Nmap Development mailing list archives
Proposal on IPv6 link-local host discovery features
From: Xu Weilin <mzweilin () gmail com>
Date: Tue, 7 Jun 2011 14:39:41 +0800
Hi all,

I have written a draft about the link-local host discovery features. I added 3 options and modified one option in the HOST DISCOVERY section, and modified the TARGET SPECIFICATION section. Then I gave some examples at the end of the draft. Please don't hesitate to express your suggestions.

*TARGET SPECIFICATION

Modified: IPv6 addresses can be specified not only by their fully qualified IPv6 address or hostname, but also by CIDR. You can append /numbits to an IPv6 address or hostname and Nmap will try to reduce the (sometimes huge) set of IPv6 ranges into a list of active hosts during the host discovery phase. The smallest allowed value is /64, which scans a typical IPv6 subnetwork. The largest value is /128, which scans just the named host or IPv6 address.

*HOST DISCOVERY

I added three new options and modified one option. All of them need root privileges.

Three new options:

-PH (Invalid hop-by-hop extension header)
Nmap sends an invalid hop-by-hop extension header to the target IPv6 hosts, expecting an ICMPv6 Parameter Problem in return from available hosts. Considering that some hosts may refuse echo ping, this method is a backup. Note that this option is only available when the target is on the local subnetwork.

-PL (SLAAC-based method over IPv6 network)
The new probe method for IPv6 networks is based on the StateLess Address AutoConfiguration mechanism. Nmap tries to disguise itself as a router and distribute new IPv6 addresses to targets which are on the same LAN. Then the available hosts will send an NS packet to the LAN under the Duplicate Address Detection mechanism. Considering that some hosts may refuse ICMPv6 echo Ping and the other known probe methods, the SLAAC-based method is essential, since hosts couldn't refuse RA packets unless the SEcure Neighbor Discovery (SEND) protocol is used. Also note that this option cannot be used unless the targets are on the local subnetwork.

--multicast (Multicast ping over IPv6 network)
Nmap sends ping packets to ff02::1, expecting tons of replies from all alive hosts on the same LAN. The --multicast option sends an ICMPv6 echo request and an invalid hop-by-hop extension header by default. It can also be combined with -PE and -PH. If either of the two probe types is used, the default probes are overridden. Though the SLAAC-based method uses the multicast feature as a part, it is irrelevant to the --multicast option. If an IPv6 address prefix is specified as the target, then the multicast ping is done by default when Nmap detects that the targets are on a local ethernet network and the -PL option is not specified. Therefore, users usually don't need to specify the --multicast option manually. Note that the multicast feature is normally unavailable on tunneling IPv6 connections (e.g. Teredo and ISATAP) with the POINTOPOINT link flag.

One modified option:

-PR (ARP Ping or ND Ping)
On an IPv4 ethernet LAN, ARP scan is much faster and more reliable than IP-based scans. So it is done by default when scanning ethernet hosts that Nmap detects are on a local ethernet network. Even if different ping types (such as -PE or -PS) are specified, Nmap uses ARP instead for any of the targets which are on the same LAN. The IPv6 Neighbor Discovery (ND) protocol includes an address resolution feature that could be seen as the equivalent of ARP for IPv6 over ethernet. Unlike ARP Ping, which has the highest priority on an IPv4 ethernet LAN, ND Ping won't be used if the --multicast option or the -PL option is specified. Note that the -PR option only works on native IPv6 connections over Ethernet, since tunneling IPv6 links usually carry a NOARP link flag.

Examples:

Here are some examples of the new options and the related host discovery strategies. Note that the interface eth0 is assigned the ULA address fc00:602:202:abcd::1/64.

# nmap -6 fc00:602:202:abcd::1/64
The command is equivalent to '# nmap -6 -PH -PE --multicast fc00:602:202:abcd::1/64' due to several default options. Nmap does multicast ping scanning within the link-local scope, by sending an ICMPv6 echo request packet and an IPv6 packet with an invalid Hop-by-hop extension header.

# nmap -6 -PE fc00:602:202:abcd::1/64
It is similar to the first example, but this command only sends a multicast ICMPv6 echo request to the local subnetwork.

# nmap -6 -PH fc00:602:202:abcd::2
Nmap does ND Ping instead of invalid hop-by-hop Ping to the target, since the -PR option has the higher priority in this situation.

# nmap -6 -PL fc00:602:202:abcd::/64
Nmap performs host discovery within the link-local scope by means of the SLAAC-based method.

--
Regards
许伟林 (Xu Weilin)
Beijing University of Posts & Telecommunications
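As an added, defender-side example that is not part of this post or of Nmap's own code, the following Python classifies the on-link traffic shapes the proposed options would produce (ICMPv6 echo requests to ff02::1, a hop-by-hop header carrying an unrecognised option that elicits Parameter Problem, and Router Advertisements from a source that is not a known router) over constructed sample packets. The known-router set, the sample addresses and the option type 0x80 are assumptions, not values from the post.

```python
import ipaddress
import struct

ICMPV6, HOPOPT = 58, 0
ALL_NODES = ipaddress.IPv6Address("ff02::1")
# Assumption: the site's legitimate router(s); an RA from any other source is unexpected.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
# Hop-by-hop option types hosts recognise (Pad1, PadN, Router Alert, Jumbo Payload).
KNOWN_HBH_OPTIONS = {0x00, 0x01, 0x05, 0xC2}

def ipv6(src, dst, next_header, payload, hop_limit=255):
    """Minimal IPv6 packet: 40-byte header + payload (no link layer, checksum left zero)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def classify(pkt):
    """Return (src, dst, findings) for one IPv6 packet; findings are detection tags."""
    nh = pkt[6]
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    off, findings = 40, []
    if nh == HOPOPT:                        # walk the hop-by-hop options
        nh, end, i = pkt[off], off + (pkt[off + 1] + 1) * 8, off + 2
        while i < end:
            opt_type = pkt[i]
            if opt_type == 0x00:            # Pad1 carries no length byte
                i += 1
                continue
            # Bit 7 set on an unknown type means "discard and send ICMPv6 Parameter Problem"
            if opt_type not in KNOWN_HBH_OPTIONS and opt_type & 0x80:
                findings.append("unknown-hbh-option")
            i += 2 + pkt[i + 1]
        off = end
    if nh == ICMPV6:
        icmp_type = pkt[off]
        if icmp_type == 128 and dst == ALL_NODES:
            findings.append("multicast-echo")
        if icmp_type == 134 and src not in KNOWN_ROUTERS:
            findings.append("unexpected-ra")
    return str(src), str(dst), findings

# Constructed sample traffic (not a capture): the probe shapes the proposal describes.
ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])                    # echo request, id 1, seq 1
RA = bytes([134, 0, 0, 0, 64, 0, 0x07, 0x08]) + bytes(8)    # RA, router lifetime 1800 s
BAD_HBH = bytes([ICMPV6, 0, 0x80, 4, 0, 0, 0, 0])           # unknown option type 0x80
SAMPLES = [
    ipv6("fc00:602:202:abcd::1", "ff02::1", ICMPV6, ECHO),           # multicast ping
    ipv6("fc00:602:202:abcd::1", "ff02::1", HOPOPT, BAD_HBH + ECHO), # -PH style probe
    ipv6("fe80::dead", "ff02::1", ICMPV6, RA),                       # RA from unknown source
    ipv6("fe80::1", "ff02::1", ICMPV6, RA),                          # RA from the real router
]
```

Feeding real frames in would only require stripping the Ethernet header first; a burst of "unexpected-ra" followed by DAD Neighbor Solicitations is the signature of the SLAAC-based discovery described above.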