> Testing IPv6 Node Information Queries
Posted by prox, from Seattle, on December 31, 2017 at 20:25 local (server) time

After reading "There’s No Place Like ::1 — Enumerating Local IPv6 networks", I decided to try it out on a couple of my local LANs.  Surprisingly enough, Linux, Solaris, IRIX (yes, IRIX), and Windows do not seem to respond to these (RFC 4620) queries, but FreeBSD, iOS, and macOS do.

Here's a segment with a few Apple hosts on it:

(trill:17:07:PST)% ping -c 2 -N name ff02::1%br0
PING ff02::1%br0(ff02::1%br0) 56 data bytes
30 bytes from fe80::223:dfff:fe7f:2678%br0: odyssey; seq=1; ttl=64
26 bytes from fe80::885:e847:e16b:a305%br0: atv; seq=1; ttl=64 (DUP!)
28 bytes from fe80::dea9:4ff:fe8b:dd95%br0: orion; seq=1; ttl=64 (DUP!)
29 bytes from fe80::10b3:60fb:bef0:90d2%br0: lantea; seq=1; ttl=64 (DUP!)
30 bytes from fe80::223:dfff:fe7f:2678%br0: odyssey; seq=2; ttl=64

--- ff02::1%br0 ping statistics ---
2 packets transmitted, 2 received, +3 duplicates, 0% packet loss, time 1001ms

atv is an AppleTV, orion & odyssey run macOS (varying versions), and lantea is an iPod.  Now, here's a segment with a few Linux & Windows hosts:

(starfire:17:13:PST)% ping -c 2 -N name ff02::1%eth3
PING ff02::1%eth3(ff02::1%eth3) 56 data bytes
27 bytes from fe80::200:aaff:feac:f871%eth3: host; seq=1; ttl=64
27 bytes from fe80::200:aaff:feac:f871%eth3: host; seq=2; ttl=64

--- ff02::1%eth3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms

Not much here, except a strange reply from something calling itself host, which is actually my Xerox Phaser 6280 laser printer.

Also, Junos (FreeBSD-based), Cisco IOS, and IOS-XR (QNX-based) seem to ignore these too.
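
For spotting these replies in a packet capture, here is a decoder for the Node Name reply (ICMPv6 type 140, Qtype 2) that `ping -N name` elicits; it is an added example, not code from the original post, and under RFC 4620's layout its constructed replies come out to the sizes ping printed above (30 bytes for odyssey, 26 for atv). The names `parse_ni_reply` and `build_sample_reply` are hypothetical, the sample bytes are constructed with checksum and TTL left at zero, and DNS name compression is rejected rather than followed.

```python
import struct

NI_REPLY = 140          # ICMPv6 type of a Node Information Reply (RFC 4620)
QTYPE_NODE_NAME = 2     # Qtype requested by `ping -N name`

def parse_ni_reply(msg: bytes) -> dict:
    """Decode an ICMPv6 NI Reply (bytes starting at the ICMPv6 type field)."""
    if len(msg) < 16:
        raise ValueError("shorter than the fixed 16-byte NI header")
    mtype, code, _cksum, qtype, _flags = struct.unpack("!BBHHH", msg[:8])
    if mtype != NI_REPLY:
        raise ValueError("not an NI Reply (type %d)" % mtype)
    out = {"code": code, "qtype": qtype, "nonce": msg[8:16], "names": []}
    data = msg[16:]
    if code != 0 or qtype != QTYPE_NODE_NAME or len(data) < 4:
        return out                      # refused/unknown replies carry no names
    out["ttl"] = struct.unpack("!I", data[:4])[0]
    pos, labels = 4, []
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0 and labels:           # root label: end of one name
            out["names"].append(".".join(labels) + ".")
            labels = []
        elif n == 0:                    # second zero: name was a bare label
            if out["names"]:
                out["names"][-1] = out["names"][-1].rstrip(".")
        elif n & 0xC0 or pos + n > len(data):
            raise ValueError("compressed or truncated name")
        else:
            labels.append(data[pos:pos + n].decode("ascii", "replace"))
            pos += n
    return out

def build_sample_reply(name: str, nonce: bytes = b"\x01" * 8) -> bytes:
    """Constructed sample: one unqualified name; checksum and TTL left as 0."""
    label = name.encode("ascii")
    hdr = struct.pack("!BBHHH", NI_REPLY, 0, 0, QTYPE_NODE_NAME, 0)
    return (hdr + nonce + struct.pack("!I", 0)
            + bytes([len(label)]) + label + b"\x00\x00")

if __name__ == "__main__":
    for host in ("odyssey", "atv", "orion", "lantea", "host"):
        pkt = build_sample_reply(host)
        print(len(pkt), parse_ni_reply(pkt)["names"])
```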

The conclusion here is, of course, that layer 2 is insecure.  But really, who cares about a name if most things run some sort of mDNS agent nowadays, anyway?
