CDRouter IPv6 Test Summaries (Full)
Test Case Descriptions
- Modules: 43
- Test Cases: 715
Below is a full description of the testcases in each module
basic-v6.tcl
Basic IPv6 extension header processing tests
| Test |
Name |
Synopsis |
Verify DUT forwards packets with multiple extension headers |
ipv6_basic_1 |
Verify DUT forwards packets with multiple extension headers |
step 1. Generate a valid ICMPv6 Echo Request packet with the IPv6 Hop-by-Hop
Options and Destination Options extension headers using the PadN and Pad1
options, respectively
Hop-by-Hop Options Header:
Next Header = 0x3c (Destination Options)
Length = 0x00 (8 bytes)
Option Type = 0x01 (PadN)
Option Data Length = 0x04 (6 bytes)
Option Data = 0x00000000
Destination Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
step 2. Initiate an outbound ICMPv6 Echo Request to a WAN IPv6 destination
using the extension headers generated in Step 1
step 3. Verify that an ICMPv6 Echo Reply packet is received within 3 seconds
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4: IPv6 Extension Headers
https://tools.ietf.org/html/rfc2460#section-4
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.2: Options
https://tools.ietf.org/html/rfc2460#section-4.2
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.3: Hop-by-Hop Options Header
https://tools.ietf.org/html/rfc2460#section-4.3
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.6: Destination Options Header
https://tools.ietf.org/html/rfc2460#section-4.6
| Test |
Name |
Synopsis |
Verify DUT responds to packets with multiple extension headers |
ipv6_basic_2 |
Verify DUT responds to packets with multiple extension headers |
step 1. Generate a valid ICMPv6 Echo Request packet with the IPv6 Hop-by-Hop
Options and Destination Options extension headers using the PadN and
Pad1 options, respectively
Hop-by-Hop Options Header:
Next Header = 0x3c (Destination Options)
Length = 0x00 (8 bytes)
Option Type = 0x01 (PadN)
Option Data Length = 0x04 (6 bytes)
Option Data = 0x00000000
Destination Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
step 2. Initiate an ICMPv6 Echo Request to the DUT's LAN-side IPv6
link-local address using the extension headers generated in Step 1
step 3. Verify that an ICMPv6 Echo Reply packet is received within 3 seconds
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4: IPv6 Extension Headers
https://tools.ietf.org/html/rfc2460#section-4
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.2: Options
https://tools.ietf.org/html/rfc2460#section-4.2
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.3: Hop-by-Hop Options Header
https://tools.ietf.org/html/rfc2460#section-4.3
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.6: Destination Options Header
https://tools.ietf.org/html/rfc2460#section-4.6
| Test |
Name |
Synopsis |
Verify DUT discards packets with unknown extension headers |
ipv6_basic_3 |
Verify DUT discards packets with unknown extension headers |
step 1. Generate an ICMPv6 Echo Request packet containing a IPv6 Hop-by-Hop
Options extension header with a Next Header value of 200 (IP
protocol type 200 is currently unassigned)
Hop-by-Hop Options Header:
Next Header = 0xc8 (IP protocol type 200, unknown)
Length = 0x00 (8 bytes)
Option Type = 0x01 (PadN)
Option Data Length = 0x04 (6 bytes)
Option Data = 0x00000000
Unrecognized Next Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
step 2. Initiate an ICMPv6 Echo Request (ping) to the DUT's LAN-side IPv6
link-local address using the extension headers generated in Step 1
step 3. Verify that the packet transmitted in Step 2 is discarded by
ensuring that no ICMPv6 Echo Reply packets are received within 3
seconds
step 4. Optional - if an ICMPv6 Parameter Problem packet is received, verify
that the ICMPv6 Parameter Problem message contains a value of 1 in
the Code field
step 5. Optional - if an ICMPv6 Parameter Problem packet is received, verify
that the ICMPv6 Parameter Problem message contains a value of 40 in
the Pointer field
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4: IPv6 Extension Headers
If, as a result of processing a header, a node is required to proceed
to the next header but the Next Header value in the current header is
unrecognized by the node, it should discard the packet and send an
ICMP Parameter Problem message to the source of the packet, with an
ICMP Code value of 1 ("unrecognized Next Header type encountered")
and the ICMP Pointer field containing the offset of the unrecognized
value within the original packet. The same action should be taken if
a node encounters a Next Header value of zero in any header other
than an IPv6 header.
https://tools.ietf.org/html/rfc2460#section-4
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification" Section 3.4: Parameter Problem Message
If an IPv6 node processing a packet finds a problem with a field in
the IPv6 header or extension headers such that it cannot complete
processing the packet, it MUST discard the packet and SHOULD send an
ICMPv6 Parameter Problem message to the packet's source, indicating
the type and location of the problem.
Codes 1 and 2 are more informative subsets of Code 0.
The pointer identifies the octet of the original packet's header
where the error was detected. For example, an ICMPv6 message with
Type field = 4, Code field = 1, and Pointer field = 40 would indicate
that the IPv6 extension header following the IPv6 header of the
original packet holds an unrecognized Next Header field value.
https://tools.ietf.org/html/rfc4443#section-3.4
| Test |
Name |
Synopsis |
Verify DUT discards packets with Next Header value of zero in extension header |
ipv6_basic_4 |
Verify DUT discards packets with Next Header value of zero in extension header |
step 1. Generate an ICMPv6 Echo Request packet containing the IPv6
Hop-by-Hop Options extension header with a Next Header value of 0
Hop-by-Hop Options Header:
Next Header = 0x00 (HOPOPT)
Length = 0x00 (8 bytes)
Option Type = 0x01 (PadN)
Option Data Length = 0x04 (6 bytes)
Option Data = 0x00000000
Next Extension Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
Option Type = 0x00 (Pad1)
step 2. Initiate an ICMPv6 Echo Request (ping) to the DUT's LAN-side IPv6
link-local address using the extension headers generated in Step 1
step 3. Verify that the packet transmitted in Step 2 is discarded by
ensuring that no ICMPv6 Echo Reply packets are received within 3
seconds
step 4. Optional - if an ICMPv6 Parameter Problem packet is received, verify
that the ICMPv6 Parameter Problem message contains a value of 1 in
the Code field
step 5. Optional - if an ICMPv6 Parameter Problem packet is received, verify
that the ICMPv6 Parameter Problem message contains a value of 40 in
the Pointer field
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4: IPv6 Extension Headers
If, as a result of processing a header, a node is required to proceed
to the next header but the Next Header value in the current header is
unrecognized by the node, it should discard the packet and send an
ICMP Parameter Problem message to the source of the packet, with an
ICMP Code value of 1 ("unrecognized Next Header type encountered")
and the ICMP Pointer field containing the offset of the unrecognized
value within the original packet. The same action should be taken if
a node encounters a Next Header value of zero in any header other
than an IPv6 header.
https://tools.ietf.org/html/rfc2460#section-4
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification" Section 3.4: Parameter Problem Message
If an IPv6 node processing a packet finds a problem with a field in
the IPv6 header or extension headers such that it cannot complete
processing the packet, it MUST discard the packet and SHOULD send an
ICMPv6 Parameter Problem message to the packet's source, indicating
the type and location of the problem.
Codes 1 and 2 are more informative subsets of Code 0.
The pointer identifies the octet of the original packet's header
where the error was detected. For example, an ICMPv6 message with
Type field = 4, Code field = 1, and Pointer field = 40 would indicate
that the IPv6 extension header following the IPv6 header of the
original packet holds an unrecognized Next Header field value.
https://tools.ietf.org/html/rfc4443#section-3.4
| Test |
Name |
Synopsis |
Verify DUT ignores packets with extension header containing 'No Next Header' |
ipv6_basic_5 |
Verify DUT ignores packets with extension header containing ‘No Next Header’ |
step 1. Generate a valid ICMPv6 Echo Request packet with the IPv6 Hop-by-Hop
Options and Destination Options extension headers. The Hop-by-Hop
Options extension header will have a Next Header value of 59 (no
Next Header).
Hop-by-Hop Options Header:
Next Header = 0x3b (no Next Header)
Length = 0x00 (8 bytes)
Option Type = 0x01 (PadN)
Option Data Length = 0x04 (6 bytes)
Option Data = 0x00000000
Destination Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x01 (PadN)
Option Data Length = 0x04 (6 bytes)
Option Data = 0x00000000
step 2. Initiate an ICMPv6 Echo Request (ping) to the DUT's LAN-side IPv6
link-local address using the extension header generated in Step 1
step 3. Verify that the DUT ignores the ICMPv6 Echo Request packet by
ensuring that no ICMPv6 Echo Reply packets are received within 3
seconds
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.7: No Next Header
The value 59 in the Next Header field of an IPv6 header or any
extension header indicates that there is nothing following that
header. If the Payload Length field of the IPv6 header indicates the
presence of octets past the end of a header whose Next Header field
contains 59, those octets must be ignored, and passed on unchanged if
the packet is forwarded.
https://tools.ietf.org/html/rfc2460#section-4.7
| Test |
Name |
Synopsis |
Verify DUT forwards packets with extension headers containing 'No Next Header' |
ipv6_basic_6 |
Verify DUT forwards packets with extension headers containing ‘No Next Header’ |
step 1. Generate a valid ICMPv6 Echo Request packet with the IPv6 Hop-by-Hop
Options and Destination Options extension headers. The Hop-by-Hop
Options extension header will have a Next Header value of 59 (no
Next Header).
Hop-by-Hop Options Header:
Next Header = 0x3b (no Next Header)
Length = 0x00 (8 bytes)
Option Type = 0x01 (PadN)
Option Data Length = 0x04 (6 bytes)
Option Data = 0x00000000
Destination Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x01 (PadN)
Option Data Length = 0x04 (6 bytes)
Option Data = 0x00000000
step 2. Initiate an ICMPv6 Echo Request (ping) to a WAN IPv6 destination
address using the extension header generated in Step 1
step 3. Verify that the WAN host receives the packet transmitted in Step 2
step 4. Verify that the ICMPv6 Echo Request packet received by the WAN host
is identical to the packet that was transmitted. Note that the
ICMPv6 Echo Request packet may be displayed as as an IPv6 protocol
type 0 packet (Hop-by-Hop Options) due to the inclusion of the no
Next Header field in the Hop-by-Hop Options extension header. The
data portion of the received IPv6 packet on the WAN should be
analayzed for the original ICMPv6 Echo Request.
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.7: No Next Header
The value 59 in the Next Header field of an IPv6 header or any
extension header indicates that there is nothing following that
header. If the Payload Length field of the IPv6 header indicates the
presence of octets past the end of a header whose Next Header field
contains 59, those octets must be ignored, and passed on unchanged if
the packet is forwarded.
https://tools.ietf.org/html/rfc2460#section-4.7
| Test |
Name |
Synopsis |
Verify DUT properly processes unknown Option Type identifiers with 00 high order bits |
ipv6_basic_10 |
Verify DUT properly processes unknown Option Type identifiers with 00 high order bits |
step 1. Generate a Hop-by-Hop Options extension header with an unknown
Option Type of 17 (0x11). Option Type 17 contains high order bits of
00.
Hop-by-Hop Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x11 (type 17 unknown, 00 high order bits)
Option Data Length = 0x04 (4 bytes)
Option Data = 0x00000000
step 2. Initiate an outbound ICMPv6 Echo Request (ping) from a LAN client to
a WAN IPv6 destination using the extension header generated in
Step 1
step 3. Verify that the DUT ignores the unknown Option Type by ensuring that
an ICMPv6 Echo Reply (ping response) packet is received
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.2: Options
The Option Type identifiers are internally encoded such that their
highest-order two bits specify the action that must be taken if the
processing IPv6 node does not recognize the Option Type:
00 - skip over this option and continue processing the header.
01 - discard the packet.
10 - discard the packet and, regardless of whether or not the
packet's Destination Address was a multicast address, send an
ICMP Parameter Problem, Code 2, message to the packet's
Source Address, pointing to the unrecognized Option Type.
11 - discard the packet and, only if the packet's Destination
Address was not a multicast address, send an ICMP Parameter
Problem, Code 2, message to the packet's Source Address,
pointing to the unrecognized Option Type.
https://tools.ietf.org/html/rfc2460#section-4.2
| Test |
Name |
Synopsis |
Verify DUT properly processes unknown Option Type identifiers with 01 high order bits |
ipv6_basic_11 |
Verify DUT properly processes unknown Option Type identifiers with 01 high order bits |
step 1. Generate a Hop-by-Hop Options extension header with an unknown
Option Type of 71 (0x47). Option Type 71 contains high order bits of
01.
Hop-by-Hop Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x47 (type 71 unknown, 01 high order bits)
Option Data Length = 0x04 (4 bytes)
Option Data = 0x00000000
step 2. Initiate an outbound ICMPv6 Echo Request (ping) from a LAN client to
a WAN IPv6 destination using the extension header generated in
Step 1
step 3. Verify that the DUT silently discards the packet transmitted in Step
2 be ensuring that it does not forward an ICMPv6 Echo Request packet
to the WAN IPv6 destination within 3 seconds
step 4. Repeat Step 2
step 5. Verify that the DUT silently discards the packet transmitted in Step
4 by ensuring that it does not send an ICMPv6 Parameter Problem
packet to the LAN source within 3 seconds
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.2: Options
The Option Type identifiers are internally encoded such that their
highest-order two bits specify the action that must be taken if the
processing IPv6 node does not recognize the Option Type:
00 - skip over this option and continue processing the header.
01 - discard the packet.
10 - discard the packet and, regardless of whether or not the
packet's Destination Address was a multicast address, send an
ICMP Parameter Problem, Code 2, message to the packet's
Source Address, pointing to the unrecognized Option Type.
11 - discard the packet and, only if the packet's Destination
Address was not a multicast address, send an ICMP Parameter
Problem, Code 2, message to the packet's Source Address,
pointing to the unrecognized Option Type.
https://tools.ietf.org/html/rfc2460#section-4.2
| Test |
Name |
Synopsis |
Verify DUT properly processes unknown Option Type identifiers with 10 high order bits - unicast destination |
ipv6_basic_12 |
Verify DUT properly processes unknown Option Type identifiers with 10 high order bits - unicast destination |
step 1. Generate a Hop-by-Hop Options extension header with an unknown
Option Type of 135 (0x87). Option Type 135 contains high order bits
of 10.
Hop-by-Hop Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x87 (type 135 unknown, 10 high order bits)
Option Data Length = 0x04 (4 bytes)
Option Data = 0x00000000
step 2. Initiate an outbound ICMPv6 Echo Request (ping) from a LAN client to
a WAN IPv6 destination using the extension header generated in
Step 1
step 3. Verify that the DUT discards the packet transmitted in Step 2 by
ensuring that it does not forward an ICMPv6 Echo Request packet to
the WAN IPv6 destination within 3 seconds
step 4. Repeat Step 2
step 5. Verify that the DUT sends an ICMPv6 Parameter Problem packet to the
source in response to the packet transmitted in Step 4 within 3
seconds
step 6. Verify that the ICMPv6 Parameter Problem message contains a value of
2 in the Code field
step 7. Verify that the ICMPv6 Parameter Problem message contains a value of
42 in the Pointer field
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.2: Options
The Option Type identifiers are internally encoded such that their
highest-order two bits specify the action that must be taken if the
processing IPv6 node does not recognize the Option Type:
00 - skip over this option and continue processing the header.
01 - discard the packet.
10 - discard the packet and, regardless of whether or not the
packet's Destination Address was a multicast address, send an
ICMP Parameter Problem, Code 2, message to the packet's
Source Address, pointing to the unrecognized Option Type.
11 - discard the packet and, only if the packet's Destination
Address was not a multicast address, send an ICMP Parameter
Problem, Code 2, message to the packet's Source Address,
pointing to the unrecognized Option Type.
https://tools.ietf.org/html/rfc2460#section-4.2
| Test |
Name |
Synopsis |
Verify DUT properly processes unknown Option Type identifiers with 10 high order bits - multicast destination |
ipv6_basic_13 |
Verify DUT properly processes unknown Option Type identifiers with 10 high order bits - multicast destination |
step 1. Generate a Hop-by-Hop Options extension header with an unknown
Option Type of 135 (0x87). Option Type 135 contains high order bits
of 10.
Hop-by-Hop Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0x87 (type 135 unknown, 10 high order bits)
Option Data Length = 0x04 (4 bytes)
Option Data = 0x00000000
step 2. Initiate an outbound ICMPv6 Echo Request (ping) from a LAN client to
the all routers multicast destination using the extension header
generated in Step 1
step 3. Verify that the DUT discards the packet transmitted in Step 2 be
ensuring that it does not forward an ICMPv6 Echo Request packet to
the LAN host within 3 seconds
step 4. Repeat Step 2
step 5. Verify that the DUT sends an ICMPv6 Parameter Problem packet to the
source in response to the packet transmitted in Step 4 within 3
seconds
step 6. Verify that the ICMPv6 Parameter Problem message contains a value of
2 in the Code field
step 7. Verify that the ICMPv6 Parameter Problem message contains a value of
42 in the Pointer field
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.2: Options
The Option Type identifiers are internally encoded such that their
highest-order two bits specify the action that must be taken if the
processing IPv6 node does not recognize the Option Type:
00 - skip over this option and continue processing the header.
