advertisement
152   Multicast Router Solicitation
153   Multicast Router Termination

ICMPv6 Echo Request
Destination Address: any legal IPv6 address.

ICMPv6 Echo Reply
An Echo Reply SHOULD be sent in response to an Echo Request message sent to an IPv6 multicast address.
The source address of the reply MUST be a unicast address belonging to the interface on which the multicast Echo Request message was received.

Ping to Multicast Addresses

Pinging ff02::1 with 32 bytes of data:
Reply from ff02::1: time 1ms
Reply from ff02::1: time 1ms
Reply from ff02::1: time 1ms
Reply from ff02::1: time 1ms
Ping statistics for ff02::1:
    Packets: Sent 4, Received 4, Lost 0 (0% loss),
Approximate round trip times in milliseconds:
    Minimum 0ms, Maximum 0ms, Average 0ms

Pinging ff02::2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for ff02::2:
    Packets: Sent 4, Received 0, Lost 4 (100% loss),

Did a ping for multicast address FF02:0:0:0:0:0:0:1, the All Nodes address.
Did a ping for multicast address FF02:0:0:0:0:0:0:2, the All Routers address.
Does this mean my router is down?

Ping to www.kame.net

Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085] with 32 bytes of data:
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time 227ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time 228ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time 250ms
Reply from 2001:200:0:8002:203:47ff:fea5:3085: time 349ms
Ping statistics for 2001:200:0:8002:203:47ff:fea5:3085:
    Packets: Sent 4, Received 4, Lost 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum 227ms, Maximum 349ms, Average 263ms

The router stack SHOULD implement an echo reply, but there is no MUST in the RFC! A router does not have to implement echo replies for a multicast address, so the silence from ff02::2 above does not by itself mean the router is down.

IPv6 Destination Unreachable

Code 0 – No Route To Destination: The datagram was not delivered because it could not be routed to the destination. Since this means the datagram could not be sent to the destination device's local network, this is basically equivalent to the “Network Unreachable” message subtype in ICMPv4.
Code 1 – Communication With Destination Administratively Prohibited: The datagram could not be forwarded due to filtering that blocks the message based on its contents. Equivalent to the message subtype with the same name (and Code value 13) in ICMPv4.
Code 3 – Address Unreachable: There was a problem attempting to deliver the datagram to the host specified in the destination address. This code is equivalent to the ICMPv4 “Host Unreachable” code and usually means the destination address was bad or there was a problem with resolving it into a layer two address.
Code 4 – Port Unreachable: The destination port specified in the UDP or TCP header was invalid or does not exist on the destination host.

ICMPv4 Dest Unreach Subcodes
0: Network Unreachable
1: Host Unreachable
2: Protocol Unreachable
4: Fragmentation Needed and DF Set
5: Source Route Failed
6: Destination Network Unknown
7: Destination Host Unknown
8: Source Host Isolated
9: Communication with Destination Network is Administratively Prohibited
10: Communication with Destination Host is Administratively Prohibited
11: Destination Network Unreachable for Type of Service
12: Destination Host Unreachable for Type of Service
13: Communication Administratively Prohibited
14: Host Precedence Violation
15: Precedence Cutoff In Effect

ICMPv6 Packet Too Big
In IPv6, routers are not allowed to fragment datagrams that are too large for the physical link they must be sent over.
The packet is dropped and an ICMPv6 Packet Too Big message is sent. (Minimum IPv6 MTU: 1280 bytes.)
Used in Path MTU Discovery.
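The common 4-byte header, the Destination Unreachable codes and the Packet Too Big message above can be pulled together in one small decoder. The following is an added example, not code from the slides: it computes the ICMPv6 checksum (which covers an IPv6 pseudo-header, so the enclosing packet's source and destination addresses are needed), rejects messages whose checksum does not verify, decodes the error types 1 to 4, and marks a Packet Too Big message whose reported MTU is below 1280 as one that must not be honoured. The addresses and the sample message are constructed for the example.

```python
"""Parse and validate ICMPv6 messages (added example, not from the slides).

Every ICMPv6 message starts with the same 4 bytes: Type (1), Code (1),
Checksum (2).  The checksum covers an IPv6 pseudo-header plus the whole
ICMPv6 message, so validating it needs the source and destination
addresses of the enclosing IPv6 packet.  Sample packets are constructed
here in code; no capture file is used.
"""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this much

# Code meanings for type 1 (Destination Unreachable), as listed on the slide.
DEST_UNREACH_CODES = {
    0: "No route to destination",
    1: "Communication with destination administratively prohibited",
    3: "Address unreachable",
    4: "Port unreachable",
}
TIME_EXCEEDED_CODES = {0: "Hop limit exceeded in transit",
                       1: "Fragment reassembly time exceeded"}


def icmpv6_checksum(src, dst, message):
    """Ones-complement checksum over the IPv6 pseudo-header and the message.
    For a valid received message (checksum field filled in) this returns 0."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv6(src, dst, icmp_type, code, body):
    """Assemble an ICMPv6 message with a correct checksum."""
    message = struct.pack("!BBH", icmp_type, code, 0) + body
    checksum = icmpv6_checksum(src, dst, message)
    return message[:2] + struct.pack("!H", checksum) + message[4:]


def decode_icmpv6(src, dst, message):
    """Validate the checksum and decode the common header and error bodies."""
    if len(message) < 8:
        raise ValueError("ICMPv6 message shorter than its 8-byte minimum")
    if icmpv6_checksum(src, dst, message) != 0:
        raise ValueError("ICMPv6 checksum mismatch")
    icmp_type, code = message[0], message[1]
    info = {"type": icmp_type, "code": code, "is_error": icmp_type < 128}
    if icmp_type == 1:
        info["name"] = "Destination Unreachable"
        info["meaning"] = DEST_UNREACH_CODES.get(code, "unknown code")
    elif icmp_type == 2:
        info["name"] = "Packet Too Big"
        info["mtu"] = struct.unpack("!I", message[4:8])[0]
        # A reported MTU below 1280 must not be honoured: IPv6 guarantees
        # 1280, so a smaller value is bogus and would only degrade the path.
        info["mtu_valid"] = info["mtu"] >= IPV6_MIN_MTU
    elif icmp_type == 3:
        info["name"] = "Time Exceeded"
        info["meaning"] = TIME_EXCEEDED_CODES.get(code, "unknown code")
    elif icmp_type == 4:
        info["name"] = "Parameter Problem"
        info["pointer"] = struct.unpack("!I", message[4:8])[0]
    else:
        info["name"] = "Informational"
    # Error messages carry as much of the invoking packet as fits after
    # their 4-byte body; keep it so the caller can match it to a flow.
    if info["is_error"]:
        info["invoking_packet"] = message[8:]
    return info


# Constructed sample: a router reports MTU 1400 for a packet from HOST.
HOST = "2001:db8::10"
ROUTER = "fe80::1"
INVOKING = bytes.fromhex("60000000")  # start of the too-big packet (constructed)
PTB = build_icmpv6(ROUTER, HOST, 2, 0, struct.pack("!I", 1400) + INVOKING)

if __name__ == "__main__":
    print(decode_icmpv6(ROUTER, HOST, PTB))
```

The checksum check is what Wireshark's "Checksum: correct/incorrect" line does for ICMPv6; the `mtu_valid` flag is the extra sanity check a firewall or host stack applies so that Path MTU Discovery cannot be steered below the guaranteed minimum.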

Now, the more complicated ones!
– Neighbor discovery
– Router discovery
– Multicast Listener Discovery

Stateless Autoconfiguration
Stateless autoconfiguration allows a node to be configured without any configuration server. How?
– A node configures its own globally routable addresses in cooperation with a local IPv6 router.
– The address combines the 48- or 64-bit MAC address of the adapter with network prefixes that are learned from the neighboring router.
– In the case of multi-homed devices, autoconfiguration is performed for each interface separately.
– Stateless autoconfiguration uses the Neighbor Discovery protocol.

Example on a Windows PC: result of ipconfig
Ethernet adapter Local Area Connection:
    Description : Realtek Family Fast Ethernet NIC
    Physical Address : 00-11-D8-39-29-2B
    Autoconfiguration Enabled : Yes
    IP Address : fe80::211:d8ff:fe39:292b%4

Stateless Autoconfiguration Steps 1 - 2
Link-Local Address Generation: the device generates a link-local address.
Link-Local Address Uniqueness Test:
– Is someone using my address?
– Sends a Neighbor Solicitation message
– Listens for a Neighbor Advertisement

Stateless Autoconfiguration Steps 3 - 4
Link-Local Address Assignment:
– Can be used for communication on the local network, but not on the internet or intranet.
Router Contact:
– Asks the local router what to do
– Sends a Router Solicitation
– Listens for a Router Advertisement
Router Direction:
– Are we stateful / stateless?
– What prefix do we use?

Stateless Autoconfiguration Step 5
Global Address Configuration:
– If using stateless autoconfiguration, form the global unicast address by combining the network prefix and the MAC address (IID).
Advantages:
– Low administrative costs
Disadvantages:
– Low administrative costs

Stateless Autoconfig on Windows
To see stateless autoconfiguration at work, start with a Windows PC with no IPv6 enabled.
Look at the ipconfig above. You see only IPv4 connections.
Let’s install IPv6.

After IPv6 Installed Successfully
Notice what addresses are assigned.
Will we be able to go out over the internet?
What do you think is the MAC address?
Why did this happen?

ipconfig with Global Unicast Addresses
Will we be able to go out over the internet?
Why did this happen?
Notice the default IPv6 gateway.

Notice the sequence of events.
Where is the MAC address?
What is the Next Header field?
What address do you think will be assigned?
What kind of an address is ::?
How about ff02::2?
How about ff02::1:ff39:292b?
And fe80::211:d8ff:fe39:292b?
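The addresses in the ipconfig trace and the questions above can be reproduced from the MAC address alone. The following is an added example, not code from the slides: it derives the modified EUI-64 interface identifier from 00-11-D8-39-29-2B (step 1 of the autoconfiguration steps), forms the link-local and global addresses (step 5), builds the solicited-node multicast address ff02::1:ff39:292b that Duplicate Address Detection targets (step 2), and recovers the MAC from an address, which is what an analyst reading a capture does in reverse. The /64 global prefix 2001:db8:1:2::/64 is a constructed documentation prefix.

```python
"""Derive SLAAC addresses from a MAC address (added example, not from the slides).

The 64-bit interface identifier (IID) is the modified EUI-64 of the
adapter's 48-bit MAC: split the MAC in half, insert ff:fe between the
halves and flip the universal/local bit (0x02 of the first byte).
Duplicate Address Detection then sends a Neighbor Solicitation to the
solicited-node multicast address, which is ff02::1:ff00:0/104 with the
low 24 bits of the target address appended.  The MAC and the addresses
checked below are the ones from the ipconfig trace on the slides.
"""
import ipaddress


def mac_to_eui64(mac):
    """Modified EUI-64 interface identifier (8 bytes) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the universal/local bit
    return bytes(iid)


def link_local_from_mac(mac):
    """fe80::/64 address a node forms before it has heard from any router."""
    fe80 = ipaddress.IPv6Address("fe80::").packed[:8]
    return ipaddress.IPv6Address(fe80 + mac_to_eui64(mac))


def global_from_prefix(prefix, mac):
    """Global unicast address formed from a router-advertised /64 prefix."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration requires a /64 prefix")
    return ipaddress.IPv6Address(network.network_address.packed[:8] + mac_to_eui64(mac))


def solicited_node(address):
    """Solicited-node multicast group that DAD and address resolution target."""
    packed = ipaddress.IPv6Address(address).packed
    # ff02::1:ff00:0/104 is 13 fixed bytes; the last 3 bytes come from the target.
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + packed[13:])


def mac_from_address(address):
    """Recover the MAC from an EUI-64 derived address, or None when the IID
    is not EUI-64 shaped (for example a randomized privacy address)."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00-11-D8-39-29-2B"  # Physical Address from the ipconfig slide
    link_local = link_local_from_mac(mac)
    print("link-local     ", link_local)
    print("solicited-node ", solicited_node(link_local))
    print("global         ", global_from_prefix("2001:db8:1:2::/64", mac))
    print("MAC recovered  ", mac_from_address(link_local))
```

Because the MAC is recoverable from any EUI-64 address, a host using it for its global address is trackable across networks; that is the reason randomized interface identifiers exist, and `mac_from_address` returning None is how a capture reviewer tells the two apart.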

What is a Neighbor?
Two devices are neighbors if they are on the same local network. Either can be a host or a router.

What is Discovery?
Not just who our neighbors are, but also important information about them. Such as:
– address resolution,
– parameter communication,
– autoconfiguration,
– local network connectivity,
– datagram routing and
– configuration.
(Figure: neighbors on the local network asking each other: What network prefix should I use? What MTU? How do I do autoconfiguration? Are you using the address that I want to use?)

Neighbor Discovery Standards
The Neighbor Discovery protocol was originally defined in RFC 1970 (1996), revised in RFC 2461 (1998), and is still evolving.
Most of the functions of the ND protocol are implemented using a set of four ICMPv6 control messages:
– Router Advertisement
– Router Solicitation
– Neighbor Advertisement
– Neighbor Solicitation
ND can use IPsec authentication and encryption.

ND Implementation – ICMPv6
ND implements its functions using ICMPv6 messages.
1. Router Advertisement messages (“This is who I am”, from router Atlanta): sent regularly by routers to tell hosts that they exist and to provide important prefix and parameter information to them.
2. Router Solicitation messages (“Tell me about you”, to router Atlanta): sent by hosts to request that any local routers send a Router Advertisement message so they don't have to wait for the next regular advertisement message.
3. Neighbor Advertisement messages (“This is who I am”, between Host1 and Host2): sent by hosts to indicate the existence of the host and provide information about it.
4. Neighbor Solicitation messages (“Tell me about you”, between Host1 and Host2): sent to verify the existence of another host and to ask it to transmit a Neighbor Advertisement.

Router Advertisement Packet
Source Address: MUST be the link-local address assigned to the interface from which this message is sent.
Destination Address: typically the Source Address of an invoking Router Solicitation or the all-nodes multicast address.

Router Solicitation Packet
Source address: usually the unspecified IPv6 address (0:0:0:0:0:0:0:0) or a configured unicast address of the interface.
Destination address: the all-routers multicast address (FF02::2) with link-local scope.

Neighbor Solicitation Packet
Source address: either an address assigned to the interface from which this message is sent or (if Duplicate Address Detection is in progress) the unspecified address.
Destination address: either the solicited-node multicast address (ff02::1:ffxx:xxxx) corresponding to the target address, or the target address.

Neighbor Advertisement (ICMP type 136)
– From RFC 2461: A node sends Neighbor Advertisements in response to Neighbor Solicitations and sends unsolicited Neighbor Advertisements in order to (unreliably) propagate new information quickly.

Neighbor Solicitation Packet
To a specific unicast address.
Duplicate Address Detection.
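The Router Advertisement rules above (link-local source, all-nodes or unicast destination) are exactly what a monitor checks when it decides whether an RA seen on a segment is legitimate. The following is an added example, not code from the slides: it parses the RA header and its TLV options (prefix information, MTU, source link-layer address) from raw bytes and applies the checks a capture reviewer or RA-guard policy would apply, including the hop limit of 255 that all ND messages must carry. The sample RA, the router addresses and the trusted-router list are constructed; the ICMPv6 checksum is assumed to have been verified before this code runs.

```python
"""Parse and sanity-check a Router Advertisement (added example, not from the slides).

RA layout after the 4-byte ICMPv6 header: Cur Hop Limit (1), Flags (1:
M=0x80, O=0x40), Router Lifetime (2), Reachable Time (4), Retrans Timer
(4), then options as TLVs whose Length is in units of 8 bytes.  The
sample message is constructed in build_sample_ra(); its checksum field is
left zero because checksum validation is assumed to happen upstream.
"""
import ipaddress
import struct

RA_TYPE = 134
ND_HOP_LIMIT = 255                    # all ND messages are sent with hop limit 255
IPV6_MIN_MTU = 1280
ALL_NODES = ipaddress.IPv6Address("ff02::1")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5


def parse_nd_options(data):
    """Return [(type, body)] for the TLV options; malformed lengths are rejected."""
    options, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated ND option")
        opt_type, opt_len = data[offset], data[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # receivers must discard the packet
        end = offset + opt_len * 8
        if end > len(data):
            raise ValueError("ND option overruns the message")
        options.append((opt_type, data[offset + 2:end]))
        offset = end
    return options


def parse_router_advertisement(message):
    """Decode the fixed RA fields and the options this example understands."""
    if len(message) < 16 or message[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    cur_hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", message[4:16])
    ra = {"cur_hop_limit": cur_hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "reachable_time": reachable, "retrans_timer": retrans,
          "prefixes": [], "mtu": None, "source_mac": None}
    for opt_type, body in parse_nd_options(message[16:]):
        if opt_type == OPT_PREFIX_INFO and len(body) == 30:
            prefix_len, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{prefix_len}", "prefix_len": prefix_len,
                                   "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                                   "valid_lifetime": valid, "preferred_lifetime": preferred})
        elif opt_type == OPT_MTU and len(body) == 6:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif opt_type == OPT_SOURCE_LLADDR and len(body) == 6:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body)
    return ra


def check_router_advertisement(src, dst, hop_limit, message, trusted_routers):
    """Return (findings, parsed_ra); an empty findings list means the RA passed."""
    findings = []
    src_addr, dst_addr = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if src_addr not in LINK_LOCAL:
        findings.append("source address is not link-local")
    if dst_addr.is_multicast and dst_addr != ALL_NODES:
        findings.append("multicast destination is not the all-nodes address")
    if hop_limit != ND_HOP_LIMIT:
        findings.append("hop limit is not 255, so the packet did not come straight from an on-link node")
    ra = parse_router_advertisement(message)
    if src_addr not in {ipaddress.IPv6Address(r) for r in trusted_routers}:
        findings.append(f"router {src_addr} is not in the trusted router list")
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix_len"] != 64:
            findings.append(f"autonomous prefix {p['prefix']} is not a /64")
    if ra["mtu"] is not None and ra["mtu"] < IPV6_MIN_MTU:
        findings.append(f"advertised MTU {ra['mtu']} is below the IPv6 minimum")
    return findings, ra


def build_sample_ra():
    """Constructed RA: hop limit 64, O flag, lifetime 1800 s, one L+A /64 prefix, MTU 1500."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x40, 1800, 0, 0)
    prefix_opt = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
                  + ipaddress.IPv6Address("2001:db8:1:2::").packed)
    mtu_opt = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    lladdr_opt = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("00005e005301")  # documentation MAC
    return header + prefix_opt + mtu_opt + lladdr_opt


if __name__ == "__main__":
    print(check_router_advertisement("fe80::1", "ff02::1", 255, build_sample_ra(), {"fe80::1"}))
```

An RA that fails the source or hop-limit checks is the signature of a rogue or misrouted advertisement; in Wireshark the same fields are visible as the IPv6 source, hop limit and the "ICMPv6 Option (Prefix information)" tree, so the checks translate directly into display filters.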

Multicast Group Membership
Group membership is dynamic, allowing hosts to join and leave the group at any time.
The joining of multicast groups is performed through the sending of group membership messages.
In IPv6, Multicast Listener Discovery (MLD) messages are used to determine group membership on a network segment.
(Figure: the same multicast group at 10:00 am, 11:00 am and 2:00 pm, with a different set of members each time.)

Multicast Listener Discovery
MLD is used to exchange membership status information between IPv6 routers that support multicasting and members of multicast groups on a network segment.
Host membership in a multicast group is reported by individual member hosts, and membership status is periodically polled by multicast routers.
MLD is defined in RFC 2710, "Multicast Listener Discovery (MLD) for IPv6."

MLD Message Types
Multicast Listener Query: sent by a multicast router to poll a network segment for group members. Queries can be general (requesting group membership for all groups) or specific (requesting group membership for a specific group).
Multicast Listener Report: sent by a host when it joins a multicast group, or in response to an MLD Multicast Listener Query sent by a router.
Multicast Listener Done: sent by a host when it leaves a host group and might be the last member of that group on the network segment.

RFC 3971 SEcure Neighbor Discovery
To secure the various functions in NDP, a set of new Neighbor Discovery options is introduced. The components of the solution are:
– Certification paths, anchored on trusted parties, are expected to certify the authority of routers.
– A host must be configured with a trust anchor to which the router has a certification path before the host can adopt the router as its default router.
– Certification Path Solicitation and Advertisement messages are used to discover a certification path to the trust anchor without requiring the actual Router Discovery messages to carry lengthy certification paths.
– The receipt of a protected Router Advertisement message for which no certification path is available triggers the authorization delegation discovery process.
– Cryptographically Generated Addresses are used to make sure that the sender of a Neighbor Discovery message is the "owner" of the claimed address.
– A public-private key pair is generated by all nodes before they can claim an address.
– A new NDP option, the CGA option, is used to carry the public key and associated parameters.
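The Cryptographically Generated Address component of SEND is small enough to work through end to end. The following is an added example, not code from the slides or from any SEND implementation: it follows the RFC 3972 construction, in which the interface identifier is the leftmost 64 bits of SHA-1 over a modifier, the subnet prefix, a collision count and the public key, with the top three bits replaced by the Sec parameter; for Sec greater than zero a second hash over the modifier and key must start with 16*Sec zero bits, which is the proof of work that makes brute-forcing a matching key expensive. The public key is a constructed placeholder standing in for DER-encoded key bytes, and the starting modifier is fixed rather than random so the result is reproducible.

```python
"""Cryptographically Generated Addresses (RFC 3972) as used by SEND.

Added example, not from the slides.  A CGA binds an address to a public
key: the interface identifier is a hash of the key and some parameters, so
a node can prove it "owns" the address by signing ND messages with the
matching private key.  The public key below is a constructed placeholder
standing in for a DER-encoded key; the hash construction follows RFC 3972.
"""
import hashlib
import ipaddress

SAMPLE_PUBLIC_KEY = b"PLACEHOLDER-PUBLIC-KEY-DER-BYTES-" * 4          # constructed
SAMPLE_MODIFIER_START = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; normally random
SEC_MASK = 0x1C  # bits of IID byte 0 that are neither Sec (top 3) nor u/g (bottom 2)


def _hash2_ok(modifier, public_key, sec):
    """Hash2 must have 16*Sec leading zero bits; Sec=0 imposes no work."""
    if sec == 0:
        return True
    digest = hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()[:14]
    return int.from_bytes(digest, "big") >> (112 - 16 * sec) == 0


def _hash1(modifier, prefix, collision_count, public_key):
    """Leftmost 64 bits of SHA-1 over the CGA parameters."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + public_key).digest()[:8]


def generate_cga(prefix, public_key, sec, modifier=SAMPLE_MODIFIER_START):
    """Return (address, params).  Higher Sec costs 2**(16*Sec) hashes on average."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64 or not 0 <= sec <= 7:
        raise ValueError("need a /64 prefix and Sec in 0..7")
    prefix_bytes = network.network_address.packed[:8]
    mod_int = int.from_bytes(modifier, "big")
    while True:                                   # hash extension search
        modifier = mod_int.to_bytes(16, "big")
        if _hash2_ok(modifier, public_key, sec):
            break
        mod_int = (mod_int + 1) % (1 << 128)
    collision_count = 0                           # would be incremented if DAD found a clash
    iid = bytearray(_hash1(modifier, prefix_bytes, collision_count, public_key))
    iid[0] = (iid[0] & SEC_MASK) | (sec << 5)     # write Sec, clear the u and g bits
    params = {"modifier": modifier, "prefix": prefix_bytes,
              "collision_count": collision_count, "public_key": public_key}
    return ipaddress.IPv6Address(prefix_bytes + bytes(iid)), params


def verify_cga(address, params):
    """Check that the address was generated from params (RFC 3972 section 5).
    A receiver runs this on the CGA option of an ND message before trusting
    the signature that the sender's public key is supposed to cover."""
    packed = ipaddress.IPv6Address(address).packed
    if params["collision_count"] > 2 or packed[:8] != params["prefix"]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    expected = _hash1(params["modifier"], params["prefix"],
                      params["collision_count"], params["public_key"])
    # Compare Hash1 to the IID ignoring the Sec and u/g bits.
    if (iid[0] & SEC_MASK) != (expected[0] & SEC_MASK) or iid[1:] != expected[1:]:
        return False
    return _hash2_ok(params["modifier"], params["public_key"], sec)


if __name__ == "__main__":
    address, params = generate_cga("2001:db8:1:2::/64", SAMPLE_PUBLIC_KEY, sec=1)
    print("CGA:", address, "valid:", verify_cga(address, params))
    forged = dict(params, public_key=b"X" + SAMPLE_PUBLIC_KEY[1:])
    print("same address with another key valid:", verify_cga(address, forged))
```

The verification step is the whole point for a defender: a node that cannot present parameters hashing to the claimed address cannot pass itself off as the owner of that address in a Neighbor Advertisement, which is the spoofing that unprotected ND allows. Raising Sec multiplies the attacker's cost of finding a key that collides with a given address by 2**16 per step, at the same cost to the legitimate generator, so Sec is chosen per deployment.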

Summary
I will have a job forever because no one can keep up with all this!
Email: nalini.elkins@insidethestack.com
