IPv6 address question

tsmullins
Level 1

Good morning everyone,

I need to find this address:

fe80::404d:9415:115a:f39c

It looks like a link-local address. But there is no ffee inserted between the 6th and 10th bits where the MAC address would be inserted. Can I find the MAC address from this IP address?

Thanks

Shane

James Leinweber
Level 4

There is no requirement that a host use an EUI-64 style mapped 48-bit Ethernet MAC to make the host part of its link-local address. In the case of something like SEND, the host part would be based on a cryptographic hash, for example. So there is unlikely to be any way to recover a MAC from the IPv6 address in this case.

Your next best alternatives are:

(1) if you can be on-link with it, do neighbor discovery to find the MAC address

(2) if you can't be on-link, but have control of the switching infrastructure, you may be able to poll the switch ports via SNMP

-- Jim Leinweber, WI State Lab of Hygiene
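An added example (not part of the original posts) of the check discussed above: it tests whether an interface identifier has the modified EUI-64 layout and recovers the MAC only when it does. The function names and the second sample address are constructed for illustration.

```python
import ipaddress

def mac_from_eui64(addr: str):
    """Return the MAC embedded in a modified-EUI-64 interface ID, or None.

    Modified EUI-64 splits the 48-bit MAC in half, inserts ff:fe in the
    middle, and inverts the universal/local bit (0x02) of the first byte.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":
        return None                                # not EUI-64 derived
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def triage(addrs):
    """Map each address to (is_link_local, candidate MAC or None).

    A random or hashed interface ID contains ff:fe at that position by
    chance about once in 65536 addresses, so a recovered MAC is a
    candidate to confirm against the neighbor table, not proof.
    """
    result = {}
    for a in addrs:
        ip = ipaddress.IPv6Address(a)
        result[a] = (ip.is_link_local, mac_from_eui64(a))
    return result

if __name__ == "__main__":
    samples = [
        "fe80::404d:9415:115a:f39c",   # address from the question
        "fe80::21b:21ff:fe3c:9a01",    # constructed EUI-64 style address
    ]
    for addr, (ll, mac) in triage(samples).items():
        print(f"{addr}  link-local={ll}  mac={mac or 'not recoverable'}")
```
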

Thanks very much Jim,

The address is coming from a SPAN port on our core switch. I do have control of the switch; how would I poll the ports with SNMP? We do use SNMP on this switch.

Shane

If the address is being seen on a SPAN port, your best bet might be snooping ICMPv6 neighbor solicitation packets with that address as the source. It's probably a Windows 7 box somewhere; other vendors such as Apple or Linux tend to use the EUI-64 mappings on their link-local addresses. In an Active Directory environment you can use group policy to discourage use of v6 privacy addresses by Windows systems.

Depending on your DNS infrastructure, the dual-stack (presumably) box might be registering 6to4 or other AAAA records. The 6to4 case is only likely if its IPv4 address is public, rather than RFC 1918 private.

For SNMP, I shouldn't have said ports; you want the MIB that lets you query the neighbor discovery table of whatever is doing the VLAN routing, be that a switch, firewall, or an actual router.

An example of a European university doing this sort of monitoring is described at:

  http://www.terena.org/activities/campus-bp/pdf/gn3-na3-t4-cbpd132.pdf

FYI, if you have dual-stack devices on your network, I presume you are filtering for rogue RA devices and rogue DHCPv6 servers, e.g. on our client switches we define:

ip access-list extended v4client
  deny   udp any eq bootps any eq bootpc
  deny   icmp any any redirect
  permit ip any any

ipv6 access-list v6client
  deny udp any eq 547 any eq 546
  deny icmp any any router-advertisement
  deny icmp any any redirect
  permit ipv6 any any

and then on the client device interface switchports we filter:

  ip access-group v4client in
  ipv6 traffic-filter v6client in

This requires v6 allocations in the TCAM of course, e.g.

   sdm prefer dual-ipv4-and-ipv6 default

-- Jim Leinweber, WI State Lab of Hygiene
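The neighbor solicitation snooping suggested above, as an added example that is not part of the original post: a parser that takes one captured Ethernet frame and returns the sender's MAC when the frame is a Neighbor Solicitation sourced from the address being hunted. The sample frame, its MAC and the function names are constructed; IPv6 extension headers are not handled and the ICMPv6 checksum is not verified.

```python
import ipaddress

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ns_source_mac(frame: bytes, wanted: str):
    """Return (ethernet_src_mac, slla_option_mac_or_None) if `frame` is an
    ICMPv6 Neighbor Solicitation sent from `wanted`, otherwise None."""
    off = 12
    ethertype = int.from_bytes(frame[off:off + 2], "big")
    if ethertype == 0x8100:                  # one 802.1Q tag, as seen on trunk/SPAN captures
        off += 4
        ethertype = int.from_bytes(frame[off:off + 2], "big")
    if ethertype != 0x86DD:                  # not IPv6
        return None
    ip6 = frame[off + 2:]
    if len(ip6) < 40 + 24 or ip6[6] != 58:   # next header must be ICMPv6
        return None
    if ipaddress.IPv6Address(ip6[8:24]) != ipaddress.IPv6Address(wanted):
        return None
    icmp = ip6[40:]
    if icmp[0] != 135:                       # 135 = Neighbor Solicitation
        return None
    slla, opts = None, icmp[24:]             # options follow the 16-byte target
    while len(opts) >= 8 and opts[1] > 0:
        if opts[0] == 1:                     # option 1 = Source Link-Layer Address
            slla = fmt_mac(opts[2:8])
        opts = opts[opts[1] * 8:]            # option length is in units of 8 bytes
    return fmt_mac(frame[6:12]), slla

def sample_frame() -> bytes:
    """Constructed NS from the thread's address; the MAC is made up."""
    src_mac = bytes.fromhex("0200005e1001")
    src_ip = ipaddress.IPv6Address("fe80::404d:9415:115a:f39c").packed
    dst_ip = ipaddress.IPv6Address("ff02::1:ff00:1").packed
    target = ipaddress.IPv6Address("fe80::1").packed
    icmp = bytes([135, 0, 0, 0]) + bytes(4) + target + bytes([1, 1]) + src_mac
    ip6 = (bytes([0x60, 0, 0, 0]) + len(icmp).to_bytes(2, "big")
           + bytes([58, 255]) + src_ip + dst_ip)
    eth = bytes.fromhex("3333ff000001") + src_mac + bytes.fromhex("86dd")
    return eth + ip6 + icmp

if __name__ == "__main__":
    print(ns_source_mac(sample_frame(), "fe80::404d:9415:115a:f39c"))
```

If the Ethernet source and the Source Link-Layer Address option disagree, treat the frame as suspect and confirm the MAC against the switch's MAC address table.
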

Thanks again Jim,

Your post and the white paper both provide some great information.  Very helpful.

Shane