01 - discard the packet.
10 - discard the packet and, regardless of whether or not the
packet's Destination Address was a multicast address, send an
ICMP Parameter Problem, Code 2, message to the packet's
Source Address, pointing to the unrecognized Option Type.
11 - discard the packet and, only if the packet's Destination
Address was not a multicast address, send an ICMP Parameter
Problem, Code 2, message to the packet's Source Address,
pointing to the unrecognized Option Type.
https://tools.ietf.org/html/rfc2460#section-4.2
| Test |
Name |
Synopsis |
Verify DUT properly processes unknown Option Type identifiers with 11 high order bits - unicast destination |
ipv6_basic_14 |
Verify DUT properly processes unknown Option Type identifiers with 11 high order bits - unicast destination |
step 1. Generate a Hop-by-Hop Options extension header with an unknown
Option Type of 199 (0xc7). Option Type 199 contains high order bits
of 11.
Hop-by-Hop Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0xc7 (type 199 unknown, 11 high order bits)
Option Data Length = 0x04 (4 bytes)
Option Data = 0x00000000
step 2. Initiate an outbound ICMPv6 Echo Request (ping) from a LAN client to
a WAN IPv6 destination using the extension header generated in
Step 1
step 3. Verify that the DUT discards the packet transmitted in Step 2 be
ensuring that it does not forward an ICMPv6 Echo Request packet to
the WAN IPv6 destination within 3 seconds
step 4. Repeat Step 2
step 5. Verify that the DUT sends an ICMPv6 Parameter Problem packet to the
source in response to the packet transmitted in Step 4 within 3
seconds
step 6. Verify that the ICMPv6 Parameter Problem message contains a value of
2 in the Code field
step 7. Verify that the ICMPv6 Parameter Problem message contains a value of
42 in the Pointer field
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.2: Options
The Option Type identifiers are internally encoded such that their
highest-order two bits specify the action that must be taken if the
processing IPv6 node does not recognize the Option Type:
00 - skip over this option and continue processing the header.
01 - discard the packet.
10 - discard the packet and, regardless of whether or not the
packet's Destination Address was a multicast address, send an
ICMP Parameter Problem, Code 2, message to the packet's
Source Address, pointing to the unrecognized Option Type.
11 - discard the packet and, only if the packet's Destination
Address was not a multicast address, send an ICMP Parameter
Problem, Code 2, message to the packet's Source Address,
pointing to the unrecognized Option Type.
https://tools.ietf.org/html/rfc2460#section-4.2
| Test |
Name |
Synopsis |
Verify DUT properly processes unknown Option Type identifiers with 11 high order bits - multicast destination |
ipv6_basic_15 |
Verify DUT properly processes unknown Option Type identifiers with 11 high order bits - multicast destination |
step 1. Generate a Hop-by-Hop Options extension header with an unknown
Option Type of 199 (0xc7). Option Type 199 contains high order bits
of 11.
Hop-by-Hop Options Header:
Next Header = 0x3a (ICMP)
Length = 0x00 (8 bytes)
Option Type = 0xc7 (type 199 unknown, 11 high order bits)
Option Data Length = 0x04 (4 bytes)
Option Data = 0x00000000
step 2. Initiate an outbound ICMPv6 Echo Request (ping) from a LAN client to
the all routers multicast destination using the extension header
generated in Step 1
step 3. Verify that the DUT discards the packet transmitted in Step 2 and
does not send an ICMPv6 Parameter Problem packet to the source
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.2: Options
The Option Type identifiers are internally encoded such that their
highest-order two bits specify the action that must be taken if the
processing IPv6 node does not recognize the Option Type:
00 - skip over this option and continue processing the header.
01 - discard the packet.
10 - discard the packet and, regardless of whether or not the
packet's Destination Address was a multicast address, send an
ICMP Parameter Problem, Code 2, message to the packet's
Source Address, pointing to the unrecognized Option Type.
11 - discard the packet and, only if the packet's Destination
Address was not a multicast address, send an ICMP Parameter
Problem, Code 2, message to the packet's Source Address,
pointing to the unrecognized Option Type.
https://tools.ietf.org/html/rfc2460#section-4.2
| Test |
Name |
Synopsis |
Verify DUT discards packets with Type 0 Routing Extension Header as an Intermediary Node |
ipv6_basic_20 |
Verify DUT discards packets with Type 0 Routing Extension Header as an Intermediary Node |
step 1. Generate an ICMP Echo Request packet containing an IPv6 Routing
extension header. The destination address is the gateway's global
address, which forces header processing. The segment is set to the
RemoteHost's IPv6 address.
Routing Extension Header:
Next Header = 0x3a (ICMPv6)
Length = 0x06 (56 bytes)
Routing Type = 0x00 (Source Routing)
Segments Left: = 0x01
step 2. The RemoteHost is inspected to verify the gateway did not resend the
packet
step 3. The packet is resent
step 4. ICMPv6 Parameter Problem packet is verified as delivered to the LAN
client
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 5095 "Deprecation of Type 0 Routing Headers in IPv6" Section 3: Deprecation of RH0
An IPv6 node that receives a packet with a destination address
assigned to it and that contains an RH0 extension header MUST NOT
execute the algorithm specified in the latter part of Section 4.4 of
[RFC2460] for RH0. Instead, such packets MUST be processed according
to the behaviour specified in Section 4.4 of [RFC2460] for a datagram
that includes an unrecognised Routing Type value, namely:
If Segments Left is zero, the node must ignore the Routing header
and proceed to process the next header in the packet, whose type
is identified by the Next Header field in the Routing header.
If Segments Left is non-zero, the node must discard the packet and
send an ICMP Parameter Problem, Code 0, message to the packet's
Source Address, pointing to the unrecognized Routing Type.
https://tools.ietf.org/html/rfc5095#section-3
| Test |
Name |
Synopsis |
Verify DUT processes packets with Type 0 Routing Extension Header as an End Node |
ipv6_basic_21 |
Verify DUT processes packets with Type 0 Routing Extension Header as an End Node |
step 1. Generate an ICMP Echo Request packet containing an IPv6 Routing
extension header. The destination address is the gateway's global
address, which forces header processing. The segment is set to the
RemoteHost's IPv6 address.
Routing Extension Header:
Next Header = 0x3a (ICMPv6)
Length = 0x06 (56 bytes)
Routing Type = 0x00 (Source Routing)
Segments Left: = 0x00
step 2. The RemoteHost is inspected to verify the gateway did not resend the
packet
step 3. The packet is resent
step 4. The LAN client is inspected to verify the ICMPv6 Echo Reply was
received from the gateway
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 5095 "Deprecation of Type 0 Routing Headers in IPv6" Section 3: Deprecation of RH0
An IPv6 node that receives a packet with a destination address
assigned to it and that contains an RH0 extension header MUST NOT
execute the algorithm specified in the latter part of Section 4.4 of
[RFC2460] for RH0. Instead, such packets MUST be processed according
to the behaviour specified in Section 4.4 of [RFC2460] for a datagram
that includes an unrecognised Routing Type value, namely:
If Segments Left is zero, the node must ignore the Routing header
and proceed to process the next header in the packet, whose type
is identified by the Next Header field in the Routing header.
If Segments Left is non-zero, the node must discard the packet and
send an ICMP Parameter Problem, Code 0, message to the packet's
Source Address, pointing to the unrecognized Routing Type.
https://tools.ietf.org/html/rfc5095#section-3
| Test |
Name |
Synopsis |
Verify DUT discards packets with Unknown Routing Extension Header as an Intermediary Node |
ipv6_basic_22 |
Verify DUT discards packets with Unknown Routing Extension Header as an Intermediary Node |
step 1. Generate an ICMP Echo Request packet containing an IPv6 Routing
extension header. The destination address is the gateway's global
address, which forces header processing. The segment is set to the
RemoteHost's IPv6 address.
Routing Extension Header:
Next Header = 0x3a (ICMPv6)
Length = 0x06 (56 bytes)
Routing Type = 0x33 (Unknown Type)
Segments Left: = 0x01
step 2. The RemoteHost is inspected to verify the gateway did not resend the
packet
step 3. The packet is resent
step 4. ICMPv6 Parameter Problem packet is verified as delivered to the LAN
client
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.4: Routing Header
If, while processing a received packet, a node encounters a Routing
header with an unrecognized Routing Type value, the required behavior
of the node depends on the value of the Segments Left field, as
follows:
If Segments Left is zero, the node must ignore the Routing header
and proceed to process the next header in the packet, whose type
is identified by the Next Header field in the Routing header.
If Segments Left is non-zero, the node must discard the packet and
send an ICMP Parameter Problem, Code 0, message to the packet's
Source Address, pointing to the unrecognized Routing Type.
https://tools.ietf.org/html/rfc2460#section-4.4
| Test |
Name |
Synopsis |
Verify DUT processes packets with Unknown Routing Extension Header as an End Node |
ipv6_basic_23 |
Verify DUT processes packets with Unknown Routing Extension Header as an End Node |
step 1. Generate an ICMP Echo Request packet containing an IPv6 Routing
extension header. The destination address is the gateway's global
address, which forces header processing. The segment is set to the
RemoteHost's IPv6 address.
Routing Extension Header:
Next Header = 0x3a (ICMPv6)
Length = 0x06 (56 bytes)
Routing Type = 0x33 (Unknown Type)
Segments Left: = 0x00
step 2. The RemoteHost is inspected to verify the gateway did not resend the
packet
step 3. The packet is resent
step 4. The LAN client is inspected to verify the ICMPv6 Echo Reply was
received from the gateway
References:
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IPv6 Ready Test Specification Core Protocols
http://ipv6ready.org/docs/Core_Conformance_Latest.pdf
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.4: Routing Header
If, while processing a received packet, a node encounters a Routing
header with an unrecognized Routing Type value, the required behavior
of the node depends on the value of the Segments Left field, as
follows:
If Segments Left is zero, the node must ignore the Routing header
and proceed to process the next header in the packet, whose type
is identified by the Next Header field in the Routing header.
If Segments Left is non-zero, the node must discard the packet and
send an ICMP Parameter Problem, Code 0, message to the packet's
Source Address, pointing to the unrecognized Routing Type.
https://tools.ietf.org/html/rfc2460#section-4.4
frag-v6.tcl
IPv6 fragmentation tests
| Test |
Name |
Synopsis |
Verify DUT responds to fragmented ICMPv6 Echo Requests |
ipv6_frag_1 |
Verify DUT responds to fragmented ICMPv6 Echo Requests |
step 1. Generate a valid 3000 byte ICMPv6 Echo Request packet
step 2. Set IPv6 MTU of the LAN to 1280 bytes
step 3. Initiate an outbound ICMPv6 Echo Request (ping) to the DUT's
LAN-side IPv6 link-local address using the packet generated in
Step 1
step 4. Verify that an ICMPv6 Echo Reply packet is received within 3 seconds
References:
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.5: Fragment Header
https://tools.ietf.org/html/rfc2460#section-4.5
| Test |
Name |
Synopsis |
Verify DUT forwards fragmented ICMPv6 packets |
ipv6_frag_2 |
Verify DUT forwards fragmented ICMPv6 packets |
step 1. Generate a valid 3000 byte ICMPv6 Echo Request packet
step 2. Set IPv6 MTU of the LAN client to 1280 bytes
step 3. Set IPv6 MTU of the remoteHost WAN server to 1280 bytes
step 4. Initiate an outbound ICMPv6 Echo Request to a WAN IPv6 destination
using the packet generated in Step 1
step 5. Verify that an ICMPv6 Echo Reply packet is received within 3 seconds
References:
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.5: Fragment Header
https://tools.ietf.org/html/rfc2460#section-4.5
| Test |
Name |
Synopsis |
Verify DUT forwards fragmented UDP packets |
ipv6_frag_3 |
Verify DUT forwards fragmented UDP packets |
step 1. Generate a valid 3000 byte UDP Echo packet
step 2. Set IPv6 MTU of the LAN client to 1280 bytes
step 3. Set IPv6 MTU of the remoteHost WAN server to 1280 bytes
step 4. Initiate an outbound UDP Echo to a WAN IPv6 destination using the
packet generated in Step 1
step 5. Verify that a UDP Echo response is received on the LAN
References:
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 4.5: Fragment Header
https://tools.ietf.org/html/rfc2460#section-4.5
ndp.tcl
Neighbor Discovery Protocol and Router Advertisement tests for IPv6 devices
| Test |
Name |
Synopsis |
Verify DUT responds to Router Solicitations on the LAN |
ipv6_ndp_1 |
Verify DUT responds to Router Solicitations on the LAN |
step 1. Send a Router Solicitation from the LAN
step 2. Wait for a Router Advertisement from the DUT
step 3. Verify the fields in the Router Advertisement
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT periodically sends unsolicited Router Advertisements |
ipv6_ndp_2 |
Verify DUT periodically sends unsolicited Router Advertisements |
step 1. Listen for a Router Advertisement on the LAN
step 2. Wait for a second Router Advertisement on the LAN
step 3. Verify that the DUT is periodically sending Advertisments
NOTE: The testvar ipv6RAInterval will control how long this test waits for a
Router Advertisement.
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT responds to Neighbor Solicitations for its link-local address |
ipv6_ndp_10 |
Verify DUT responds to Neighbor Solicitations for its link-local address |
step 1. Send a Neighbor Solicitation on the LAN for the DUT's link-local address
step 2. Wait for a Neighbor Advertisement from the DUT
step 3. Verify fields of the Neighbor Advertisement
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT responds to Neighbor Solicitations for its global IPv6 address |
ipv6_ndp_11 |
Verify DUT responds to Neighbor Solicitations for its global IPv6 address |
step 1. Send a Neighbor Solicitation on the LAN for the DUT's global IPv6 address
step 2. Wait for a Neighbor Advertisement from the DUT
step 3. Verify fields of Neighbor Advertisement
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT ignores Neighbor Solicitations with an invalid hop-count |
ipv6_ndp_12 |
Verify DUT ignores Neighbor Solicitations with an invalid hop-count |
step 1. Send an Neighbor Solicitation for the DUT's link-local address with a hop-count of 64
step 2. Verify the DUT ignores the Solicitation and doesn't respond with a Neighbor Advertisement
step 3. Send a valid Neighbor Solicitation to make sure DUT is properly responding
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT responds to DAD-style Neighbor Solicitations for link-local address on LAN |
ipv6_ndp_13 |
Verify DUT responds to DAD-style Neighbor Solicitations for link-local address on LAN |
step 1. Send a Duplicate-Address-Detection (DAD) style Neighbor Solicition
for the DUT's link-local address on the LAN
step 2. Wait for a Neighbor Advertisement from the DUT
step 3. Verify source, destination, and contents of Neighbor Advertisement
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration" Section 5.4: Duplicate Address Detection
https://tools.ietf.org/html/rfc4862#section-5.4
| Test |
Name |
Synopsis |
Verify DUT ignores Neighbor Solicitations with a different target than itself |
ipv6_ndp_14 |
Verify DUT ignores Neighbor Solicitations with a different target than itself |
step 1. Send an Neighbor Solicitation for the lanStack's link-local address to the DUT's link-local address
and its global address
step 2. Verify the DUT ignores the Solicitation and doesn't respond with a Neighbor Advertisement
step 3. Send a valid Neighbor Solicitation to make sure DUT is properly responding
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT ignores Neighbor Solicitations sent to the wrong Solicited-Node Multicast Address |
ipv6_ndp_15 |
Verify DUT ignores Neighbor Solicitations sent to the wrong Solicited-Node Multicast Address |
step 1. Send an Neighbor Solicitation for the DUT's link-local address, but sent to the wrong
Solicited-Node Multicast Address
step 2. Verify the DUT ignores the Solicitation and doesn't respond with a Neighbor Advertisement
step 3. Send a valid Neighbor Solicitation to make sure DUT is properly responding
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT responds to DAD-style Neighbor Solicitations for global address on LAN |
ipv6_ndp_16 |
Verify DUT responds to DAD-style Neighbor Solicitations for global address on LAN |
step 1. Send a Duplicate-Address-Detection (DAD) style Neighbor Solicition
for the DUT's global address on the LAN
step 2. Wait for a Neighbor Advertisement from the DUT
step 3. Verify source, destination, and contents of Neighbor Advertisement
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration" Section 5.4: Duplicate Address Detection
https://tools.ietf.org/html/rfc4862#section-5.4
| Test |
Name |
Synopsis |
Verify DUT sends ICMPv6 Redirect messages for neighbor traffic forwarded to it |
ipv6_ndp_20 |
Verify DUT sends ICMPv6 Redirect messages for neighbor traffic forwarded to it |
step 1: Create a new client on the LAN
step 2: Send a ping to the Global-Unicast-Address of the new client
step 3: Verify the DUT sends an ICMPv6 Redirect messsage
step 4. Verify the ICMPv6 Redirect message
step 5: Verify the new client responds to the ping
NOTE: This test is similar to ipv6_forward_3, except it verifies that the
DUT is sending valid ICMPv6 Redirect messages back to the sender. Test
ipv6_forward_3 verifies that the packet is forwarded to the correct
destination.
