Category: IPv6

The New Way of Generating IPv6 – SLAAC EUI-64 Address Format

There was an old way of generating Interface IPv6 address using SLAAC process (Stateless autoconfiguration). You simply configured that you want SLAAC autoconfiguration and the interface IPv6 was generated by squeezing “FFFE” in hex (11111111 11111110 bits) between two parts of physical MAC address of that interface.

Then, after a while, several comments came to IETF about the use of predictable Interface Identifiers in IPv6 addresses. They were pointing to the ease of correlation of host activities within the same network and across multiple networks. If Interface Identifiers are constant across networks this is negatively affecting the privacy and security of users on that network.

IPv6 Generated with EUI-64 Has a Strange Bit Inside

UPDATE on 22 Mar 2018:
Although the article is correctly explaining the IPv6 address generated in the example at the bottom, it seems that the process of generating the IPv6 address with EUI-64 has been changed from what is described in RFC2373 to something like RFC4291 and then to something like RFC7217. Thanks to @FernandoGont for pointing to this issue. A new article is here which describes newly suggested technique on how SLAAC implementation should work in new network device/NIC implementations.

What is universal/local bit in IPv6 EUI-64 address?

One of my readers contacted me with an interesting question in comments of “IPv6 – SLAAC EUI-64 Address Format” article. The question was:

“How come that the ipv6 address after the prefix is 21C:C4FF:FECF:4ED0 if the mac address is 00-1C-C4-CF-4E-D0?”

Of course, we all know from the previous article that EUI-64 process is taking the interface MAC address (if that is an Ethernet interface) and it creates 64 bits Interface ID with it by shimming additional FFFE (16bits in hex) in between the MAC address bits.

The reader was confused with an additional change that I did not cover in that article which is called universal/local bit of the IPv6 address Interface ID part.

Let’s go.

IPv6 address is 128 bit. First ‘n’ bits (first 64 bits of EUI-64 created IPv6 address) are called “subnet prefix” and the other half of bits are called “Interface ID”.

If we use EUI-64 process to generate a unique IPv6 address of the interface, then we are generating Interface ID from MAC address (or some other kind of L2 address if this is not about Ethernet).

|                     n bits                     |   128-n bits   |
+------------------------------------------------+----------------+
|                  subnet prefix                 |  interface ID  |
+------------------------------------------------+----------------+

On RFC 2373 page 18 chapter: “APPENDIX A : Creating EUI-64 based Interface Identifiers”, you can find that 7th bit on Interface ID part of an IPv6 address (the last 64 bits) is called “universal/local bit”.

If this bit is set to “0” it indicates local scope IPv6 address and if it is “1” then the generated IPv6 address has global scope (it is globally unique).

Solicited-node multicast address

Some time ago I was working on IPv6 implementation and in that period I wrote an article about NDP (you can read it here). After a while, I received some comments that it is not written very well so I reviewed a huge part of it. It looks my English was far worst two years ago that I was really aware of 🙂

In the reviewing process, I realised that NDP usage of Solicited-Node multicast addresses was not clearly explained. This is the follow-up article which should explain how and why Solicited-Node multicast address are used in NDP. After all, this kind of multicast addresses are there to enable IPv6 neighbour discovery function of NDP to work properly.

Let’s go!

Solicited-node multicast address is the IPv6 multicast address used on the local L2 subnet by NDP Network Discovery Protocol. NDP uses that multicast address to be able to find out L2 link-local addresses of other nodes present on that subnet.

NDP replaces ARP

As we know, NDP in IPv6 networks replaced the ARP function from IPv4 networks. In IPv4 world, ARP used broadcast to send this kind of discovery messages and find out about neighbours IPv4 addresses on the subnet. With IPv6 and NDP use of broadcast is not really a good solution so we use a special type of multicast group addresses to which all nodes join to enable NDP communication.

Source-based routing in IPv4 and IPv6 networks

In my current studies, I did some work about security inside networking data paths. In my recent work, I tried to get some experiments done that needed to use source based routing in order to be completed. Like most of the scientific work that tries to get from paper to experiment and then to something useful, it failed at the very beginning. If I can be more precise and improve a bit the appearance of my failure here. I can do it by explaining what happened and what did I came across while researching my idea. It’s something as simple as this:

Source based routing, by the suggestion of IETF needs to be disabled by default on networking devices. At least it should be as the feature itself is recognised as a major security threat and IETF itself is trying to get rid of it.

