For this post, we're going to get deeper into Firewall Analysis, with a special focus on IPv6.
Why Firewall Analysis
Where Firewall Testing just aims to check the results of a particular model / configuration (open IP addresses and ports, ingress/egress filtering, resistance to DoS, security features), Firewall Analysis aims to understand how a particular model functions: its inner workings.
Here is an example: as most network routers have a stateful firewall, it is hard to tell whether an incoming packet has been allowed in by virtue of the inbound policy, or because a stateful permission has been created by a previous outgoing flow. Think of an ICMPv6 Echo Reply: does it get in because an outbound Echo Request has been initiated?
Or an inbound ICMPv6 Time Exceeded triggered by an outbound TCP segment with a too-short TTL?
Firewall Analysis aims at discovering the inner workings of a firewall.
We're going to see some ways to study how an IPv6 firewall handles ICMPv6.
Practical Test Lab
We're going to trigger five types of ICMPv6 messages:
. ICMPv6 Echo Reply
. ICMPv6 Time Exceeded (hop limit exceeded) created by an echo request
. ICMPv6 Time Exceeded (hop limit exceeded) created by an outbound TCP 80 request
. Destination Unreachable (no route to destination) created by an echo request
. Destination Unreachable (no route to destination) created by an outbound TCP request
Here is the setup :
Router1 is the router under test. PC1 will issue requests and monitor replies using the Wireshark network monitor. OS Router is an OS-based IPv6 router, with a Wireshark network monitor and a packet replay tool (Ostinato).
To trigger ICMPv6 Echo Reply, we'll just need PC1 to ping OS Router :
ping [OS Router IPv6 Lan Address ]
To trigger ICMPv6 Time Exceeded (hop limit exceeded), we'll have PC1 ping OS Router with a too-short TTL:
ping -i 2 [ OS Router IPv6 Lan Address ]
To trigger ICMPv6 Time Exceeded (hop limit exceeded) created by an outbound TCP 80 request, we'll set PC1's hop limit to 2:
netsh int IPv6 set int [Idx] currenthoplimit=2
and open a web browser on PC1, using the web server's IPv6 address in the address bar. Please note two things:
. We use the IPv6 address of the web server, to bypass any DNS resolution.
. The currenthoplimit setting in Windows seems volatile (it reverts after about 5s). A script is needed on Windows to re-apply the command in a 2s loop. Here is a short batch file for this (interface index 12 is the one from the netsh command above; adjust it to your own):
for /L %%n in (1,1,100) do (
    netsh int ipv6 set int 12 currenthoplimit=2
    timeout /t 2 /nobreak >nul
)
@ECHO [ Press a Key to Close ]
pause >nul
To trigger ICMPv6 Destination Unreachable (no route to destination), we can just plug Router 2 into our CPE, but keep the CPE unpowered. Then, we'll ping an Internet IPv6 address and open a web browser on PC1, using an Internet web server's IPv6 address in the address bar.
We'll be generating genuine ICMPv6 traffic from PC1, and monitor the inbound packets that make it back to PC1 using Wireshark on PC1:
We'll then be able to replay these 5 error messages at will, from OS Router, without any firewall state (record) having been created beforehand:
By using packet replay, we can be sure we're issuing carbon-copy packets, which are perfectly well crafted. For this we replay them using 'raw mode' in Ostinato (no packet dissection / analysis / crafting).
Finally, we can use packet crafting (the Ostinato packet crafter) to try to generate all the types of ICMPv6 messages that may be difficult to trigger genuinely:
Conclusions based upon messages generated by pure packet crafting have to be treated with caution, though, as the packets may be mis-crafted (and silently dropped for that reason alone). It's less reliable than raw-packet replay.
Test Results and Analysis
By comparing outbound genuine traffic with replayed traffic, we can see what the firewall allows in by virtue of a state and what is allowed in by virtue of an inbound policy.
We can check the stateful nature of a firewall, as well as the way it treats state-related traffic (e.g. an inbound ICMPv6 message in response to an outbound TCP request).
By using pure packet crafting, we can sweep the firewall's WAN side with every message type, to see which types pass.
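The decision this comparison reverse-engineers can be written down as a small model. The Python below is an added example, not code from the post or from any router vendor: it builds three of the lab's messages (the Echo Reply and the two TCP-triggered errors) with constructed addresses from the 2001:db8::/32 documentation prefix, assumes an inbound policy that accepts only Destination Unreachable, and submits each message once with the matching state present and once replayed after the state table has been cleared, which is the genuine-versus-replay comparison made above with Wireshark and Ostinato. The checksum check mirrors the caveat about mis-crafted packets. All names (ipv6_packet, StatefulFirewallModel, run_lab and so on) are the example's own.

```python
# Added example, not code from the original post: a minimal model of a stateful IPv6
# firewall's verdict on inbound ICMPv6. Addresses, roles and the policy set are constructed.
import ipaddress
import struct
PROTO_TCP, PROTO_ICMPV6 = 6, 58
DEST_UNREACH, TIME_EXCEEDED, ECHO_REQUEST, ECHO_REPLY = 1, 3, 128, 129
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED}
PC1, OS_ROUTER, WEB = "2001:db8:1::10", "2001:db8:2::1", "2001:db8:3::80"  # constructed

def _checksum(src, dst, proto, data):
    """Internet checksum over the IPv6 pseudo-header and the upper-layer data."""
    buf = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
           + struct.pack("!I3xB", len(data), proto) + data)
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv6_packet(src, dst, proto, payload, hop_limit=64):
    """40-byte IPv6 header (version, payload length, next header, hop limit) + payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), proto, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload

def tcp_segment(src, dst, sport, dport, flags=0x02):
    """Minimal 20-byte TCP header (SYN by default) with a valid checksum."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return seg[:16] + struct.pack("!H", _checksum(src, dst, PROTO_TCP, seg)) + seg[18:]

def icmpv6_message(src, dst, typ, code, rest, body=b""):
    """ICMPv6 (RFC 4443): type, code, checksum, 32-bit 'rest' (id/seq for echo), body."""
    msg = struct.pack("!BBHI", typ, code, 0, rest) + body
    return msg[:2] + struct.pack("!H", _checksum(src, dst, PROTO_ICMPV6, msg)) + msg[4:]

def parse_ipv6(pkt):
    _, plen, proto, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    return {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "proto": proto, "payload": pkt[40:40 + plen]}

def checksum_ok(pkt):
    """A valid checksum folds to zero; mis-crafted packets fail here before any lookup."""
    ip = parse_ipv6(pkt)
    return _checksum(ip["src"], ip["dst"], ip["proto"], ip["payload"]) == 0

def flow_key(ip, reply=False):
    """Key a stateful firewall records for a packet; reply=True gives the return direction."""
    a, b, p = ip["src"], ip["dst"], ip["payload"]
    if ip["proto"] == PROTO_TCP:
        sport, dport = struct.unpack("!HH", p[:4])
        return (PROTO_TCP, b, a, dport, sport) if reply else (PROTO_TCP, a, b, sport, dport)
    if ip["proto"] == PROTO_ICMPV6 and p[0] in (ECHO_REQUEST, ECHO_REPLY):
        ident = struct.unpack("!H", p[4:6])[0]
        return (PROTO_ICMPV6, b, a, ident) if reply else (PROTO_ICMPV6, a, b, ident)
    return None

class StatefulFirewallModel:
    def __init__(self, inbound_icmpv6_policy=()):
        self.states = set()  # keys of outbound flows seen so far
        self.inbound_icmpv6_policy = set(inbound_icmpv6_policy)  # ICMPv6 types let in regardless

    def outbound(self, pkt):
        key = flow_key(parse_ipv6(pkt))
        if key:
            self.states.add(key)

    def inbound(self, pkt):
        if not checksum_ok(pkt):
            return "dropped-malformed"
        ip = parse_ipv6(pkt)
        icmp_type = ip["payload"][0] if ip["proto"] == PROTO_ICMPV6 else None
        if icmp_type in ERROR_TYPES:
            # RFC 4443 errors embed the invoking packet (IPv6 header first) after their 8-byte header
            key = flow_key(parse_ipv6(ip["payload"][8:]))
        else:
            key = flow_key(ip, reply=True)
        if key in self.states:
            return "allowed-by-state"
        if icmp_type in self.inbound_icmpv6_policy:
            return "allowed-by-policy"
        return "dropped"

def run_lab():
    """Genuine exchange (states present), then the same packets replayed once the states are gone."""
    fw = StatefulFirewallModel(inbound_icmpv6_policy={DEST_UNREACH})  # constructed policy
    echo_req = ipv6_packet(PC1, OS_ROUTER, PROTO_ICMPV6,
                           icmpv6_message(PC1, OS_ROUTER, ECHO_REQUEST, 0, 0x12340001))
    syn = ipv6_packet(PC1, WEB, PROTO_TCP, tcp_segment(PC1, WEB, 50000, 80), hop_limit=2)
    replies = {"echo_reply": ipv6_packet(OS_ROUTER, PC1, PROTO_ICMPV6,
                                         icmpv6_message(OS_ROUTER, PC1, ECHO_REPLY, 0, 0x12340001))}
    for name, typ in (("time_exceeded", TIME_EXCEEDED), ("dest_unreach", DEST_UNREACH)):
        replies[name] = ipv6_packet(OS_ROUTER, PC1, PROTO_ICMPV6,
                                    icmpv6_message(OS_ROUTER, PC1, typ, 0, 0, syn))
    for pkt in (echo_req, syn):
        fw.outbound(pkt)
    results = {n + "_genuine": fw.inbound(p) for n, p in replies.items()}
    fw.states.clear()  # states expired (or router rebooted) before OS Router replays the captures
    results.update({n + "_replay": fw.inbound(p) for n, p in replies.items()})
    return results
```

With this policy, run_lab() returns allowed-by-state for the three genuine messages, dropped for the replayed Echo Reply and Time Exceeded, and allowed-by-policy for the replayed Destination Unreachable. On a real router the verdicts come from the Wireshark capture on PC1; the model only makes explicit which of the two explanations (state or inbound policy) each observed verdict admits, and why a malformed crafted packet tells you nothing about either.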
A few practical tips
To replay raw packets using Wireshark and Ostinato:
Using Wireshark, export the packets:
. Edit > Mark Packet
. File > Export Specified Packets...
. format: Wireshark/tcpdump/... - libpcap (second choice)
. packet range: Marked packets
Using Ostinato, import the Wireshark-saved packets:
. File > Open Streams
. uncheck intelligent import