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)" Section 8: Redirect Function
https://tools.ietf.org/html/rfc4861#section-8
| Test |
Name |
Synopsis |
Verify Router Advertisements contain M bit and O bit based on LAN mode |
ipv6_ndp_30 |
Verify Router Advertisements contain M bit and O bit based on LAN mode |
step 1. Listen for a Router Advertisement on the LAN
step 2. Check the "managed address configuration" flag (M bit) in the Router
Advertisement received in Step 1
step 3. If the DUT is configured to provide global addresses via DHCPv6 on
the LAN, the M bit should be set; if autoconfiguration is used
instead, the M bit should not be set
step 4. If the DUT is configured to provide global addresses via
autoconfiguration on the LAN, and the "other stateful configuration"
flag (O bit) is set, send a DHCPv6 Information-request including an
Option Request for DHCPv6 Options 23 'DNS Recursive Name Server'
and 24 'Domain Search List' to the DUT. Skip to Step 6.
step 5. If the DUT is configured to provide global addresses via
DHCPv6 and the "managed address configuration" flag
(M bit) is set, send a DHCPv6 Information-request including an
Option Request for DHCPv6 Options 23 'DNS Recursive Name Server'
and 24 'Domain Search List' to the DUT
step 6. Verify that the DUT sends a DHCPv6 Reply in response to the DHCPv6
Information-request message sent by the client in Steps 4 or 5
step 7. Verify that the DUT's DHCPv6 Reply includes DHCPv6 Options 23 and 24
Step 8. Verify the DNS server information provided by the DUT. If the testvar
ipv6DNStoLAN is set to "yes", the DNS server addresses provided should
match the addresses of the DNS servers configured on the WAN. If the
ipv6DNStoLAN testvar is set to "no", the LAN side IPv6 address of the
DUT should be provided as the DNS server.
step 9. Verify the domain search list information provided by the DUT
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)" Section 4.2: Router Advertisement Message Format
https://tools.ietf.org/html/rfc4861#section-4.2
| Test |
Name |
Synopsis |
Verify Router Advertisements contain valid prefix, A bit, and L bit based on LAN settings |
ipv6_ndp_31 |
Verify Router Advertisements contain valid prefix, A bit, and L bit based on LAN settings |
step 1. Listen for Router Advertisements on the LAN for one Router
Advertisement interval
step 2. Verify at least one Router Advertisement contains a valid prefix
based on the DUT's LAN IPv6 address
step 3. Verify that the prefix length associated with the prefix discovered
in Step 2 is the same as the DUT's configured LAN prefix length
(skip this step if the IPv6 WAN mode is 6to4)
step 4. Verify that the prefix discovered in Step 2 contains a valid
lifetime
step 5. Verify that the prefix discovered in Step 2 has the autonomous
address-configuration flag (A bit) set to either 0 or 1
step 6. Verify that the prefix discovered in Step 2 has the on-link flag
(L bit) set
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)" Section 4.6.2: Prefix Information
https://tools.ietf.org/html/rfc4861#section-4.6.2
| Test |
Name |
Synopsis |
Verify Router Advertisements contain RDNSS option |
ipv6_ndp_32 |
Verify Router Advertisements contain RDNSS option |
step 1. Listen for a Router Advertisement on the LAN
step 2. Verify that one or more RDNSS options (25) are present in RA
step 3. Verify the addresses provided in RDNSS options. If the testvar
ipv6DNStoLAN is set to "yes", the DNS server addresses listed
in the RDNSS option should match the addresses of the DNS
servers configured on the WAN. If the ipv6DNStoLAN testvar is
set to "no", the RDNSS option should list only the LAN side
IPv6 address of the DUT (global or link-local address).
step 4. Verify the RDNSS option lifetime
NOTE: This test is skipped if the testvar ipv6RdnssSupport is set to no
indicating that the device does not support the RDNSS option.
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
IETF RFC 6106 "IPv6 Router Advertisement Options for DNS Configuration"
https://tools.ietf.org/html/rfc6106
| Test |
Name |
Synopsis |
Verify Router Advertisements contain DNSSL option |
ipv6_ndp_33 |
Verify Router Advertisements contain DNSSL option |
step 1. Listen for a Router Advertisement on the LAN
step 2. Verify that one or more DNSSL options (31) are present in RA
step 3. Verify the domain search list provided in the DNSSL option. The
domain search list should contain the domain name specified by the
testvar wanDomainName.
step 4. Verify the DNSSL option lifetime
NOTE: This test is skipped if the testvar ipv6DnsslSupport is set to no
indicating that the device does not support the DNSSL option.
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
IETF RFC 6106 "IPv6 Router Advertisement Options for DNS Configuration"
https://tools.ietf.org/html/rfc6106
| Test |
Name |
Synopsis |
Verify DUT does not advertise itself as a default router when WAN RA lifetime is 0 |
ipv6_ndp_34 |
Verify DUT does not advertise itself as a default router when WAN RA lifetime is 0 |
step 1. Send Router Advertisements on the WAN with a Router Lifetime of 0
step 2. Listen for RAs from the DUT on the LAN for up to the [dhcpv6PDLatency
+ 1 LAN RA interval]
step 3. Verify that the DUT eventually stops advertising itself as a default
router by setting the Router Lifetime in LAN RAs to a value of 0
step 3. Restore original Router Lifetime on WAN and start sending Router
Advertisements on the WAN with a non-zero Router Lifetime
step 4. Verify that the DUT starts advertising itself as a default router by
setting the Router Lifetime in LAN RAs to a value greater than 0
step 5. Wait for the duration of the dhcpv6PDLatency testvar and perform a
connectivity check to ensure that the WAN link is operational
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
IETF RFC 7084 "IPv6 CE Router Requirements" Section 4.1: General Requirements
G-4: By default, an IPv6 CE router that has no default
router(s) on its WAN interface MUST NOT advertise
itself as an IPv6 default router on its LAN interfaces.
That is, the "Router Lifetime" is set to zero in all
Router Advertisement messages it originates [RFC4861].
https://tools.ietf.org/html/rfc7084#section-4.1
IETF RFC 7084 "IPv6 CE Router Requirements" Section 4.1: General Requirements
G-5: By default, if the IPv6 CE router is an advertising router and
loses its IPv6 default router(s) and/or detects loss of
connectivity on the WAN interface, it MUST explicitly
invalidate itself as an IPv6 default router on each of its
advertising interfaces by immediately transmitting one or more
Router Advertisement messages with the "Router Lifetime" field
set to zero [RFC4861].
https://tools.ietf.org/html/rfc7084#section-4.1
| Test |
Name |
Synopsis |
Verify Neighbor Unreachability Detection |
ipv6_ndp_40 |
Verify Neighbor Unreachability Detection |
step 1. Disable LAN client to prevent the DUT from receiving
reachability confirmations
step 2. Wait (ReachableTime + DELAY_FIRST_PROBE_TIME +
(MAX_UNICAST_SOLICIT * RetransTimer)) seconds to ensure DUT's
neighbor cache entry (NCE) for LAN client is deleted
step 3. Enable LAN client
step 4. Send a Neighbor Solicitation on the LAN for the DUT's
link-local address to create a NCE on the DUT for the LAN
client's link-local address in the STALE state
step 5. Verify a Neighbor Advertisement is received from the DUT
step 6. Send an ICMPv6 Echo Request from the LAN to the DUT's
link-local address to transition the NCE on the DUT from
STALE to DELAY state.
step 7. Verify an ICMPv6 Echo Reply is received from the DUT
step 8. Disable neighbor discovery (ND) on LAN client to prevent
the sending of Neighbor Advertisements
step 9. Wait DELAY_FIRST_PROBE_TIME-1 seconds to allow the NCE on
the DUT to transition from DELAY to PROBE state
step 10. Wait RetransTimer+1 seconds for the DUT to send a unicast
Neighbor Solicitation for the LAN client's link local address
step 11. Verify LAN client receives a unicast Neighbor Solicitation
step 12. Repeat steps 10 and 11 to ensure that MAX_UNICAST_SOLICIT
Neighbor Solications are sent. On the
MAX_UNICAST_SOLICIT'th Neighbor Solication, reenable
neighbor discovery on LAN client and respond to the
Neighbor Solicitation with a Neighbor Advertisement to
allow the DUT's NCE to transition from PROBE to REACHABLE
state
step 13. Disable LAN client to prevent the DUT from receiving
reachability confirmations
step 14. Wait ReachableTime+1 seconds to allow DUT's NCE to
transition from REACHABLE to STALE state
step 15. Enable LAN client
step 16. Send an ICMPv6 Echo Request from the LAN to the DUT's
link-local address to transition the NCE on the DUT from
STALE to DELAY state.
step 17. Verify an ICMPv6 Echo Reply is received from the DUT
step 18. Disable neighbor discovery (ND) on LAN client to prevent
the sending of Neighbor Advertisements
step 19. Wait DELAY_FIRST_PROBE_TIME-1 seconds to allow the NCE on
the DUT to transition from DELAY to PROBE state
step 20. Wait RetransTimer+1 seconds for the DUT to send a unicast
Neighbor Solicitation for the LAN client's link local address
step 21. Verify LAN client receives a unicast Neighbor Solicitation
step 22. Repeat steps 20 and 21 to ensure that MAX_UNICAST_SOLICIT
Neighbor Solications are sent. The DUT's NCE should now
be deleted
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)" Section 7.3: Neighbor Unreachability Detection
https://tools.ietf.org/html/rfc4861#section-7.3
| Test |
Name |
Synopsis |
Verify ICMPv6 Destination Unreachable sent on address resolution failure |
ipv6_ndp_41 |
Verify ICMPv6 Destination Unreachable sent on address resolution failure |
step 1. Wait 60 seconds to ensure DUT has no neighbor cache entry
(NCE) for ipv6WanIspNextIp
step 2. Send an ICMPv6 Echo Request from the LAN to ipv6WanIspNextIp
step 3. Wait 2 seconds for DUT to send a Neighbor Solicitation on
the WAN.
step 4. Verify that the Neighbor Solicitation is sent to the
solicited-node multicast corresponding to ipv6WanIspNextIp
with target ipv6WanIspNextIp and includes a Source
Link-Layer Address option
step 5. Repeat steps 3 & 4 MAX_MULTICAST_SOLICIT (3) times
step 6. Verify DUT sends an ICMPv6 Destination Unreachable message
to the LAN client with code 3 (Address Unreachable)
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)" Section 7.2.2: Sending Neighbor Solicitations
https://tools.ietf.org/html/rfc4861#section-7.2.2
ndp-wan.tcl
Neighbor Discovery Protocol and Router Advertisement tests for the WAN side of IPv6 devices
| Test |
Name |
Synopsis |
Verify if DUT responds to Router Solicitations on the WAN |
ipv6_ndp_wan_1 |
Verify if DUT responds to Router Solicitations on the WAN |
step 1. Send a Router Solicitation from the WAN
step 2. Wait to see if DUT sends a Router Advertisement on the WAN
step 3. Verify the expected behavior
Note: The testvar ipv6ExpectRAonWan determines if this test should
expect to see Router Advertisements from the DUT on the WAN
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify if DUT periodically sends unsolicited Router Advertisements |
ipv6_ndp_wan_2 |
Verify if DUT periodically sends unsolicited Router Advertisements |
step 1. Wait for a Router Advertisement on the WAN
step 2. Wait for a second Router Advertisement on the WAN
step 3. Verify if the DUT is periodically sending Advertisments as expected
Notes: The testvar ipv6ExpectRAonWan determines if this test should
expect to see Router Advertisements from the DUT on the WAN
The testvar ipv6RAInterval will control how long
this test waits for a Router Advertisement.
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT responds to Neighbor Solicitations on the WAN for its link-local address |
ipv6_ndp_wan_10 |
Verify DUT responds to Neighbor Solicitations on the WAN for its link-local address |
step 1. Send a Neighbor Solicitation on the WAN for the DUT's link-local address
step 2. Wait for a Neighbor Advertisement from the DUT
step 3. Verify fields of the Neighbor Advertisement
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT responds to Neighbor Solicitations on the WAN for its global IPv6 address |
ipv6_ndp_wan_11 |
Verify DUT responds to Neighbor Solicitations on the WAN for its global IPv6 address |
step 1. Send a Neighbor Solicitation on the WAN for the DUT's global IPv6 address
step 2. Wait for a Neighbor Advertisement from the DUT
step 3. Verify fields of Neighbor Advertisement
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT ignores invalid Neighbor Solicitations sent on the WAN |
ipv6_ndp_wan_12 |
Verify DUT ignores invalid Neighbor Solicitations sent on the WAN |
step 1. Send an invalid Neighbor Solicitation for the DUT's WAN-side global address
step 2. Verify the DUT ignores the Solicitation and doesn't respond with a Neighbor Advertisement
step 3. Send a valid Neighbor Solicitation to make sure DUT is properly responding
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT responds to DAD-style Neighbor Solicitations on the WAN for its link local address |
ipv6_ndp_wan_13 |
Verify DUT responds to DAD-style Neighbor Solicitations on the WAN for its link local address |
step 1. Send a Duplicate-Address-Detection style Neighbor Solicition for the DUT's
link-local address on the WAN
step 2. Wait for a Neighbor Advertisement from the DUT
step 3. Verify source, destination, and contents of Neighbor Advertisement
Reference: RFC 4862 Section 5.4
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration" Section 5.4: Duplicate Address Detection
https://tools.ietf.org/html/rfc4862#section-5.4
| Test |
Name |
Synopsis |
Verify DUT ignores Neighbor Solicitations with a different target than itself |
ipv6_ndp_wan_14 |
Verify DUT ignores Neighbor Solicitations with a different target than itself |
step 1. Send an Neighbor Solicitation for the wanStack's link-local address to the DUT's
link-local address and its global address
step 2. Verify the DUT ignores the Solicitation and doesn't respond with a Neighbor Advertisement
step 3. Send a valid Neighbor Solicitation to make sure DUT is properly responding
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT ignores Neighbor Solicitations sent to the wrong Solicited-Node Multicast Address |
ipv6_ndp_wan_15 |
Verify DUT ignores Neighbor Solicitations sent to the wrong Solicited-Node Multicast Address |
step 1. Send an Neighbor Solicitation for the DUT's link-local address, but sent to the wrong
Solicited-Node Multicast Address
step 2. Verify the DUT ignores the Solicitation and doesn't respond with a Neighbor Advertisement
step 3. Send a valid Neighbor Solicitation to make sure DUT is properly responding
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
| Test |
Name |
Synopsis |
Verify DUT responds to DAD-style Neighbor Solicitations on the WAN for its global IPv6 address |
ipv6_ndp_wan_16 |
Verify DUT responds to DAD-style Neighbor Solicitations on the WAN for its global IPv6 address |
step 1. Send a Duplicate-Address-Detection style Neighbor Solicition for the DUT's
global address on the WAN
step 2. Wait for a Neighbor Advertisement from the DUT
step 3. Verify source, destination, and contents of Neighbor Advertisement
References:
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)"
https://tools.ietf.org/html/rfc4861
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration" Section 5.4: Duplicate Address Detection
https://tools.ietf.org/html/rfc4862#section-5.4
dhcpv6-c.tcl
DHCPv6 client tests for the WAN side of the router
| Test |
Name |
Synopsis |
Verify client requests the assignment of a non-temporary address |
dhcpv6_1 |
Verify client requests the assignment of a non-temporary address |
step 1. Check existing DHCPv6 bindings on the WAN side of the CPE
step 2. Verify whether or not a non-temporary address binding exists
step 3. Verify Valid and Preferred lifetimes for binding
step 4. Verify that the binding has not expired
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 17: DHCP Server Solicitation
https://tools.ietf.org/html/rfc3315#section-17
| Test |
Name |
Synopsis |
Verify client renews non-temporary address when current binding expires |
dhcpv6_2 |
Verify client renews non-temporary address when current binding expires |
step 1. Wait for DHCPv6 client's current non-temporary address binding
T1 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Verify Renew contains Server Identifier option (2) with correct
server DUID
step 4. Verify Renew contains IA_NA option (3) for same non-temporary
address
step 5. Send valid Reply to update binding
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1.3: Creation and Transmission of Renew Messages
To extend the valid and preferred lifetimes for the addresses
associated with an IA, the client sends a Renew message to the server
from which the client obtained the addresses in the IA containing an
IA option for the IA. The client includes IA Address options in the
IA option for the addresses associated with the IA. The server
determines new lifetimes for the addresses in the IA according to the
administrative configuration of the server.
