Thank you very much again. I feel better knowing it's not a mistake in the rule configuration.
Original Message:
Sent: Apr 19, 2025 12:33 AM
From: shpat
Subject: ICMPv6 Type in IPv6 ACL AOS-CX 10.14
This for sure must be something related to the fact that virtualized environments do not process ICMPv6 traffic at the control plane with full fidelity, especially regarding type-specific ACL evaluations.
In your case, I would add the following line (marked in bold):
access-list ipv6 sec
100 permit icmpv6 2001:db8:20::/64 2001:db8:20::/64 icmp-type echo
110 deny icmpv6 any any icmp-type 1 log
120 deny icmpv6 any any icmp-type 3 log
130 deny icmpv6 any ff02::1 icmp-type echo log
140 deny icmpv6 any any log
exit
And that should solve it somehow.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: Apr 18, 2025 10:07 PM
From: ernestosv73
Subject: ICMPv6 Type in IPv6 ACL AOS-CX 10.14
Dear Shpat,
Thank you very much for your response. I'm using Containerlab (https://containerlab.dev/manual/kinds/vr-aoscx/) to create the network topology, integrating vrnetlab to run the aruba-cx VM inside a container. I've tested the same topology in GNS3, and the behavior is the same. Following your advice, I added ACL 90 deny icmpv6 any any log, and it effectively blocks all ICMPv6 traffic.
Original Message:
Sent: Apr 18, 2025 12:05 AM
From: shpat
Subject: ICMPv6 Type in IPv6 ACL AOS-CX 10.14
When you say "Is this due to some simulator limitation?" do you mean that you are running this on GNS or EVE-NG?
The issue could be that many of these platforms do not process ICMPv6 traffic at the control plane with full fidelity, especially regarding type-specific ACL evaluations.
Also, ACL rule 100 permits echo requests. If the ICMPv6 Type 1 (Destination Unreachable) is somehow misinterpreted as not matching any specific "icmp-type", and no more specific deny is hit, it might be permitted by default ACL behavior.
110 deny icmpv6 any any icmp-type 1 log should then block it.
So either the icmp-type match is bugged in the simulator, or it is not actually ICMPv6 type 1 (possible misinterpretation by the tool generating the attack).
Try positioning this rule: 90 deny icmpv6 any any log, and check if this will block everything; then you can confirm whether it's a bug in the simulator or something else.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: Apr 16, 2025 08:01 PM
From: ernestosv73
Subject: ICMPv6 Type in IPv6 ACL AOS-CX 10.14
Hi Community,
I'm working on IPv6 security. I've created the following ACL. When I execute ICMPv6 type 3 (Time Exceeded) attacks, the rule matches ACE 110. Another case occurs when I execute an ICMPv6 type 1 (unreachable) attack from a host with address 2001:db8:20::10 to another host 2001:db8:20::11. The traffic is not filtered, and the attack is successful. It seems the rule doesn't evaluate the ICMP-type condition. Is this due to some simulator limitation? My configuration is:
conf t
nd-snooping enable
access-list ipv6 sec
100 permit icmpv6 2001:db8:20::/64 2001:db8:20::/64 icmp-type echo
110 deny icmpv6 any any icmp-type 1 log
120 deny icmpv6 any any icmp-type 3 log
130 deny icmpv6 any ff02::1 icmp-type echo log
exit
vlan 20
nd-snooping
exit
interface 1/1/1
no routing
vlan trunk native 20
nd-snooping trust
no shutdown
exit
interface 1/1/2-1/1/5
no routing
vlan access 20
apply access-list ipv6 sec in
no shutdown
exit
access-list ipv6 sec
show version
-----------------------------------------------------------------------------
AOS-CX
(c) Copyright Hewlett Packard Enterprise Development LP
-----------------------------------------------------------------------------
Version : Virtual.10.14.1000
Thanks a lot
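As an added illustration (not code from the thread or from HPE Aruba), the following Python models first-match evaluation of the ACL from the original post together with shpat's suggested catch-all ACE 140, and reports which ACE a given ICMPv6 packet should hit, so the expected result on real hardware can be compared with what the virtual switch does. It assumes AOS-CX walks the ACEs in sequence order with an implicit deny at the end, and that the `echo` keyword maps to ICMPv6 type 128 (Echo Request).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed model of AOS-CX IPv6 ACL evaluation (assumed): ACEs checked in sequence
# order, first match wins, implicit "deny any any" at the end; "echo" = ICMPv6 type 128.
ICMPV6_KEYWORDS = {"echo": 128, "echo-reply": 129}

@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp_type: Optional[int]     # None matches every ICMPv6 type
    log: bool

def _net(token: str) -> ipaddress.IPv6Network:
    """'any' -> ::/0; a bare host such as ff02::1 becomes a /128."""
    return ipaddress.IPv6Network("::/0" if token == "any" else token, strict=False)

def parse_acl(text: str) -> list:
    """Parse 'SEQ permit|deny icmpv6 SRC DST [icmp-type T] [log]' lines; others are skipped."""
    aces = []
    for tok in (line.split() for line in text.strip().splitlines()):
        if len(tok) < 5 or tok[2] != "icmpv6":
            continue
        icmp_type = None
        if "icmp-type" in tok:
            t = tok[tok.index("icmp-type") + 1]
            icmp_type = ICMPV6_KEYWORDS[t] if t in ICMPV6_KEYWORDS else int(t)
        aces.append(Ace(int(tok[0]), tok[1], _net(tok[3]), _net(tok[4]), icmp_type, "log" in tok))
    return sorted(aces, key=lambda a: a.seq)

def evaluate(aces, src: str, dst: str, icmp_type: int):
    """Return (seq, action, logged) of the first matching ACE, or (None, 'deny', False)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for a in aces:
        if s in a.src and d in a.dst and a.icmp_type in (None, icmp_type):
            return (a.seq, a.action, a.log)
    return (None, "deny", False)     # implicit deny at the end of the list

# The ACL from the original post plus shpat's suggested catch-all ACE 140 (constructed input).
ACL_TEXT = """
100 permit icmpv6 2001:db8:20::/64 2001:db8:20::/64 icmp-type echo
110 deny icmpv6 any any icmp-type 1 log
120 deny icmpv6 any any icmp-type 3 log
130 deny icmpv6 any ff02::1 icmp-type echo log
140 deny icmpv6 any any log
"""
```

Under this model `evaluate(parse_acl(ACL_TEXT), "2001:db8:20::10", "2001:db8:20::11", 1)` returns `(110, 'deny', True)`, which is the result the original post expected and did not observe in the simulator. It also shows that nothing in the list permits Neighbor Discovery (types 133 to 136), which falls to the implicit deny (or to ACE 140 once added), so that is worth checking on the real switch alongside the type 1 case.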