Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Proposal on IPv6 link-local host discovery features
From: Fyodor <fyodor () insecure org>
Date: Wed, 8 Jun 2011 20:16:32 -0700

On Tue, Jun 07, 2011 at 02:39:41PM +0800, Xu Weilin wrote:
HI all,
I have written a draft about the link-local host discovery features.

Thanks Xu!  This email includes some questions and comments I thought
up while reading it.  I could probably guess some of the answers, but
I thought the questions were worth clarifying and thinking about.

IPv6 addresses not only can be specified by their fully qualified IPv6
address or hostname. but also can be specified by CIDR. You can append
/numbits to an IPv6 address or hostname and Nmap will try to reduce the
(sometimes huge) set of IPv6 ranges into a list of active hosts during the
host discovery phase. The smalllest allowed value is /64, which scans a
typical IPv6 subnetwork. The largest value is /128, which scans just the
named host or IPv6 address.

At first I was ging to complain that it is unrealistic for anyone to
scan a /64, but I see that various types of multicast host discover
may be used rather than pinging each host.  In that case, would
scanning even larger spaces be feasible?

Three new options´╝Ü
-PH (Invalid hop-by-hop extension header)
Nmap sends an invalid hop-by-hop extention header to the target IPv6 hosts,
expecting an ICMPv6 of Parameter Problem in return from available hosts.
Considering some hosts may refuse echo ping, this method is a backup. Note
that this option is only available when the target is on the local

What sort of packet is sent with the hop-by-hop extnesion header?
Like is it always an echo request or SYN to port 80 or what?  So by
default (if -PH is specified by itself) it is sent to every potential
IP address, but with --multicast it is sent to the IPv6 multicast
address and only those hosts which reply are considered up?  In what
way is the header invalid?  I guess it is only supported on the local
subnetwork because any router would drop it for being invalid?

-PL (SLACC-based method over IPv6 network)
The new probe method for IPv6 network is based on StateLess Address
AutoConfiguration mechanism. Nmap tries to disguise as a router and
distribute new IPv6 addresses to targets which are on the same LAN. Then the
available hosts will send a NS packet to the LAN under the Duplicate Address
Detection mechanism.

Does this cause any negative side effects?  Like is their a risk that
when Nmap tries to distribute new IPv6 addresses, other machines will
take them and reconfigure?  Can you describe the technique in a little
more detail or provide a link?

What happens if -PH or -PL are given and some of the targets are not
on the local network?

--multicast (Multicast ping over IPv6 network)
Nmap sends ping packets to ff02::1, expecting tons of replys from all alive
hosts on the same LAN. The --multicast option sends an ICMPv6 echo request
and an invalid hop-by-hop extension header by default. It also can be
combined with the -PE and the -PH. If any of the two probe types is used,
the default probes are overriden. Though the SLACC-based method uses
multicast feature as a part, it is irrelevant to the --multicast option.

So does this modify all the other ping probes requested?  Like, if I
say "-PS80 --multicast", does Nmap send the SYN packets to the
multicast address, or does it send them unicast?  And if unicast, does
it also send some sort of multicast ping packets still in that case?
Does it make sense to send our typical probe types such as SYN/ACK
probes using IPv6 multicast?  Or are they almost guaranteed to be

If --multicast is given, it only applies to hosts on the local
networks?  And other targets are treated as though this option wasn't

If an IPv6 address prefix is specified as the target, then the multicast
ping is done by default when Nmap detects the targets are are on a local
ethernet network and the -PL option is not specified. Therefore, users
usually don't need to speficy the --multicast option manually.

That seems reasonable.  But what if users want to test everything in
the range?  I guess they just have to use -Pn (in which case Nmap
would still do ND because it needs to find the MAC addresses).

What would be the default if an IPv6 address is specified and it isn't
on the local ehternet network?  What if a prefix is specified which is
larger than the local network so it contains some local addresses and
some not?

What about ranges?  In IPv4 we allow things like "10.*.*.1" or  Should we allow such a thing for IPv6?  Like if a
provider has 2600:3c01:91ff/48 and then allocates /64's to each
customer, and most customers put a router on ::1, maybe we would want
to scan "2600:3c01:91ff:*:0:0:1".  And if we wanted to scan the first
16 addresses of each /64, maybe we would do
"2600:3c01:91ff:*:0:0:0-F".  Do you envision allowing that sort of

And if that sort of syntax is allowed, do you do multicast by default
like you would with a /netmask?

# nmap -6 fc00:602:202:abcd::1/64
The command is equivalent to '# nmap -6 -PH -PE --multicast
fc00:602:202:abcd::1/64' due to several default options. Nmap does multicast
ping scannig within the link-local, by sending an ICMPv6 echo request packet
and an IPv6 packet with invalid Hop-by-hop extension header.

What should it do if the /64 is not on the local network?

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]