[j-nsp] ipv6 firewall filter matching MLD
Zenon Mousmoulas
zmousm at admin.grnet.gr
Fri Jun 10 03:53:32 EDT 2011
Hi,
I want to match MLD packets in an IPv6 firewall filter. The filter is applied ingress on a loopback interface.
Quoting from RFC 3810:
MLDv2 is a sub-protocol of ICMPv6, that is, MLDv2 message types are a
subset of ICMPv6 messages, and MLDv2 messages are identified in IPv6
packets by a preceding Next Header value of 58. All MLDv2 messages
described in this document MUST be sent with a link-local IPv6 Source
Address, an IPv6 Hop Limit of 1, and an IPv6 Router Alert option
[RFC2711] in a Hop-by-Hop Options header. (The Router Alert option
is necessary to cause routers to examine MLDv2 messages sent to IPv6
multicast addresses in which the routers themselves have no
interest.) MLDv2 Reports can be sent with the source address set to
the unspecified address [RFC3513], if a valid link-local IPv6 source
address has not been acquired yet for the sending interface. (See
section 5.2.13. for details.)
I've tried to match it using such filter conditions:
from {
next-header icmpv6;
icmp-type [ membership-report membership-termination membership-query ];
}
from {
next-header icmpv6;
icmp-type [ 130 131 132 143 ];
}
or even just match on icmpv6:
from {
next-header icmpv6;
}
but none of this matches MLD packets. The only thing that works is matching on the hop-by-hop options header:
from {
next-header hop-by-hop;
}
but you can not match on both this header and the next header, i.e. ICMPv6:
from {
next-header [ hop-by-hop icmpv6 ];
}
So it seems that JUNOS is not capable of matching a nested next-header but rather only identifies the packet from the first header, even if it is a special header that is bound to be followed by a protocol header, as in the case of hop-by-hop options.
This is verified by looking at the firewall log. It shows that packets which are most certainly carrying MLD payload (judging from the MLDv2 Listener Report destination address ff02::16) are identified as protocol 0 (H-B-H) rather than ICMPv6.
Time Filter Action Interface Protocol Src Addr Dest Addr
16:25:11 pfe A ge-0/0/8.400 ICMPv6 fe80::a4a9:1ddc:484:87e6 ff02::1:ff38:e808
16:24:18 pfe A ge-0/0/8.400 0 fe80::a4a9:1ddc:484:87e6 ff02::16
16:24:17 pfe A ge-0/0/8.400 0 fe80::9571:e508:f653:e2d5 ff02::16
16:24:17 pfe A ge-0/0/8.400 0 fe80::a4a9:1ddc:484:87e6 ff02::16
16:24:16 pfe A ge-0/0/8.400 0 fe80::607d:b982:9750:bdc4 ff02::16
Since H-B-H is mainly used to carry the Router Alert option, which is required also e.g. for RSVP, is it right to assume that JUNOS firewall filter will not match any such protocols?
Am I missing something? Any ideas?
This has been tested on 9.6R3.8 and 10.4R4.5 (multiple platforms, but that is irrelevant).
Thanks,
Zenon Mousmoulas
More information about the juniper-nsp
mailing list