IPv6 (5.6)

IPv6 (5.6)

New IPv6 features added to FortiOS 5.6.

FortiGate can reply to an anycast probe from the interface’s unicast address (308872)

A new setting has been added within the CLI that can enable the FortiGate to reply to an anycast probe from the FortiGate’s unicast IP address. config system global set ipv6-allow-anycast-probe [enable|disable] end

Enable: Enable probing of IPv6 address space through Anycast, by responding from the unicast IP address Disable: Disable probing of IPv6 address space through Anycast

Secure Neighbor Discovery (355946)

Additional settings have been added to the configuration for interfaces with IPv6 so that they comply more closely to the parameters of RFC 3971

The context of the new settings is

config system interface edit <interface> config ipv6 The new options with IPv6 are:

ndmode

Neighbor discovery mode set ndmode [basic | SEND]

Basic: Does not support SEND. SEND-compatible: Supports SEND.

nd-cert

Neighbor discovery certificate

set nd-cert <string of Name of certificate to be used> Example string: “Fortinet_Factory local” n-security-level

Neighbor discovery security level set nd-security-level <integer> IPv6

• Integer values from 0 – 7 l 0 = least secure l 7 = most secure l default = 0 nd-timestamp-delta –

Neighbor discovery timestamp delta value set nd-timestamp-delta <integer of time in seconds>

• Range: 1 – 3600 sec l default = 300 nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor set nd-timestamp-fuzz <integer of time in seconds>

• Range: 1 – 60 sec l default = 1

Additional related technical information Kerenl l Redirects ICMPv6 packets to user space if they require SEND options verification or build.

Radvd

• Verifies NS/RS SEND options including CGA, RSA, Timestamp, NONCE, etc. Daemon also creates neighbor cache for future timestamp checking, any entry gets flushed in 4 hours.
• Helps kernel build NA/RA SEND options including CGA, RSA, Timestamp, NONCE, etc. CGA parameters are kept in cache for each interface. CGA modifier is kept in CMDB.

Diagnose command for radvd diag test application radvd

• Shows statistics l Toggles message dump

Add multicast-PMTU to allow FGT to send ICMPv6 Too Big Message (373396)

New multicast-PMTU feature added to better comply with RFC 4443.

Normally, a “Packet Too Big” icmp6 message is sent by a routing device in response to a packet that it cannot forward because the packet is larger than the MTU of the outgoing link. For security reasons, these message may be disabled because attackers can use the information about a victim’s ip address as the source address to do IP address spoofing.

IPv6 (5.6)

In FortiOS’s implementation of this function, a setting in the CLI, has been added to make this behavior optional on the FortiGate.

The syntax for the option is:

config router multicast6 set multicast-PMTU [enable|disable] end

Logging and Reporting (5.6.1)