Packet to ff02::1

Pim van Pelt pim@ipng.nl
Wed, 27 Mar 2002 07:44:07 +0100


Hi Michael,

Disallowing from fe80::/10 is the same as killing DAD and neighbor
discovery (check http://www.faqs.org/rfcs/rfc2461.html).

The NDP (neighbor discovery protocol) uses ff02::1 to send a packet
in multicast (one-to-all, that is) so that all-hosts on the local link
receive it. ff02::2 is the same, but denotes all-routers.

You should try pinging ff02::1 and ff02::2 one day, it's quite good
fun!

What happens, in IPv4, when your box (10.0.0.2) wants to communicate with
another box (10.0.0.1) on the line for the first time:
1. ARP request to ethernet broadcast
   -> FF:FF:FF:FF:FF:FF who-has 10.0.0.1 tell 10.0.0.2 ?
2. All boxes receive, the one with 10.0.0.1 replies from its MAC:
   -> 10.0.0.1 is-at 00:20:12:34:56:AB !
3. your box sends the frame to 00:20:12:34:56:AB from its MAC address.

Now what happens with IPv6 when your box wants to talk to another?
1. IPv6 neighbor solicitation is sent to IPv6 multicast address ff02::1

   fe80::203:47ff:fe73:1f0f -> ff02::1 Neighbor Solicitation for
       3ffe:8350:1:51:210:7bff:fe30:591
2. All boxes receive (this is mandatory!), the one with
   3ffe:8350:1:51:210:7bff:fe30:591 replies from its link-local address:

   fe80::210:7bff:fe30:591 -> fe80::203:47ff:fe73:1f0f Neigh Adv for
       3ffe:8350:1:51:210:7bff:fe30:591
   (which it sends to the link-local the NS came from in the first place:
   your link-local)
3. Your box sees the MAC address where this advertisement came from and
   now knows the MAC address of 3ffe:8350:1:51:210:7bff:fe30:591

You should never firewall the link-local scope (fe80::/10) as you cannot
be externally attacked. I do not think you should firewall ff01::/32
nor ff02::/32 on any interface which you wish to use IPv6 on.

Hope this helps.

groet,
Pim
On Tue, Mar 26, 2002 at 06:03:37PM +0100, Michael Kjorling wrote:
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
| 
| All right, this might be a little off topic here (if it is, please
| point me at the right place), but I am finally getting a serious grasp
| of IPv6 and ran across this little one in my logs. It's logged as
| being denied (quite in accordance with the firewall rules I have set
| up), but my question is: what are the implications of disallowing the
| "all nodes multicast" address (and the other addresses in the same
| category)? (varg, among else, serves as my IPv6 router.)
| 
| > Mar 26 16:50:42 varg kernel: IN=eth1 OUT= MAC= SRC=fe80:0000:0000:0000:02a0:ccff:fe52:e0a4 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=128 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
| > Mar 26 16:50:42 varg kernel: IN=eth0 OUT= MAC=33:33:00:00:00:01:00:a0:cc:52:e0:a4:86:dd SRC=fe80:0000:0000:0000:02a0:ccff:fe52:e0a4 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=128 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
| 
| Also if someone has a list of the special (non-2000::/3) addresses and
| address blocks which I need to allow (locally and globally) at hand,
| that would be perfect. I would like to respond to packets that won't
| get anywhere anyway with network unreachable right away (for some
| reason the system keeps insisting on having its ::/0 route in the
| routing table and I don't seem to be able to remove it easily),
| instead of polluting my uplink. This seems to me like wise practice
| even though the actual number of packages at all over IPv6 will be
| very limited to start with.
| 
| Any input would be greatly appreciated!
| 
| 
| Michael Kjörling
| 
| - -- 
| Michael Kjörling  --  Programmer/Network administrator  ^..^
| Internet: michael@kjorling.com -- FidoNet: 2:204/254.4   \/
| PGP: 95f1 074d 336d f8f0 f297 6a5b 2aa3 7bfd 8a70 e33e
| 
| ``And indeed people sometimes speak of man's "bestial" cruelty, but
| this is very unfair and insulting to the beasts: a beast can never be
| so cruel as a man, so ingeniously, so artistically cruel.''
| (Ivan Karamazov, in Dostoyevsky's 'The Brothers Karamazov')
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.0.6 (GNU/Linux)
| Comment: Public key is at http://michael.kjorling.com/contact/pgp.html
| 
| iD8DBQE8oKntKqN7/Ypw4z4RAmB7AKD6/l1Cog6AhuQrrXr7FnmBvLw+oQCgpJrC
| Sfdsdfk20w9MJthFahvu7Ro=
| =xi5S
| -----END PGP SIGNATURE-----
| 

-- 
---------- - -    - - -+- - -    - - ----------
Pim van Pelt                 Email: pim@ipng.nl
http://www.ipng.nl/             IPv6 Deployment
-----------------------------------------------
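As an added example (not code from Pim's or Michael's mail): a small Python script that parses netfilter LOG lines in the format quoted above and tells you which denied packets were Neighbor Discovery messages that a host needs in order to find its neighbours and routers. The first two sample lines are the ones from Michael's log; the other two are constructed for illustration. The ICMPv6 type numbers, the link-local scope ff02::/16 and the rule that Neighbor Discovery messages carry hop limit 255 come from RFC 2461; the "allow/review/ignore" verdicts and all function names are this example's own.

```python
"""Classify ICMPv6 Neighbor Discovery packets in netfilter (ip6tables LOG) lines.

Added example: parses the kernel log format shown in the thread and decides
whether a denied packet was Neighbor Discovery traffic (RFC 2461 router and
neighbor solicitations/advertisements, which are sent in link-local scope
with hop limit 255) rather than something a firewall can safely drop.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMPv6 message types defined by RFC 2461 (Neighbor Discovery).
NDP_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
}

LINK_LOCAL_UNICAST = ipaddress.ip_network("fe80::/10")
# Link-local multicast scope: ff02::1 (all-nodes) and ff02::2 (all-routers) live here.
LINK_LOCAL_MCAST = ipaddress.ip_network("ff02::/16")
# RFC 2461: every Neighbor Discovery message is sent with hop limit 255 and
# receivers discard any that arrive with a different value (it was forwarded).
NDP_HOP_LIMIT = 255

# netfilter LOG output is a flat "KEY=value" list; empty values (OUT=, MAC=) are allowed.
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


@dataclass
class LogEntry:
    iface: str
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    proto: str
    icmp_type: Optional[int]
    hop_limit: Optional[int]


def parse_netfilter_line(line: str) -> LogEntry:
    """Turn one 'IN=... SRC=... DST=... PROTO=... TYPE=...' line into a LogEntry."""
    fields = dict(FIELD_RE.findall(line))
    return LogEntry(
        iface=fields.get("IN", ""),
        src=ipaddress.IPv6Address(fields["SRC"]),
        dst=ipaddress.IPv6Address(fields["DST"]),
        proto=fields.get("PROTO", ""),
        icmp_type=int(fields["TYPE"]) if "TYPE" in fields else None,
        hop_limit=int(fields["HOPLIMIT"]) if "HOPLIMIT" in fields else None,
    )


def classify(entry: LogEntry) -> str:
    """Return 'allow', 'review' or 'ignore' plus a reason for one log entry."""
    if entry.proto != "ICMPv6" or entry.icmp_type not in NDP_TYPES:
        return "ignore: not a Neighbor Discovery message"
    name = NDP_TYPES[entry.icmp_type]
    if entry.hop_limit != NDP_HOP_LIMIT:
        # Genuine NDP never arrives with another hop limit; worth a look, not an allow.
        return f"review: {name} with hop limit {entry.hop_limit}, NDP requires {NDP_HOP_LIMIT}"
    if entry.dst not in LINK_LOCAL_MCAST and entry.dst not in LINK_LOCAL_UNICAST:
        return f"review: {name} to {entry.dst}, outside link-local scope"
    return f"allow: {name} on {entry.iface} from {entry.src} to {entry.dst}"


def audit(lines: List[str]) -> List[Tuple[int, str]]:
    """Classify every parseable netfilter line; returns (line number, verdict) pairs."""
    results = []
    for number, line in enumerate(lines, 1):
        if "SRC=" not in line or "DST=" not in line:
            continue  # not a netfilter LOG line
        results.append((number, classify(parse_netfilter_line(line))))
    return results


# The first two lines are the ones quoted in the thread (router advertisements to
# all-nodes); the last two are constructed for this example.
SAMPLE_LOG = [
    "Mar 26 16:50:42 varg kernel: IN=eth1 OUT= MAC= SRC=fe80:0000:0000:0000:02a0:ccff:fe52:e0a4 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=128 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0",
    "Mar 26 16:50:42 varg kernel: IN=eth0 OUT= MAC=33:33:00:00:00:01:00:a0:cc:52:e0:a4:86:dd "
    "SRC=fe80:0000:0000:0000:02a0:ccff:fe52:e0a4 DST=ff02:0000:0000:0000:0000:0000:0000:0001 "
    "LEN=128 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0",
    # constructed: looks like a neighbor solicitation but hop limit 64 means it was routed
    "Mar 26 16:51:00 varg kernel: IN=eth0 OUT= MAC= SRC=fe80:0000:0000:0000:0000:0000:0000:00aa "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0",
    # constructed: an ordinary echo request, not Neighbor Discovery
    "Mar 26 16:51:05 varg kernel: IN=eth0 OUT= MAC= SRC=3ffe:0000:0000:0000:0000:0000:0000:0005 "
    "DST=3ffe:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0",
]

if __name__ == "__main__":
    for number, verdict in audit(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Run it as is and the two router advertisements from the thread come out as "allow", the constructed packet with hop limit 64 is flagged for review, and the echo request is ignored as unrelated to Neighbor Discovery. The useful part for a firewall author is the combination of checks: ICMPv6 type in 133-137, hop limit 255, and a destination in fe80::/10 or ff02::/16 is the traffic that must pass on any interface that is supposed to speak IPv6.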