May 6, 2004

Sending IPv6 packets to check firewall rules

Author: Laurent Constantin

IP version 6 is available in most recent products such as routers, firewalls and operating systems.
Administrators and security professionals are facing new challenges when configuring or checking an IPv6 implementation. They need IPv6 compatible tools.

Network testing requires two simple components : a tool to send
network packets, and a sniffer to intercept and display them.

Most sniffers already recognize IPv6 packets (Ethereal, tcpdump,
etc.).

This article describes netwox toolbox which can be used to
send IPv6 packets.

Learning

It is important to note that computer sending IPv6 packets must
use an Ethernet LAN, or already be IPv6 compatible. As the latter
is less common, we send Ethernet frames containing IPv6 packets.
Tools must be ran as root (Administrator under Windows) to have
privileges to send Ethernet frames. Finally, we suppose both
computers are on the same LAN (do not have routers between them).

The first example is a TCP packet over IPv6 over Ethernet.
Install netwox or netwag and run as root:

# netwox 142 --device "Eth0" --eth-dst "0:8:9:a:b:c" --ip6-src "fec0:0:0:1::1" --ip6-dst "fec0:0:0:1::2" --tcp-src "1234" --tcp-dst "80" --tcp-syn

Following packet is sent:

Ethernet__________________________________________ ______________.
|.00:11:22:33:44:55->00:08:09:0A:0B:0C.type:0x86DD ..............|
|_________________________________________________ ______________|
IP________________________________________________ ______________.
|version|.traffic.class.|..............flow.label. ..............|
|___6___|_______0_______|___________________0_____ ______________|
|........payload.length.........|..next.header..|. ..hop.limit...|
|___________0x0014=20___________|____0x06=6_____|_ ______0_______|
|............................source............... ..............|
|_________________________fec0:0:0:1::1___________ ______________|
|..........................destination............ ..............|
|_________________________fec0:0:0:1::2___________ ______________|
TCP_______________________________________________ ______________.
|..........source.port..........|.......destinatio n.port........|
|__________0x04D2=1234__________|___________0x0050 =80___________|
|............................seqnum............... ..............|
|_____________________0x686F31E7=1752117735_______ ______________|
|............................acknum............... ..............|
|_________________________0x00000000=0____________ ______________|
|.doff..|r|r|r|r|C|E|U|A|P|R|S|F|............windo w.............|
|___5___|0|0|0|0|0|0|0|0|0|0|1|0|___________0x0000 =0____________|
|...........checksum............|............urgpt r.............|
|__________0x12E4=4836__________|___________0x0000 =0____________|

Ethernet and IP header indicates that destination Ethernet
address is 0:8:9:a:b:c, source IPv6 address is fec0:0:0:1::1 and
destination IPv6 address is fec0:0:0:1::2.

To learn about possible parameters for tool number 142, run:

# netwox 142 --help
# netwox 142 --help2

Real world example

Suppose we want to check if a host has its firewall correctly
configured to block some IPv6 packets destined to itself. Its
IPv6 address is fec0:0:0:1::2. Its Ethernet address is
0:8:9:a:b:c (obtained with "netwox 3 fec0:0:0:1::2"). Suppose
port 80/tcp is allowed for computer fec0:0:0:1::1, but all other
ports and computers are blocked.

We simulate computer fec0:0:0:1::1 using another computer on
the LAN. This computer does not need to be IPv6 compatible
because we directly send IPv6 packet without using computer's
IP stack. This computer has Ethernet address 00:11:22:33:44:55
(can be real or random). All command listed below are to be
run on this computer.

First, we send a TCP SYN packet destined to port 80 of firewall.
It is accepted because port 80 is open, so server sends back a TCP
SYN-ACK packet. In order to send this SYN-ACK, server first asks
for client Ethernet address using ICMP6 neighbor solicitation
(IPv4 uses ARP). So we need 2 more tools: one to answer to
Ethernet requests, and the other to see the SYN-ACK.

Netwox contains one tool to simulate the presence of a computer.
This tool automatically answers to Ethernet requests. Open
another window and keep running:

# netwox 73 --device "Eth0" --ips "fec0:0:0:1::1" --eths "00:11:22:33:44:55"

This command answers "computer fec0:0:0:1::1 has Ethernet address
00:11:22:33:44:55" to every question.

