Category Archives: IPv6

Well, this is simply IPv6 stuff. Either network and/or security related.

Stateful DHCPv6 Capture (along with Relaying)

2023-05-08DHCP, IPv6DHCP, DHCPv6, Infoblox, Palo Alto Networks, pcap, ProfiShark, Ultimate PCAP, WiresharkJohannes Weber

For my IPv6 training classes, I was missing a capture of a stateful DHCPv6 address assignment. That is: M-flag within the RA, followed by DHCPv6 messages handing out an IPv6 address among others. Therefore, I set up a DHCPv6 server on an Infoblox grid and furthermore used a Palo Alto NGFW as a DHCPv6 relay to it. I captured on two points: from the client’s point of view (getting to the relay) and from the server’s point of view (unicast messages from the relay). And since I was already there anyway, I additionally captured the same process for DHCPv4. So, here we go:

Continue reading Stateful DHCPv6 Capture (along with Relaying) →

Accessing IPv6-only Resources via Legacy IP: NAT46 on a FortiGate

2022-12-07Fortinet, Internet Access, IPv6, NATFortiGate, Fortinet, IPv6, NAT, NAT46, pcap, SIIT, Ultimate PCAP, WiresharkJohannes Weber

In general, Network Address Translation (NAT) solves some problems but should be avoided wherever possible. It has nothing to do with security and is only a short-term solution on the way to IPv6. (Yes, I know, the last 20 years have proven that NAT is used everywhere every time. 😉) This applies to all kinds of NATs for IPv4 (SNAT, DNAT, PAT) as well as for NPTv6 and NAT66.

However, there are two types of NATs that do not only change the network addresses but do a translation between the two Internet Protocols, that is IPv4 <-> IPv6 and vice versa. Let’s focus on NAT46 this time. In which situations is it used and why? Supplemented by a configuration guide for the FortiGates, a downloadable PCAP and Wireshark screenshots.

Continue reading Accessing IPv6-only Resources via Legacy IP: NAT46 on a FortiGate →

IPv6 Crash Course @ SharkFest’22 EUROPE

2022-11-16Conference Talks, IPv6DNS64, IPv6, IPv6 Duplicate Address Detection, IPv6 Global Unicast Address, Legacy IP, NAT64, Router Advertisement, SharkFest, WiresharkJohannes Weber

Fortunately, there was a SharkFest – the “Wireshark Developer and User Conference” – this year in Europe again. I was there and gave an IPv6 Crash Course likewise. Yeah! It’s my favourite topic, you know. 75 minutes full of content, hence the name crash course.

Here are my slides as well as the video recording. If you want a crash course for IPv6, here we go:

Continue reading IPv6 Crash Course @ SharkFest’22 EUROPE →

Why counting IPv6 Addresses is nonsense

2022-11-08IPv6fail, IP Address, IPv4 Thinking, IPv6, Legacy IPJohannes Weber

From time to time I stumble upon Tweets about counting the number of IPv6 addresses (1 2 3). While I think it is ok to do it that way when you’re new to IPv6 and you want to get an idea of it, it does not make sense at all because the mere number of IPv6 addresses is ridiculously high and only theoretically, but has no relevance for the real-world at all. Let me state why:

Continue reading Why counting IPv6 Addresses is nonsense →

Zehn Vorteile von IPv6!

2022-08-18Design/Policy, IPv6, Memorandumc't Artikel, IP Address, IPv6, Legacy IP, NAT, Site-to-Site VPN, VorteileJohannes Weber

Das moderne Internetprotokoll IPv6 gilt als so komplex und umständlich, dass manche Administratoren beharrlich beim vertrauten, aber veralteten IPv4 bleiben. Zehn Praxisbeispiele belegen, warum viele Netzwerkanwendungen besser und kostengünstiger auf IPv6 laufen und wie Admins davon profitieren.

Continue reading Zehn Vorteile von IPv6! →

#heiseshow: IPv6 setzt sich langsam durch – die wichtigsten Fragen

2022-04-13Conference Talks, Internet Access, IPv6#heiseshow, FRITZ!Box, IPv6, IPv6 Dynamic Prefix, IPv6 Prefix, ISP, NATJohannes Weber

Ich durfte zu Gast bei der #heiseshow zum Thema IPv6 sein. In Anlehnung an die Artikelserie über IPv6 in der c’t 7/2022, in der auch mein Artikel über die Vorteile von IPv6-Adressen erschienen ist, ging es bei diesem Video-Podcast um gängige Fragen zu IPv6 sowohl im Heimanwender- als auch im Enterprise-Segment. Ne knappe Stunde lief die Schose und ich empfand es als ziemlich kurzweilig. ;)

Continue reading #heiseshow: IPv6 setzt sich langsam durch – die wichtigsten Fragen →

DHCPv6 Relay Issue with Cisco ASA and Ubuntu

2022-02-17Cisco ASA, DHCP, IPv6, LinuxCisco ASA, DHCPv6, Guest Post, IPv6, UbuntuUlrich Hauser

Some months ago, my co-worker and I ran into an interesting issue: a notebook with a newly installed Ubuntu 20.04 does only work with IPv4, but this office network is dual-stacked (IPv4 and IPv6). Other Linux clients as well as Windows and Mac systems still work fine. They all get an IPv4 configuration by DHCPv4 and an IPv6 configuration by stateful DHCPv6 from the same DHCP server, relayed by a Cisco ASA 5500-X. What’s wrong with Ubuntu 20.04?

