Tag Archives: Router Advertisement

Basic IPv6 Messages (v2): Wireshark Captures

2026-04-23IPv6, MemorandumColoring Rules, DHCPv6, Dual-Stack, IPv6, IPv6 Duplicate Address Detection, Neighbor Discovery, pcap, ProfiShark, Router Advertisement, Windows, WiresharkJohannes Weber

In my IPv6 classes, I always teach the basic IPv6 messages as seen on the wire. There’s so much new stuff, such as Router Advertisements, Duplicate Address Detections, Neighbour Solicitations, and so on. Therefore, I’m using a rather simple packet capture showing the starting process of a client getting its addresses.

For the last 10 years, I used this capture, which I took on a Knoppix Linux along with a German Speedport router, in which SLAAC was used for getting the addresses. However, it turned out that in enterprise-grade networks, stateful DHCPv6 is used more commonly. Hence, I did it again and captured the very first IPv6 messages as seen on an IPv6 node, but this time on a Windows 11 PC and a Debian 13, along with stateful DHCPv6.

Continue reading Basic IPv6 Messages (v2): Wireshark Captures →

DHCPv6 Prefix Delegation on a FortiGate Firewall

2025-02-13DHCP/DHCPv6, Fortinet, IPv6Bug, DHCPv6-PD, FortiGate, Fortinet, IPv6, IPv6 Dynamic Prefix, Router Advertisement, WiresharkJohannes Weber

I got DHCPv6-PD aka prefix delegation up and running on a FortiGate. Yes! ✅ Configuring it is tricky since it’s not always clear which options to use. You cannot see everything in the GUI (it even changes depending on other options made later on or selects hidden and wrong default values), hence, you must set specific options via the CLI. I navigated around some bugs and finally got it running. Here we go:

Continue reading DHCPv6 Prefix Delegation on a FortiGate Firewall →

DHCPv6 Prefix Delegation on Palo Alto’s NGFW

2024-03-15DHCP/DHCPv6, IPv6, Palo Alto NetworksDHCPv6-PD, IPv6, IPv6 Dynamic Prefix, Palo Alto Networks, Router Advertisement, WiresharkJohannes Weber

Finally! With PAN-OS 11.0 a long missing IPv6 feature was introduced: DHCPv6-PD aka prefix delegation. For the first time, we can now operate a PAN-OS firewall directly on the Internet (the IPv6-Internet that is) on many kinds of ISP connections. Remember: To get a routed IPv6 prefix requires DHCPv6-PD (if you’re not a BGP-homed enterprise). Hence, without that feature, we could not connect to the Internet with a Palo directly.

With DHCPv6-PD, the firewall can receive a prefix from the ISP (commonly a /48 or a /56), while handing out /64s to downstream layer 3 interfaces. Here we go:

Continue reading DHCPv6 Prefix Delegation on Palo Alto’s NGFW →

Palo Alto NGFW: Handling of IPv6 on the Interface

2023-06-20IPv6, Palo Alto NetworksEUI-64, IPv6, IPv6 Interface Identifier, IPv6 Prefix, Link-Local Address, Palo Alto Networks, Router AdvertisementJohannes Weber

For the last few years, I have been confused about Palo Alto NGFWs’ various options for configuring an IPv6 address on a layer 3 interface. Let’s have a look at some details:

Continue reading Palo Alto NGFW: Handling of IPv6 on the Interface →

IPv6 Crash Course @ SharkFest’22 EUROPE

2022-11-16Conference Talks, IPv6DNS64, IPv6, IPv6 Duplicate Address Detection, IPv6 Global Unicast Address, Legacy IP, NAT64, Router Advertisement, SharkFest, WiresharkJohannes Weber

Fortunately, there was a SharkFest – the “Wireshark Developer and User Conference” – this year in Europe again. I was there and gave an IPv6 Crash Course likewise. Yeah! It’s my favourite topic, you know. 75 minutes full of content, hence the name crash course.

Here are my slides as well as the video recording. If you want a crash course for IPv6, here we go:

Continue reading IPv6 Crash Course @ SharkFest’22 EUROPE →

SharkFest’19 EUROPE: IPv6 Crash Course

2020-04-14Conference Talks, IPv6DAD, IPv6, IPv6 Duplicate Address Detection, IPv6 Neighbor Discovery, Router Advertisement, SharkFest, WiresharkJohannes Weber

I gave a session about IPv6 at SharkFest’19 EUROPE, the annual Wireshark developer and user community conference, named “IPv6 Crash Course: Understanding IPv6 as seen on the wire“. The talk is about the IPv6 basics, which are: IPv6 addresses & address assignment, link-layer address resolution, and ICMPv6. Tips for using Wireshark coloring rules and display filters round things up.

As I have not yet published the slides, here they are. Unfortunately, we were not able to record the session due to technical problems. Neither the video nor the audio. ;( Hence, here are only mere slides.

Continue reading SharkFest’19 EUROPE: IPv6 Crash Course →

More Capture Details

2020-03-11NetworkDDNS, DHCPv6-PD, DNS, DNS Suffix Search List, DNSSL, Dynamic DNS, Follow TCP Stream, GRE, GSS-TSIG, IPv6, Kerberos, NetFlow, nsupdate, RDNSS, Router Advertisement, Telnet, Ultimate PCAP, WiresharkJohannes Weber

In the previous post, I released my Ultimate PCAP which includes every single pcap I had so far on my blog. But that’s not all: I have some packets in there that were not yet published up to now. That is, here are some more details about those (probably well-known) protocols. These are:

Continue reading More Capture Details →

Trying to change an IPv6 Link-Local Address on a FortiGate

2018-11-30Fortinet, IPv6EUI-64, fail, FortiGate, Fortinet, IPv6, IPv6 Interface Identifier, Link-Local Address, Palo Alto Networks, Router Advertisement, WiresharkJohannes Weber

I got an email where someone asked whether I know how to change the link-local IPv6 addresses on a FortiGate similar to any other network/firewall devices. He could not find anything about this on the Fortinet documentation nor on Google.

