1. IPv6 structure, addressing, unicast (link local, site local, global), multicast
In this lecture we will go through a quick overview of IPv6 to make sure we understand the concepts needed for setting up the firewall. In IPv4 we had 32-bit addresses of type unicast and multicast, and within unicast there were public (routable) and private ranges. In IPv6 the address space expands from 32 bits to 128 bits, and the 128 bits are split into eight 16-bit groups. Because each group is 16 bits, it is written in hex, so an address looks like one that starts with 2001, for example. There are two simplifications when writing IPv6 addresses. If you have consecutive 16-bit groups of zeros, you replace them with a double colon (::), which may appear only once in an address; so in this case I substitute all the zeros with :: and finish the address. You can also remove leading zeros within a group, so if my address looks like this, I can simplify it by dropping the leading zeros. IPv6 supports multicast and anycast addresses as well as various types of unicast. For unicast you have link-local addresses.
Link-local is the same segment. Then there is the site-local address, which you assign within your business environment, similar to a private IP range, and the global unicast address, which is publicly reachable. So, in order: link-local is only the local segment; site-local is for your own environment; and global unicast is publicly routable. Global unicast is identified by its first bits: the first three bits are 001, so the first hex digit is always 2 or 3 (the 2000::/3 range). IANA assigns blocks out of this range, and I think it is still assigning in all of those ranges. So when an address begins with 20, 26 and so on, it is a globally routable IP address. The site-local address, also called unique local, is unique to your environment; it is the private range, and the RFC that replaced site-local specifies that the address begins with FD. You can assign as many unique local addresses as you want, but they have to be translated to a public global address when traffic leaves your network.
Then you have the link-local address. Link-local is only for use on the local segment, and it begins with FE80. So, to repeat: FE80 is your link-local, and its sole purpose is to let hosts communicate on the same segment; FD addresses are the site-local, or unique local, private range; and 2000::/3 is the global unicast range. Another concept we have to be familiar with is EUI-64. EUI-64 is a method for automatically generating the host portion of the address. An IPv6 address is composed of two parts: the first 64 bits are the network and the second 64 bits are the host. Since you have such a huge number of host addresses to assign, EUI-64 was created to assign the host bits automatically, and it does that by looking at the MAC address of the device, which is 48 bits.
A MAC address is 24 bits plus 24 bits, written in hex, for example 00:11:22:33:44:55. The first portion identifies the manufacturer of the network card and the second portion is the serial number of the device. EUI-64 takes that MAC, and because it is only 48 bits and it needs 64, it splits it in half and inserts FFFE in the middle. So when a host boots up, the first thing it does is look at its link and try to obtain a link-local address. It does this by taking the MAC address, splitting it down the middle and inserting FFFE, so the host portion becomes the first 24 bits of the MAC, then FFFE, then the last 24 bits of the MAC. That is the EUI-64 operation: a way of automatically assigning an address on the segment to that device. In addition, EUI-64 flips the seventh bit of the first octet of the MAC address. The first octet is eight bits, 1 through 8, and bit 7 is complemented: if it is 0 it becomes 1, and if it is 1 it becomes 0. So in our case the link-local address will be FE80, followed by 48 bits of zeros, and then 0211:22FF:FE33:4455.
That would be the link-local address of that device. Other addresses we need to be familiar with: :: denotes the unspecified address, ::/0 denotes the default route, and ::1 is the loopback address. Now let's talk about multicast. A multicast address always begins with FF0X, where X is the scope, followed by the group. X = 1 is interface-local, meaning specific to the host itself. X = 2 is link-local: when you send to a link-local multicast address, all the hosts on the same segment see it. X = 5 is site-local, covering your whole site, and X = E is global. So if you have an FF0E address, it was assigned by IANA and is globally unique, assigned to a vendor or a specific application.
Link-local multicast addresses are used for a lot of functionality in IPv6: FF02::1 is all nodes, FF02::2 is all routers, and FF02::5 is an example used by OSPF. The IPv6 header looks like this: you have the version number, which is half a byte; the traffic class, which is the QoS marking of that packet; the flow label, which is 20 bits; the payload length, which is 16 bits (so up to 65,535 bytes) and indicates how many bytes follow the header; the next header; and the hop limit. The next header field tells the protocol stack what the next header in line is. Is it one of the upper-layer protocols (TCP, UDP, ICMPv6), or an extension header such as hop-by-hop options (0), destination options (60), routing (43), fragmentation (44), authentication header (51), ESP (50), or the mobility header (135) used by mobile IPv6? If 59 is used, that means there is no next header.
Typically you will have one of two cases: if the packet is fragmented you will see type 44, and if not, the next header points directly to the protocol, TCP, UDP or ICMPv6. What is the flow label? A flow label is used to pin the packet to a specific path. It is not the point of our conversation, but it is good to understand what it means. So the IPv6 packet header is 40 bytes long, and what typically happens is that the fixed header is followed by whatever the next header field points to. Is it TCP, UDP or ICMPv6, or is it an option? If it is one of those extension headers, that header in turn has its own next header field, which points to TCP, UDP, an upper-layer protocol such as OSPF, and so on. So the packet is parsed from the first header: the next header field is looked at, the header it points to is examined to determine what comes next, and so on until the packet's payload is reached.
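As an added example (not from the lecture), here is the next-header walk described above in code: it decodes the 40-byte fixed header, then follows the chain through the extension header types listed above until it reaches the upper-layer protocol, 59 (no next header) or ESP. The packet it parses is constructed inline (IPv6 + hop-by-hop + fragment + ICMPv6 echo, checksums left at zero).

```python
import ipaddress
import struct

# Next Header values named in the lecture (IANA protocol numbers).
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT = 0, 6, 17, 43, 44
ESP, AH, ICMPV6, NO_NEXT_HEADER, DEST_OPTS, MOBILITY = 50, 51, 58, 59, 60, 135

UPPER_LAYER = {TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6"}
EXTENSION = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
             AH: "AH", ESP: "ESP", DEST_OPTS: "destination options",
             MOBILITY: "mobility"}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-byte fixed IPv6 header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = vtf >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return {
        "version": version,
        "traffic_class": (vtf >> 20) & 0xFF,   # the QoS marking
        "flow_label": vtf & 0xFFFFF,          # 20 bits
        "payload_length": payload_len,        # bytes after the fixed header
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_header_chain(pkt: bytes) -> dict:
    """Follow Next Header from the fixed header through the extension headers
    until the upper-layer protocol is found, the way a firewall must before it
    can apply a TCP/UDP/ICMPv6 rule. Returns the chain and the payload offset."""
    hdr = parse_fixed_header(pkt)
    nh, off = hdr["next_header"], 40
    end = min(len(pkt), 40 + hdr["payload_length"])
    chain = []
    while nh in EXTENSION:
        chain.append(EXTENSION[nh])
        if nh == ESP:
            # ESP encrypts everything after it; the chain cannot be followed further.
            return {"chain": chain, "upper": "ESP", "payload_offset": off}
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            size = 8                     # fragment header is always 8 octets
        elif nh == AH:
            size = (ext_len + 2) * 4     # AH length is in 32-bit words, minus 2
        else:
            size = (ext_len + 1) * 8     # 8-octet units, not counting the first 8
        off += size
        if off > end:
            raise ValueError("extension header runs past the payload length")
        nh = next_nh
    if nh == NO_NEXT_HEADER:
        upper = "none"                    # 59: nothing follows
    else:
        upper = UPPER_LAYER.get(nh, f"protocol {nh}")
    return {"chain": chain, "upper": upper, "payload_offset": off}


def build_sample_packet(first_next_header: int = HOP_BY_HOP) -> bytes:
    """Constructed packet: IPv6 + hop-by-hop + fragment + ICMPv6 echo request
    (checksums are left at zero; this is for parsing, not for sending)."""
    hop_by_hop = bytes([FRAGMENT, 0]) + b"\x01\x04\x00\x00\x00\x00"   # next=44, PadN option
    fragment = bytes([ICMPV6, 0]) + b"\x00\x00" + b"\x00\x00\x00\x01"  # next=58, offset 0, id 1
    icmpv6 = bytes([128, 0]) + b"\x00\x00" + b"\x00\x01\x00\x01"       # type 128 echo request
    payload = hop_by_hop + fragment + icmpv6
    src = ipaddress.IPv6Address("fe80::211:22ff:fe33:4455").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_next_header, 64) + src + dst
    return fixed + payload
```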
2. IPv6 neighbor discovery, ICMPv6, DHCPv6
In IPv4, ARP is used to identify the MAC address of the destination device. If you have two hosts on the same network, A and B, and they want to communicate with each other, they know the destination IP address but not the destination MAC address. In order to encapsulate the IP packet in a layer-2 frame, the sending device needs to know the destination MAC, and the way it resolves it is by sending a broadcast frame to the MAC address of all FFs, asking who has IP address B. If the host is on the same network and is alive, it responds with its own MAC address.
In the response it says, "I have this address," and the source MAC is its own MAC. Since host A received the packet from a device claiming to have that IP address, it uses the source MAC address of that reply as the destination MAC address of the layer-2 frame. That is how resolution works in IPv4: if the hosts are on the same network and want to talk to each other, they resolve the MAC address using ARP; if the destination host is not on the same network, the host needs to identify the default gateway's MAC address so it can encapsulate the packet and send it to the router, and the router takes it to the destination. So ARP is a key function in IPv4. In IPv6, ICMPv6 is used for that purpose, and ICMPv6 is protocol 58. As discussed in the previous lecture, when ICMPv6 is encapsulated in an IPv6 packet, the next header is 58, indicating that the payload is ICMPv6. ICMPv6 has different types of messages: types 0 through 127 are error messages such as destination unreachable, host unreachable, port unreachable, and the other error messages we know from IPv4.
Message types 128 to 255 are informational messages, and the informational messages are used to carry out the function that ARP performed in IPv4. Two types of messages are used for that purpose. There is the neighbor solicitation message, type 135, which is a packet sent by an IPv6 host to verify reachability of another IPv6 host. If that host is reachable, it sends back a neighbor advertisement, ICMPv6 type 136. So neighbor solicitation and neighbor advertisement are used to validate host reachability and to perform a function known as duplicate address detection. When an IPv6 host boots up, a few things happen. The first thing the host does is determine its own link-local address using the method we talked about in the previous lecture. But before it starts sending packets with that address, it wants to verify that nobody else is using it, so it performs duplicate address detection. Before we talk about how duplicate address detection works, we need to talk about multicast, which is a key function of IPv6.
All nodes is FF02::1. In addition, each host joins a multicast group called the solicited-node multicast group; it becomes a member of that group, and this is basically a multicast address for its own node. The way it works is that if the node's link-local address is, say, this address, it joins a solicited-node multicast address composed as follows: FF02::1:FF00:0/104 is the first 104 bits, followed by the last three octets (24 bits) of the MAC address, or equivalently of the link-local address, which are these three octets. So for a MAC ending in 67:88:99 it is FF02::1:FF67:8899.
So the node joins its own multicast group, intended for itself only; that is the solicited-node multicast group. The node determines its own IPv6 link-local address and joins its own solicited-node multicast group. Now it wants to make sure that nobody else is using that address, so it sends a duplicate address detection message. For duplicate address detection we have layer 2, followed by layer 3, which is ICMPv6. At layer 2 it uses its own physical MAC address as the source, and the destination MAC address is the MAC address of the multicast group it belongs to: the IPv6 multicast MAC prefix followed by the last three octets of the MAC address, so in our example 33:33:FF:67:88:99. This frame reaches anyone listening on the same solicited-node group, and it carries the layer-3 destination of that group.
At layer 3, in ICMPv6, it is a neighbor solicitation. So it sends an ICMPv6 neighbor solicitation with, at layer 2, its physical MAC as the source and the solicited-node multicast group's MAC as the destination. In the layer-3 portion, the IPv6 source is the unspecified address (::), which we talked about last time, and the IPv6 destination is the solicited-node multicast address. This is duplicate address detection: if there is another device using this address, it will respond, and if it does, this device cannot use this IPv6 address. This is where the solicited-node multicast group comes into play: each node joins the network with its own IPv6 link-local address and its own solicited-node multicast address, and this is another function the host uses to detect duplicate addresses.
We discussed neighbor solicitation, message 135, and neighbor advertisement, message 136; the neighbor advertisement is the reply. Duplicate address detection is another use of them: it finds out whether the link-local address is already in use or not. Then there is the solicited-node multicast address, which is the multicast group the node joins in order to receive traffic for itself and to validate that nobody else is using its address. It is composed of FF02::1:FF00:0/104 followed by the last three octets of the MAC address. So those are neighbor solicitation and neighbor advertisement, the key messages used to identify the neighbors on the network. Let's see this in action. Here I have a Windows 8 machine behind the Palo Alto firewall that is configured for IPv6, and we will use a capture to look at neighbor solicitation and neighbor advertisement to get an idea.
We are going to look at duplicate address detection, neighbor solicitation and neighbor advertisement. So we capture on the interface with a filter on ICMPv6, and here is the device coming up. This is the first message it sends, to do duplicate address detection. It determines its own IPv6 link-local address and sends the duplicate address detection message with a layer-2 source of its own MAC address and a layer-2 destination of 33:33:FF followed by the last three bytes of its own MAC address, which are also the last three bytes of its link-local address. It is an ICMPv6 message inside IPv6. The IPv6 source is the unspecified address, because it is not going to use that IPv6 address until it determines that nobody else is using it. The destination is the solicited-node multicast address, FF02::1:FF followed by the last three bytes of the link-local address. This is message type 135. It sends that out, and if it does not receive any response, it starts using the address and proceeds to the next step, router solicitation, which we will talk about in the next lecture.
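To tie the EUI-64 derivation from the previous lecture to the solicited-node group and the DAD frame from this one, here is an added example (not from the lecture) that computes each step from a MAC address; the MAC 00:11:22:33:44:55 is the constructed value used in the lecture's walk-through, and str() of the results shows the compressed notation.

```python
import ipaddress

# Constructed sample MAC, the one spoken in the lecture's EUI-64 walk-through.
SAMPLE_MAC = "00:11:22:33:44:55"


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC: split the MAC in the
    middle, insert FF:FE, and flip bit 7 (the universal/local bit, 0x02)
    of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    first = octets[0] ^ 0x02                      # complement the U/L bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """/64 prefix + EUI-64 interface ID. With fe80::/64 this is the link-local
    address a host derives at boot; with an advertised prefix it is the SLAAC address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    return address_from_prefix("fe80::/64", mac)


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(base + low24)


def multicast_mac(group) -> str:
    """Layer-2 destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    low32 = ipaddress.IPv6Address(group).packed[-4:]
    return ":".join(f"{b:02x}" for b in b"\x33\x33" + low32)


def dad_solicitation(mac: str) -> dict:
    """The first Neighbor Solicitation (duplicate address detection) a host sends,
    built from the rules above, as seen in the capture."""
    target = link_local_from_mac(mac)
    group = solicited_node_multicast(target)
    return {
        "l2_src": mac.lower(),
        "l2_dst": multicast_mac(group),
        "ip_src": "::",                  # unspecified: the address is not usable yet
        "ip_dst": str(group),
        "icmpv6_type": 135,              # Neighbor Solicitation
        "target": str(target),
    }
```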
3. IPv6 stateless and stateful DHCP, M flag and O flag concepts
In this lecture we will talk about the difference between IPv4 and IPv6 in how hosts get their IP addresses. In IPv4 there are two ways to assign an IP address: a manual, static IP, or DHCP. IPv6 can function without a DHCP server, because IPv6 relies on router solicitation and router advertisement. In IPv6, the router on the network sends router advertisement messages, which the hosts use to learn their router's address and to build their own IP address as well. When an IPv6 host boots up, it assigns itself an IPv6 link-local address, performs duplicate address detection, and then sends a router solicitation message.
The router solicitation message is sent to the all-routers multicast address FF02::2, which every router listens to. It is ICMPv6 message type 133. The router on the network that is configured to do router advertisement then sends a router advertisement message, with the router's link-local address as the source. This message reaches the host, and it includes the IPv6 prefixes; there could be multiple prefixes that the host can use to get to the outside of the network. For example, here is an IPv6 host and here is a router. The router is configured to advertise the IPv6 prefix 2000::/64.
It sends this in a router advertisement. The IPv6 host boots up, builds its EUI-64 link-local address, performs duplicate address detection, and then sends a router solicitation. The router listens to that and responds with a router advertisement. This router advertisement carries the IPv6 prefix 2000::/64, which tells the host, "All right, you can use an IPv6 address with this prefix." The host appends its EUI-64 interface ID to obtain an IPv6 address on this network. But before it starts using it, it needs to do duplicate address detection one more time, and if nobody responds, it starts using this address. So technically you do not need any DHCP server, and this is why it is called stateless address autoconfiguration, or SLAAC. Simply by having a router on the network that is configured to send router advertisements, the host obtains the IPv6 prefixes, assigns itself an IPv6 address in that range, and begins using the network. However, there is a caveat: what about DNS? How does the host choose a DNS server? Pretty much everything relies on DNS, so the router advertisement includes a flag called O, for other information.
If this flag is set to 1, it tells the host, "Hey, you can use the IPv6 prefix, but send a DHCPv6 request to get other information." The host gets the router advertisement with the prefix and assigns itself an IPv6 address in that range; then it starts looking for a DHCPv6 server, and the DHCPv6 server responds with the DNS and domain information. The O flag has to be set to 1 for the host to do that. Another option is to configure the host directly with a DNS server and domain name: the host is assigned an IPv6 prefix, and the machine is already set up with a DNS server and a domain name, so it knows how to function once it has done the SLAAC stateless address configuration. So far we have discussed SLAAC with the O flag equal to 1, which is what is known as stateless DHCPv6. Why stateless? Because the DHCPv6 server is not keeping any information about the host.
All it does is hand out the DNS information. You can also have the router send the managed flag, M, and if the managed flag is 1, it tells the host, "Hey, do not use SLAAC; find a DHCPv6 server to get your IP address information." So the host sends a DHCPv6 request, and the DHCPv6 server responds with the address. In this manner you ensure that each host always gets the same IPv6 address. This is called stateful DHCPv6. You have the M flag set to 1, and you should also have the O flag set to 1, because the host will obtain the DNS information from the server. If you set the managed flag to 0, the host uses stateless address autoconfiguration; with O equal to 1 it obtains the DNS server and domain information from the DHCPv6 server. M equals 0 and O equals 0 if the host is going to get its address using SLAAC and is statically configured with a DNS server and a domain name.
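As an added example (not from the lecture), the M/O decision above applied to a real router advertisement: the parser reads the RA flags and the prefix information option, and host_address_plan returns which of the three modes the host ends up in. The RA it parses is constructed inline to look like the one the lab firewall's inside interface sends (prefix fd05::/64, a constructed router MAC, checksum left at zero).

```python
import ipaddress
import struct

RA_TYPE = 134                                  # ICMPv6 Router Advertisement
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5
FLAG_M, FLAG_O = 0x80, 0x40                    # Managed / Other flags in the RA
PFX_ONLINK, PFX_AUTONOMOUS = 0x80, 0x40        # L / A flags in the prefix option


def parse_router_advertisement(msg: bytes) -> dict:
    """Parse an ICMPv6 RA (from the type byte onward) into its flags and options."""
    if len(msg) < 16 or msg[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, router_lifetime = struct.unpack("!BBH", msg[4:8])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & FLAG_M),
          "other": bool(flags & FLAG_O), "router_lifetime": router_lifetime,
          "prefixes": [], "source_mac": None, "mtu": None}
    off = 16
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # must be discarded
        size = opt_len * 8
        if off + size > len(msg):
            raise ValueError("truncated ND option")
        body = msg[off + 2: off + size]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            addr = ipaddress.IPv6Address(body[14:30])
            net = ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(pflags & PFX_ONLINK),
                                   "autonomous": bool(pflags & PFX_AUTONOMOUS),
                                   "valid": valid, "preferred": preferred})
        elif opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        off += size
    return ra


def host_address_plan(ra: dict) -> dict:
    """What a host does with the RA, following the M/O rules from the lecture."""
    slaac = [p["prefix"] for p in ra["prefixes"] if p["autonomous"]]
    if ra["managed"]:
        mode = "stateful DHCPv6"            # M=1: the address comes from the DHCPv6 server
    elif ra["other"]:
        mode = "SLAAC + stateless DHCPv6"   # M=0, O=1: SLAAC address, DNS/domain via DHCPv6
    else:
        mode = "SLAAC only"                 # M=0, O=0: DNS must be configured on the host
    return {"mode": mode,
            "slaac_prefixes": slaac,
            "dhcpv6_for_address": ra["managed"],
            "dhcpv6_for_other_info": ra["managed"] or ra["other"],
            "default_router": ra["router_lifetime"] > 0}


def build_sample_ra(managed: bool, other: bool, prefix: str = "fd05::/64",
                    autonomous: bool = True) -> bytes:
    """Constructed RA like the one the lab firewall's inside interface sends
    (ICMPv6 checksum left at zero; this is for parsing, not for sending)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    head = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    src_ll = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("001122334455")  # constructed MAC
    pflags = PFX_ONLINK | (PFX_AUTONOMOUS if autonomous else 0)
    pfx = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    return head + src_ll + pfx
```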
4. IPv6 basic firewall configuration example
In this lecture we are going to set up a Palo Alto firewall for IPv6, and we are going to have only IPv6 on this network. On the inside, the trust side, we are going to use the site-local (unique local) prefix FD05::/64; this is the network we choose on the inside. The outside is connected to an ISP, and the network on that connection is 2000::/64.
The Palo Alto firewall is 2000::1/64 and the outside router is 2000::5/64; that is going to be the default gateway to get to the Internet. It is confined to this lab, but we will see how to do the routes and the other details. Here is the Ethernet interface; this is the untrust, or external, interface. We change it to layer 3, virtual router default, security zone untrust, and then we configure the IPv6 address. Here you have to check the box to enable IPv6 on the interface. We are not going to use EUI-64; we add an address and choose it manually, and enable the address on the interface. We are not going to send router advertisements out this interface, because it faces the service provider; we need to send router advertisements to the clients on the inside network, so the router advertisement options become applicable when we configure the inside interface. You can enable duplicate address detection on the outside untrust interface to make sure there is no other device with the same IPv6 link-local or global unicast address.
Click OK. Now configure the trust interface. This is going to be layer 3, virtual router default, zone trust. We use the address FD05::/64 and, in this case, the "use interface ID as host portion" option, which basically enables EUI-64. We have to enable IPv6 on the interface and then enable router advertisement; this way the Windows host knows how to get to the outside of the network. Because we also want to use a DHCPv6 server, we check "other configuration" so that the client realizes it needs to get the DNS server from the DHCPv6 server on the inside. We can also enable duplicate address detection, and we bring the link state and the interface up. I am going to attach the management profile to the inside interface so I can ping the interface to test it, click OK, and bring this interface up as well. Now we go to the virtual router; we need to set a default route toward the Internet router.
Click on static routes, IPv6, and add a default route; as we saw a couple of lectures back, the default route is ::/0. We send it out the outside Ethernet interface with the next hop 2000::5, the ISP router. So traffic for the default route goes to 2000::5 out the untrust interface and on to the ISP. Now we need to create a security policy. The security policy is just going to allow everything, so we let pretty much everything through. I was having trouble with logging, so I removed the profile and set URL filtering to alert so I can see which URLs are seen on my syslog server. On the Internet router, a route to the FD05 network pointing at the firewall would be needed, but I am not doing that because I want to show you the NAT feature in the next lecture.
So we start by looking at how the Windows host gets its IPv6 address and the DNS information. The duplicate address detection we saw in the previous lecture has already happened, but we see the router solicitation message. This router solicitation is sent to all routers, FF02::2, and we wait for the response, the ICMPv6 router advertisement. We should see the router advertisement here. We just saw the router solicitation, but we did not see the router advertisement yet. Here is the router advertisement: it says this is the link-local address of the router, and it is sent to the all-nodes destination. If we look at the flags, we have the O flag set, which tells the host that it needs to get the DNS information from the DHCPv6 server. We should see that here.
This message is also a duplicate address detection for the newly assigned IPv6 address. Let's look at the host to see if it received the information. Maybe something is wrong, because it did not get it. Let's check what it is: it got the DNS server and domain name, but the global address was not obtained. So let's find out why. Let's make sure this is configured correctly: FD05::/64 is there and "other configuration" is set, but "enable router advertisement" was not checked. Let's enable it and commit. So, after a shut and no shut of the interface, we have two duplicate address detections. One of them is for the FD05 interface address, because the host got the router advertisement with the other flag set and the prefix information, which is the prefix FD05::/64.
That tells the host, "Hey, you can use FD05 as your prefix." The host assigns itself an EUI-64 address and sends a neighbor solicitation for duplicate address detection to FF02::1:FF followed by the last three octets of the MAC address, with the target address set to its own new address, before it starts using that address. Let's take a look at the status on the host, under details. The IPv6 address is FD05::9136 and so on, and then the physical address. Let's see what the default gateway is; that is the default gateway. It is too long to see, so let me just ping it to verify that the host can reach the router. This is the default gateway, and it can be pinged. You will not be able to ping anything outside, though: the firewall itself can ping outside, but because I have not added a route on the outside router for the FD05 network, the host is not going to reach anything outside that network.

That gives you an idea of how to configure the firewall to provide stateless address autoconfiguration to devices and to let the devices know that they need to get additional information from the DHCPv6 server. We saw the host getting the router advertisement, picking up the prefix from it, assigning itself an address using EUI-64 and sending duplicate address detection; if nobody responds, it starts using that IPv6 prefix. To prove that we can ping from the firewall, I am going to connect to the firewall. From the firewall itself, let's look at the IPv6 information. On the first Ethernet interface, the outside, this is the IPv6 address: here is the link-local and here is the global unicast address. On the second Ethernet interface, the inside, we see the link-local and the site-local address. Based on what we see here, the next hop at the top is 2000::5, and I can ping that default router. I also have a loopback interface, 2003::1, that I can use to test, so I can ping that to make sure ICMPv6 is working.
5. IPv6 Network Prefix Translation NPTv6 configuration example
In this lecture we will talk about IPv6 network address translation using network prefix translation. Network prefix translation gives you the ability to translate between IPv6 prefixes. For example, expanding on the example from last time, if we have FD05::/64 on the inside and the service provider gives us 2003::/64, we can configure the firewall to translate FD05 prefixes to 2003 prefixes. Since the FD site-local (unique local) prefixes are not routed on the Internet, if that traffic is to leave your internal network it needs to be translated. There is no dynamic NAT here; this is a one-to-one translation. There is no dynamic NAT in IPv6. So let's see how to configure it. In our example we have FD05 on the inside of the network, and the service provider assigned us 2003::/64, as an example.
We want to translate the traffic from the internal hosts to 2002::/64. The service provider points 2002::/64 to the address of the firewall: if we look at the outside router, there is a static route for 2002::/64 (not 2003::/64 as I said a moment ago) via 2000::1, the firewall's outside address. So the service provider advertises this global unicast prefix on the Internet, and when it receives traffic for it, it forwards it to the firewall. Traffic from trust to untrust with the FD05::/64 prefix will be translated to the 2002 prefix. Let's see how to configure that on the firewall. Under the NAT policies we create a NAT rule that translates the site-local prefix. The source zone is trust and the destination zone is untrust; the source address must be the network prefix, FD05::/64; and then the translated packet: for a one-to-one prefix translation we must set the NAT type to IPv6 NPTv6 here. With that type you will see that dynamic IP and port is not available; we use static IP with 2002::/64. If you want the firewall to do bidirectional translation, meaning it also maps an incoming 2002 address back to the corresponding address of the inside host, you need to check bidirectional.
So what does that mean? If I have an FD05 host with an EUI-64 interface ID, say ending in 1122:3344, the firewall translates traffic from the inside host to the 2002 address with that interface ID, and traffic initiated from the outside and destined for that 2002 address is translated back to the corresponding FD05 address. I enable bidirectional and click OK, commit, and now I connect to the outside router from the Windows host. I created a hosts-file entry for it, pointing at the router's loopback address, 2003::1, and if I SSH to it by that name, it connects over IPv6 using the hosts entry. On the firewall I can see a session in place with that router. If I show the users on the router, I can see that my connection is coming from 2002 followed by fab8:bd0:bc5:b5 and so on. Looking at my address on the host: this is the address I have, the temporary IPv6 address, which is in the site-local prefix FD05.
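As an added example (not the lecture's or PAN-OS code), the one-to-one prefix translation above in code, using the lab's FD05::/64 inside and 2002::/64 outside prefixes. It follows the RFC 6296 NPTv6 style: the prefix is swapped and a 16-bit adjustment is added to the first interface-ID word so that TCP/UDP/ICMPv6 checksums stay valid without being rewritten, which is why the translated interface ID is not byte-for-byte the inside one. Restricting to /64 prefixes and writing a one's-complement zero result as 0x0000 are this example's own choices.

```python
import ipaddress


def _fold(total: int) -> int:
    """Reduce to a 16-bit one's-complement value (end-around carry)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(addr) -> list:
    """The eight 16-bit words of an IPv6 address."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def address_checksum(addr) -> int:
    """One's-complement sum of an address, as a TCP/UDP/ICMPv6 pseudo-header sees it.
    0xFFFF and 0x0000 are the same value in this arithmetic, so 0xFFFF is reported as 0."""
    total = _fold(sum(_words(addr)))
    return 0 if total == 0xFFFF else total


class NPTv6:
    """One-to-one, checksum-neutral /64 prefix translation in the RFC 6296 style:
    the prefix words are swapped and a 16-bit adjustment is added to the first
    interface-ID word that is not 0xFFFF, so transport checksums survive untouched."""

    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != 64 or self.external.prefixlen != 64:
            raise ValueError("this example handles /64 prefixes only")
        internal_sum = _fold(sum(_words(self.internal.network_address)[:4]))
        external_sum = _fold(sum(_words(self.external.network_address)[:4]))
        # internal - external in one's-complement arithmetic
        self.adjust = _fold(internal_sum + (~external_sum & 0xFFFF))

    @staticmethod
    def _rewrite(addr, src_net, dst_net, adjust):
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            return a                      # not our prefix: leave untouched
        w = _words(a)
        w[:4] = _words(dst_net.network_address)[:4]
        for i in range(4, 8):
            if w[i] != 0xFFFF:
                w[i] = _fold(w[i] + adjust)
                if w[i] == 0xFFFF:        # one's-complement zero: store as 0x0000 so the
                    w[i] = 0              # reverse mapping picks the same word (example's choice)
                break
        else:
            raise ValueError("no adjustable word in the interface ID")
        return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

    def outbound(self, internal_addr):
        """Source rewrite for trust -> untrust traffic."""
        return self._rewrite(internal_addr, self.internal, self.external, self.adjust)

    def inbound(self, external_addr):
        """Destination rewrite for untrust -> trust (what 'bidirectional' enables);
        the adjustment is negated, i.e. external - internal."""
        return self._rewrite(external_addr, self.external, self.internal,
                             ~self.adjust & 0xFFFF)


def translate_session(t: NPTv6, src: str, dst: str, from_zone: str) -> tuple:
    """Apply the rule the way the session table shows it: only the inside
    end of the flow changes, in both directions."""
    if from_zone == "trust":
        return str(t.outbound(src)), str(dst)
    return str(src), str(t.inbound(dst))
```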
Let's look at the session on the firewall and see how it looks. Show the sessions: all I see is a telnet session, session 1156, so show session ID 1156. The client-to-server flow is from the site-local address, with the global unicast address as the destination; the server-to-client flow is from the global unicast address to the translated address. The NAT rule shown is the site-prefix NAT rule I created. So the connection is valid and the rule applies.
Now, from the router, let's see if I can ping that host. I try it from the outside router, and I am able to ping it. If I look at the session, the server-to-client flow shows my Windows host with its IPv6 site-local address, translated to and from the 2002 address. So you see it is translating bidirectionally and identifying the application correctly. I also created a test rule to show you that the IPv6 threat policies work: a custom IPS policy (a custom vulnerability signature) that triggers on a URL. The rule is from trust to untrust, the action is allow, and a profile is attached; the profile I created, test, logs and forwards to my syslog server. So basically this is a custom IPS policy with just one signature that triggers on traffic matching the URL. We did that a couple of times before, so there is no need to go over it again. I am going to trigger the policy by going to the router and requesting the test URL.
Basically, it is not going to go through, and if I look at my logging system, the internal system that does the logging, it sees the threat (vulnerability) log and records it as the custom signature I created. So, once IPv6 is enabled, you can protect your internal IPv6 hosts from external threats the same way you do for IPv4. You have to make sure that you enable IPv6 on the firewall whether you use it or not, because if you do not enable IPv6 and there are IPv6 tunnels on your network, that traffic will be forwarded unchecked, precisely because IPv6 is not enabled. So even if you are not actually using IPv6 on the production network, it is recommended that you enable IPv6 on the outside interfaces; an internal interface will just be assigned an IPv6 link-local address. It is not going to do anything except protect you from IPv6 threats.