Then open another window and run a sniffer (netwox in this
example, but it can be Ethereal):

# netwox 7 -p --device "Eth0"

Send the IPv6 packet destined to port 80 and see what
happens in the sniffer window (don't forget to change source
port "--tcp-src" for each call, for example incrementing it):

# netwox 142 --device "Eth0" --eth-src "00:11:22:33:44:55"--eth-dst "0:8:9:a:b:c" --ip6-src "fec0:0:0:1::1" --ip6-dst "fec0:0:0:1::2" --tcp-src "1235" --tcp-dst "80" --tcp-syn

If port 80 is open, the sniffer will display a SYN-ACK. Here is
an extract of a TCP header containing flags Ack and Syn set to 1:

|.doff..|r|r|r|r|C|E|U|A|P|R|S|F|............windo w.............|
|___5___|0|0|0|0|0|0|0|1|0|0|1|0|__________0x1680= 5760__________|

Meaning of receiving a SYN-ACK packet is "port 80 is open, and
you are allowed to connect".

Send an IPv6 packet destined to port 81 ("--tcp-dst 81").
Depending on firewall configuration, we receive a RST (flag R set
in the TCP header) or nothing, and firewall's log contains an alert
message. If a SYN-ACK is received, then firewall is badly
configured because port 81 is open and available.

Now, we can pick another client address such as fec0:0:0:1::3 and
check everything is forbidden.

Other tools

Tools 140 to 147 of netwox send UDP, ICMP or raw IPv6 packets.
Depending on firewall rule to check, they can also be used.

# netwox 141 --device "Eth0" --eth-src "00:11:22:33:44:55" --eth-dst "0:8:9:a:b:c" --ip6-src "fec0:0:0:1::1" --ip6-dst "fec0:0:0:1::2" --udp-src "1236" --udp-dst "80"
Ethernet__________________________________________ ______________.
|.00:11:22:33:44:55->00:08:09:0A:0B:0C.type:0x86DD ..............|
|_________________________________________________ ______________|
IP________________________________________________ ______________.
|version|.traffic.class.|..............flow.label. ..............|
|___6___|_______0_______|___________________0_____ ______________|
|........payload.length.........|..next.header..|. ..hop.limit...|
|___________0x0008=8____________|____0x11=17____|_ ______0_______|
|............................source............... ..............|
|_________________________fec0:0:0:1::1___________ ______________|
|..........................destination............ ..............|
|_________________________fec0:0:0:1::2___________ ______________|
UDP_______________________________________________ ______________.
|..........source.port..........|.......destinatio n.port........|
|__________0x04D4=1236__________|___________0x0050 =80___________|
|............length.............|...........checks um............|
|___________0x0008=8____________|_________0xFD33=6 4819__________|

# netwox 143 --device "Eth0" --eth-src "00:11:22:33:44:55" --eth-dst "0:8:9:a:b:c" --ip6-src "fec0:0:0:1::1" --ip6-dst "fec0:0:0:1::2" --icmp-type "128" --icmp-code "0"
Ethernet__________________________________________ ______________.
|.00:11:22:33:44:55->00:08:09:0A:0B:0C.type:0x86DD ..............|
|_________________________________________________ ______________|
IP________________________________________________ ______________.
|version|.traffic.class.|..............flow.label. ..............|
|___6___|_______0_______|___________________0_____ ______________|
|........payload.length.........|..next.header..|. ..hop.limit...|
|___________0x0008=8____________|____0x3A=58____|_ ______0_______|
|............................source............... ..............|
|_________________________fec0:0:0:1::1___________ ______________|
|..........................destination............ ..............|
|_________________________fec0:0:0:1::2___________ ______________|
ICMP6_echo.request________________________________ ______________.
|.....type......|.....code......|...........checks um............|
|___0x80=128____|____0x00=0_____|__________0x065B= 1627__________|
|..............id...............|............seqnu m.............|
|_________0xCD94=52628__________|_________0xAE46=4 4614__________|
|.data:........................................... ..............|
|_________________________________________________ ______________|

Conclusion

Ability to send an IPv6 packet is an elementary step for solving
network problems or checking configurations. Netwox contains
tools to achieve this step. Netwox also provides clients and
servers supporting IPv6 : FTP client, web client, etc.

Download

Netwox comes with netwag, a graphical front-end, which is
easier to use than command line tools. It depends on libpcap,
libnet and netwib libraries.

You can download netwox at:
http://www.laurentconstantin.com/en/netw/#download
http://go.to/laurentconstantin/
http://laurentconstantin.est-la.com/
"

Click Here!