Well, I could not find anything either. What’s up? It’s not new to me that you cannot really configure IPv6 on the FortiGate GUI, but even on the CLI I couldn’t find anything about changing this link-local IPv6 address from the default EUI-64 based one to a manually assigned one. Hence I opened a ticket at Fortinet. It turned out that you cannot *change* this address at all, but that you must *add* another LL address which will be used for the router advertisements (RA) after a reboot (!) of the firewall. Stupid design!

Continue reading Trying to change an IPv6 Link-Local Address on a FortiGate →

SharkFest’18 Europe: Crash Course: IPv6 and Network Protocols

2018-11-21Conference Talks, IPv6, Routing, SwitchingIPv6, IPv6 Duplicate Address Detection, IPv6 Prefix, Network Protocol, Router Advertisement, SharkFest, Switch, WiresharkJohannes Weber

I did a session at SharkFest’18 Europe in Vienna with the title of “Crash Course: IPv6 and Network Protocols“. Since the presentation slides + audio were recorded you can listen to the talk, too. Here are some notes about the motivation for this session as well as feedback from the attendees.

Continue reading SharkFest’18 Europe: Crash Course: IPv6 and Network Protocols →

PAN NGFW IPv6 NDP RA RDNSS & DNSSL

2017-08-23DNS/DNSSEC, IPv6, Palo Alto NetworksDNS, DNS Suffix Search List, DNSSL, IPv6, Palo Alto Networks, RDNSS, rdnssd, Router Advertisement, Ubuntu, Windows, WiresharkJohannes Weber

Haha, do you like acronyms as much as I do? This article is about the feature from Palo Alto Networks’ Next-Generation Firewall for Internet Protocol version 6 Neighbor Discovery Protocol Router Advertisements with Recursive Domain Name System Server and Domain Name System Search List options. ;) I am showing how to use it and how Windows and Linux react to it.

Continue reading PAN NGFW IPv6 NDP RA RDNSS & DNSSL →

Juniper ScreenOS: DHCPv6 Prefix Delegation

2015-10-05DHCP/DHCPv6, IPv6, Juniper Networks, Routing, Tutorial/HowtoCPE, DHCPv6, IPv6, IPv6 Dynamic Prefix, ISP, Juniper ScreenOS, Juniper SSG, Prefix Delegation, Router AdvertisementJohannes Weber

The Juniper ScreenOS firewall is one of the seldom firewalls that implements DHCPv6 Prefix Delegation (DHCPv6-PD). It therefore fits for testing my dual stack ISP connection from Deutsche Telekom, Germany. (Refer to this post for details about this dual stack procedure.)

It was *really* hard to get the correct configuration in place. I was not able to do this by myself at all. Also Google did not help that much. Finally, I opened a case by Juniper to help me finding the configuration error. After four weeks of the opened case, I was told which command was wrong. Now it’s working. ;) Here we go.

Continue reading Juniper ScreenOS: DHCPv6 Prefix Delegation →

Basic IPv6 Messages: Wireshark Capture

2015-05-13IPv6, Linux, MemorandumDHCPv6, Dual-Stack, IPv6, IPv6 Neighbor Discovery, ISP, Knoppix, pcap, Router Advertisement, SLAAC, Speedport, WiresharkJohannes Weber

When explaining IPv6 I am always showing a few Wireshark screenshots to give a feeling on how IPv6 looks like. Basically, the stateless autoconfiguration feature (SLAAC), DHCPv6, Neighbor Discovery, and a simple ping should be seen/understood by any network administrator before using the new protocol.

Therefore I captured the basic IPv6 autoconfiguration with a Knoppix Linux behind a Telekom Speedport router (German ISP, dual-stack) and publish this capture file here. I am using this capture to explain the basic IPv6 features.

Continue reading Basic IPv6 Messages: Wireshark Capture →

Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo

2015-04-21Cisco ASA, Fortinet, IPv6, Juniper Networks, Palo Alto NetworksAdministration, Cisco ASA, DHCPv6, FortiGate, Fortinet, IPv6, Juniper ScreenOS, Juniper SSG, Palo Alto Networks, Policy, Router Advertisement, SLAACJohannes Weber

Since IPv6 gets more and more important, I am using it by default on all my test firewalls, which of course support IPv6. However, when comparing the different functions and administration capabilities, they vary significantly.

Here comes my short evaluation of the IPv6 functions on the following four firewalls: Cisco ASA, Fortinet FortiGate, Juniper SSG, and Palo Alto.

Continue reading Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo →

IPv6 Security Master Thesis

2013-05-06IPv6, SecurityCisco ASA, DoS, Firewall, IPv6, IPv6 Security, Juniper ScreenOS, Juniper SSG, Man-in-the-Middle, Neighbor Discovery, Palo Alto Networks, Router Advertisement, THC-IPv6Johannes Weber

Hello world,

with this post I want to publish my own master thesis which I finished in February 2013 about the topic “IPv6 Security Test Laboratory”. (I studied the Master of IT-Security at the Ruhr-Uni Bochum.) I explained many IPv6 security issues in detail and tested three firewalls (Cisco ASA, Juniper SSG, Palo Alto PA) against all these IPv6 security attacks.

[UPDATE]Before reading the huge master thesis, this overview of IPv6 Security may be a good starting point for IPv6 security issues.[/UPDATE]

Continue reading IPv6 Security Master Thesis →

Weberblog.net

IT-Security, Networks, IPv6, VPN, DNSSEC, NTP