Of course that can be considered like a stop sign in an experiment where you are relying solely on source based routing to get your thing running.   (:

When you look at the networking technology these days that’s probably IP protocol that you are talking about. Okay maybe you are new age junkie and you are probably speaking about IPv6 protocol. Either way, the very first and main principle of routing packet across data network is based on the destination IP address routing/decision making. Router is making decision on where will he send some packet based more or less solely on destination IP address. It is doing so by reading his locally built routing table of destination subnets. From that table router gets the info out of which interface will he sent the packet that is destined for some address.

IPv6 First-Hop Security

All methods to mitigate IPv6 security issues
Real life security intro

In the process of configuring our corporate network test segment for IPv6, there was a direct demand to pay particular attention to security. It was my role to go trough all materials I could get to learn more about IPv6 security.

It was my role to go trough all materials I could get to learn more about IPv6 security. In that process, first stop was my favourite packetpushers podcast. They published more that 200 podcast till now and one of them was about IPv6 security that I needed. In that security show from last year

They published more that 200 podcast till now and one of them was about IPv6 security that I needed. In that security show from last year Healthy Paranoia Show 4:IPv6 Security Smackdown! Mrs. Y with bunch of great hosts discussed IPv6 security. They speak about almost all stuff that exists today in securing IPv6 enabled networks. One of the guests was Mr. Eric Vyncke, Cisco Distinguished Consulting Engineer who wrote IPv6 Security book for CiscoPress. Later, I did see that this book was everything you need to learn IPv6 security.  Of course, it’s easy to get edge router to run IPv6 on

One of the guests was Mr. Eric Vyncke, Cisco Distinguished Consulting Engineer who wrote IPv6 Security book for CiscoPress. Later, I did see that this book was everything you need to learn IPv6 security.  Of course, it’s easy to get edge router to run IPv6 on

Later, I did see that this book was everything you need to learn IPv6 security.  Of course, it’s easy to get edge router to run IPv6 on Internet-facing interface, but my goal is to get IPv6 inside our LAN environment and that part is still tricky if you include all the stuff needed to be done (especially on firewall part of the story).

I searched for additional information and some examples on how to configure Cisco gear for IPv6. Specially helpful were IPv6 webinars from long followed Networking/Cisco genius Ivan Pepelnjak at his great site ipspace.net (one of my homepage tabs). Here the guest is again Eric Vyncke.

After I gathered the knowledge out of those resources, I was ready to deploy IPv6 on my test segments and make it secure. Here are just a few rows about every one of IPv6 first-hop security features that are available on Cisco equipment. Just for the info, not all the equipment has all the features. Some of them came out

Here are just a few rows about every one of IPv6 first-hop security features that are available on Cisco equipment. Just for the info, not all the equipment has all the features. Some of them came out

Just for the info, not all the equipment has all the features. Some of them came out a few months ago so older switches and routers may not have all of these implemented. Sometimes you will be limited by the license to. I need to mention that other vendor’s equipment also supports most features mentioned below. For

I need to mention that other vendor’s equipment also supports most features mentioned below. For now it seems that Cisco invested the most effort and gathered the best team of engineers to add all possible features for IPv6 first-hop security inside IOS.

Let’s go with the list:

IPv6 RA Guard – RA messages are important part of IPv6 architecture. They are the only way to get default gateway info to host in the network segment (beside static configuration). DHCPv6 does not carry this information in his messages unlike DHCPv4. RA messages are Router Advertisement messages send from main router that is default gateway for that specific network segment. Having that in mind it’s clear that, only port on the switch that needs to receive RA messages inbound, is the port connecting the router. All other switch ports for hosts are only forwarding RA messages to host devices but there is no need for host to send RA messages back to switch. Even better, it is wrong if some host sends RA messages because he is then practically trying to take the role of default gateway away from router. Configuring RA Guard on all switch ports except port that heads towards the router is preventing rouge RA advertisements on that segment.