ksodan
Participant

IPv6 Address Spoofing

Greetings Everyone,

I have an external interface with IPv6 enabled (::31:2) and a default IPv6 route leading to ::31:1.

Also, Topology calculation is enabled but when I try to ping the interface ::31:2 the firewall drops it as if it is address spoofing.

I haven't found any documentation about this. I've also tried the one-liner, which doesn't show me much IPv6 information.

Any ideas what can be the issue here?

VSX cluster, CoreXL, R81.10 T156

 

0 Kudos
7 Replies
Chris_Atkinson
Employee

What is the source address from which you are initiating the ping and what is the routing to reach that address?

CCSM R77/R80/ELITE
0 Kudos
ksodan
Participant

Source address is from IPv6 GUA range 2001::...

Routing to reach the address is the default route ::/0 through the external interface (PtP between FW and L3 leaf)

0 Kudos
the_rock
Legend

Can you run something like the below? Just replace with the right IPv6.

fw ctl zdebug + drop | grep 2001:db8:3333:4444:5555:6666:7777:8888

Andy

(1)
ksodan
Participant

Hello Andy,

Thank you for your time. Here are the results (full IPs omitted):

fw6 ctl zdebug + drop

Output:

@;124675495;[kern];[tid_37];[SIM-242006539];pkt_handle_no_match: packet dropped (spoofed address), conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>, ifn 35
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: (2,0) received drop, reason: Anti-Spoofing, conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>;
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: sending single drop notification, conn: <<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];do_packet_finish: SIMPKT_IN_DROP vsid=2, conn:<<2001:xxxx::dce7,1,fdca::xxxx:32:2,128,58>>;

0 Kudos
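Added example, not part of the original thread and not Check Point code: each dropped packet in the output above produces several debug lines, with the interface number (ifn), the reason and the VSID on different lines, so this Python example merges them per packet and counts Anti-Spoofing drops per interface. The tuple order src,sport,dst,dport,proto and the use of the numeric id plus the [SIM-...] tag as a per-packet key are assumptions; the sample lines are constructed with documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample in the format shown in the post; addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
@;124675495;[kern];[tid_37];[SIM-242006539];pkt_handle_no_match: packet dropped (spoofed address), conn: <<2001:db8:a::dce7,1,2001:db8:b::32:2,128,58>>, ifn 35
@;124675495;[kern];[tid_37];[SIM-242006539];sim_pkt_send_drop_notification: (2,0) received drop, reason: Anti-Spoofing, conn: <<2001:db8:a::dce7,1,2001:db8:b::32:2,128,58>>;
@;124675495;[kern];[tid_37];[SIM-242006539];do_packet_finish: SIMPKT_IN_DROP vsid=2, conn:<<2001:db8:a::dce7,1,2001:db8:b::32:2,128,58>>;
@;124675990;[kern];[tid_37];[SIM-242006540];pkt_handle_no_match: packet dropped (spoofed address), conn: <<2001:db8:a::dce7,2,2001:db8:b::32:2,128,58>>, ifn 35
@;124675990;[kern];[tid_37];[SIM-242006540];sim_pkt_send_drop_notification: (2,0) received drop, reason: Anti-Spoofing, conn: <<2001:db8:a::dce7,2,2001:db8:b::32:2,128,58>>;
"""

CONN = re.compile(r"conn:\s*<+([^<>]+)>+")  # accepts both <...> and <<...>>
EXTRA = {
    "ifn": re.compile(r"\bifn (\d+)"),
    "vsid": re.compile(r"\bvsid=(\d+)"),
    "reason": re.compile(r"reason: ([^,;]+)"),
}
TUPLE = ("src", "sport", "dst", "dport", "proto")  # assumed field order

def parse_drops(text):
    """Merge the several debug lines emitted per dropped packet into one record."""
    packets = {}
    for line in text.splitlines():
        conn = CONN.search(line)
        head = line.split(";")
        if not conn or len(head) < 6:
            continue
        fields = [f.strip() for f in conn.group(1).split(",")]
        if len(fields) != len(TUPLE):
            continue
        # Assumption: the numeric id and [SIM-...] tag are shared by all lines of one packet.
        rec = packets.setdefault((head[1], head[4], conn.group(1)), dict(zip(TUPLE, fields)))
        for name, rx in EXTRA.items():
            m = rx.search(line)
            if m:
                rec.setdefault(name, m.group(1).strip())
    return list(packets.values())

def antispoof_by_interface(text):
    """Count Anti-Spoofing drops per (ifn, src, dst, proto)."""
    hits = Counter()
    for p in parse_drops(text):
        if p.get("reason") == "Anti-Spoofing":
            hits[(p.get("ifn"), p["src"], p["dst"], p["proto"])] += 1
    return hits

if __name__ == "__main__":
    for key, n in antispoof_by_interface(SAMPLE).items():
        print(n, key)
```

The ifn value in the summary identifies the interface whose topology definition the source address was checked against, which is the setting reviewed in the replies that follow.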
the_rock
Legend

K, so it's 100% clear from the drops it's anti-spoofing related, as you described in the post. Can you send a screenshot of how those settings are configured from topology please? Just blur out any sensitive data.

Best,

Andy

0 Kudos
ksodan
Participant

Certainly, thank you for your time for reviewing this.

 

CPTopology.png

Best regards,

 Krešimir

0 Kudos
Lesley
Leader

If the config is correct and it cannot be solved that way, you have to open a TAC case.

I also have new issues regarding IPv6 and AS. A custom patch was needed on fwmgmt.
