IPv6 Tools
Basic tools
Important things to note:
Different operating systems handle the addition of IPv6 differently. For example,
on Linux and OS X, the command line tools for IPv6 are separate from the ones
used for IPv4. On Linux and OS X, if you want to ping
“ipv6.google.com”, you would use the command “ping6 ipv6.google.com”.
Because the host “ipv6.google.com” does not have an IPv4 address assigned, if you attempt
“ping ipv6.google.com”, ping will fail (see the example below):
$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2607:f388:1082:ffff:223:dfff:dead:beef --> 2001:4860:b002::68
16 bytes from 2001:4860:b002::68, icmp_seq=0 hlim=53 time=53.465 ms
16 bytes from 2001:4860:b002::68, icmp_seq=1 hlim=53 time=44.402 ms
$ ping ipv6.google.com
ping: cannot resolve ipv6.google.com: Unknown host
However, if you attempt “ping ipv6.google.com” from a Windows system, it will work.
This is true for all of the other typical commands as well (traceroute6 vs. traceroute).
TRY THIS:
From the Linux image, open the Terminal and try pinging the Windows host
“wes08.lockdown” with both versions of the ping command: “ping” and “ping6”.
[root@rhel53 ~]# ping wes08.lockdown
[root@rhel53 ~]# ping6 wes08.lockdown
What differences do you see?
Now, from the Windows image (open the command prompt from the Start menu), ping the
Linux host “rhel53.lockdown”.
C:\Users\Administrator>ping rhel53.lockdown
What is the default behavior of “ping” on Windows (hint: try the “-4” flag)?
C:\Users\Administrator>ping -4 rhel53.lockdown
Firewall Support
It is important to note that on Linux, iptables does NOT handle IPv6 traffic at all. iptables
only handles IPv4 traffic. Most firewall configuration packages (at the moment) only write
firewall rules for IPv4!
NOTE: RedHat Enterprise Server does it right and creates firewall rules for IPv6 and IPv4
in parallel. The same cannot be said for most other Linux distributions (specifically
Debian).
Outside of Linux, both Mac OS X and Windows Vista firewall IPv6 with the same rules as their
IPv4 counterparts.
In Linux, to do IPv6 firewalling, you need to use ‘ip6tables’ and not iptables. The
syntax is largely the same as its IPv4 counterpart, with slight differences. A basic, deny all, firewall
for ip6tables can be accomplished with the following script:
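##
##
*filter
# Built-in chains keep the ACCEPT policy; the deny-all behavior comes from
# the final REJECT rule in LOCAL-INPUT-RULES.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT-RULES - [0:0]
-A INPUT -j LOCAL-INPUT-RULES
-A FORWARD -j LOCAL-INPUT-RULES
# Allow loopback traffic and ICMPv6, which IPv6 needs for neighbor discovery.
-A LOCAL-INPUT-RULES -i lo -j ACCEPT
-A LOCAL-INPUT-RULES -p icmpv6 -j ACCEPT
# Reject everything else.
-A LOCAL-INPUT-RULES -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
##
##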
Save the contents to a file (‘/etc/network/ip6tables’ for example) and then load
the firewall rules with ‘/sbin/ip6tables-restore /etc/network/ip6tables’. You can get
fancier with your rulesets, but that is a good place to start.
To check and see if your firewall rules loaded, use the command “ip6tables -L”.
Alive6 and getting the Hardware Address
Together, the utility “alive6” and Linux’s “neighbor table” can be used to get the information
that ARP used to give you. Alive6 causes all of the IPv6 hosts to respond to a ping and the
neighbor table shows the associated hardware address. Combine these two tools and you
have the information that you wanted.
TRY THIS:
Open the Terminal on the Linux image and run the command:
[root@rhel53 ~]# alive6 eth0
What kind of information is returned? How many addresses do you see?
Now, look in your neighbor table with the command:
[root@rhel53 ~]# ip -f inet6 neighbor show
With the information that you have, you can now locate the host using the switch data. By
archiving this information, you could keep track of Windows hosts when they change their
temporary IPv6 addresses.
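The archiving idea above, as an added example that is not part of the original handout: Python that parses saved “ip -f inet6 neighbor show” output and groups IPv6 addresses by hardware address. It goes one step beyond the text by marking which addresses are derived from the MAC (modified EUI-64) and which are not, such as temporary addresses. The sample output and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -f inet6 neighbor show` output (documentation
# prefix 2001:db8::/32 and made-up hardware addresses, not from the lab).
SAMPLE = """\
fe80::223:dfff:fe12:3456 dev eth0 lladdr 00:23:df:12:34:56 REACHABLE
2001:db8:1:1:223:dfff:fe12:3456 dev eth0 lladdr 00:23:df:12:34:56 STALE
2001:db8:1:1:5c1e:7a0b:93d2:44f1 dev eth0 lladdr 00:23:df:12:34:56 STALE
fe80::21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e router REACHABLE
fe80::dead:beef dev eth0  FAILED
"""

def eui64_iid(mac):
    """Interface identifier (low 64 bits) that modified EUI-64 derives from a MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                       # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def parse_neighbors(text):
    """Yield (address, device, mac) for entries that carry a hardware address."""
    for line in text.splitlines():
        f = line.split()
        if "lladdr" not in f or "dev" not in f:
            continue                   # FAILED/INCOMPLETE entries have no lladdr
        addr = ipaddress.IPv6Address(f[0])
        yield addr, f[f.index("dev") + 1], f[f.index("lladdr") + 1].lower()

def archive(text, seen=None):
    """Merge one snapshot into {mac: {address: kind}}.

    kind is 'eui64' when the address embeds the MAC, otherwise 'other'
    (temporary, static or DHCPv6 addresses all land in 'other').
    """
    seen = defaultdict(dict) if seen is None else seen
    for addr, _dev, mac in parse_neighbors(text):
        iid = int(addr) & ((1 << 64) - 1)
        seen[mac][str(addr)] = "eui64" if iid == eui64_iid(mac) else "other"
    return seen

if __name__ == "__main__":
    for mac, addrs in archive(SAMPLE).items():
        print(mac)
        for a, kind in sorted(addrs.items()):
            print(f"  {a}  ({kind})")
```

Passing the previous result back in as `seen` on each run accumulates every address a hardware address has used across snapshots.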
Nmap
It is important to recognize that IPv6 support in nmap is quite limited and at the moment, it
can only perform basic scans. To scan an IPv6 host, you need to add the flag “-6” to the list
of arguments that you feed nmap. To illustrate the lack of information that IPv6 scanning
gives you, try the following:
TRY THIS:
From the Windows host, start the ‘nmap’ program and in the “Command:” field, enter the
following:
nmap -v -sT -6 rhel53.lockdown
What kind of information did you get back? Did you get OS information or anything like
that?
Now, try the scan again (this time on the IPv4 address) with the default nmap settings:
Target: rhel53.lockdown
Profile: Intense scan
Now what kind of information did you get back? What does this tell you about the ability of
IPv6 scanning?