https://tools.ietf.org/html/rfc3315#section-18.1.3
| Test |
Name |
Synopsis |
Verify client obtains address from server using various undefined server DUID values |
dhcpv6_4 |
Verify client obtains address from server using various undefined server DUID values |
step 1. Configure the server to use an undefined server DUID format
step 2. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 3. Do not respond to Renew or Rebind messages from client
step 4. Verify client sends Solicit message and obtains an IPv6 address
step 5. Repeat steps 1 - 4 for various undefined DUID server formats
step 6. Reestablish the DHCPv6 binding using the original DUID format
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 9: DHCP Unique Identifier (DUID)
https://tools.ietf.org/html/rfc3315#section-9
| Test |
Name |
Synopsis |
Verify client ignores replies with mismatched client DUID |
dhcpv6_10 |
Verify client ignores replies with mismatched client DUID |
step 1. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 2. Do not respond to Renew or Rebind messages from client
step 3. Verify client sends Solicit message
step 4. Verify Solicit contains IA_NA option (3)
step 5. Respond to first Solicit message with incorrect Client
Identifier option(1) DUID
step 6. Verify client restransmits Solicit message
step 7. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 17.1.2: Transmission of Solicit Messages
If the client does not receive any Advertise messages before the
first RT has elapsed, it begins the retransmission mechanism
described in section 14. The client terminates the retransmission
process as soon as it receives any Advertise message, and the client
acts on the received Advertise message without waiting for any
additional Advertise messages.
https://tools.ietf.org/html/rfc3315#section-17.1.2
| Test |
Name |
Synopsis |
Verify client ignores unknown or invalid DHCPv6 packets |
dhcpv6_11 |
Verify client ignores unknown or invalid DHCPv6 packets |
step 1. Send invalid DHCPv6 packet with message type 0 to client
on the WAN
step 2. Verify that client does not respond to packet transmitted
in Step 1
step 3. Repeat steps 1 and 2 for message types 1 through 255
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify client handles fragmented IPv6 packets |
dhcpv6_14 |
Verify client handles fragmented IPv6 packets |
step 1. Configure DHCPv6 server to use a large User Class option (15)
to force IPv6 fragmentation
step 2. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 3. Do not respond to Renew or Rebind messages from client
step 4. Verify client sends Solicit message
step 5. Respond to first Solicit message with Advertise containing
large User Class Option (15) causing fragmentation
step 6. Verify client sends valid Request in response to Advertise
step 7. Disable server User Class option (15) created in Step 1
step 8. If client fails Step 6, cleanup and wait for client to
retransmit Solicit message
step 9. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1: Client Behavior
https://tools.ietf.org/html/rfc3315#section-18.1
| Test |
Name |
Synopsis |
Verify client ignores server messages with invalid UDP checksum |
dhcpv6_15 |
Verify client ignores server messages with invalid UDP checksum |
step 1. Configure DHCPv6 server to use bad UDP checksums
step 2. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 3. Do not respond to Renew or Rebind messages from client
step 4. Verify client sends Solicit message
step 5. Respond to first Solicit message with Advertise containing
invalid UDP checksum
step 6. Verify client does not send valid Request in response to
Advertise
step 7. Configure DHCPv6 server to use valid UDP checksums
step 8. Wait for client to retransmit Solicit message
step 9. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify client composes DUID correctly |
dhcpv6_16 |
Verify client composes DUID correctly |
step 1. Wait for DHCPv6 client's current non-temporary address binding
T1 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Inspect the composition of the DUID to ensure correctness
Reference: IETF RFC 3315 Section 9 "DHCP Unique Identifier (DUID)"
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 9: DHCP Unique Identifier (DUID)
https://tools.ietf.org/html/rfc3315#section-9
| Test |
Name |
Synopsis |
Verify client restarts when NoBinding failure occurs during Renew |
dhcpv6_20 |
Verify client restarts when NoBinding failure occurs during Renew |
step 1. Wait for DHCPv6 client's current non-temporary address binding
T1 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Verify Renew contains IA_NA option (3) for same non-temporary
address
step 4. Send valid DHCPv6 Reply with NoBinding status code (3)
step 5. Verify DHCPv6 client sends Request message
step 6. Verify Request contains IA_NA option (3) for same non-temporary
address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1.8: Receipt of Reply Messages
When the client receives a Reply message in response to a Renew or
Rebind message, the client examines each IA independently. For each
IA in the original Renew or Rebind message, the client:
- sends a Request message if the IA contained a Status Code option
with the NoBinding status (and does not send any additional
Renew/Rebind messages)
- sends a Renew/Rebind if the IA is not in the Reply message
- otherwise accepts the information in the IA
https://tools.ietf.org/html/rfc3315#section-18.1.8
| Test |
Name |
Synopsis |
Verify client restarts when UnspecFail failure occurs during Renew |
dhcpv6_21 |
Verify client restarts when UnspecFail failure occurs during Renew |
step 1. Wait for DHCPv6 client's current non-temporary address binding
T1 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Verify Renew contains IA_NA option (3) for same non-temporary
address
step 4. Send valid DHCPv6 Reply with UnspecFail status code (1)
step 5. Verify DHCPv6 client recovers by retransmitting Renew or
sending Request
step 6. Verify Renew or Request contains IA_NA option (3) for same
non-temporary address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1.8: Receipt of Reply Messages
If the client receives a Reply message with a Status Code containing
UnspecFail, the server is indicating that it was unable to process
the message due to an unspecified failure condition. If the client
retransmits the original message to the same server to retry the
desired operation, the client MUST limit the rate at which it
retransmits the message and limit the duration of the time during
which it retransmits the message.
https://tools.ietf.org/html/rfc3315#section-18.1.8
| Test |
Name |
Synopsis |
Verify client restarts DHCPv6 when Reply to Request contains IA lifetimes set to 0 |
dhcpv6_22 |
Verify client restarts DHCPv6 when Reply to Request contains IA lifetimes set to 0 |
step 1. Allow the DHCPv6 client to restart DHCPv6 by waiting for the IA_NA
lifetime to expire without replying to any DHCPv6 messages
step 2. Send a valid Advertise message in response to the DHCPv6 client's
Solicit message
step 3. Verify the DHCPv6 client sends a Request message
step 4. Send a valid Reply message with all IA lifetimes set to 0
step 5. Verify the DHCPv6 client sends a DHCPv6 Solicit message
step 6. Verify the DHCPv6 client and server complete the DHCPv6 2 or 4 message
exchange
step 7. Verify DHCPv6 client recovered by waiting for the client to transmit
a Renew at T1
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.10.1: Reply for Solicit (with Rapid Commit), Request, Renew, or Rebind
If the Reply message contains any IAs but the client finds no usable
addresses and/or delegated prefixes in any of these IAs, the client
may either try another server (perhaps restarting the DHCP server
discovery process) or use the Information-request message to obtain
other configuration information only.
https://tools.ietf.org/html/rfc8415#section-18.2.10.1
| Test |
Name |
Synopsis |
Verify client restarts DHCPv6 when Reply to Renew contains IA lifetimes set to 0 |
dhcpv6_23 |
Verify client restarts DHCPv6 when Reply to Renew contains IA lifetimes set to 0 |
step 1. Wait for DHCPv6 client's current IA_NA binding T1 timer to expire
step 2. Verify the DHCPv6 client sends a DHCPv6 Renew
step 3. Send a valid Reply message with all IA lifetimes set to 0
step 4. Verify the DHCPv6 client sends a DHCPv6 Solicit message
step 5. Verify the DHCPv6 client and server complete the DHCPv6 2 or 4 message
exchange
step 6. Verify the DHCPv6 client recovered by waiting for the client to transmit
a Renew at T1
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.10.1: Reply for Solicit (with Rapid Commit), Request, Renew, or Rebind
If the Reply message contains any IAs but the client finds no usable
addresses and/or delegated prefixes in any of these IAs, the client
may either try another server (perhaps restarting the DHCP server
discovery process) or use the Information-request message to obtain
other configuration information only.
https://tools.ietf.org/html/rfc8415#section-18.2.10.1
| Test |
Name |
Synopsis |
Verify client restarts DHCPv6 when Reply to Rebind contains IA lifetimes set to 0 |
dhcpv6_24 |
Verify client restarts DHCPv6 when Reply to Rebind contains IA lifetimes set to 0 |
step 1. Wait for DHCPv6 client's current IA_NA binding T2 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Rebind
step 3. Send a valid Reply message with all IA lifetimes set to 0
step 4. Verify the DHCPv6 client sends a DHCPv6 Solicit message
step 5. Verify the DHCPv6 client and server complete the DHCPv6 2 or 4 message
exchange
step 6. Verify the DHCPv6 client recovered by waiting for the client to transmit
a Renew at T1
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.10.1: Reply for Solicit (with Rapid Commit), Request, Renew, or Rebind
If the Reply message contains any IAs but the client finds no usable
addresses and/or delegated prefixes in any of these IAs, the client
may either try another server (perhaps restarting the DHCP server
discovery process) or use the Information-request message to obtain
other configuration information only.
https://tools.ietf.org/html/rfc8415#section-18.2.10.1
| Test |
Name |
Synopsis |
Verify client sends Rebind message if Renew for non-temporary address fails |
dhcpv6_30 |
Verify client sends Rebind message if Renew for non-temporary address fails |
step 1. Wait for DHCPv6 client's current non-temporary address binding
T1 to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Do not respond to Renew message
step 4. Verify DHCPv6 client sends Rebind message
step 5. Verify Rebind contains IA_NA option (3) for same non-temporary
address
step 6. Send valid Reply to update binding
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1.4: Creation and Transmission of Rebind Messages
At time T2 for an IA (which will only be reached if the server to
which the Renew message was sent at time T1 has not responded), the
client initiates a Rebind/Reply message exchange with any available
server. The client includes an IA option with all addresses
currently assigned to the IA in its Rebind message.
https://tools.ietf.org/html/rfc3315#section-18.1.4
| Test |
Name |
Synopsis |
Verify client sends Solicit message if Renew and Rebind for non-temporary address fails |
dhcpv6_31 |
Verify client sends Solicit message if Renew and Rebind for non-temporary address fails |
step 1. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 2. Do not respond to Renew or Rebind messages from client
step 3. Verify client sends Solicit message
step 4. Verify Solicit contains IA_NA option (3)
step 5. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1.4: Creation and Transmission of Rebind Messages
The message exchange is terminated when the valid lifetimes of all
the addresses assigned to the IA expire (see section 10), at which
time the client has several alternative actions to choose from; for
example:
- The client may choose to use a Solicit message to locate a new
DHCP server and send a Request for the expired IA to the new
server.
- The client may have other addresses in other IAs, so the client
may choose to discard the expired IA and use the addresses in the
other IAs.
https://tools.ietf.org/html/rfc3315#section-18.1.4
| Test |
Name |
Synopsis |
Verify client supports DHCPv6 Reconfigure Key Authentication |
dhcpv6_32 |
Verify client supports DHCPv6 Reconfigure Key Authentication |
step 1. Check existing DHCPv6 bindings on the WAN side of the CPE
step 2. Verify whether or not a non-temporary address binding
exists
step 3. Verify DHCPv6 Reconfigure Key exists for binding
step 4. Send Reconfigure message requesting Renew
step 5. Verify DHCPv6 client sends DHCPv6 Renew
Reference:
IETF RFC 3315 Section 21.5 "Reconfigure Key Authentication Protocol"
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 21.5: Reconfigure Key Authentication Protocol
https://tools.ietf.org/html/rfc3315#section-21.5
| Test |
Name |
Synopsis |
Verify client ignores DHCPv6 Reconfigure without Authentication option |
dhcpv6_33 |
Verify client ignores DHCPv6 Reconfigure without Authentication option |
step 1. Check existing DHCPv6 bindings on the WAN side of the CPE
step 2. Verify whether or not a non-temporary address binding
exists
step 3. Verify DHCPv6 Reconfigure Key exists for binding
step 4. Send Reconfigure message requesting Renew without
Authentication option
step 5. Verify DHCPv6 client does not send DHCPv6 Renew, Rebind or
Information-Request
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15.11: Reconfigure Message
https://tools.ietf.org/html/rfc3315#section-15.11
| Test |
Name |
Synopsis |
Verify client ignores DHCPv6 Reconfigure with incorrect Reconfigure Key |
dhcpv6_34 |
Verify client ignores DHCPv6 Reconfigure with incorrect Reconfigure Key |
step 1. Check existing DHCPv6 bindings on the WAN side of the CPE
step 2. Verify whether or not a non-temporary address binding
exists
step 3. Verify DHCPv6 Reconfigure Key exists for binding
step 4. Send Reconfigure message requesting Renew using
incorrect DHCPv6 Reconfigure Key
step 5. Verify DHCPv6 client does not send DHCPv6 Renew, Rebind or
Information-Request
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15.11: Reconfigure Message
https://tools.ietf.org/html/rfc3315#section-15.11
| Test |
Name |
Synopsis |
Verify client supports DHCPv6 Reconfigure with Rebind request |
dhcpv6_35 |
Verify client supports DHCPv6 Reconfigure with Rebind request |
step 1. Check existing DHCPv6 bindings on the WAN side of the CPE
step 2. Verify whether or not a non-temporary address binding
exists
step 3. Verify DHCPv6 Reconfigure Key exists for binding
step 4. Send Reconfigure message requesting Rebind
step 5. Verify DHCPv6 client sends DHCPv6 Rebind
References:
IETF RFC 6644 "Rebind Capability in DHCPv6 Reconfigure Messages" Section 5: Client Behavior
https://tools.ietf.org/html/rfc6644#section-5
| Test |
Name |
Synopsis |
Verify client ignores DHCPv6 Reconfigure requesting a Solicit |
dhcpv6_36 |
Verify client ignores DHCPv6 Reconfigure requesting a Solicit |
step 1. Check existing DHCPv6 bindings on the WAN side of the CPE
step 2. Verify whether or not a non-temporary address binding
exists
step 3. Verify DHCPv6 Reconfigure Key exists for binding
step 4. Send Reconfigure message requesting Solicit
step 5. Verify DHCPv6 client does not send DHCPv6 Solicit, Renew,
Rebind or Information-Request
References:
IETF RFC 6644 "Rebind Capability in DHCPv6 Reconfigure Messages" Section 5: Client Behavior
https://tools.ietf.org/html/rfc6644#section-5
| Test |
Name |
Synopsis |
Verify client retransmits DHCPv6 Solicit messages for non-temporary address |
dhcpv6_50 |
Verify client retransmits DHCPv6 Solicit messages for non-temporary address |
step 1. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 2. Do not respond to Renew or Rebind messages from client
step 3. Verify client sends Solicit message
step 4. Verify Solicit contains IA_NA option (3)
step 5. Do not respond to first Solicit message
step 6. Verify client restransmits Solicit message
step 7. Verify retransmitted Solicit message contains same transaction
ID as first Solicit message
step 8. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 16.1: Use of Transaction IDs
The "transaction-id" field holds a value used by clients and servers
to synchronize server responses to client messages. A client SHOULD
generate a random number that cannot easily be guessed or predicted
to use as the transaction ID for each new message it sends. Note
that if a client generates easily predictable transaction
identifiers, it may become more vulnerable to certain kinds of
attacks from off-path intruders. A client MUST leave the transaction
ID unchanged in retransmissions of a message.
https://tools.ietf.org/html/rfc8415#section-16.1
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.1: Creation and Transmission of Solicit Messages
If the client does not receive any valid Advertise messages before
the first RT has elapsed, it then applies the retransmission
mechanism described in Section 15. The client terminates the
retransmission process as soon as it receives any valid Advertise
message, and the client acts on the received Advertise message
without waiting for any additional Advertise messages.
https://tools.ietf.org/html/rfc8415#section-18.2.1
| Test |
Name |
Synopsis |
Verify client retransmits DHCPv6 Request messages for non-temporary address |
dhcpv6_51 |
Verify client retransmits DHCPv6 Request messages for non-temporary address |
step 1. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 2. Do not respond to Renew or Rebind messages from client
step 3. Verify client sends Solicit message
step 4. Verify Solicit contains IA_NA option (3)
step 5. Send valid Advertise message
step 6. Verify client sends Request message containing IA_NA option (3)
step 7. Do not respond to Request message
step 8. Verify client retransmists Request message
step 9. Verify retransmitted Request message contains same transaction
ID as first Request message
step 10. Send valid Advertise message and wait for transaction to
finish
Reference: IETF RFC 3315 Section 14 "Reliability of Client Initiated
Message Exchanges"
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in sections 17 and 18.
If a DHCP client fails to receive an expected response from a server,
the client must retransmit its message. This section describes the
retransmission strategy to be used by clients in client-initiated
message exchanges.
NOTE: This test will not work if Rapid-Commit is used!
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15: Reliability of Client Initiated Message Exchanges
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in Section 18. If a
DHCP client fails to receive an expected response from a server, the
client must retransmit its message according to the retransmission
strategy described in this section.
https://tools.ietf.org/html/rfc8415#section-15
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 16.1: Use of Transaction IDs
The "transaction-id" field holds a value used by clients and servers
to synchronize server responses to client messages. A client SHOULD
generate a random number that cannot easily be guessed or predicted
to use as the transaction ID for each new message it sends. Note
that if a client generates easily predictable transaction
identifiers, it may become more vulnerable to certain kinds of
attacks from off-path intruders. A client MUST leave the transaction
ID unchanged in retransmissions of a message.
https://tools.ietf.org/html/rfc8415#section-16.1
| Test |
Name |
Synopsis |
Verify DHCPv6 Solicit retransmission times for IA_NA address bindings |
dhcpv6_52 |
Verify DHCPv6 Solicit retransmission times for IA_NA address bindings |
step 1. Reboot the client and wait for it to send a DHCPv6 Solicit
step 2. Do not respond to Solicit messages from client
step 3. Verify that the client retransmits the Solicit message following the
retransmission algorithm
Note: This test takes over 2 hours to run.
