topic Re: IPv6 Address Spoofing in Firewall and Security Management

IPv6 Address Spoofing

ksodan — Tue, 27 Aug 2024 08:38:31 GMT

Greetings Everyone,

I have an external interface with IPv6 enabled (::31:2) and a default IPv6 route leading to ::31:1.

Also, Topology calculation is enabled but when I try to ping the interface ::31:2 the firewall drops it as if it is address spoofing.

I haven't found any documentation about this, also I've tried the one liner which doesn't show me much IPv6 information.

Any ideas what can be the issue here?

VSX cluster, coreXL , R81.10 T156

Re: IPv6 Address Spoofing

Chris_Atkinson — Tue, 27 Aug 2024 11:08:43 GMT

What is the source address from which you are initiating the ping and what is the routing to reach that address?

Re: IPv6 Address Spoofing

ksodan — Tue, 27 Aug 2024 11:21:06 GMT

Source address is from IPv6 GUA range 2001::...

Routing to reach the address is the default route ::/0 through the external interface (PtP between FW and L3 leaf)

Re: IPv6 Address Spoofing

the_rock — Tue, 27 Aug 2024 19:23:07 GMT

Can you run something like below? Just replace with right ipv6.

Andy

fw ctl zdebug + drop | grep 2001:db8:3333:4444:5555:6666:7777:8888

Re: IPv6 Address Spoofing

Lesley — Tue, 27 Aug 2024 20:09:49 GMT

If config is correct and cannot be solved that way you have to open TAC case.

I have also new issues regarding IPV6 and AS. Custom patch was needed on fwmgmt.

Re: IPv6 Address Spoofing

ksodan — Wed, 28 Aug 2024 13:08:18 GMT

Hello Andy,

thank you for your time. Here are the results (full ips omitted):

fw6 ctl zdebug + drop

Output:

@;124675495;[kern];[tid_37];[SIM-242006539];pkt_handle_no_match: packet dropped (spoofed address), conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>, ifn 35
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: (2,0) received drop, reason: Anti-Spoofing, conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>;
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: sending single drop notification, conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];do_packet_finish: SIMPKT_IN_DROP vsid=2, conn:<<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;

Re: IPv6 Address Spoofing

the_rock — Wed, 28 Aug 2024 13:21:02 GMT

K, so its 100% clear from the drops its anti-spoofing related, as you described in the post. Can you send a screenshot of how those settings are configured from topology please? Just blur out any sensitive data.

Best,

Andy

Re: IPv6 Address Spoofing

ksodan — Wed, 28 Aug 2024 17:15:54 GMT

Certainly, thank you for your time for reviewing this.

Best regards,

Krešimir

Re: IPv6 Address Spoofing

the_rock — Wed, 28 Aug 2024 17:30:06 GMT

No worries. Can you send how below is configured for that interface?

Andy

Re: IPv6 Address Spoofing

ksodan — Wed, 28 Aug 2024 18:08:16 GMT

Definitely can !

Re: IPv6 Address Spoofing

the_rock — Wed, 28 Aug 2024 18:28:03 GMT

Thank you! Hey, just wondering, does it let you set it as external zone or not? Because I find it really odd it would be giving those messages, considering there are only so many things you can change with topology on external interface.

Andy

Re: IPv6 Address Spoofing

ksodan — Wed, 28 Aug 2024 18:32:30 GMT

No, thank you for taking your time reviewing my problem. Actually it's automatically set as external when I set the default routes out of the interface.

Works fine with IPv4 that's why I found it unusual in the first place.

Best regards,

Kresimir

Re: IPv6 Address Spoofing

Lesley — Wed, 28 Aug 2024 18:36:07 GMT

Do this 🙂

Re: IPv6 Address Spoofing

the_rock — Wed, 28 Aug 2024 18:36:24 GMT

Of course, we are always happy to help mate. By the way, apologies, I see now its VSX, so it makes sense it set it automatic like that. Question...does this ONLY happen when you give the interface ipv6 address, but otherwise no drops for anti-spoofing?

As a matter of fact, I will assign bogus ipv6 address in my lab to external interface and see what happens when I push the policy.

Will keep you posted.

Andy

Re: IPv6 Address Spoofing

the_rock — Wed, 28 Aug 2024 18:56:32 GMT

Just tested in the lab, no issues, but then again, I dont have vsx to test, so cant tell really what the main difference is, but in my lab box, I have my external interface set as external zone, like below.

Andy

Re: IPv6 Address Spoofing

ksodan — Thu, 29 Aug 2024 12:22:09 GMT

No issues whatsoever with IPv4. Only with IPv6 addresses.

Tried with external security zone but per documentation that should only influence any decisions if security policies are applied to the zone which I don't have at the moment.

Re: IPv6 Address Spoofing

ksodan — Thu, 29 Aug 2024 12:23:09 GMT

Seems like I'll have to resort to this method! Thanks, just wanted to make sure I was not missing something.

Re: IPv6 Address Spoofing

the_rock — Thu, 29 Aug 2024 12:23:46 GMT

Yes, thats 100% true, for the external zone. I got nothing else, sorry mate, I would see if TAC may be able to give some suggestions. Though, Im sure there must be some ipv6 gurus here as well : - )

Andy

Re: IPv6 Address Spoofing

Baumi77 — Tue, 03 Sep 2024 05:34:57 GMT

Same here, a hotfix solved the AS problems with IPv6...