Continue reading DHCPv6 Relay Issue with Cisco ASA and Ubuntu →

Publishing IPv6 NTP Servers with DHCPv6

2022-01-21DHCP, Fortinet, IPv6, Network, NTPDHCPv6, FortiGate, Fortinet, Guest Post, IPv6, IPv6-only, MikroTik, NTP, RFC, RouterOSUlrich Hauser

During the last weeks, I had an interesting request to publish NTP servers to client systems by using DHCPv6 in an IPv6 only network. Our Fortigate (or me?) had to learn how to publish the information. Hence this post is not only about NTP and IPv6, but a small guide on how to walk through RFCs and how to get out the relevant information. I’m very happy I got the possibility to share my experience here. Thank you, Johannes!

Continue reading Publishing IPv6 NTP Servers with DHCPv6 →

Services listening on IPv6 and IPv4 (or maybe not?)

2021-05-25IPv6, NetworkIPv6, Legacy IP, Linux, netstat, ss, syslog-ng, TCP, UDPJohannes Weber

The other day I wanted to verify whether a service running on my Linux server was listening on IPv6 as well as IPv4. It turned out that it wasn’t that easy to answer – if at all.

Continue reading Services listening on IPv6 and IPv4 (or maybe not?) →

UK IPv6 Council Spring 2020: Incorrect Working IPv6 Clients & Networks

2020-04-29Conference Talks, IPv6, NTPfail, ICMPv6, IPv6, NTP, NTP Pool Project, StatisticsJohannes Weber

I did a short presentation at the spring 2020 roundtable of the UK IPv6 Council. The talk was about a case study I did with my NTP server listed in the NTP Pool project: For 66 days I captured all NTP requests for IPv6 and legacy IP while analyzing the returning ICMPv6/ICMPv4 error messages. (A much longer period than my initial capture for 24 hours.) Following are my presentation slides along with the results.

Continue reading UK IPv6 Council Spring 2020: Incorrect Working IPv6 Clients & Networks →

SharkFest’19 EUROPE: IPv6 Crash Course

2020-04-14Conference Talks, IPv6DAD, IPv6, IPv6 Duplicate Address Detection, IPv6 Neighbor Discovery, Router Advertisement, SharkFest, WiresharkJohannes Weber

I gave a session about IPv6 at SharkFest’19 EUROPE, the annual Wireshark developer and user community conference, named “IPv6 Crash Course: Understanding IPv6 as seen on the wire“. The talk is about the IPv6 basics, which are: IPv6 addresses & address assignment, link-layer address resolution, and ICMPv6. Tips for using Wireshark coloring rules and display filters round things up.

As I have not yet published the slides, here they are. Unfortunately, we were not able to record the session due to technical problems. Neither the video nor the audio. ;( Hence, here are only mere slides.

Continue reading SharkFest’19 EUROPE: IPv6 Crash Course →

I Love IPv6 Addressing!

2019-11-25At a Glance, IPv6Advantages, IP Address, IPv6, Legacy IPJohannes Weber

Probably the biggest prejudice when it comes to IPv6 is: “I don’t like those long addresses – they are hard to remember.” While this seems to be obvious due to the length and hexadecimal presentation of v6 addresses, it is NOT true. In the end, you’ll love IPv6 addresses in your own networks. This is why – summed up in one poster:

Continue reading I Love IPv6 Addressing! →

Incorrect Working IPv6 NTP Clients/Networks

2019-10-23IPv6, NTPfail, ICMPv6, IPv6, NTP, NTP Pool Project, pcap, ProfiShark, Profitap, tshark, WiresharkJohannes Weber

During my analysis of NTP and its traffic to my NTP servers listed in the NTP Pool Project I discovered many ICMP error messages coming back to my servers such as port unreachables, address unreachables, time exceeded or administratively prohibited. Strange. In summary, more than 3 % of IPv6-enabled NTP clients failed in getting answers from my servers. Let’s have a closer look:

Continue reading Incorrect Working IPv6 NTP Clients/Networks →

6in4 Traffic Capture

2019-07-22IPv66in4, Challenge, Follow TCP Stream, Hurricane Electric, IPv6, pcap, Tunnel Broker, WiresharkJohannes Weber

Since my last blogposts covered many 6in4 IPv6 tunnel setups (1, 2, 3) I took a packet capture of some tunneled IPv6 sessions to get an idea how these packets look like on the wire. Feel free to download this small pcap and to have a look at it by yourself.

A couple of spontaneous challenges from the pcap round things up. ;)

Continue reading 6in4 Traffic Capture →

Juniper ScreenOS with a 6in4 Tunnel

2019-07-20IPv6, Juniper Networks6in4, Hurricane Electric, IPv6, Juniper ScreenOS, Juniper SSG, Tunnel BrokerJohannes Weber

Yes, I know I know, the Juniper ScreenOS devices are Out-of-Everything (OoE), but I am still using them for a couple of labs. They simply work as a router and VPN gateway as well as a port-based firewall. Perfect for labs.

For some reasons I had another lab without native IPv6 Internet. Hence I used the IPv6 Tunnel Broker one more time. Quite easy with the SSGs, since HE offers a sample config. But even through the GUI it’s just a few steps:

Continue reading Juniper ScreenOS with a 6in4 Tunnel →

Weberblog.net

IT-Security, Networks, IPv6, VPN, DNSSEC, NTP