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15: Reliability of Client Initiated Message Exchanges
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in Section 18. If a
DHCP client fails to receive an expected response from a server, the
client must retransmit its message according to the retransmission
strategy described in this section.
https://tools.ietf.org/html/rfc8415#section-15
| Test |
Name |
Synopsis |
Verify DHCPv6 Request retransmission times for IA_NA address bindings |
dhcpv6_53 |
Verify DHCPv6 Request retransmission times for IA_NA address bindings |
step 1. Wait for DHCPv6 client's current non-temporary address binding to
expire
step 2. Do not respond to Request messages from client
step 3. Verify that the client retransmits the Request message following the
retransmission algorithm
step 4. Verify that the client does not retransmit Request messages after
MRC (Maximum Retransmission Count) has been reached.
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15: Reliability of Client Initiated Message Exchanges
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in Section 18. If a
DHCP client fails to receive an expected response from a server, the
client must retransmit its message according to the retransmission
strategy described in this section.
https://tools.ietf.org/html/rfc8415#section-15
| Test |
Name |
Synopsis |
Verify DHCPv6 Renew retransmission times for IA_NA address bindings |
dhcpv6_54 |
Verify DHCPv6 Renew retransmission times for IA_NA address bindings |
step 1. Wait for DHCPv6 client to renew its current non-temporary address
binding
step 2. Reply to the DHCPv6 Renew message with updated IA_NA lifetimes. If
IA_PD is enabled, the lifetimes match the IA_NA lifetimes
step 3. Do not respond to subsequent Renew messages from client
step 4. Verify that the client retransmits the DHCPv6 Renew message
following the retransmission algorithm
step 5. Verify that the client does not retransmit Renew messages after
Max Retransmission Duration (MRD) has been reached
Note: This test takes over 1 hour to run.
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15: Reliability of Client Initiated Message Exchanges
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in Section 18. If a
DHCP client fails to receive an expected response from a server, the
client must retransmit its message according to the retransmission
strategy described in this section.
https://tools.ietf.org/html/rfc8415#section-15
| Test |
Name |
Synopsis |
Verify DHCPv6 Rebind retransmission times for IA_NA address bindings |
dhcpv6_55 |
Verify DHCPv6 Rebind retransmission times for IA_NA address bindings |
step 1. Wait for DHCPv6 client to renew its current non-temporary address
binding
step 2. Reply to the DHCPv6 Renew message with updated IA_NA lifetimes. If
IA_PD is enabled, the lifetimes match the IA_NA lifetimes
step 3. Do not respond to subsequent Renew or Rebind messages from client
step 4. Verify that the client retransmits Rebind messages following the
retransmission algorithm
step 5. Verify that the client does not retransmit Rebind messages after
Max Retransmission Duration (MRD) has been reached
Note: This test takes over 2 hours to run.
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15: Reliability of Client Initiated Message Exchanges
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in Section 18. If a
DHCP client fails to receive an expected response from a server, the
client must retransmit its message according to the retransmission
strategy described in this section.
https://tools.ietf.org/html/rfc8415#section-15
| Test |
Name |
Synopsis |
Verify client learns new non-temporary address when WAN DHCPv6 server renumbers |
dhcpv6_60 |
Verify client learns new non-temporary address when WAN DHCPv6 server renumbers |
step 1. Change the client's DHCPv6 binding to use the new
non-temporary IPv6 address address specified by the testvar
"ipv6WanIspNextIp"
step 2. Verify DHCPv6 client sends DHCPv6 Renew or Request
step 3. Verify Renew or Request contains IA_NA option (3) for same
non-temporary address
step 4. Send valid DHCPv6 Reply with new non-temporary address
step 5. Verify client updates with new non-temporary address
step 6. Ping client's new non-temporary address
step 7. Restore client's original non-temporary address by repeating
Steps 1 through 5 using original non-temporary address
step 8. Ping client's original non-temporary address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1.8: Receipt of Reply Messages
If the Reply was received in response to a Solicit (with a Rapid
Commit option), Request, Renew or Rebind message, the client updates
the information it has recorded about IAs from the IA options
contained in the Reply message:
- Record T1 and T2 times.
- Add any new addresses in the IA option to the IA as recorded by
the client.
- Update lifetimes for any addresses in the IA option that the
client already has recorded in the IA.
- Discard any addresses from the IA, as recorded by the client, that
have a valid lifetime of 0 in the IA Address option.
- Leave unchanged any information about addresses the client has
recorded in the IA but that were not included in the IA from the
server.
https://tools.ietf.org/html/rfc3315#section-18.1.8
| Test |
Name |
Synopsis |
Verify client obtains IPv6 address when server uses unknown DHCPv6 options |
dhcpv6_100 |
Verify client obtains IPv6 address when server uses unknown DHCPv6 options |
step 1. Configure DHCPv6 server to use unknown DHCPv6 option type
step 2. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 3. Do not respond to Renew or Rebind messages from client
step 4. Verify client sends Solicit message
step 5. Respond to first Solicit message with Advertise containing
unknown DHCPv6 option type
step 6. Verify client sends valid Request in response to Advertise
step 7. Disable unknown DHCPv6 server option
step 8. If client fails Step 6, cleanup and wait for client to
retransmit Solicit message
step 9. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1: Client Behavior
https://tools.ietf.org/html/rfc3315#section-18.1
| Test |
Name |
Synopsis |
Verify client ignores DHCPv6 messages with unknown options and invalid option length |
dhcpv6_101 |
Verify client ignores DHCPv6 messages with unknown options and invalid option length |
step 1. Configure DHCPv6 server to use unknown DHCPv6 option type
with invalid length
step 2. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 3. Do not respond to Renew or Rebind messages from client
step 4. Verify client sends Solicit message
step 5. Respond to first Solicit message with Advertise containing
unknown DHCPv6 option type
step 6. Verify client does not send valid Request in response to
Advertise
step 7. Disable unknown DHCPv6 server option
step 8. Wait for client to retransmit Solicit message
step 9. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify client includes the Elapsed Time option with value 0 in first message |
dhcpv6_102 |
Verify client includes the Elapsed Time option with value 0 in first message |
step 1. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 2. Do not respond to Renew or Rebind messages from client
step 3. Verify client sends Solicit message
step 4. Verify Solicit contains IA_NA option (3)
step 5. Verify Solicit contains Elapsed Time option (8) with value of 0
step 6. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 22.9: Elapsed Time Option
A client MUST include an Elapsed Time option in messages to indicate
how long the client has been trying to complete a DHCP message
exchange. The elapsed time is measured from the time at which the
client sent the first message in the message exchange, and the
elapsed-time field is set to 0 in the first message in the message
exchange.
https://tools.ietf.org/html/rfc3315#section-22.9
| Test |
Name |
Synopsis |
Verify client increases value of Elapsed Time option when Solicit is retransmitted |
dhcpv6_103 |
Verify client increases value of Elapsed Time option when Solicit is retransmitted |
step 1. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 2. Do not respond to Renew or Rebind messages from client
step 3. Verify client sends Solicit message
step 4. Verify Solicit contains IA_NA option (3)
step 5. Verify Solicit contains Elapsed Time option (8) with value of 0
step 6. Do not respond to Solicit
step 7. Verify client retransmists Solicit message
step 8. Verify retransmitted Solicit message contains Elapsed Time option
(8) with a value greater than 0
step 9. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 22.9: Elapsed Time Option
A client MUST include an Elapsed Time option in messages to indicate
how long the client has been trying to complete a DHCP message
exchange. The elapsed time is measured from the time at which the
client sent the first message in the message exchange, and the
elapsed-time field is set to 0 in the first message in the message
exchange.
https://tools.ietf.org/html/rfc3315#section-22.9
| Test |
Name |
Synopsis |
Verify client handles Server Unicast Option |
dhcpv6_130 |
Verify client handles Server Unicast Option |
step 1. Configure DHCPv6 server to use Server Unicast Option (12)
step 2. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 3. Do not respond to Renew or Rebind messages from client
step 4. Verify client sends Solicit message
step 5. Respond to first Solicit message with Advertise containing
Server Unicast Option (12)
step 6. Verify client sends valid Renew message
step 7. Verify Renew message in Step 6 is sent to the address in
the Server Unicast Option (12)
step 8. Disable Server Unicast option (12) created in Step 1
step 9. If client fails Step 6, cleanup and wait for client to
retransmit Solicit message
step 10. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 22.12: Server Unicast Option
https://tools.ietf.org/html/rfc3315#section-22.12
| Test |
Name |
Synopsis |
Verify client handles SOL_MAX_RT Option |
dhcpv6_140 |
Verify client handles SOL_MAX_RT Option |
step 1. Configure DHCPv6 server to use Max Solicit Timeout Option (82)
step 2. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 3. Do not respond to Renew, Rebind or Solicit messages from
client
step 4. Verify client sends Solicit message
step 5. Verify client uses the value of the Max
Solicit Timeout option returned by the DHCPv6 server to
limit the maximum delay for retransmissions of its
Solicit message
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 14: Reliability of Client Initiated Message Exchanges
https://tools.ietf.org/html/rfc3315#section-14
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 17.1.2: Transmission of Solicit Message
https://tools.ietf.org/html/rfc3315#section-17.1.2
IETF RFC 7083 "DHCPv6 SOL_MAX_RT Option" Section 6: Updates for SOL_MAX_RT and INF_MAX_RT Options to RFC 3315
https://tools.ietf.org/html/rfc7083#section-6
| Test |
Name |
Synopsis |
Verify DHCPv6 client includes vendor defined options |
dhcpv6_150 |
Verify DHCPv6 client includes vendor defined options |
step 1. Wait for DHCPv6 client to renew address
step 2. Search DHCPv6 Renew message from client for expected options
The testvars wanDhcpv6ClientOptionCode and wanDhcpv6ClientOptionData can be
used to configure a list of DHCP options that the client should include in
requests sent to the DHCP server.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify client supports DHCPv6 Rapid Commit option |
dhcpv6_160 |
Verify client supports DHCPv6 Rapid Commit option |
step 1. Wait for DHCPv6 client's current non-temporary address binding
to expire
step 2. Do not respond to Renew or Rebind messages from client
step 3. Verify client sends Solicit message
step 4. Verify Solicit contains the 'Rapid Commit' option
step 5. Send valid Reply message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 22.14: Rapid Commit Option
A client MAY include this option in a Solicit message if the client
is prepared to perform the Solicit-Reply message exchange described
in section 17.1.1.
A server MUST include this option in a Reply message sent in response
to a Solicit message when completing the Solicit-Reply message
exchange.
https://tools.ietf.org/html/rfc3315#section-22.14
dhcpv6-pd.tcl
DHCPv6 prefix delegation tests for WAN to LAN IPv6 configuration
| Test |
Name |
Synopsis |
Verify client requests the assignment of an IPv6 prefix |
dhcpv6_pd_1 |
Verify client requests the assignment of an IPv6 prefix |
step 1. Check existing DHCPv6 bindings on the WAN side of the CPE
step 2. Verify whether or not prefix binding exists
step 3. Verify Valid and Preferred lifetimes for binding
step 4. Verify that the binding has not expired
References:
IETF RFC 3633 "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6" Section 12.1: Requesting router behavior
The requesting router uses a Request message to populate IA_PDs with
prefixes. The requesting router includes one or more IA_PD options
in the Request message. The delegating router then returns the
prefixes for the IA_PDs to the requesting router in IA_PD options in
a Reply message.
https://tools.ietf.org/html/rfc3633#section-12.1
| Test |
Name |
Synopsis |
Verify client renews prefix when current binding expires |
dhcpv6_pd_2 |
Verify client renews prefix when current binding expires |
step 1. Wait for DHCPv6 client's current prefix binding
T1 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Verify Renew contains Server Identifier option (2) with correct
server DUID
step 4. Verify Renew contains IA_NA option (3) for same address
prefix
step 5. Send valid Reply to update binding
References:
IETF RFC 3633 "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6" Section 7: Overview of DHCP with Prefix Delegation
Before the valid lifetime on each delegated prefix expires, the
requesting router includes the prefix in an IA_PD option sent in a
Renew message to the delegating router. The delegating router
responds by returning the prefix with updated lifetimes to the
requesting router.
https://tools.ietf.org/html/rfc3633#section-7
| Test |
Name |
Synopsis |
Verify client sends router advertisements on LAN with delegated prefix |
dhcpv6_pd_10 |
Verify client sends router advertisements on LAN with delegated prefix |
step 1. Listen for IPv6 router advertisements from DUT on LAN
step 2. Verify that router advertisement contains Prefix Information
option (3) with valid prefix based on prefix assigned
by DHCPv6 server on WAN
References:
IETF RFC 3633 "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6" Section 12.1: Requesting router behavior
Upon the receipt of a valid Reply message, for each IA_PD the
requesting router assigns a subnet from each of the delegated
prefixes to each of the links to which the associated interfaces are
attached, with the following exception: the requesting router MUST
NOT assign any delegated prefixes or subnets from the delegated
prefix(es) to the link through which it received the DHCP message
from the delegating router.
https://tools.ietf.org/html/rfc3633#section-12.1
IETF RFC 7084 "IPv6 CE Router Requirements" Section 4.3: LAN-Side Configuration
L-2: The IPv6 CE router MUST assign a separate /64 from its
delegated prefix(es) (and ULA prefix if configured to provide
ULA addressing) for each of its LAN interfaces.
https://tools.ietf.org/html/rfc7084#section-4.3
| Test |
Name |
Synopsis |
Verify client sends router advertisements on LAN with prefix lifetimes based on IA_PD lifetimes |
dhcpv6_pd_11 |
Verify client sends router advertisements on LAN with prefix lifetimes based on IA_PD lifetimes |
step 1. Listen for IPv6 router advertisements from DUT on LAN
step 2. Verify that router advertisement contains Prefix Information
option (3) with valid prefix based on prefix assigned
by DHCPv6 server on WAN
step 3. Verify Prefix Information option (3) contains a Valid lifetime
not greater than the valid lifetime provided by the DHCPv6
server in the IA_PD Prefix option
step 4. Verify Prefix Information option (3) contains a Preferred
lifetime not greater than the preferred lifetime provided by
the DHCPv6 server in the IA_PD Prefix option
References:
IETF RFC 3633 "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6" Section 12.1: Requesting router behavior
If the requesting router assigns a delegated prefix to a link to
which the router is attached, and begins to send router
advertisements for the prefix on the link, the requesting router MUST
set the valid lifetime in those advertisements to be no later than
the valid lifetime specified in the IA_PD Prefix option. A
requesting router MAY use the preferred lifetime specified in the
IA_PD Prefix option.
https://tools.ietf.org/html/rfc3633#section-12.1
| Test |
Name |
Synopsis |
Verify LAN side DHCPv6 client address is based on WAN side delegated prefix |
dhcpv6_pd_12 |
Verify LAN side DHCPv6 client address is based on WAN side delegated prefix |
step 1. Check existing DHCPv6 bindings on the LAN side of the CPE
step 2. Verify whether or not a non-temporary address binding exists
step 3. Verify that the non-temporary address prefix on the LAN
matches the prefix delegated on the WAN
NOTE: This test only applies to configurations where LAN clients
obtain IPv6 addresses via DHCPv6
| Test |
Name |
Synopsis |
Verify LAN side DHCPv6 client lifetime is based on WAN side IA_PD prefix lifetimes |
dhcpv6_pd_13 |
Verify LAN side DHCPv6 client lifetime is based on WAN side IA_PD prefix lifetimes |
step 1. Listen for IPv6 router advertisements from DUT on LAN
step 2. Verify that router advertisement contains Prefix Information
option (3) with valid prefix based on prefix assigned
by DHCPv6 server on WAN
step 3. Verify Prefix Information option (3) contains a Valid lifetime
not greater than the valid lifetime provided by the DHCPv6
server in the IA_PD Prefix option
step 4. Verify Prefix Information option (3) contains a Preferred
lifetime not greater than the preferred lifetime provided by
the DHCPv6 server in the IA_PD Prefix option
| Test |
Name |
Synopsis |
Verify client router advertisements on LAN include expected subnet ID |
dhcpv6_pd_14 |
Verify client router advertisements on LAN include expected subnet ID |
step 1. Listen for IPv6 RA from DUT
step 2. Verify RA contains prefix based on public IPv4 WAN
step 3. Verify advertised prefix includes the expected subnet ID
Note: The expected subnet ID bits can be configured using the testvar
ipv6LanSubnetId. The ipv6LanSubnetId testvar is a variable length string
of hex characters. Examples:
testvar ipv6LanSubnetId ffff
testvar ipv6LanSubnetId 1
| Test |
Name |
Synopsis |
Verify DUT does not advertise itself as a default router when WAN link is down |
dhcpv6_pd_15 |
Verify DUT does not advertise itself as a default router when WAN link is down |
step 1. Bring down WAN link. For PPPoE WAN modes actively terminate the WAN
link with a PPP LCP Terminate message. For DHCPv6 WAN modes or WAN
modes where DHCPv6 prefix delegation is enabled, disable the DHCPv6
server and wait for the current IA_NA and/or IA_PD bindings to
expire
step 2. Listen for RAs from the DUT on the LAN for up to the [WAN RA
lifetime + 1 LAN RA interval] or the [LAN RA interval + 1 LAN RA
interval] (whichever is greater)
step 3. Verify that the DUT eventually stops advertising itself as a default
router by setting the Router Lifetime in LAN RAs to a value of 0
step 4. Restore all services on the WAN and wait for the WAN link to be
re-established by the DUT
step 5. Verify that the DUT starts advertising itself as a default router by
setting the Router Lifetime in LAN RAs to a value greater than 0
step 7. Wait for the duration of the dhcpv6PDLatency testvar and perform a
connectivity check to ensure that the WAN link is operational
References:
IETF RFC 7084 "IPv6 CE Router Requirements" Section 4.1: General Requirements
G-4: By default, an IPv6 CE router that has no default
router(s) on its WAN interface MUST NOT advertise
itself as an IPv6 default router on its LAN interfaces.
