ksodan
Participant

IPv6 Address Spoofing

Greetings Everyone,

I have an external interface with IPv6 enabled (::31:2) and a default IPv6 route leading to ::31:1.

Also, topology calculation is enabled, but when I try to ping the interface ::31:2, the firewall drops the packet as if it were address spoofing.

I haven't found any documentation about this; I've also tried the one-liner, which doesn't show me much IPv6 information.

Any ideas what can be the issue here?

VSX cluster, CoreXL, R81.10 T156

 

0 Kudos
18 Replies
Chris_Atkinson
Employee

What is the source address from which you are initiating the ping and what is the routing to reach that address?

CCSM R77/R80/ELITE
0 Kudos
ksodan
Participant

Source address is from IPv6 GUA range 2001::...

Routing to reach the address is the default route ::/0 through the external interface (point-to-point link between the FW and the L3 leaf).

0 Kudos
the_rock
Legend
Legend

Can you run something like the below? Just replace the address with the right IPv6 one.

Andy

 

fw ctl zdebug + drop | grep 2001:db8:3333:4444:5555:6666:7777:8888

(1)
ksodan
Participant

Hello Andy,

Thank you for your time. Here are the results (full IPs omitted):

fw6 ctl zdebug + drop

Output:

@;124675495;[kern];[tid_37];[SIM-242006539];pkt_handle_no_match: packet dropped (spoofed address), conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>, ifn 35
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: (2,0) received drop, reason: Anti-Spoofing, conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>;
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: sending single drop notification, conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];do_packet_finish: SIMPKT_IN_DROP vsid=2, conn:<<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;

0 Kudos
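The drop lines above carry everything needed to triage an anti-spoofing drop: the connection tuple, the drop reason, the inbound interface index (`ifn`) and the virtual system (`vsid`). The script below is an added example for this thread, not Check Point code and not the original poster's. It parses `fw ctl zdebug + drop` lines of the format quoted above and then compares each drop against a simplified topology model, so that a drop of a source the model would have accepted stands out as a topology-calculation mismatch rather than a genuine spoof. The sample lines are constructed (documentation addresses substituted for the masked ones), the interface names and the internal interface with index 36 are assumptions, and the topology rule itself (an internal interface accepts only the networks behind it; an external interface accepts anything not claimed by an internal interface of the same IP version) is an assumption about the product's behaviour, not its actual implementation.

```python
"""Triage anti-spoofing drops from `fw ctl zdebug + drop` output (IPv4 and IPv6).

Added example; not Check Point code. The line format follows the output quoted
in the thread; the topology rule is a simplified assumption.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the thread's output (ifn 35 and vsid 2 are the
# values from the thread; addresses are RFC 3849 / ULA substitutes).
SAMPLE_DEBUG = """\
@;124675495;[kern];[tid_37];[SIM-242006539];pkt_handle_no_match: packet dropped (spoofed address), conn: <<2001:db8:1::dce7,1,fd00:db8::32:2,128,58>>, ifn 35
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: (2,0) received drop, reason: Anti-Spoofing, conn: <<2001:db8:1::dce7,1,fd00:db8::32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];do_packet_finish: SIMPKT_IN_DROP vsid=2, conn:<<2001:db8:1::dce7,1,fd00:db8::32:2,128,58>>;
"""

# conn: <<src,sport,dst,dport,proto>> ; for ICMPv6 (proto 58) the "dport" slot
# carries the ICMPv6 type (128 = echo request). That reading is an assumption.
CONN_RE = re.compile(r"conn:\s*<{1,2}([^,<>]+),(\d+),([^,<>]+),(\d+),(\d+)>{1,2}")
REASON_RE = re.compile(r"reason:\s*([^,;]+)")
IFN_RE = re.compile(r"\bifn (\d+)")
VSID_RE = re.compile(r"\bvsid=(\d+)")


@dataclass
class DropEvent:
    src: str
    dst: str
    proto: int
    dport: int
    reason: str = ""
    ifn: Optional[int] = None
    vsid: Optional[int] = None


def parse_zdebug_drops(text):
    """Group zdebug lines by connection tuple and merge the fields each line carries."""
    events = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, proto = m.groups()
        key = (src, dst, int(proto), int(dport))
        ev = events.setdefault(key, DropEvent(src, dst, int(proto), int(dport)))
        if "spoofed address" in line and not ev.reason:
            ev.reason = "Anti-Spoofing"
        r = REASON_RE.search(line)
        if r:
            ev.reason = r.group(1).strip()
        i = IFN_RE.search(line)
        if i:
            ev.ifn = int(i.group(1))
        v = VSID_RE.search(line)
        if v:
            ev.vsid = int(v.group(1))
    return list(events.values())


@dataclass
class Interface:
    name: str
    ifn: int
    external: bool
    networks: tuple = ()  # internal interfaces: the networks located behind them


class Topology:
    """Simplified anti-spoofing model (assumption, not the product's logic)."""

    def __init__(self, interfaces):
        self.by_ifn = {i.ifn: i for i in interfaces}

    def _internal_nets(self, version):
        return [n for i in self.by_ifn.values() if not i.external
                for n in i.networks if n.version == version]

    def source_allowed(self, ifn, src):
        """True if a packet from `src` is legitimate when it arrives on `ifn`."""
        addr = ipaddress.ip_address(src)
        ifc = self.by_ifn[ifn]
        if ifc.external:
            # External: anything that is not an internal network of the same family.
            return not any(addr in n for n in self._internal_nets(addr.version))
        return any(addr in n for n in ifc.networks if n.version == addr.version)


def check_drops(text, topology):
    """Return (event, model_allows) pairs. model_allows=True means the topology
    would have accepted the source, so the drop points at a topology mismatch."""
    return [(ev, topology.source_allowed(ev.ifn, ev.src))
            for ev in parse_zdebug_drops(text) if ev.ifn is not None]


# Assumed topology: ifn 35 is the external interface from the thread; ifn 36 and
# its networks are invented for illustration.
SAMPLE_TOPOLOGY = Topology([
    Interface("eth1", 35, external=True),
    Interface("eth2", 36, external=False, networks=(
        ipaddress.ip_network("10.10.0.0/16"),
        ipaddress.ip_network("2001:db8:100::/56"),
    )),
])

if __name__ == "__main__":
    for ev, allowed in check_drops(SAMPLE_DEBUG, SAMPLE_TOPOLOGY):
        verdict = "UNEXPECTED, check calculated topology" if allowed else "expected"
        print(f"vsid={ev.vsid} ifn={ev.ifn} {ev.src} -> {ev.dst} proto={ev.proto} "
              f"reason={ev.reason}: drop {verdict}")
```

Run it against a pasted copy of the real debug output after filling in the interface list from the gateway's own topology; a GUA source reported as spoofed on the external interface, when no internal interface claims that prefix, is the case in this thread and is the evidence to hand to TAC.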
the_rock
Legend
Legend

OK, so it's 100% clear from the drops that it's anti-spoofing related, as you described in the post. Can you send a screenshot of how those settings are configured in the topology, please? Just blur out any sensitive data.

Best,

Andy

0 Kudos
ksodan
Participant

Certainly, thank you for your time for reviewing this.

 

CPTopology.png

Best regards,

Krešimir

0 Kudos
the_rock
Legend
Legend

No worries. Can you send how the below is configured for that interface?

Andy

 

Screenshot_1.png

0 Kudos
ksodan
Participant

Definitely can !

Screenshot from 2024-08-28 20-06-34.png

0 Kudos
the_rock
Legend
Legend

Thank you! Hey, just wondering, does it let you set it as an external zone or not? Because I find it really odd that it would be giving those messages, considering there are only so many things you can change in the topology of an external interface.

Andy

0 Kudos
ksodan
Participant

No, thank you for taking the time to review my problem. Actually, it's automatically set as external when I set the default routes out of the interface.

It works fine with IPv4; that's why I found it unusual in the first place.

Best regards,

Kresimir

0 Kudos
the_rock
Legend
Legend

Of course, we are always happy to help, mate. By the way, apologies, I see now it's VSX, so it makes sense that it set it automatically like that. Question: does this ONLY happen when you give the interface an IPv6 address, but otherwise there are no drops for anti-spoofing?

As a matter of fact, I will assign a bogus IPv6 address to the external interface in my lab and see what happens when I push the policy.

Will keep you posted.

Andy

0 Kudos
the_rock
Legend
Legend

Just tested in the lab, no issues, but then again, I don't have VSX to test, so I can't really tell what the main difference is. In my lab box, I have my external interface set as the external zone, like below.

Andy

 

Screenshot_1.png

0 Kudos
ksodan
Participant

No issues whatsoever with IPv4. Only with IPv6 addresses.

Tried with the external security zone, but per the documentation that should only influence any decisions if security policies are applied to the zone, which I don't have at the moment.

 

0 Kudos
the_rock
Legend
Legend

Yes, that's 100% true for the external zone. I've got nothing else, sorry mate; I would see if TAC may be able to give some suggestions. Though I'm sure there must be some IPv6 gurus here as well :-)

Andy

0 Kudos
Lesley (Accepted Solution)
Leader

If the config is correct and it cannot be solved that way, you have to open a TAC case.

I also have new issues regarding IPv6 and AS. A custom patch was needed on fwmgmt.

-------
If you like this post please give a thumbs up(kudo)! 🙂
Lesley
Leader

Do this 🙂 

0 Kudos
ksodan
Participant

Seems like I'll have to resort to this method! Thanks, I just wanted to make sure I was not missing something.

0 Kudos
Baumi77
Explorer

Same here, a hotfix solved the AS problems with IPv6...
