Category Archives: Network

Computer networks over IPv4 and IPv6. Switching, Routing, and Firewalling.

RADIUS & TACACS+ PCAP

2022-12-20Authentication, Design/PolicyAruba ClearPass, FortiGate, FreeRADIUS, Palo Alto Networks, pcap, RADIUS, TACACS+, Ultimate PCAP, WiresharkJohannes Weber

Again two more commonly used network protocols for the Ultimate PCAP: the Remote Authentication Dial-In User Service (RADIUS) and the Terminal Access Controller Access-Control System Plus (TACACS+) protocols. Captured with quite some details:

Continue reading RADIUS & TACACS+ PCAP →

Who sends TCP RSTs?

2022-12-13Design/Policy, SecurityFirewall, Hop Limit, ICMP, ICMPv6, Palo Alto Networks, pcap, TCP, TCP RST, TTL, Ultimate PCAP, WiresharkJohannes Weber

At SharkFest’22 EU, the Annual Wireshark User and Developer Conference, I attended a beginners’ course called “Network Troubleshooting from Scratch”, taught by the great Jasper Bongertz. In the end, we had some high-level discussions concerning various things, one of them was the insight that TCP RSTs are not only sent from a server in case the port is closed, but are also commonly sent (aka spoofed) from firewalls in case a security policy denies the connection. Key question: Can you distinguish between those spoofed vs. real TCP RSTs? Initially, I thought: no, you can’t, cause the firewalls out there do a great job.

It turned out: you can!

Continue reading Who sends TCP RSTs? →

Accessing IPv6-only Resources via Legacy IP: NAT46 on a FortiGate

2022-12-07Fortinet, Internet Access, IPv6, NATFortiGate, Fortinet, IPv6, NAT, NAT46, pcap, SIIT, Ultimate PCAP, WiresharkJohannes Weber

In general, Network Address Translation (NAT) solves some problems but should be avoided wherever possible. It has nothing to do with security and is only a short-term solution on the way to IPv6. (Yes, I know, the last 20 years have proven that NAT is used everywhere every time. 😉) This applies to all kinds of NATs for IPv4 (SNAT, DNAT, PAT) as well as for NPTv6 and NAT66.

However, there are two types of NATs that do not only change the network addresses but do a translation between the two Internet Protocols, that is IPv4 <-> IPv6 and vice versa. Let’s focus on NAT46 this time. In which situations is it used and why? Supplemented by a configuration guide for the FortiGates, a downloadable PCAP and Wireshark screenshots.

Continue reading Accessing IPv6-only Resources via Legacy IP: NAT46 on a FortiGate →

Linux’s Traceroute

2022-11-24Ping/Traceroutefail, IPv6, Linux, Palo Alto Networks, Traceroute, UDP, Ultimate PCAP, WiresharkJohannes Weber

The other day I just wanted to capture some basic Linux traceroutes but ended up troubleshooting different traceroute commands and Wireshark display anomalies. Sigh. Anyway, I just added a few Linux traceroute captures – legacy and IPv6 – to the Ultimate PCAP. Here are some details:

Continue reading Linux’s Traceroute →

IPv6 Crash Course @ SharkFest’22 EUROPE

2022-11-16Conference Talks, IPv6DNS64, IPv6, IPv6 Duplicate Address Detection, IPv6 Global Unicast Address, Legacy IP, NAT64, Router Advertisement, SharkFest, WiresharkJohannes Weber

Fortunately, there was a SharkFest – the “Wireshark Developer and User Conference” – this year in Europe again. I was there and gave an IPv6 Crash Course likewise. Yeah! It’s my favourite topic, you know. 75 minutes full of content, hence the name crash course.

Here are my slides as well as the video recording. If you want a crash course for IPv6, here we go:

Continue reading IPv6 Crash Course @ SharkFest’22 EUROPE →

Why counting IPv6 Addresses is nonsense

2022-11-08IPv6fail, IP Address, IPv4 Thinking, IPv6, Legacy IPJohannes Weber

From time to time I stumble upon Tweets about counting the number of IPv6 addresses (1 2 3). While I think it is ok to do it that way when you’re new to IPv6 and you want to get an idea of it, it does not make sense at all because the mere number of IPv6 addresses is ridiculously high and only theoretically, but has no relevance for the real-world at all. Let me state why:

Continue reading Why counting IPv6 Addresses is nonsense →

Small Servers PCAP

2022-10-27Networkchargen, daytime, discard, echo, netcat, pcap, small servers, Telnet, time, WiresharkJohannes Weber

For some reason, I came across a blog post by Gian Paolo called Small servers. This reminded me of some fairly old network protocols (that no one uses as far as I know) that are not in my Ultimate PCAP yet. Hence I took some minutes, captured them, and took some Wireshark screenshots. They are: echo, discard, daytime, chargen, and time. Mostly via TCP and UDP, and, as you would have expected, IPv6 and legacy IP.

I’m aware that this is not of interest to most of you. :) But for the sake of completeness, and because I love adding new protocols to the Ultimate PCAP, I added them though.

Continue reading Small Servers PCAP →

Zehn Vorteile von IPv6!

2022-08-18Design/Policy, IPv6, Memorandumc't Artikel, IP Address, IPv6, Legacy IP, NAT, Site-to-Site VPN, VorteileJohannes Weber

Das moderne Internetprotokoll IPv6 gilt als so komplex und umständlich, dass manche Administratoren beharrlich beim vertrauten, aber veralteten IPv4 bleiben. Zehn Praxisbeispiele belegen, warum viele Netzwerkanwendungen besser und kostengünstiger auf IPv6 laufen und wie Admins davon profitieren.