That is, the "Router Lifetime" is set to zero in all
Router Advertisement messages it originates [RFC4861].
https://tools.ietf.org/html/rfc7084#section-4.1
IETF RFC 7084 "IPv6 CE Router Requirements" Section 4.1: General Requirements
G-5: By default, if the IPv6 CE router is an advertising router and
loses its IPv6 default router(s) and/or detects loss of
connectivity on the WAN interface, it MUST explicitly
invalidate itself as an IPv6 default router on each of its
advertising interfaces by immediately transmitting one or more
Router Advertisement messages with the "Router Lifetime" field
set to zero [RFC4861].
https://tools.ietf.org/html/rfc7084#section-4.1
| Test |
Name |
Synopsis |
Verify client restarts when NoBinding failure occurs during IA_PD Renew |
dhcpv6_pd_20 |
Verify client restarts when NoBinding failure occurs during IA_PD Renew |
step 1. Wait for DHCPv6 client's current prefix binding
T1 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Verify Renew contains IA_PD option (26) for same address
prefix
step 4. Send valid DHCPv6 Reply with NoBinding status code (3)
step 5. Verify DHCPv6 client sends Request message
step 6. Verify Request contains IA_PD option (26) for same address
prefix
References:
IETF RFC 3633 "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6" Section 12.1: Requesting router behavior
https://tools.ietf.org/html/rfc3633#section-12.1
| Test |
Name |
Synopsis |
Verify client restarts when UnspecFail failure occurs during IA_PD Renew |
dhcpv6_pd_21 |
Verify client restarts when UnspecFail failure occurs during IA_PD Renew |
step 1. Wait for DHCPv6 client's current prefix binding
T1 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Verify Renew contains IA_PD option (26) for same address
prefix
step 4. Send valid DHCPv6 Reply with UnspecFail status code (1)
step 5. Verify DHCPv6 client recovers by retransmitting Renew or
sending Request
step 6. Verify Renew or Request contains IA_PD option (26) for same
prefix
References:
IETF RFC 3633 "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6" Section 12.1: Requesting router behavior
https://tools.ietf.org/html/rfc3633#section-12.1
| Test |
Name |
Synopsis |
Verify client restarts DHCPv6 when Reply to Request contains IA lifetimes set to 0 |
dhcpv6_pd_22 |
Verify client restarts DHCPv6 when Reply to Request contains IA lifetimes set to 0 |
step 1. Allow the DHCPv6 client to restart DHCPv6 by waiting for the IA_PD
lifetime to expire without replying to any DHCPv6 messages
step 2. Send a valid Advertise message in response to the DHCPv6 client's
Solicit message
step 3. Verify the DHCPv6 client sends a Request message
step 4. Send a valid Reply message with all IA lifetimes set to 0
step 5. Verify the DHCPv6 client sends a DHCPv6 Solicit message
step 6. Verify the DHCPv6 client and server complete the DHCPv6 2 or 4 message
exchange
step 7. Verify the DHCPv6 client recovered by waiting for the client to transmit
a Renew at T1
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.10.1: Reply for Solicit (with Rapid Commit), Request, Renew, or Rebind
If the Reply message contains any IAs but the client finds no usable
addresses and/or delegated prefixes in any of these IAs, the client
may either try another server (perhaps restarting the DHCP server
discovery process) or use the Information-request message to obtain
other configuration information only.
https://tools.ietf.org/html/rfc8415#section-18.2.10.1
| Test |
Name |
Synopsis |
Verify client restarts DHCPv6 when Reply to Renew contains IA lifetimes set to 0 |
dhcpv6_pd_23 |
Verify client restarts DHCPv6 when Reply to Renew contains IA lifetimes set to 0 |
step 1. Wait for DHCPv6 client's current IA_PD binding T1 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Send a valid Reply message with all IA lifetimes set to 0
step 4. Verify the DHCPv6 client sends a DHCPv6 Solicit message
step 5. Verify the DHCPv6 client and server complete the DHCPv6 2 or 4 message
exchange
step 6. Verify the DHCPv6 client recovered by waiting for the client to transmit
a Renew at T1
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.10.1: Reply for Solicit (with Rapid Commit), Request, Renew, or Rebind
If the Reply message contains any IAs but the client finds no usable
addresses and/or delegated prefixes in any of these IAs, the client
may either try another server (perhaps restarting the DHCP server
discovery process) or use the Information-request message to obtain
other configuration information only.
https://tools.ietf.org/html/rfc8415#section-18.2.10.1
| Test |
Name |
Synopsis |
Verify client restarts DHCPv6 when Reply to Rebind contains IA lifetimes set to 0 |
dhcpv6_pd_24 |
Verify client restarts DHCPv6 when Reply to Rebind contains IA lifetimes set to 0 |
step 1. Wait for DHCPv6 client's current IA_PD binding T2 timer to expire
step 2. Verify DHCPv6 client sends DHCPv6 Rebind
step 3. Send a valid Reply message with all IA lifetimes set to 0
step 4. Verify the DHCPv6 client sends a DHCPv6 Solicit message
step 5. Verify the DHCPv6 client and server complete the DHCPv6 2 or 4 message
exchange
step 6. Verify the DHCPv6 client recovered by waiting for the client to transmit
a Renew at T1
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.10.1: Reply for Solicit (with Rapid Commit), Request, Renew, or Rebind
If the Reply message contains any IAs but the client finds no usable
addresses and/or delegated prefixes in any of these IAs, the client
may either try another server (perhaps restarting the DHCP server
discovery process) or use the Information-request message to obtain
other configuration information only.
https://tools.ietf.org/html/rfc8415#section-18.2.10.1
| Test |
Name |
Synopsis |
Verify client sends Rebind message if Renew for prefix fails |
dhcpv6_pd_30 |
Verify client sends Rebind message if Renew for prefix fails |
step 1. Wait for DHCPv6 client's current prefix binding
T1 to expire
step 2. Verify DHCPv6 client sends DHCPv6 Renew
step 3. Do not respond to Renew message
step 4. Verify DHCPv6 client sends Rebind message
step 5. Verify Rebind contains IA_PD option (26) for same address
prefix
step 6. Send valid Reply to update binding
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1.4: Creation and Transmission of Rebind Messages
At time T2 for an IA (which will only be reached if the server to
which the Renew message was sent at time T1 has not responded), the
client initiates a Rebind/Reply message exchange with any available
server. The client includes an IA option with all addresses
currently assigned to the IA in its Rebind message.
https://tools.ietf.org/html/rfc3315#section-18.1.4
| Test |
Name |
Synopsis |
Verify client sends Solicit message if Renew and Rebind for prefix fails |
dhcpv6_pd_31 |
Verify client sends Solicit message if Renew and Rebind for prefix fails |
step 1. Wait for DHCPv6 client's current prefix binding
to expire
step 2. Do not respond to Renew or Rebind messages from client
step 3. Verify client sends Solicit message
step 4. Verify Solicit contains IA_PD option (26)
step 5. Send valid Advertise message and wait for transaction to
finish
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.1.4: Creation and Transmission of Rebind Messages
The message exchange is terminated when the valid lifetimes of all
the addresses assigned to the IA expire (see section 10), at which
time the client has several alternative actions to choose from; for
example:
- The client may choose to use a Solicit message to locate a new
DHCP server and send a Request for the expired IA to the new
server.
- The client may have other addresses in other IAs, so the client
may choose to discard the expired IA and use the addresses in the
other IAs.
https://tools.ietf.org/html/rfc3315#section-18.1.4
| Test |
Name |
Synopsis |
Verify DHCPv6 Solicit retransmission times for IA_PD prefix bindings |
dhcpv6_pd_52 |
Verify DHCPv6 Solicit retransmission times for IA_PD prefix bindings |
step 1. Wait for DHCPv6 client's current prefix binding to
expire
step 2. Do not respond to Solicit messages from client
step 3. Verify that the client retransmits the Solicit message following the
retransmission algorithm
Note: This test takes over 2 hours to run.
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15: Reliability of Client Initiated Message Exchanges
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in Section 18. If a
DHCP client fails to receive an expected response from a server, the
client must retransmit its message according to the retransmission
strategy described in this section.
https://tools.ietf.org/html/rfc8415#section-15
| Test |
Name |
Synopsis |
Verify DHCPv6 Request retransmission times for IA_PD prefix bindings |
dhcpv6_pd_53 |
Verify DHCPv6 Request retransmission times for IA_PD prefix bindings |
step 1. Wait for DHCPv6 client's current prefix binding to
expire
step 2. Do not respond to Request messages from client
step 3. Verify that the client retransmits the Request message following the
retransmission algorithm
step 4. Verify that the client does not retransmit Request messages after
MRC (Maximum Retransmission Count) has been reached.
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15: Reliability of Client Initiated Message Exchanges
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in Section 18. If a
DHCP client fails to receive an expected response from a server, the
client must retransmit its message according to the retransmission
strategy described in this section.
https://tools.ietf.org/html/rfc8415#section-15
| Test |
Name |
Synopsis |
Verify DHCPv6 Renew retransmission times for IA_PD prefix bindings |
dhcpv6_pd_54 |
Verify DHCPv6 Renew retransmission times for IA_PD prefix bindings |
step 1. Wait for DHCPv6 client to renew its current prefix binding
step 2. Reply to the DHCPv6 Renew message with updated IA_PD lifetimes. If
IA_NA is enabled, the lifetimes match the IA_PD lifetimes
step 3. Do not respond to subsequent Renew messages from client
step 4. Verify that the client retransmits the DHCPv6 Renew message
following the retransmission algorithm
step 5. Verify that the client does not retransmit Renew messages after
Max Retransmission Duration (MRD) has been reached
Note: This test takes over 1 hour to run.
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15: Reliability of Client Initiated Message Exchanges
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in Section 18. If a
DHCP client fails to receive an expected response from a server, the
client must retransmit its message according to the retransmission
strategy described in this section.
https://tools.ietf.org/html/rfc8415#section-15
| Test |
Name |
Synopsis |
Verify DHCPv6 Rebind retransmission times for IA_PD prefix bindings |
dhcpv6_pd_55 |
Verify DHCPv6 Rebind retransmission times for IA_PD prefix bindings |
step 1. Wait for DHCPv6 client to renew its current prefix binding
step 2. Reply to the DHCPv6 Renew message with updated IA_PD lifetimes. If
IA_NA is enabled, the lifetimes match the IA_PD lifetimes
step 3. Do not respond to subsequent Renew or Rebind messages from client
step 4. Verify that the client retransmits Rebind messages following the
retransmission algorithm
step 5. Verify that the client does not retransmit Rebind messages after
Max Retransmission Duration (MRD) has been reached
Note: This test takes over 2 hours to run.
References:
IETF RFC 8415 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15: Reliability of Client Initiated Message Exchanges
DHCP clients are responsible for reliable delivery of messages in the
client-initiated message exchanges described in Section 18. If a
DHCP client fails to receive an expected response from a server, the
client must retransmit its message according to the retransmission
strategy described in this section.
https://tools.ietf.org/html/rfc8415#section-15
| Test |
Name |
Synopsis |
Verify client learns new IPv6 prefix when WAN DHCPv6 server renumbers |
dhcpv6_pd_60 |
Verify client learns new IPv6 prefix when WAN DHCPv6 server renumbers |
step 1. Change the client's DHCPv6 binding to use the new IPv6
prefix specified by the testvar "dhcpv6WanAssignNextPrefix"
step 2. Verify DHCPv6 client sends DHCPv6 Renew or Request
step 3. Verify Renew or Request contains IA_PD option (26) for
same prefix
step 4. Send valid DHCPv6 Reply with new prefix
step 5. Verify client updates router advertisements on LAN with new
prefix information
step 6. Send pings from LAN client to an IPv6 remote host on the
WAN to verify connectivity with new prefix
step 7. Restore client's original prefix by repeating Steps 1
through 5 using original IPv6 prefix
step 8. Send pings from LAN client to an IPv6 remote host on the
WAN to verify connectivity with original prefix
References:
IETF RFC 3633 "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6" Section 12.1: Requesting router behavior
Upon the receipt of a valid Reply message, for each IA_PD the
requesting router assigns a subnet from each of the delegated
prefixes to each of the links to which the associated interfaces are
attached, with the following exception: the requesting router MUST
NOT assign any delegated prefixes or subnets from the delegated
prefix(es) to the link through which it received the DHCP message
from the delegating router.
https://tools.ietf.org/html/rfc3633#section-12.1
| Test |
Name |
Synopsis |
Verify LAN side DHCPv6 server switches to new IPv6 prefix when WAN DHCPv6 server renumbers |
dhcpv6_pd_61 |
Verify LAN side DHCPv6 server switches to new IPv6 prefix when WAN DHCPv6 server renumbers |
step 1. Change the client's DHCPv6 binding to use the new IPv6
prefix specified by the testvar "dhcpv6WanAssignNextPrefix"
step 2. Verify DHCPv6 client sends DHCPv6 Renew or Request
step 3. Verify Renew or Request contains IA_PD option (26) for
same prefix
step 4. Send valid DHCPv6 Reply with new prefix
step 5. Verify DHCPv6 client updates router advertisements on LAN with new
prefix information
step 6. Verify DHCPv6 client updates DHCPv6 server on the LAN with new
prefix
step 7. Send pings from LAN DHCPv6 client to an IPv6 remote host
on the WAN to verify connectivity with new prefix
step 8. Restore client's original prefix by repeating Steps 1
through 6 using original IPv6 prefix
step 9. Send pings from LAN DHCPv6 client to an IPv6 remote host
on the WAN to verify connectivity with original prefix
NOTE: This test only applies to configurations where LAN clients
obtain IPv6 addresses via DHCPv6
References:
IETF RFC 3633 "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6" Section 12.1: Requesting router behavior
Upon the receipt of a valid Reply message, for each IA_PD the
requesting router assigns a subnet from each of the delegated
prefixes to each of the links to which the associated interfaces are
attached, with the following exception: the requesting router MUST
NOT assign any delegated prefixes or subnets from the delegated
prefix(es) to the link through which it received the DHCP message
from the delegating router.
https://tools.ietf.org/html/rfc3633#section-12.1
| Test |
Name |
Synopsis |
Verify DUT ages out prefix on LAN when WAN DHCPv6 server renumbers |
dhcpv6_pd_62 |
Verify DUT ages out prefix on LAN when WAN DHCPv6 server renumbers |
step 1. Change the DUT's WAN DHCPv6 client binding to use the new
IPv6 prefix specified by the testvar "dhcpv6WanAssignNextPrefix"
step 2. Listen for router advertisements on the LAN for
"dhcpv6IAValidLifetime" seconds and verify the following:
a. That the original prefix is consistently aged out according to
requirement L-13 of RFC 7084
b. That the valid lifetime of the aged out prefix decreases over
time (if not equal to 0)
c. That the new prefix is consistently advertised
step 3. Restart the LAN IPv6 client and verify that it obtains an
address within the new prefix
step 4. Send pings from the LAN client to an IPv6 remote host
on the WAN to verify connectivity with the new address
step 5. Repeat steps 1 through 4 with the original address and prefix
specified by the testvars "dhcpv6WanAssignIp" and
"dhcpv6WanAssignPrefix"
References:
IETF RFC 7084 "IPv6 CE Router Requirements" Section 4.3: LAN-Side Requirements
L-13: If the delegated prefix changes, i.e., the current prefix is
replaced with a new prefix without any overlapping time
period, then the IPv6 CE router MUST immediately advertise the
old prefix with a Preferred Lifetime of zero and a Valid
Lifetime of either a) zero or b) the lower of the current
Valid Lifetime and two hours (which must be decremented in
real time) in a Router Advertisement message as described in
Section 5.5.3, (e) of [RFC4862].
https://tools.ietf.org/html/rfc7084#section-4.3
| Test |
Name |
Synopsis |
Verify DUT performs Duplicate Address Detection on global LAN address |
dhcpv6_pd_63 |
Verify DUT performs Duplicate Address Detection on global LAN address |
step 1. Change the DUT's WAN DHCPv6 client binding to use the new
IPv6 prefix specified by the testvar
dhcpv6WanAssignNextPrefix
step 2. Verify DHCPv6 client sends DHCPv6 Renew or Request
step 3. Wait up to dhcpv6PDLatency + 10 seconds for a DAD-style
Neighbor Solicitation from the DUT on the LAN
step 4. Verify the following about the received Neighbor
Soliciation
a. That the target address of the Neighbor Solicitation is
the DUT's global IPv6 LAN address in the
dhcpv6WanAssignNextPrefix prefix
b. That the IPv6 source address is the unspecified address
c. That the IPv6 destination address is the solicited-node
multicast address of the DUT's global IPv6 LAN address
in the dhcpv6WanAssignNextPrefix prefix
step 5. Respond to the DUT's DAD-style Neighbor Solicitation by
sending an unsolicited Neighbor Advertisement to the
all-nodes multicast address ff02::1 on the LAN-WAN
step 6. Wait for 2 seconds
step 7. Send an ICMPv6 Echo Request message to the DUT's global
IPv6 LAN address in the dhcpv6WanAssignNextPrefix prefix
step 8. Verify that the DUT does not send an ICMPv6 Echo Response
message
step 9. Change the DUT's WAN DHCPv6 client binding to use the old
IPv6 prefix specified by the testvar dhcpv6WanAssignPrefix
step 10. Verify DHCPv6 client sends DHCPv6 Renew or Request
step 11. Send pings from the LAN client to to the DUT's global IPv6
LAN address in the dhcpv6WanAssignPrefix prefix to
verify connectivity with the new address
References:
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration" Section 5.4: Duplicate Address Detection
https://tools.ietf.org/html/rfc4862#section-5.4
| Test |
Name |
Synopsis |
Verify client attempts to learn non-temporary address and prefix in a single DHCPv6 session |
dhcpv6_pd_100 |
Verify client attempts to learn non-temporary address and prefix in a single DHCPv6 session |
step 1. Wait for DHCPv6 client's current prefix binding to expire
step 2. Do not respond to Renew or Rebind messages from client
step 3. Verify client sends Solicit message
step 4. Verify Solicit contains both IA_NA option (3) and
IA_PD option (26)
step 5. Send valid Advertise message and wait for transaction to
finish
NOTE: IETF RFC 7084, which updates IETF RFC 6204, removed the
above requirement.
