[MX] IPv6 firewall filter feature for fragmented packets

Article ID: KB31208 | KB Last Updated: 27 Oct 2016 | Version: 2.0
Summary:

Junos uses different methods to process IPv6 fragmented packets on MPC and DPC cards. This article explains the difference between the two cards and how it affects IPv6 firewall filters that deal with IPv6 fragmented packets. It may also be used as supplemental information to the document Firewall Filter Match Conditions for IPv6 Traffic.

Symptoms:

MPC and DPC use different methods to process IPv6 fragmented packets. MPC can read the Next Header field of the Fragment Header, whereas DPC cannot read it for such packets. This makes MPC capable of filtering IPv6 fragmented packets using the contents of the protocol header, while DPC can only match the IPv6 Next Header (fragment) of such packets.

Example IPv6 packet:
ICMP, size 9008 bytes (L3)
This packet is divided into 7 fragment packets.
(1448 * 6 + 320 bytes)

Fragmentation packet (1st packet)

*** packet data ***
------ MAC Header ------
Destination Address : 00 BB BB BB BB BB
Source Address      : 00 AA AA AA AA AA
Type                : 0x86DD (Ethernet II)
------ IPv6 Header ------
Version             : 6          (0x6)
Traffic Class       : 000        (0x00)
Flow Label          : 0000000    (0x00000)
Payload Length      : 01456      (0x05b0)
Next Header         : 044        (0x2C)  <--- Next Header : IPv6 fragment
Hop Limit           : 064        (0x40)       Filter Match Condition : next-header  
Source Address      : 1000::1                 MPC : Supportable, DPC : Supportable  
Destination Address : 2000::2
------ Fragment Header ------
Next Header         : 058        (0x3B)  <--- Next Header : ICMPv6
Reserved Octet      : 000        (0x00)       Filter Match Condition : payload-protocol  
Fragment Offset     : 0000       (0x0000)     MPC : Supportable, DPC : Not Supportable  
Reserved bits       : 0          (0x0)
More Fragment       : 1          (0x1)
Identification      : 0286335522 (0x11112222)
------ ICMPv6 Header ------
Type                : 128        (0x80)  <--- Type : Echo Request
Code                : 0          (0x00)       Filter Match Condition : icmp-type  
Checksum            : 4369       (0x1111)     MPC : Supportable, DPC : Not Supportable  
Identifier          : 8738       (0x2222)
Sequence            : 0          (0x0000)
......


Fragmentation packet (2nd packet - 6th packet)

*** packet data ***

------ MAC Header ------
Destination Address : 00 BB BB BB BB BB
Source Address      : 00 AA AA AA AA AA
Type                : 0x86DD (Ethernet II)
------ IPv6 Header ------
Version             : 6          (0x6)
Traffic Class       : 000        (0x00)
Flow Label          : 0000000    (0x00000)
Payload Length      : 01456      (0x05b0)
Next Header         : 044        (0x2C)  <---Next Header : IPv6 fragment
Hop Limit           : 064        (0x40)      Filter Match Condition : next-header  
Source Address      : 1000::1                MPC : Supportable, DPC : Supportable  
Destination Address : 2000::2
------ Fragment Header ------
Next Header         : 058        (0x3B)  <---Next Header : ICMPv6
Reserved Octet      : 000        (0x00)      Filter Match Condition : payload-protocol  
Fragment Offset     : xxxx       (0xXXXX)    MPC : Supportable, DPC : Not Supportable  
Reserved bits       : 0          (0x0) 
More Fragment       : 1          (0x1) 
Identification      : 0286335522 (0x11112222) 
......                                   <---2nd - 6th packets don't have ICMPv6 header. 
                                             "icmp-type" cannot be used.



Fragmentation packet (7th packet)

*** packet data ***
------ MAC Header ------
Destination Address : 00 BB BB BB BB BB
Source Address      : 00 AA AA AA AA AA
Type                : 0x86DD (Ethernet II)
------ IPv6 Header ------
Version             : 6          (0x6)
Traffic Class       : 000        (0x00)
Flow Label          : 0000000    (0x00000)
Payload Length      : 00328      (0x0148)
Next Header         : 044        (0x2C)  <---Next Header : IPv6 fragment
Hop Limit           : 064        (0x40)      Filter Match Condition : next-header
Source Address      : 1000::1                MPC : Supportable, DPC : Supportable
Destination Address : 2000::2
------ Fragment Header ------
Next Header         : 058        (0x3B)  <---Next Header : ICMPv6
Reserved Octet      : 000        (0x00)      Filter Match Condition : payload-protocol
Fragment Offset     : 1086       (0x043E)    MPC : Supportable, DPC : Not Supportable
Reserved bits       : 0          (0x0)
More Fragment       : 0          (0x0)
Identification      : 0286335522 (0x11112222)
......                                   <---7th packet doesn't have ICMPv6 header.
                                             "icmp-type" cannot be used.

Solution:

The following topology illustrates an example of filtering fragmented IPv6 packets using protocol header information.

Example topology


          ---------------------------------------------> ipv6 ping

                         filter
                           |
                           v
  +---------+               +---------+               +---------+
  |  LSYS1  |ge-1/0/0       |   DUT   |ge-1/0/2       |  LSYS2  |
  |         |---------------|         |---------------|         |
  |         |       ge-1/0/1|         |       ge-1/0/3|         |
  +---------+               +---------+               +---------+

Example configuration

set logical-systems LSYS1 interfaces ge-1/0/0 unit 0 family inet6 address 1000::1/64
set logical-systems LSYS1 routing-options rib inet6.0 static route ::/0 next-hop 1000::2
set logical-systems LSYS2 interfaces ge-1/0/3 unit 0 family inet6 address 2000::2/64
set logical-systems LSYS2 routing-options rib inet6.0 static route ::/0 next-hop 2000::1
set interfaces ge-1/0/1 unit 0 family inet6 filter input TEST
set interfaces ge-1/0/1 unit 0 family inet6 address 1000::2/64
set interfaces ge-1/0/2 unit 0 family inet6 address 2000::1/64
set routing-options rib inet6.0 static route 2000::/64 next-hop 2000::2
set routing-options rib inet6.0 static route 1000::/64 next-hop 1000::1
set firewall family inet6 filter TEST term 1 from icmp-type neighbor-solicit               ---+
set firewall family inet6 filter TEST term 1 from icmp-type neighbor-advertisement            |
set firewall family inet6 filter TEST term 1 from icmp-type router-solicit                    |---> term 1
set firewall family inet6 filter TEST term 1 from icmp-type router-advertisement              |
set firewall family inet6 filter TEST term 1 then count Count1_NDP                            |
set firewall family inet6 filter TEST term 1 then accept                                   ---+
set firewall family inet6 filter TEST term 2 from payload-protocol icmp6                   ---+
set firewall family inet6 filter TEST term 2 then count Count2_protocol-header_or_content     |---> term 2
set firewall family inet6 filter TEST term 2 then accept                                   ---+
set firewall family inet6 filter TEST term 3 from next-header fragment                     ---+
set firewall family inet6 filter TEST term 3 then count Count3_next-header_fragment           |---> term 3
set firewall family inet6 filter TEST term 3 then accept                                   ---+
set firewall family inet6 filter TEST term 4 then count Count4_others                      ---+
set firewall family inet6 filter TEST term 4 then accept                                      |---> term 4
                                                                                           ---+

  term 1 : For NDP
  term 2 : For the Next Header carried in the Fragment Header (payload protocol)
  term 3 : For the IPv6 Next Header (fragment)
  term 4 : For other packets

Test pattern 1

Junos: 14.2R6.5
FPC : MPC (MPC Type 2 3D)

In this pattern, MPC can filter at the protocol level. Since the subsequent fragments also carry the protocol number (the Next Header field in the Fragment Header), all seven fragments match term 2.


user@router-re0> ping 2000::2 logical-system LSYS1 size 9000 count 1
PING6(9048=40+8+9000 bytes) 1000::1 --> 2000::2
9008 bytes from 2000::2, icmp_seq=0 hlim=63 time=2.529 ms

--- 2000::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 2.529/2.529/2.529/0.000 ms

user@router-re0> show firewall

Filter: TEST
Counters:
Name                                                Bytes              Packets
Count1_NDP                                              0                    0
Count2_protocol-header_or_content                    9344                    7 <<<<<<<<<<
Count3_next-header_fragment                             0                    0
Count4_others                                           0                    0

Filter: __default_bpdu_filter__


Test pattern 2

Junos: 14.2R6.5
FPC : MPC (MPC Type 2 3D)

To understand the fragment packet behaviour further, change the firewall filter to the following. Since the subsequent fragments do not carry the detailed protocol content (the ICMPv6 header is present only in the first fragment), only the first fragment matches term 2; the remaining fragments fall through to term 3. This behaviour must be considered when configuring firewall filters for IPv6 fragmented packets.


set firewall family inet6 filter TEST term 2 from icmp-type echo-request             ---+
set firewall family inet6 filter TEST term 2 then count Count_term2_protocols_header    |---> term 2
set firewall family inet6 filter TEST term 2 then accept                             ---+

  term 2 : For protocol content


user@router-re0> ping 2000::2 logical-system LSYS1 size 9000 count 1
PING6(9048=40+8+9000 bytes) 1000::1 --> 2000::2
9008 bytes from 2000::2, icmp_seq=0 hlim=63 time=2.561 ms

--- 2000::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 2.561/2.561/2.561/0.000 ms

user@router-re0> show firewall

Filter: TEST
Counters:
Name                                                Bytes              Packets
Count1_NDP                                              0                    0
Count2_protocol-header_or_content                    1496                    1 <<<<<<<<<<
Count3_next-header_fragment                          7848                    6
Count4_others                                           0                    0

Filter: __default_bpdu_filter__


Test pattern 3

Junos: 14.2R6.5
FPC : DPC (DPCE 20x 1GE R EQ)

DPC cannot filter at the protocol level. The pattern 1 firewall filter configuration cannot be committed on a DPC interface because payload-protocol is not supported on DPC. In this test, the pattern 2 configuration is used; on DPC not even the first fragment matches icmp-type, so all seven fragments match term 3.

user@router-re0> ping 2000::2 logical-system LSYS1 size 9000 count 1
PING6(9048=40+8+9000 bytes) 1000::1 --> 2000::2
9008 bytes from 2000::2, icmp_seq=0 hlim=63 time=1.295 ms

--- 2000::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 1.295/1.295/1.295/0.000 ms

user@router-re0> show firewall

Filter: TEST
Counters:
Name                                             Bytes              Packets
Count1_NDP                                           0                    0
Count2_protocol-header_or_content                    0                    0
Count3_next-header_fragment                       9344                    7 <<<<<<<<<<
Count4_others                                        0                    0

Filter: __default_bpdu_filter__
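The three test patterns above, modelled in Python as an added example (not Junos code and not part of the original article): it builds the seven fragments of the 9008-byte echo request from the dumps, extracts the fields each card type can match, and walks filter TEST term by term to reproduce the counters. The card behaviour is a simplified assumption taken from the article (MPC parses the Fragment Header and the first fragment's ICMPv6 header; DPC does not look past the IPv6 Next Header), and the addresses, identification and checksum values are constructed from the dumps.

```python
import struct

IPV6_FRAG, ICMPV6, ECHO_REQUEST = 44, 58, 128   # 0x2C, 0x3B, 0x80 as in the dumps above
NDP_TYPES = {133, 134, 135, 136}                # router/neighbor solicit and advertisement
SRC, DST = bytes.fromhex("1000" + "00" * 13 + "01"), bytes.fromhex("2000" + "00" * 13 + "02")  # 1000::1, 2000::2

def build_fragment(offset8, more, body):
    """Constructed IPv6 packet: fixed header (40 B) + Fragment Header (8 B) + fragment body."""
    frag = struct.pack("!BBHI", ICMPV6, 0, (offset8 << 3) | more, 0x11112222)
    ipv6 = struct.pack("!IHBB", 6 << 28, len(frag) + len(body), IPV6_FRAG, 64) + SRC + DST
    return ipv6 + frag + body

def build_ping_fragments():
    """The article's 9008-byte echo request split as 1448 * 6 + 320; offsets in 8-octet units."""
    first = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0x1111, 0x2222, 0) + bytes(1440)
    bodies = [first] + [bytes(1448)] * 5 + [bytes(320)]
    return [build_fragment(181 * i, int(i < 6), b) for i, b in enumerate(bodies)]

def match_fields(pkt, card):
    """Fields an inet6 filter can match on this card (assumed model): MPC reads the Fragment
    Header's Next Header and, at offset 0, the ICMPv6 header; DPC stops at the IPv6 Next Header."""
    nh = pkt[6]
    f = {"next-header": nh, "payload-protocol": None, "icmp-type": None}
    if nh != IPV6_FRAG:                             # unfragmented: protocol header follows directly
        f["payload-protocol"] = nh
        if nh == ICMPV6:
            f["icmp-type"] = pkt[40]
    elif card == "MPC":
        proto, _, off_flags, _ = struct.unpack("!BBHI", pkt[40:48])
        f["payload-protocol"] = proto
        if proto == ICMPV6 and off_flags >> 3 == 0:  # ICMPv6 header is present only at offset 0
            f["icmp-type"] = pkt[48]
    return f

def apply_filter(terms, pkts, card):
    """First matching term wins; returns {counter: [packets, bytes]} like 'show firewall'."""
    result = {name: [0, 0] for name, _ in terms}
    for p in pkts:
        f = match_fields(p, card)
        for name, cond in terms:
            if all(f[k] in vals for k, vals in cond.items()):
                result[name][0] += 1
                result[name][1] += len(p)
                break
    return result

PATTERN1 = [("Count1_NDP", {"icmp-type": NDP_TYPES}),   # filter TEST as configured for pattern 1
            ("Count2_protocol-header_or_content", {"payload-protocol": {ICMPV6}}),
            ("Count3_next-header_fragment", {"next-header": {IPV6_FRAG}}),
            ("Count4_others", {})]
PATTERN2 = [PATTERN1[0], ("Count2_protocol-header_or_content", {"icmp-type": {ECHO_REQUEST}})] + PATTERN1[2:]
```

Running `apply_filter(PATTERN1, build_ping_fragments(), "MPC")` reproduces the 7 packets / 9344 bytes on Count2 from pattern 1, while `PATTERN2` gives 1 / 1496 on Count2 and 6 / 7848 on Count3 on MPC and 7 / 9344 on Count3 on DPC.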
