ipv6 hop limit field

Can the experts explain to me why the Hop Limit can be seen as a security feature? I did read some articles but I am not sure I get it. Thanks

You could specify a hop count such that it would guarantee that all traffic is relatively local.

E.g. a low hop count could be set equal to the number of hops it takes to remain in your network; anything higher means you have left your network and are thus considered untrusted.

harbor235 ;}
Security (in the sense): Hop Count of 255 Enforced to Limit External Attacks.
Hop limit is an 8-bit field, hence the max value is 255 (2^8-1). It was mainly introduced to prevent loops. If there is a loop, then the packet will be discarded when the hop limit count reaches 255. So the packet does not go around indefinitely in case of a loop.

In RFC 2460 you will also see that the main function of the hop count is: it is decremented by 1 at every hop, and after 255 hops, when it reaches zero, the packet is discarded. That's the primary function of this field.

It's not the best definition of this field if you call it a security function. If loop prevention is a security function, then Spanning Tree is also a security function. But yes, if some remote orphaned packet is compromising your security and trying to flood, then it will die out after 255 hops. In that sense it can somewhat be called a security function.



You can also set a hop count limit for router advertisements and as such limit the scope of the discovery, and arguably be more secure.

IPv6 Neighbor Discovery attacks include the following:

    Neighbor Solicitation
        Redirect traffic to a bogus link-layer address
        Unreachability Detection error
        Duplicate Address Detection: "Address in Use" DoS
    Malicious Last-Hop Router: bogus router, or false parameters for real routers
    Eliminate Legitimate Routers: crash, DoS, bogus Router Advertisement (RAdv) message
        Nodes send to off-link hosts as if they were on-link; impersonate off-link nodes
    Spoofed redirect: route packets to a different link-layer address
    Bogus on-link prefix
        Impersonate nodes on the bogus link
        Nodes use a source address with the bogus prefix and get no response
    Bogus parameters: set a low hop limit from the router, use stateful address configuration (DHCP)
    Replay attacks: replay any previous neighbor or router discovery packet
    Neighbor Discovery DoS: send packets to unused addresses and cause the router to perform neighbor discovery


harbor235 ;}
leblanc (Accounting, Author) commented:
OK. I am trying to understand the explanation of the Hop Count field as a security measure at http://www.youtube.com/watch?v=SNfHHaOUCJs (at 7:50). Does somebody understand Sam's explanation? Thanks
What he is saying is "Hop Count of 255 Enforced to Limit External Attacks" using different words. He provides a bit more explanation as to how this is used to disallow "ARP" from outside of the local area network.

How: set it to 255; the (router) increments by 1 and "they are gone".
leblanc (Accounting, Author) commented:
So within my LAN, if I set the hop limit on my packet to 255, what will happen?
I believe that to understand the hop limit and its use for security (insufficient as it is), it is important to understand the Neighbor Discovery for IP Version 6 (IPv6) specification (mentioned by harbor235 above). The RFC can be found at:

http://www.ietf.org/rfc/rfc2461.txt

In a nutshell, however: "Neighbor discovery messages have a hop limit value of 255, and requests with a lower hop limit are not answered. This makes Neighbor discovery immune to remote hosts that try to sneak into your link because their packets have decremented hop limit and are thus ignored."
noci (Software Engineer) commented:
It may travel 254 nodes beyond your router. So setting it to 255 is hardly a security feature; it allows a packet to travel 4 times the regular distance.

Setting it to one limits it to the LAN (unroutable); if you have 3 routers between your system and the internet, setting it to 3 will limit it to your net.

BTW, the default hop count = 64 for IPv4 as well as IPv6.
If you use traceroute you see the hop count in action...

first batch of 3 packets with hop count = 1
second batch with hop count = 2
3rd batch with hop count = 3
Please do not take my (or anyone's) words for granted. Please read the RFCs. :-)
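The two mechanisms discussed in this thread, the general decrement-and-discard rule behind traceroute and the Neighbor Discovery "must still be 255" receiver check from the RFC quoted above, are easy to confuse, so here is an added Python model of both. This is example code written for this page, not code from the thread, from any poster or from any RFC. It builds a real 40-byte IPv6 fixed header (RFC 2460/8200 section 3), a constructed ICMPv6 Neighbor Solicitation with a zero checksum, and two constructed addresses (fe80::1 and the solicited-node multicast ff02::1:ff00:1); the router and receiver functions are simplified stand-ins for RFC 8200 forwarding and the RFC 4861 section 7.1 validation rule, and the names `router_forward`, `traverse`, `nd_accepts` and `demo` are this example's own.

```python
import struct

IPV6_HEADER_LEN = 40                   # fixed header size, RFC 8200 section 3
NEXT_HEADER_ICMPV6 = 58
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect (RFC 4861)
HOP_LIMIT_OFFSET = 7                   # byte offset of Hop Limit inside the fixed header


def build_ipv6(src, dst, next_header, hop_limit, payload):
    """Build a 40-byte IPv6 fixed header (traffic class and flow label zero) plus payload."""
    if not (0 <= hop_limit <= 255):
        raise ValueError("Hop Limit is an 8-bit field")
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit, src, dst) + payload


def parse_ipv6(pkt):
    """Return the fixed-header fields and payload of an IPv6 packet as a dict."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:IPV6_HEADER_LEN])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"payload_len": plen, "next_header": nh, "hop_limit": hlim, "src": src, "dst": dst,
            "payload": pkt[IPV6_HEADER_LEN:IPV6_HEADER_LEN + plen]}


def router_forward(pkt):
    """Simplified RFC 8200 forwarding: a router decrements Hop Limit by one and discards the
    packet (the ICMPv6 Time Exceeded it would send is not modelled) if the result would be zero.
    Returns the forwarded packet, or None if discarded."""
    if parse_ipv6(pkt)["hop_limit"] <= 1:
        return None
    return pkt[:HOP_LIMIT_OFFSET] + bytes([pkt[HOP_LIMIT_OFFSET] - 1]) + pkt[HOP_LIMIT_OFFSET + 1:]


def traverse(pkt, routers):
    """Push pkt through `routers` routers in a row. Returns (packet or None, routers reached)."""
    for n in range(1, routers + 1):
        pkt = router_forward(pkt)
        if pkt is None:
            return None, n
    return pkt, routers


def nd_accepts(pkt):
    """RFC 4861 section 7.1 receiver rule, reduced to the hop-limit part: an ND message is only
    valid if it is ICMPv6 with an ND type and its Hop Limit is still 255. A packet that crossed
    even one router cannot satisfy this. Checksum and option validation are omitted in this toy."""
    hdr = parse_ipv6(pkt)
    if hdr["next_header"] != NEXT_HEADER_ICMPV6 or not hdr["payload"]:
        return False
    if hdr["payload"][0] not in ND_TYPES:
        return False
    return hdr["hop_limit"] == 255


def neighbor_solicitation(target):
    """ICMPv6 NS body (RFC 4861 section 4.3): type 135, code 0, checksum (left zero here), reserved, target."""
    return struct.pack("!BBHI16s", 135, 0, 0, 0, target)


def demo():
    """Constructed addresses: fe80::1 as sender, ff02::1:ff00:1 as solicited-node multicast."""
    src = bytes.fromhex("fe80" + "0000" * 6 + "0001")
    dst = bytes.fromhex("ff02" + "0000" * 4 + "0001ff000001")
    ns = build_ipv6(src, dst, NEXT_HEADER_ICMPV6, 255, neighbor_solicitation(src))

    after_one_router, _ = traverse(ns, 1)
    # General Hop Limit behaviour with a starting value of 64: it is decremented to 0 at the 64th router
    _, died_at = traverse(build_ipv6(src, dst, NEXT_HEADER_ICMPV6, 64, b""), 100)
    # traceroute-style probes: Hop Limit 1, 2, 3 expire at routers 1, 2, 3
    probes = [traverse(build_ipv6(src, dst, NEXT_HEADER_ICMPV6, h, b""), 100)[1] for h in (1, 2, 3)]
    return {
        "on_link_accepted": nd_accepts(ns),                 # True: never crossed a router
        "off_link_accepted": nd_accepts(after_one_router),  # False: Hop Limit is now 254
        "hop_limit_after_one_router": parse_ipv6(after_one_router)["hop_limit"],
        "default_64_dies_at_router": died_at,
        "traceroute_probes_die_at": probes,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is that 255 is not a setting that keeps a packet "local"; it is the maximum a sender can put in the field, so the only thing a receiver can conclude from seeing 255 is that no router has touched the packet. That conclusion is what ND relies on, and it holds regardless of what a remote attacker sets, because the attacker's packet is decremented on the way in. Everything else about Hop Limit (loop prevention, traceroute) is just the decrement rule.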
noci (Software Engineer) commented:
@Aadih: you're talking about the ND special case; the question is about hop count in general.

This is a special case, because you can then VERIFY that the packet didn't pass a router.
And I DO agree on reading the RFCs; they clarify how things SHOULD work.
[N]oci, my comment was not directed at your post.  :-)