References:
IETF RFC 6204 "Basic Requirements for IPv6 Customer Edge Routers" Section 4.2: WAN-Side Configuration
W-5: DHCPv6 address assignment (IA_NA) and DHCPv6 prefix delegation
(IA_PD) SHOULD be done as a single DHCPv6 session.
https://tools.ietf.org/html/rfc6204#section-4.2
| Test |
Name |
Synopsis |
Verify packets to unreachable subnets in the delegated prefix are dropped |
dhcpv6_pd_110 |
Verify packets to unreachable subnets in the delegated prefix are dropped |
step 1. Build a destination IPv6 address by setting all subnet bits
step 2. This test assumes that this address is not configured on an
interface
step 3. Send a UDP echo to this destination from the LAN client
step 4. Verify the packet is not forwarded to the WAN
Reference: IETF RFC 7084 - Basic Requirements for IPv6 Customer Edge Routers, Requirement WPD-5:
NOTE: This test is only applicable if the delegated prefix length
is less than 64.
References:
IETF RFC 7084 "IPv6 CE Router Requirements" Section 4.2: WAN-Side Configuration
WPD-5: Any packet received by the CE router with a destination
address in the prefix(es) delegated to the CE router but not
in the set of prefixes assigned by the CE router to the LAN
must be dropped. In other words, the next hop for the
prefix(es) delegated to the CE router should be the null
destination. This is necessary to prevent forwarding loops
when some addresses covered by the aggregate are not
reachable [RFC4632].
(a) The IPv6 CE router SHOULD send an ICMPv6 Destination
Unreachable message in accordance with Section 3.1 of
[RFC4443] back to the source of the packet, if the
packet is to be dropped due to this rule.
https://tools.ietf.org/html/rfc7084#section-4.2
| Test |
Name |
Synopsis |
Verify LAN side DHCPv6 client address includes SLA ID |
dhcpv6_pd_120 |
Verify LAN side DHCPv6 client address includes SLA ID |
step 1. Check existing DHCPv6 bindings on the LAN side of the CPE
step 2. Verify whether or not a non-temporary address binding exists
step 3. Verify that the non-temporary address on the LAN includes
the expected SLA ID
RFC 3056 defines a 16 bit "SLA ID" field for subnetting. Most
DUT's allow the SLA ID to be arbitrarily configured. This test
verifies that the DUT uses the expected SLA ID. The expected SLA
can be configured using the testvar "ipv6LanSubnetId" which must
be a hex string with four or less characters. Examples:
testvar ipv6LanSubnetId ffff
testvar ipv6LanSubnetId 1
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
| Test |
Name |
Synopsis |
Verify Route Information option is advertised for delegated prefix |
dhcpv6_pd_130 |
Verify Route Information option is advertised for delegated prefix |
step 1. Listen for Router Advertisements on the LAN for up to one Router
Advertisement interval
step 2. Verify that the DUT includes a Route Information option for the
delegated prefix configured using the testvar
dhcpv6WanAssignPrefix
References:
IETF RFC 7084 "IPv6 CE Router Requirements" Section 4.3: LAN-Side Configuration
L-3: An IPv6 CE router MUST advertise itself as a router for the
delegated prefix(es) (and ULA prefix if configured to provide
ULA addressing) using the "Route Information Option" specified
in Section 2.3 of [RFC4191]. This advertisement is
independent of having or not having IPv6 connectivity on the
WAN interface.
https://tools.ietf.org/html/rfc7084#section-4.3
dhcpv6-s.tcl
DHCPv6 server tests for the LAN side of the router
| Test |
Name |
Synopsis |
Verify server assigns same address after client restart |
dhcpv6_server_1 |
Verify server assigns same address after client restart |
step 1. Restart DHCPv6 on LAN client without sending a Release to the server
step 2. Verify that the server assigns an address to the client
step 3. Verify that the address assigned by the server is the same as the
client's original address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.1: Receipt of Request Messages
https://tools.ietf.org/html/rfc3315#section-18.2.1
| Test |
Name |
Synopsis |
Verify server returns address within configured pool |
dhcpv6_server_2 |
Verify server returns address within configured pool |
step 1. Send DHCPv6 Release to release DHCPv6 client address on LAN
step 2. Restart DHCPv6 client on LAN
step 3. Verify DHCPv6 client receives an address from within the configured
DHCPv6 pool
Note: The DHCPv6 pool is configured using the testvars ipv6DhcpClientStart
and ipv6DhcpClientEnd. These testvars must match the DHCPv6 pool settings on
the DUT.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify server returns IP address with expected valid lifetime |
dhcpv6_server_3 |
Verify server returns IP address with expected valid lifetime |
step 1. Send DHCPv6 Release to release DHCPv6 client address on LAN
step 2. Restart DHCPv6 client on LAN
step 3. Verify DHCPv6 client receives an address with the expected
valid lifetime
Note: The testvar ipv6DhcpClientValidLifetime can be used to configure the
expected valid lifetime, in seconds, that is used by the DUT's DHCPv6 server
on the LAN.
This testvar can be set to a numeric value if the valid lifetime is fixed,
or it can be set to a value of "dynamic" if the valid lifetime varies based
on the delegated prefix (IA_PD) received on the WAN. If set to "dynamic"
this test will verify that the valid lifetime received on the LAN is less
than or equal to the IA_PD valid lifetime assigned by CDRouter's DHCPv6
server on the WAN (which is configured using the testvar dhcpv6IAValidLifetime).
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify server assigns address to client using undefined client DUID values |
dhcpv6_server_5 |
Verify server assigns address to client using undefined client DUID values |
step 1. Release client's current DHCPv6 binding
step 2. Configure the client to use a client DUID with unknown format
step 3. Restart DHCPv6 on client
step 4. Verify the client obtains an address
step 5. Repeat Steps 1 through 4 for different unknown client DUID formats
step 6. Release the DHCPv6 binding
step 7. Verify that the server assigns an address to the client using the
client's original DUID format
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 9: DHCP Unique Identifier (DUID)
https://tools.ietf.org/html/rfc3315#section-9
| Test |
Name |
Synopsis |
Verify server ignores Solicits sent to unicast address |
dhcpv6_server_8 |
Verify server ignores Solicits sent to unicast address |
step 1. Release client's current DHCPv6 binding
step 2. Verify the DHCPv6 server reply contains a status code of 0 'Success'
step 3. Configure LAN client to send DHCPv6 Solicit messages to server's
unicast address
step 4. Restart DHCPv6 on LAN client
step 5. Verify that server does not provide an IPv6 address to the client.
step 6. Restart DHCPv6 on LAN client using All_DHCP_Relay_Agents_and_Servers
multicast address
step 7. Verify that the server assigns an address to the client
Unless otherwise specified in this document, or in a document that
describes how IPv6 is carried over a specific type of link (for link
types that do not support multicast), a client sends DHCP messages to
the All_DHCP_Relay_Agents_and_Servers.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 13: Transmission of Messages by a Client
https://tools.ietf.org/html/rfc3315#section-13
| Test |
Name |
Synopsis |
Verify server provides DNS and domain information to clients |
dhcpv6_server_9 |
Verify server provides DNS and domain information to clients |
step 1. Release client's current DHCPv6 binding
step 2. Restart DHCPv6 on client
step 3. Verify that LAN client receives DHCPv6 DNS Recursive Name Server
(23) option from server
step 4. Verify the DNS server addresses provided by the DHCPv6 server. If
the testvar ipv6DNStoLAN is set to "yes", the DNS server addresses
provided should match the addresses of the DNS servers configured on
the WAN. If the ipv6DNStoLAN testvar is set to "no", the LAN side
IPv6 address of the DUT should be provided as the DNS server.
step 5. Check if LAN client receives DHCPv6 Domain Search List (24) option
from server
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
IETF RFC 3646 "DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3646
| Test |
Name |
Synopsis |
Verify server ignores requests with mismatched server DUID |
dhcpv6_server_10 |
Verify server ignores requests with mismatched server DUID |
Description
step 1. Modify client to use an unknown server DUID
step 2. Restart DHCPv6 on client by sending Renew to the server
step 3. Verify that server does not reply to Renew with unknown server DUID
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 15.6: Renew Message
https://tools.ietf.org/html/rfc3315#section-15.6
| Test |
Name |
Synopsis |
Verify server ignores unknown or invalid DHCPv6 packets |
dhcpv6_server_11 |
Verify server ignores unknown or invalid DHCPv6 packets |
step 1. Build DHCPv6 packet with msg-type field set to 0
step 2. Send packet built in Step 1 to server
step 3. Verify that server ignores invalid DHCPv6 packet generated in Step 2
step 4. Repeat Steps 1 through 3 using msg-types 1 through 255
step 5. Verify server is still functioning by running test dhcpv6_server_1
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify server assigns address when IA_NA request from client does not contain an IPv6 address |
dhcpv6_server_12 |
Verify server assigns address when IA_NA request from client does not contain an IPv6 address |
step 1. Release client's current DHCPv6 binding
step 2. Configure client to omit address hint in DHCPv6 Request messages
step 3. Restart DHCPv6 on client
step 4. Verify client obtains an address
step 5. Release client's current DHCPv6 binding
step 6. Configure client to include address hint in DHCPv6 Request message
step 7. Verify client obtains an address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.1: Receipt of Request Messages
https://tools.ietf.org/html/rfc3315#section-18.2.1
| Test |
Name |
Synopsis |
Verify server assigns multiple addresses to client using multiple IA_NA identifiers |
dhcpv6_server_13 |
Verify server assigns multiple addresses to client using multiple IA_NA identifiers |
step 1. Configure the client to use a new IA_NA IAID
step 2. Restart DHCPv6 on client without sending a Release to the server
step 3. Verify that the server assigns a new address to the client
step 4. Restore client's original IA_NA IAID
step 5. Restart DHCPv6 on client without sending a Release to the server
step 6. Verify that the server assigns an address to the client
step 7. Verify that the address assigned by the server is the same as the
client's original address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.1: Receipt of Request Messages
https://tools.ietf.org/html/rfc3315#section-18.2.1
| Test |
Name |
Synopsis |
Verify server handles fragmented IPv6 packets |
dhcpv6_server_14 |
Verify server handles fragmented IPv6 packets |
step 1. Configure client to use a large User Class (15) option to force
IPv6 fragmentation
step 2. Initiate Renew for client's current IPv6 address
step 3. Verify that server responds to Renew with valid Reply message
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2: Server Behavior
https://tools.ietf.org/html/rfc3315#section-18.2
| Test |
Name |
Synopsis |
Verify server ignores client request with invalid UDP checksum |
dhcpv6_server_15 |
Verify server ignores client request with invalid UDP checksum |
step 1. Configure the client to send invalid UDP checksums
step 2. Restart DHCPv6 on client without sending a Release to the server
step 3. Verify that the server does not respond to DHCPv6 requests with bad
UDP checksums
step 4. Configure the client to send valid UDP checksums
step 5. Restart DHCPv6 on the client without sending a Release to the server
step 6. Verify that the server assigns an address to the client
step 7. Verify that the address assigned by the server is the same as the
client's original address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify server composes DUID correctly |
dhcpv6_server_16 |
Verify server composes DUID correctly |
step 1. Initiate a DHCPv6 Renew for the client's current IPv6 address
step 2. Verify that the server sends a Reply
step 3. Inspect the composition of the server DUID in Reply to ensure
correctness
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 9: DHCP Unique Identifier (DUID)
https://tools.ietf.org/html/rfc3315#section-9
| Test |
Name |
Synopsis |
Verify server assigns same IPv6 address after DHCPv6 Request from client |
dhcpv6_server_20 |
Verify server assigns same IPv6 address after DHCPv6 Request from client |
step 1. Initiate DHCPv6 Request from the client
step 2. Verify that the server assigns the same address to the client
When the server receives a valid Request message, the server creates
the bindings for that client according to the server's policy and
configuration information and records the IAs and other information
requested by the client.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.1: Receipt of Request Messages
https://tools.ietf.org/html/rfc3315#section-18.2.1
| Test |
Name |
Synopsis |
Verify server sends UseMulticast status code when client sends a unicast Request |
dhcpv6_server_21 |
Verify server sends UseMulticast status code when client sends a unicast Request |
step 1. Initiate a DHCPv6 Request from the client using the server's unicast
address
step 2. Verify the that the server sends a Reply message with a status code
of 5 'UseMulticast'
When the server receives a Request message via unicast from a client
to which the server has not sent a unicast option, the server
discards the Request message and responds with a Reply message
containing a Status Code option with the value UseMulticast, a Server
Identifier option containing the server's DUID, the Client Identifier
option from the client message, and no other options.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.1: Receipt of Request Messages
https://tools.ietf.org/html/rfc3315#section-18.2.1
| Test |
Name |
Synopsis |
Verify server sends NotOnLink status code when client sends Request with invalid link address |
dhcpv6_server_22 |
Verify server sends NotOnLink status code when client sends Request with invalid link address |
step 1. Initiate a DHCPv6 Request from the client with an unknown
IAID containing an unknown address, which is not
considered "on link"
step 2. Verify that the server sends a Reply message with a status code of
4 'NotOnLink'
If the server finds that the prefix on one or more IP addresses in
any IA in the message from the client is not appropriate for the link
to which the client is connected, the server MUST return the IA to
the client with a Status Code option with the value NotOnLink.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.1: Receipt of Request Messages
https://tools.ietf.org/html/rfc3315#section-18.2.1
| Test |
Name |
Synopsis |
Verify server assigns same IPv6 address after DHCPv6 Confirm from client |
dhcpv6_server_30 |
Verify server assigns same IPv6 address after DHCPv6 Confirm from client |
step 1. Initiate a DHCPv6 Confirm from the client
step 2. Verify that the server Reply contains a status code of 0 'success'
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.2: Receipt of Confirm Messages
https://tools.ietf.org/html/rfc3315#section-18.2.2
| Test |
Name |
Synopsis |
Verify server sends NotOnLink status code when client sends Confirm with invalid link address |
dhcpv6_server_31 |
Verify server sends NotOnLink status code when client sends Confirm with invalid link address |
step 1. Initiate a DHCPv6 Confirm from the client with an unknown
IAID containing an unknown address, which is not
considered "on link"
step 2. Verify that the server sends a Reply message with a status code of
4 'NotOnLink'
When the server receives a Confirm message, the server determines
whether the addresses in the Confirm message are appropriate for the
link to which the client is attached. If all of the addresses in the
Confirm message pass this test, the server returns a status of
Success. If any of the addresses do not pass this test, the server
returns a status of NotOnLink. If the server is unable to perform
this test (for example, the server does not have information about
prefixes on the link to which the client is connected), or there were
no addresses in any of the IAs sent by the client, the server MUST
NOT send a reply to the client.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.2: Receipt of Confirm Messages
https://tools.ietf.org/html/rfc3315#section-18.2.2
| Test |
Name |
Synopsis |
Verify server silently discards client Confirm messages that do not contain any addresses |
dhcpv6_server_32 |
Verify server silently discards client Confirm messages that do not contain any addresses |
step 1. Initiate a DHCPv6 Confirm from the client with an unknown IAID
containing no addresses
step 2. Verify that the server does not send a Reply message
When the server receives a Confirm message, the server determines
whether the addresses in the Confirm message are appropriate for the
link to which the client is attached. If all of the addresses in the
Confirm message pass this test, the server returns a status of
Success. If any of the addresses do not pass this test, the server
returns a status of NotOnLink. If the server is unable to perform
this test (for example, the server does not have information about
prefixes on the link to which the client is connected), or there were
no addresses in any of the IAs sent by the client, the server MUST
NOT send a reply to the client.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.2: Receipt of Confirm Messages
https://tools.ietf.org/html/rfc3315#section-18.2.2
| Test |
Name |
Synopsis |
Verify server assigns same IPv6 address after DHCPv6 Renew from client |
dhcpv6_server_40 |
Verify server assigns same IPv6 address after DHCPv6 Renew from client |
step 1. Initiate DHCPv6 Renew for the client's current IPv6 address
step 2. Verify that the server updates the client's current IPv6 address
binding
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.3: Receipt of Renew Messages
https://tools.ietf.org/html/rfc3315#section-18.2.3
| Test |
Name |
Synopsis |