Continue reading Zehn Vorteile von IPv6! →

Netzwerkprotokolle: Nachschlagewerk für Wireshark

2022-07-29Memorandum, NetworkBGP, c't Artikel, Coloring Rules, DNS, Dynamic Routing, HTTP, ICMP, IPv6, Legacy IP, Network Protocol, OSPF, Proxy, SLAAC, WiresharkJohannes Weber

Wenn es im Netzwerk knirscht, versuchen Admins den Fehler in Analyse-Tools wie Wireshark anhand von Paketmitschnitten einzukreisen. Jedoch hat der Herr viel mehr Netzwerkprotokolle gegeben, als sich ein Admin-Hirn in allen Details merken kann. Eine Referenzdatei, die zahlreiche korrekte Protokollabläufe enthält, gibt Orientierung.

Continue reading Netzwerkprotokolle: Nachschlagewerk für Wireshark →

Netzwerkmitschnitte mit tshark analysieren

2022-06-30Memorandum, Networkc't Artikel, DNS, FRITZ!Box, HTTP, HTTPS, IPv6, SNI, sort, tshark, uniq, WiresharkJohannes Weber

Haben Sie mal Netzwerkmitschnitte untersucht, ohne zu wissen, was genau Sie suchen? Mit Wireshark wird das leicht zu einer Odyssee: Das Analysewerkzeug filtert zwar fabelhaft, reagiert bei großen Datenmengen aber schnell zäh.

Was bei solchen Problemstellungen hilft ist: tshark! Ein Tool, mit welchem Sie auch große Packet Captures einfach anhand gängiger Kriterien durchforsten können.

Continue reading Netzwerkmitschnitte mit tshark analysieren →

Server-Verfügbarkeit: Monitoring-Werkzeuge

2022-05-25DNS/DNSSEC, Mail, Memorandum, Monitoring, Ping/Traceroutec't Artikel, DNS, DNSDiag, dnsping, HTTP, httping, HTTPS, Layer 4 Traceroute, Man-in-the-Middle, MITM, Ping, SMTP, smtpping, three-way handshake, TracerouteJohannes Weber

Angreifer verwenden gern Ping und Traceroute, um Server im Internet ausfindig zu machen. Das bringt viele Security-Admins in Versuchung, den Ping- und Traceroute-Verkehr mittels ihrer Firewall in ihrem Netz zu unterbinden. Doch damit behindern sie nur die Arbeit von Server-Administratoren, denn es gibt noch viel mehr Möglichkeiten, Server aufzuspüren.

Continue reading Server-Verfügbarkeit: Monitoring-Werkzeuge →

Partial NTP Pool: The leap second that wasn’t

2022-04-19NTPBug, fail, Guest Post, leap second, LeoNTP, NTP, NTP Pool ProjectSteven Sommars

An analysis of some falsified leap second warnings that appeared in November 2021 on public NTP servers out of the NTP Pool Project.

Continue reading Partial NTP Pool: The leap second that wasn’t →

#heiseshow: IPv6 setzt sich langsam durch – die wichtigsten Fragen

2022-04-13Conference Talks, Internet Access, IPv6#heiseshow, FRITZ!Box, IPv6, IPv6 Dynamic Prefix, IPv6 Prefix, ISP, NATJohannes Weber

Ich durfte zu Gast bei der #heiseshow zum Thema IPv6 sein. In Anlehnung an die Artikelserie über IPv6 in der c’t 7/2022, in der auch mein Artikel über die Vorteile von IPv6-Adressen erschienen ist, ging es bei diesem Video-Podcast um gängige Fragen zu IPv6 sowohl im Heimanwender- als auch im Enterprise-Segment. Ne knappe Stunde lief die Schose und ich empfand es als ziemlich kurzweilig. ;)

Continue reading #heiseshow: IPv6 setzt sich langsam durch – die wichtigsten Fragen →

DHCPv6 Relay Issue with Cisco ASA and Ubuntu

2022-02-17Cisco ASA, DHCP, IPv6, LinuxCisco ASA, DHCPv6, Guest Post, IPv6, UbuntuUlrich Hauser

Some months ago, my co-worker and I ran into an interesting issue: a notebook with a newly installed Ubuntu 20.04 does only work with IPv4, but this office network is dual-stacked (IPv4 and IPv6). Other Linux clients as well as Windows and Mac systems still work fine. They all get an IPv4 configuration by DHCPv4 and an IPv6 configuration by stateful DHCPv6 from the same DHCP server, relayed by a Cisco ASA 5500-X. What’s wrong with Ubuntu 20.04?

Continue reading DHCPv6 Relay Issue with Cisco ASA and Ubuntu →

Publishing IPv6 NTP Servers with DHCPv6

2022-01-21DHCP, Fortinet, IPv6, Network, NTPDHCPv6, FortiGate, Fortinet, Guest Post, IPv6, IPv6-only, MikroTik, NTP, RFC, RouterOSUlrich Hauser

During the last weeks, I had an interesting request to publish NTP servers to client systems by using DHCPv6 in an IPv6 only network. Our Fortigate (or me?) had to learn how to publish the information. Hence this post is not only about NTP and IPv6, but a small guide on how to walk through RFCs and how to get out the relevant information. I’m very happy I got the possibility to share my experience here. Thank you, Johannes!

Continue reading Publishing IPv6 NTP Servers with DHCPv6 →

Weberblog.net

IT-Security, Networks, IPv6, VPN, DNSSEC, NTP