Proposal on IPv6 link-local host discovery features

[Xu Weilin <mzweilin () gmail com>]

HI all,
I have written a draft about the link-local host discovery features. I added
3 options and modified one option in the HOST DISCOVERY section, and
modified the TARGET SPECIFICATION section. Then I gave some examples at the
end of the draft. Please don't hesitate to express your suggestions.


*TARGET SPECIFICATION
Modified:
IPv6 addresses not only can be specified by their fully qualified IPv6
address or hostname. but also can be specified by CIDR. You can append
/numbits to an IPv6 address or hostname and Nmap will try to reduce the
(sometimes huge) set of IPv6 ranges into a list of active hosts during the
host discovery phase. The smalllest allowed value is /64, which scans a
typical IPv6 subnetwork. The largest value is /128, which scans just the
named host or IPv6 address.


*HOST DISCOVERY
I added three new options and modified one option. All of them need the root
privileges.

Three new options：
-PH (Invalid hop-by-hop extension header)
Nmap sends an invalid hop-by-hop extention header to the target IPv6 hosts,
expecting an ICMPv6 of Parameter Problem in return from available hosts.
Considering some hosts may refuse echo ping, this method is a backup. Note
that this option is only available when the target is on the local
subnetwork.


-PL (SLACC-based method over IPv6 network)
The new probe method for IPv6 network is based on StateLess Address
AutoConfiguration mechanism. Nmap tries to disguise as a router and
distribute new IPv6 addresses to targets which are on the same LAN. Then the
available hosts will send a NS packet to the LAN under the Duplicate Address
Detection mechanism.

Considering some hosts may refuse ICMPv6 echo Ping and the other known probe
methods, the SLAAC-based method is essential since hosts couldn't refuse RA
packet unless SEcure Neighbor Discovery(SEND) protocol is used.

Also note that this option cannot be used unless the targets are on the
local subnetwork.


--multicast (Multicast ping over IPv6 network)
Nmap sends ping packets to ff02::1, expecting tons of replys from all alive
hosts on the same LAN. The --multicast option sends an ICMPv6 echo request
and an invalid hop-by-hop extension header by default. It also can be
combined with the -PE and the -PH. If any of the two probe types is used,
the default probes are overriden. Though the SLACC-based method uses
multicast feature as a part, it is irrelevant to the --multicast option.

If an IPv6 address prefix is specified as the target, then the multicast
ping is done by default when Nmap detects the targets are are on a local
ethernet network and the -PL option is not specified. Therefore, users
usually don't need to speficy the --multicast option manually.

Note that the multicast feature is normally unavailable on tunneling IPv6
connections (e.g. teredo and ISATAP) with POINTOPOINT link flag.

One modified option：
-PR(ARP Ping or ND Ping)
On IPv4 ethernet LAN, ARP scan is much faster and more reliable than
IP-based scans. So it is done by default when scanning ethernet hosts that
Nmap detects are on a local ethernet network. Even if different ping types
(such as -PE or -PS) are specified, Nmap uses ARP instead for any of the
targets which are on the same LAN.

The IPv6 Neighbor Discovery (ND) protocol includes a feature of address
resolution that could be seen as the equivalent of ARP for the IPv6 over
ethernet. Unlike APR Ping has the highest priority on IPv4 ethernet LAN, ND
Ping won't be used if the --multicast option or the -PL option is specified.

Note that the -PR option only works on native IPv6 connection over Ethernet,
since the tunneling IPv6 links ususally contains a NOARP link flag.


Examples:
Here are some examples about the new options and the related host discovery
strategies. Note that the interface eth0 is assigned with a ULA address
fc00:602:202:abcd::1/64.

# nmap -6 fc00:602:202:abcd::1/64
The command is equivalent to '# nmap -6 -PH -PE --multicast
fc00:602:202:abcd::1/64' due to several default options. Nmap does multicast
ping scannig within the link-local, by sending an ICMPv6 echo request packet
and an IPv6 packet with invalid Hop-by-hop extension header.

# nmap -6 -PE fc00:602:202:abcd::1/64
It is similar to the first example but this command only sends multicast
ICMPv6 echo request to the local subnetwork.

# nmap -6 -PH fc00:602:202:abcd::2
Nmap does ND Ping instead of invalid hop-by-hop Ping to the target, since
-PR option has the higher priority in this situation.

# nmap -6 -PL fc00:602:202:abcd::/64
Nmap perfoms host discovery within the link-local by means of SLAAC-based
method.

-- 
Regards
许伟林 (Xu Weilin)
Beijing University of Posts & Telecommunications
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/