Junos uses different methods to process IPv6 fragmented packets on MPC and DPC cards. This article explains the difference between the two card types and how it affects IPv6 firewall filters that have to deal with fragmented packets. It can be read as supplemental information to the document Firewall Filter Match Conditions for IPv6 Traffic.
MPC and DPC process IPv6 fragmented packets differently. The MPC parses the Fragment extension header and reads the Next Header value carried in it, whereas the DPC reads only the Next Header field of the IPv6 base header, which is 44 (Fragment) for every fragment. The MPC can therefore filter fragmented IPv6 packets on the upper-layer protocol carried inside the fragments; the DPC cannot.
Example IPv6 packet:
ICMPv6 echo request, 9008 bytes of ICMPv6 header plus data (9048 bytes at L3 including the 40-byte IPv6 header)
This packet is divided into 7 fragments, each carrying up to 1448 bytes of the fragmentable part:
(1448 * 6 + 320 = 9008 bytes)
Fragmentation packet (1st packet)
*** packet data ***
------ MAC Header ------
Destination Address : 00 BB BB BB BB BB
Source Address      : 00 AA AA AA AA AA
Type                : 0x86DD (IPv6, Ethernet II)
------ IPv6 Header ------
Version             : 6 (0x6)
Traffic Class       : 000 (0x00)
Flow Label          : 0000000 (0x00000)
Payload Length      : 01456 (0x05b0)
Next Header         : 044 (0x2C)        <--- Next Header : IPv6 Fragment
                                             Filter match condition : next-header
                                             MPC : supported, DPC : supported
Hop Limit           : 064 (0x40)
Source Address      : 1000::1
Destination Address : 2000::2
------ Fragment Header ------
Next Header         : 058 (0x3A)        <--- Next Header : ICMPv6
                                             Filter match condition : payload-protocol
                                             MPC : supported, DPC : not supported
Reserved Octet      : 000 (0x00)
Fragment Offset     : 0000 (0x0000)
Reserved Bits       : 0 (0x0)
More Fragments      : 1 (0x1)
Identification      : 0286335522 (0x11112222)
------ ICMPv6 Header ------
Type                : 128 (0x80)        <--- Type : Echo Request
                                             Filter match condition : icmp-type
                                             MPC : supported, DPC : not supported
Code                : 0 (0x00)
Checksum            : 4369 (0x1111)
Identifier          : 8738 (0x2222)
Sequence            : 0 (0x0000)
......
Fragmentation packet (2nd packet - 6th packet)
*** packet data ***
------ MAC Header ------
Destination Address : 00 BB BB BB BB BB
Source Address      : 00 AA AA AA AA AA
Type                : 0x86DD (IPv6, Ethernet II)
------ IPv6 Header ------
Version             : 6 (0x6)
Traffic Class       : 000 (0x00)
Flow Label          : 0000000 (0x00000)
Payload Length      : 01456 (0x05b0)
Next Header         : 044 (0x2C)        <--- Next Header : IPv6 Fragment
                                             Filter match condition : next-header
                                             MPC : supported, DPC : supported
Hop Limit           : 064 (0x40)
Source Address      : 1000::1
Destination Address : 2000::2
------ Fragment Header ------
Next Header         : 058 (0x3A)        <--- Next Header : ICMPv6
                                             Filter match condition : payload-protocol
                                             MPC : supported, DPC : not supported
Reserved Octet      : 000 (0x00)
Fragment Offset     : xxxx (0xXXXX)     <--- increases by 181 (1448 / 8) per fragment
Reserved Bits       : 0 (0x0)
More Fragments      : 1 (0x1)
Identification      : 0286335522 (0x11112222)
......                                  <--- The 2nd to 6th packets carry only fragment data;
                                             there is no ICMPv6 header, so "icmp-type" cannot match them.
Fragmentation packet (7th packet)
*** packet data ***
------ MAC Header ------
Destination Address : 00 BB BB BB BB BB
Source Address      : 00 AA AA AA AA AA
Type                : 0x86DD (IPv6, Ethernet II)
------ IPv6 Header ------
Version             : 6 (0x6)
Traffic Class       : 000 (0x00)
Flow Label          : 0000000 (0x00000)
Payload Length      : 00328 (0x0148)
Next Header         : 044 (0x2C)        <--- Next Header : IPv6 Fragment
                                             Filter match condition : next-header
                                             MPC : supported, DPC : supported
Hop Limit           : 064 (0x40)
Source Address      : 1000::1
Destination Address : 2000::2
------ Fragment Header ------
Next Header         : 058 (0x3A)        <--- Next Header : ICMPv6
                                             Filter match condition : payload-protocol
                                             MPC : supported, DPC : not supported
Reserved Octet      : 000 (0x00)
Fragment Offset     : 1086 (0x043E)     <--- 1086 * 8 = 8688 = 1448 * 6 bytes
Reserved Bits       : 0 (0x0)
More Fragments      : 0 (0x0)
Identification      : 0286335522 (0x11112222)
......                                  <--- The 7th packet carries only fragment data;
                                             there is no ICMPv6 header, so "icmp-type" cannot match it.
The following topology illustrates an example of filtering fragmented IPv6 packets using protocol header information.
Example topology
          ipv6 ping ----------------------------------------------->
                                 filter (input on ge-1/0/1)
                                 |
                                 v
+---------+               +---------+               +---------+
|  LSYS1  |ge-1/0/0       |   DUT   |ge-1/0/2       |  LSYS2  |
|         |---------------|         |---------------|         |
|         |       ge-1/0/1|         |       ge-1/0/3|         |
+---------+               +---------+               +---------+
Example configuration
set logical-systems LSYS1 interfaces ge-1/0/0 unit 0 family inet6 address 1000::1/64
set logical-systems LSYS1 routing-options rib inet6.0 static route ::/0 next-hop 1000::2
set logical-systems LSYS2 interfaces ge-1/0/3 unit 0 family inet6 address 2000::2/64
set logical-systems LSYS2 routing-options rib inet6.0 static route ::/0 next-hop 2000::1
set interfaces ge-1/0/1 unit 0 family inet6 filter input TEST
set interfaces ge-1/0/1 unit 0 family inet6 address 1000::2/64
set interfaces ge-1/0/2 unit 0 family inet6 address 2000::1/64
set routing-options rib inet6.0 static route 2000::/64 next-hop 2000::2
set routing-options rib inet6.0 static route 1000::/64 next-hop 1000::1
# term 1
set firewall family inet6 filter TEST term 1 from icmp-type neighbor-solicit
set firewall family inet6 filter TEST term 1 from icmp-type neighbor-advertisement
set firewall family inet6 filter TEST term 1 from icmp-type router-solicit
set firewall family inet6 filter TEST term 1 from icmp-type router-advertisement
set firewall family inet6 filter TEST term 1 then count Count1_NDP
set firewall family inet6 filter TEST term 1 then accept
# term 2
set firewall family inet6 filter TEST term 2 from payload-protocol icmp6
set firewall family inet6 filter TEST term 2 then count Count2_protocol-header_or_content
set firewall family inet6 filter TEST term 2 then accept
# term 3
set firewall family inet6 filter TEST term 3 from next-header fragment
set firewall family inet6 filter TEST term 3 then count Count3_next-header_fragment
set firewall family inet6 filter TEST term 3 then accept
# term 4
set firewall family inet6 filter TEST term 4 then count Count4_others
set firewall family inet6 filter TEST term 4 then accept
term 1 : NDP (icmp-type, matched on the ICMPv6 header)
term 2 : upper-layer protocol (payload-protocol, matched on the Next Header carried in the Fragment header)
term 3 : Next Header of the IPv6 base header (next-header fragment, i.e. 44)
term 4 : all other packets
Terms are evaluated in order and the first matching term wins, so the counters show which piece of header information the card was able to use for each fragment.
Test pattern 1
Junos: 14.2R6.5
FPC : MPC (MPC Type 2 3D)
In this pattern the MPC filters at the protocol level. Because every fragment carries the upper-layer protocol number in its Fragment header (Next Header = 58, ICMPv6), all seven fragments match term 2 (payload-protocol icmp6) and none reach term 3.
user@router-re0> ping 2000::2 logical-system LSYS1 size 9000 count 1
PING6(9048=40+8+9000 bytes) 1000::1 --> 2000::2
9008 bytes from 2000::2, icmp_seq=0 hlim=63 time=2.529 ms
--- 2000::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 2.529/2.529/2.529/0.000 ms
user@router-re0> show firewall
Filter: TEST
Counters:
Name                                          Bytes    Packets
Count1_NDP                                        0          0
Count2_protocol-header_or_content              9344          7  <<<<<<<<<<
Count3_next-header_fragment                       0          0
Count4_others                                     0          0
Filter: __default_bpdu_filter__
Test pattern 2
Junos: 14.2R6.5
FPC : MPC (MPC Type 2 3D)
To see the fragment behaviour more clearly, change term 2 of the filter as follows: remove the payload-protocol match and match on the ICMPv6 type instead (the counter name is unchanged, so the output below keeps reporting Count2_protocol-header_or_content). Only the first fragment carries the ICMPv6 header, so only it matches term 2; fragments 2 to 7 fall through to term 3 (next-header fragment). This has to be taken into account whenever a filter for IPv6 fragments matches on upper-layer header fields such as the ICMPv6 type: such a term only ever sees the first fragment, and the remaining fragments are handled by whichever later term matches them.
# term 2 (replaces the pattern 1 version)
delete firewall family inet6 filter TEST term 2 from payload-protocol
set firewall family inet6 filter TEST term 2 from icmp-type echo-request
set firewall family inet6 filter TEST term 2 then count Count2_protocol-header_or_content
set firewall family inet6 filter TEST term 2 then accept
term 2 : upper-layer header content (icmp-type, matched on the ICMPv6 header)
user@router-re0> ping 2000::2 logical-system LSYS1 size 9000 count 1
PING6(9048=40+8+9000 bytes) 1000::1 --> 2000::2
9008 bytes from 2000::2, icmp_seq=0 hlim=63 time=2.561 ms
--- 2000::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 2.561/2.561/2.561/0.000 ms
user@router-re0> show firewall
Filter: TEST
Counters:
Name                                          Bytes    Packets
Count1_NDP                                        0          0
Count2_protocol-header_or_content              1496          1  <<<<<<<<<<
Count3_next-header_fragment                    7848          6
Count4_others                                     0          0
Filter: __default_bpdu_filter__
Test pattern 3
Junos: 14.2R6.5
FPC : DPC (DPCE 20x 1GE R EQ)
The DPC cannot filter at the protocol level behind a Fragment header. The pattern 1 filter cannot even be committed on a DPC interface, because payload-protocol is not a supported match condition there, so this test uses the pattern 2 configuration. Note that on the DPC not even the first fragment matches term 2: the icmp-type match never sees the ICMPv6 header behind the Fragment header, so all seven fragments are counted by term 3 (next-header fragment). For a filter whose intent is to discard or rate-limit a specific ICMPv6 type on a DPC, this means fragmented packets of that type are handled by whichever later term matches next-header fragment, or by the implicit discard at the end of the filter, and never by the icmp-type term.
user@router-re0> ping 2000::2 logical-system LSYS1 size 9000 count 1
PING6(9048=40+8+9000 bytes) 1000::1 --> 2000::2
9008 bytes from 2000::2, icmp_seq=0 hlim=63 time=1.295 ms
--- 2000::2 ping6 statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 1.295/1.295/1.295/0.000 ms
user@router-re0> show firewall
Filter: TEST
Counters:
Name                                          Bytes    Packets
Count1_NDP                                        0          0
Count2_protocol-header_or_content                 0          0
Count3_next-header_fragment                    9344          7  <<<<<<<<<<
Count4_others                                     0          0
Filter: __default_bpdu_filter__
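The following script is an added example written for this article; it is not Juniper code and not part of the original page. It builds the seven-fragment ICMPv6 echo request dissected in the packet dump above (same addresses, sizes, identification and dummy checksum), parses the base and Fragment headers, and evaluates the filter terms of test patterns 1 to 3 against each fragment under two models: reading through the Fragment header, as the article shows the MPC doing, and stopping at the base-header Next Header, as the DPC does. The `classify` card model, the `run_filter` first-match loop and the term tables are assumptions of this example chosen to reproduce the counters reported in the three test patterns; they are not a description of Junos internals.

```python
# Added example, not code from the article or from Juniper. Builds the 7-fragment
# ICMPv6 echo request from the packet dump and evaluates the TEST filter terms per
# fragment under a "read through the Fragment header" (MPC) and a "base header
# only" (DPC) model. Both card models are this example's own assumption.
import ipaddress
import struct

IPPROTO_FRAGMENT = 44
IPPROTO_ICMPV6 = 58
ICMP6_ECHO_REQUEST = 128
NDP_TYPES = {133, 134, 135, 136}          # RS, RA, NS, NA
SRC = ipaddress.IPv6Address("1000::1").packed
DST = ipaddress.IPv6Address("2000::2").packed


def echo_request(data_len=9000):
    """ICMPv6 echo request header + data (9008 bytes by default). Checksum 0x1111
    is the dummy value from the article's dump, not a valid checksum."""
    return struct.pack("!BBHHH", ICMP6_ECHO_REQUEST, 0, 0x1111, 0x2222, 0) + b"\x00" * data_len


def fragment(upper, upper_proto=IPPROTO_ICMPV6, frag_bytes=1448, ident=0x11112222):
    """Split an upper-layer PDU into IPv6 fragments: base header (Next Header 44)
    + Fragment header (Next Header = upper_proto, 13-bit offset in 8-octet units,
    2 reserved bits, M bit, identification) + data."""
    assert frag_bytes % 8 == 0, "non-final fragments must be a multiple of 8 octets"
    pkts = []
    for off in range(0, len(upper), frag_bytes):
        chunk = upper[off:off + frag_bytes]
        more = 1 if off + frag_bytes < len(upper) else 0
        frag_hdr = struct.pack("!BBHI", upper_proto, 0, ((off // 8) << 3) | more, ident)
        base = struct.pack("!IHBB", 0x60000000, len(frag_hdr) + len(chunk),
                           IPPROTO_FRAGMENT, 64) + SRC + DST          # hop limit 64
        pkts.append(base + frag_hdr + chunk)
    return pkts


def parse(pkt):
    """Decode the base header and, when Next Header is 44, the Fragment header.
    The upper-layer header is only present in the first fragment (offset 0)."""
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    rest = pkt[40:40 + payload_len]
    proto, offset, more = nh, 0, 0
    if nh == IPPROTO_FRAGMENT:
        proto, _, off_m, _ident = struct.unpack("!BBHI", rest[:8])
        offset, more, rest = off_m >> 3, off_m & 1, rest[8:]
    return {"next_header": nh, "payload_protocol": proto, "offset": offset,
            "more": more, "upper": rest if offset == 0 else b""}


def classify(pkt, card):
    """Values of the three match conditions as a card of the given type sees them.
    "MPC" reads through the Fragment header; "DPC" stops at the base header, so
    behind Next Header 44 it knows neither the upper-layer protocol nor its type."""
    p = parse(pkt)
    if card == "DPC" and p["next_header"] == IPPROTO_FRAGMENT:
        proto, upper = None, b""
    else:
        proto, upper = p["payload_protocol"], p["upper"]
    icmp_type = upper[0] if proto == IPPROTO_ICMPV6 and upper else None
    return {"next-header": p["next_header"], "payload-protocol": proto, "icmp-type": icmp_type}


# Filter terms in evaluation order: (counter name, {match condition: accepted values}).
NDP_TERM = ("Count1_NDP", {"icmp-type": NDP_TYPES})
FRAG_TERM = ("Count3_next-header_fragment", {"next-header": {IPPROTO_FRAGMENT}})
OTHER_TERM = ("Count4_others", {})
PATTERN_1 = [NDP_TERM, ("Count2_protocol-header_or_content",
                        {"payload-protocol": {IPPROTO_ICMPV6}}), FRAG_TERM, OTHER_TERM]
PATTERN_2 = [NDP_TERM, ("Count2_protocol-header_or_content",
                        {"icmp-type": {ICMP6_ECHO_REQUEST}}), FRAG_TERM, OTHER_TERM]


def run_filter(terms, pkts, card):
    """First-match evaluation; returns {counter: (packets, bytes)} the way
    'show firewall' reports them, counting bytes from the IPv6 header."""
    if card == "DPC" and any("payload-protocol" in m for _, m in terms):
        raise ValueError("payload-protocol is not a supported match condition on DPC")
    counts = {name: [0, 0] for name, _ in terms}
    for pkt in pkts:
        seen = classify(pkt, card)
        for name, match in terms:
            if all(seen[cond] in values for cond, values in match.items()):
                counts[name][0] += 1
                counts[name][1] += len(pkt)
                break
    return {name: tuple(v) for name, v in counts.items()}


if __name__ == "__main__":
    frags = fragment(echo_request())
    for i, f in enumerate(frags, 1):
        p = parse(f)
        print(f"fragment {i}: payload_len={len(f) - 40:4d} offset={p['offset']:4d} M={p['more']}"
              f"  MPC sees {classify(f, 'MPC')}  DPC sees {classify(f, 'DPC')}")
    for label, terms, card in (("pattern 1 / MPC", PATTERN_1, "MPC"),
                               ("pattern 2 / MPC", PATTERN_2, "MPC"),
                               ("pattern 3 / DPC", PATTERN_2, "DPC")):
        print(label, run_filter(terms, frags, card))
```

Running it prints, per fragment, the match-condition values each card model can derive (the DPC model sees None for payload-protocol and icmp-type on every fragment, the MPC model sees ICMPv6 on all seven and type 128 only on the first) and the resulting counters: 7 packets / 9344 bytes on term 2 for pattern 1, 1 / 1496 on term 2 plus 6 / 7848 on term 3 for pattern 2, and 7 / 9344 on term 3 for pattern 3, matching the show firewall output above. Passing the pattern 1 terms with the DPC model raises, mirroring the commit failure the article describes.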