Nmap Development mailing list archives

Nmap IPv6 does not obey -e flag


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 31 May 2011 12:39:37 -0500

Hey list,

I could be wrong in my assumption in the subject line, but I think this is what is going on. Essentially, I want to scan a bunch of link-local IPv6 addresses, generated from MAC addresses on my LAN. I tried this first:

$ sudo nmap -6 -v -oA lan-ipv6-%y%m%d -iL ipv6.hosts
Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-05-31 12:29 CDT
Initiating Ping Scan at 12:29
Scanning 16 hosts [2 ports/host]
Strange error from connect (22):Invalid argument
Completed Ping Scan at 12:29, 0.00s elapsed (16 total hosts)
Initiating System DNS resolution of 16 hosts. at 12:29
Completed System DNS resolution of 16 hosts. at 12:29, 0.00s elapsed
[... lots of hosts down ...]
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 16 IP addresses (0 hosts up) scanned in 0.15 seconds

The "strange error from connect" is EINVAL, which I get trying to ping my own link-local address:

$ ping6 fe80::211:2fff:fed3:d902
connect: Invalid argument
$ ping6 -I eth0 fe80::211:2fff:fed3:d902
PING fe80::211:2fff:fed3:d902(fe80::211:2fff:fed3:d902) from fe80::211:2fff:fed3:d902 eth0: 56 data bytes
64 bytes from fe80::211:2fff:fed3:d902: icmp_seq=1 ttl=64 time=0.053 ms
^C
--- fe80::211:2fff:fed3:d902 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.053/0.053/0.053/0.000 ms

The reason is that sockets with link-local addresses need to be told what interface to use. Not sure why, though, since the kernel routing table knows which to use:

$ route -n -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1    79 lo
::1/128                        ::                         Un   0   1   271 lo
fe80::211:2fff:fed3:d902/128   ::                         Un   0   1    26 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1    79 lo

When ping6 is given the -I flag, strace shows this call:

setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "eth0\0", 5) = 0

A check through the Nmap source tree shows that Nping sets this sockopt, but nowhere else. At this point, I'm not ready to take the deep dive into the source that would be necessary to figure out where (and if) this should be added to Nmap, but I would really like to be able to scan link-local IPv6 addresses. Perhaps one of the GSoC students would be willing to look into it.

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