Verify server sends UseMulticast status code when client sends unicast Renew |
dhcpv6_server_41 |
Verify server sends UseMulticast status code when client sends unicast Renew |
step 1. Initiate DHCPv6 Renew using the server's unicast address
step 2. Verify the that the server sends a Reply message with a status
code of 5 'UseMulticast'
When the server receives a Renew message via unicast from a client to
which the server has not sent a unicast option, the server discards
the Renew message and responds with a Reply message containing a
Status Code option with the value UseMulticast, a Server Identifier
option containing the server's DUID, the Client Identifier option
from the client message, and no other options.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.3: Receipt of Renew Messages
https://tools.ietf.org/html/rfc3315#section-18.2.3
| Test |
Name |
Synopsis |
Verify server sends NoBinding status code when client attempts to renew unknown IAID |
dhcpv6_server_42 |
Verify server sends NoBinding status code when client attempts to renew unknown IAID |
step 1. Initiate DHCPv6 Renew with an unknown IAID that should not have a
binding
step 2. Verify that the server sends a Reply message with a status code of
3 'NoBinding'
If the server cannot find a client entry for the IA the server
returns the IA containing no addresses with a Status Code option set
to NoBinding in the Reply message.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.3: Receipt of Renew Messages
https://tools.ietf.org/html/rfc3315#section-18.2.3
| Test |
Name |
Synopsis |
Verify server sends Reply with lifetimes of 0 when client attempts to renew unknown address |
dhcpv6_server_43 |
Verify server sends Reply with lifetimes of 0 when client attempts to renew unknown address |
step 1. Initiate a DHCPv6 Renew from client with a valid IAID containing
unknown address
step 2. Verify that the server sends Reply message with correct IAID
step 3. Verify Reply contains correct IA IPv6 address
step 4. Verify Reply contains IA Preferred lifetime of 0
step 5. Verify Reply contains IA Valid lifetime of 0
step 6. Restart DHPCv6 on client
step 7. Verify that the server assigns an address to the client
If the server finds that any of the addresses are not appropriate for
the link to which the client is attached, the server returns the
address to the client with lifetimes of 0.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.3: Receipt of Renew Messages
https://tools.ietf.org/html/rfc3315#section-18.2.3
| Test |
Name |
Synopsis |
Verify server assigns same IPv6 address after DHCPv6 Rebind from client |
dhcpv6_server_50 |
Verify server assigns same IPv6 address after DHCPv6 Rebind from client |
step 1. Initiate a DHCPv6 Rebind from the client
step 2. Verify that the server updates the client's current IPv6 address
binding
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.4: Receipt of Rebind Messages
https://tools.ietf.org/html/rfc3315#section-18.2.4
| Test |
Name |
Synopsis |
Verify server sends Reply with lifetimes of 0 when client attempts to rebind with unknown address |
dhcpv6_server_52 |
Verify server sends Reply with lifetimes of 0 when client attempts to rebind with unknown address |
step 1. Initiate a DHCPv6 Rebind with a valid IAID containing unknown
address
step 2. Verify that the server sends a Reply message with correct IAID
step 3. Verify Reply contains correct IA IPv6 address
step 4. Verify Reply contains IA Preferred lifetime of 0
step 5. Verify Reply contains IA Valid lifetime of 0
step 6. Restart DHPCv6 on client
step 7. Verify that the server assigns an address to the client
If the server finds that any of the addresses are not appropriate for
the link to which the client is attached, the server returns the
address to the client with lifetimes of 0.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.4: Receipt of Rebind Messages
https://tools.ietf.org/html/rfc3315#section-18.2.4
| Test |
Name |
Synopsis |
Verify server responds to an Information-request message from client |
dhcpv6_server_60 |
Verify server responds to an Information-request message from client |
step 1. Initiate a DHCPv6 Information-request from client
step 2. Verify response from server
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.5: Receipt of Information-request Messages
https://tools.ietf.org/html/rfc3315#section-18.2.5
| Test |
Name |
Synopsis |
Verify server assigns same IPv6 address after DHCPv6 Release from client |
dhcpv6_server_70 |
Verify server assigns same IPv6 address after DHCPv6 Release from client |
step 1. Initiate a DHCPv6 Release from the client
step 2. Verify that the server sends a Reply message with a status code of
0 'Success'
step 3. Restart DHCPv6 on client
step 4. Verify that the server assigns an address to the client
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.6: Receipt of Release Messages
https://tools.ietf.org/html/rfc3315#section-18.2.6
| Test |
Name |
Synopsis |
Verify server sends UseMulticast status code when clients sends unicast DHCPv6 Release |
dhcpv6_server_71 |
Verify server sends UseMulticast status code when clients sends unicast DHCPv6 Release |
step 1. Initiate a DHCPv6 Release from the client using the server's unicast
address
step 2. Verify the that the server sends a Reply message with a status code
of 5 'UseMulticast'
step 3. Restart DHCPv6 on client
step 4. Verify that the server assigns an address to the client
When the server receives a Release message via unicast from a client
to which the server has not sent a unicast option, the server
discards the Release message and responds with a Reply message
containing a Status Code option with value UseMulticast, a Server
Identifier option containing the server's DUID, the Client Identifier
option from the client message, and no other options.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.6: Receipt of Release Messages
https://tools.ietf.org/html/rfc3315#section-18.2.6
| Test |
Name |
Synopsis |
Verify server sends NoBinding status code when client attempts to release unknown IAID |
dhcpv6_server_72 |
Verify server sends NoBinding status code when client attempts to release unknown IAID |
step 1. Initiate DHCPv6 Release with an unknown IAID that should not have a
binding
step 2. Verify that the server sends a Reply message with a status code of
3 'NoBinding'
For each IA in the Release message for which the server has no binding information,
the serve adds an IA option using the IAID from the Release message, an includes a
Status Code option with the value NoBinding in the IA option. No other options are
included in the IA option.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.6: Receipt of Release Messages
https://tools.ietf.org/html/rfc3315#section-18.2.6
| Test |
Name |
Synopsis |
Verify server assigns IPv6 address after DHCPv6 Decline from client |
dhcpv6_server_80 |
Verify server assigns IPv6 address after DHCPv6 Decline from client |
step 1. Initiate a DHCPv6 Decline for the client's current IPv6 address
step 2. Verify that the server sends a Reply message with status code of 0
'Success'
step 3. Restart DHCPv6 on client with a sending a Release to the server
step 4. Verify that the server assigns an address to client
step 5. Verify that the address assigned by the server is not the same as
the client's original address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.7: Receipt of Decline Messages
https://tools.ietf.org/html/rfc3315#section-18.2.7
| Test |
Name |
Synopsis |
Verify server sends UseMulticast status code when client sends unicast DHCPv6 Decline |
dhcpv6_server_81 |
Verify server sends UseMulticast status code when client sends unicast DHCPv6 Decline |
step 1. Initiate a DHCPv6 Decline from the client using the server's unicast
address
step 2. Verify the that the server sends a Reply message with a status code
of 5 'UseMulticast'
step 3. Restart DHCPv6 on LAN interface without sending a Release to the
server
step 4. Verify that the server assigns an address to the client
step 5. Verify that the address assigned by the server is the same as the
client's original address
When the server receives a Decline message via unicast from a client
to which the server has not sent a unicast option, the server
discards the Decline message and responds with a Reply message
containing a Status Code option with the value UseMulticast, a Server
Identifier option containing the server's DUID, the Client Identifier
option from the client message, and no other options.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.7: Receipt of Decline Messages
https://tools.ietf.org/html/rfc3315#section-18.2.7
| Test |
Name |
Synopsis |
Verify server sends NoBinding status code when client attempts to decline unknown IAID |
dhcpv6_server_82 |
Verify server sends NoBinding status code when client attempts to decline unknown IAID |
step 1. Initiate DHCPv6 Decline with an unknown IAID that should not have a
binding
step 2. Verify that the server sends a Reply message with a status code of 3
'NoBinding'
For each IA in the Decline message for which the server has no binding information,
the server adds an IA option using the IAID from the Release message and includes a
Status Code option with the value NoBinding in the IA option. No other options are
included in the IA option.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 18.2.7: Receipt of Decline Messages
https://tools.ietf.org/html/rfc3315#section-18.2.7
| Test |
Name |
Synopsis |
Verify server assigns IPv6 address when client uses unknown DHCPv6 options |
dhcpv6_server_100 |
Verify server assigns IPv6 address when client uses unknown DHCPv6 options |
step 1. Configure client to use unknown DHCPv6 option
step 2. Restart DHCPv6 on LAN client without sending a Release to the server
step 3. Verify that the server assigns an address to the client
step 4. Verify that the address assigned by the server is the same as the
client's original address
Note: To ensure compatibility with future client implemenations that may
support yet to be defined DHCPv6 options, servers should ignore any options
that are unknown.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify server ignores client requests with invalid option length |
dhcpv6_server_101 |
Verify server ignores client requests with invalid option length |
step 1. Configure client to use invalid DHCPv6 option length
step 2. Restart DHCPv6 on LAN client without sending a Release to the server
step 3. Verify that the server does not assign an address to the client
step 4. Configure client to use valid DHCPv6 option length
step 5. Restart DHCPv6 on LAN client without sending a Release to the server
step 6. Verify that the server assigns an address to the client
step 7. Verify that the address assigned by the server is the same as the
client's original address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify server supports Rapid Commit option |
dhcpv6_server_102 |
Verify server supports Rapid Commit option |
step 1. Configure the client to request DHCPv6 option 14 'Rapid Commit'
step 2. Restart DHCPv6 on the client
step 3. Verify that DHCPv6 server responds with Reply message containing the
'Rapid Commit' option
step 4. Verify that the server assigns an address to the client
step 5. Verify that the address assigned by the server is the same as the
client's original address
A client MAY include this option in a Solicit message if the client
is prepared to perform the Solicit-Reply message exchange described
in section 17.1.1.
A server MUST include this option in a Reply message sent in response
to a Solicit message when completing the Solicit-Reply message
exchange.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 22.14: Rapid Commit Option
https://tools.ietf.org/html/rfc3315#section-22.14
| Test |
Name |
Synopsis |
Verify server assigns same IPv6 address when client requests both IA_NA and IA_PD |
dhcpv6_server_110 |
Verify server assigns same IPv6 address when client requests both IA_NA and IA_PD |
step 1. Configure client to request both IA_NA and IA_PD options
step 2. Restart DHCPv6 on LAN without sending DHCPv6 Release to the server
step 3. Verify that the server assigns an address to the client
step 4. Verify that the address assigned by the server is the same as the
client's original address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify server assigns same IPv6 address when client requests both IA_NA and IA_TA |
dhcpv6_server_111 |
Verify server assigns same IPv6 address when client requests both IA_NA and IA_TA |
step 1. Configure client to request both IA_NA and IA_TA options
step 2. Restart DHCPv6 on LAN without sending DHCPv6 Release to the server
step 3. Verify that the server assigns an address to the client
step 4. Verify that the address assigned by the server is the same as the
client's original address
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
| Test |
Name |
Synopsis |
Verify server responds to Relay-Forward requests sent to the All_DHCP_Servers multicast address |
dhcpv6_server_120 |
Verify server responds to Relay-Forward requests sent to the All_DHCP_Servers multicast address |
step 1. Configure a relay agent on the LAN to send to DHCPv6 messages to the
All_DHCP_Servers multicast address
step 2. Restart DHCPv6 on the client without sending a Release to the server
step 3. Verify that the server assigns an address to the client
The relay agent MAY be configured to use a list of destination
addresses, which MAY include unicast addresses, the All_DHCP_Servers
multicast address, or other addresses selected by the network
administrator.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 20: Relay Agent Behavior
https://tools.ietf.org/html/rfc3315#section-20
| Test |
Name |
Synopsis |
Verify server responds to Relay-Forward requests sent to server unicast address |
dhcpv6_server_121 |
Verify server responds to Relay-Forward requests sent to server unicast address |
step 1. Configure a relay agent on the LAN to send DHCPv6 messages to the
server's global unicast address
step 2. Restart DHCPv6 on the client without sending a Release to the server
step 3. Verify that the server assigns an address to the client
The relay agent MAY be configured to use a list of destination
addresses, which MAY include unicast addresses, the All_DHCP_Servers
multicast address, or other addresses selected by the network
administrator.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 20: Relay Agent Behavior
https://tools.ietf.org/html/rfc3315#section-20
| Test |
Name |
Synopsis |
Verify server includes Interface-Id option in Relay-Reply if included by relay agent |
dhcpv6_server_122 |
Verify server includes Interface-Id option in Relay-Reply if included by relay agent |
step 1. Configure a relay agent on the LAN to send DHCPv6 messages to the
server's global unicast address
step 2. Configure a relay agent to include the Interface-Id (18) option in
Relay-Forward messages
step 3. Restart DHCPv6 on the client without sending a Release to the server
step 4. Verify that the server sends a Relay-Reply message to the relay
agent
step 5. Verify that the Relay-Reply message includes the original
Interface-Id (18) option value included by the relay agent
step 6. Wait for DHCPv6 transaction to complete
Reference: IETF RFC 3315 Section 22.18 "Interface-Id Option"
The server MUST copy the Interface-Id option from the Relay-Forward
message into the Relay-Reply message the server sends to the relay
agent in response to the Relay-Forward message. This option MUST NOT
appear in any message except a Relay-Forward or Relay-Reply message.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" Section 22.18: Interface-Id Option
https://tools.ietf.org/html/rfc3315#section-22.18
pppoe-c-v6.tcl
PPPoE client tests with IPv6 on the WAN side of the router
| Test |
Name |
Synopsis |
PPPoE client restarts PPPoE Discovery when PPP LCP Echo-Requests fail |
ipv6_pppoe_client_1 |
PPPoE client restarts PPPoE Discovery when PPP LCP Echo-Requests fail |
step 1. Turn off PPP LCP Echo-Reply on PPPoE server
step 2. PPP client should send an LCP Echo-Request
step 3. PPP client will not receive an LCP Echo-Reply
step 4. Verify WAN PPPoE client sends PADI to restart PPPoE Discovery
(wait up to 5 minutes for LCP to failover)
step 5. Verify PPPoE client brings new PPPoE session up
NOTE: Most PPPoE clients will terminate the existing PPPoE session after
several LCP Echo-Requests have failed. However, some routers will
simply initiate a new PPPoE session without sending a PADT. This
test case does not FAIL the test if the existing PPPoE session is not
terminated before starting a new PPPoE session. However, a warning
will be issued.
NOTE: The amount of time the test waits to recover the PPP based
link can be configured by adjusting the testvar pppRestartTimeout.
This variable contains the number of milliseconds to wait for
PPP based protocols to recover. The default is 300000 (300 seconds).
NOTE: By default, CDRouter will still respond to ICMP Echo
Requests during this test. This allows the test to verify failure
occurs because of PPP and not the ICMP Echo Replies. However, you
can configure CDRouter to also ignore ICMP Echo Requests during
this test by setting the testvar pppFailUsesICMP to yes:
testvar pppFailUsesICMP yes
| Test |
Name |
Synopsis |
PPPoE client restarts PPPoE Discovery when PPP LCP terminates PPP link |
ipv6_pppoe_client_10 |
PPPoE client restarts PPPoE Discovery when PPP LCP terminates PPP link |
step 1. Check the current PPPoE session is established
step 2. Terminate the current PPP session using LCP Terminate
step 3. Verify WAN PPPoE client sends PADI to restart PPPoE Discovery
step 4. Verify PPPoE client brings new PPPoE session up
NOTE: The amount of time the test waits to recover the PPP based
link can be configured by adjusting the testvar pppRestartTimeout.
This variable contains the number of milliseconds to wait for
PPP based protocols to recover. The default is 300000 (300 seconds).
| Test |
Name |
Synopsis |
PPPoE PPP client replies to LCP Echo-Requests |
ipv6_pppoe_client_50 |
PPPoE PPP client replies to LCP Echo-Requests |
step 1. Send 5 LCP Echo-Requests
step 2. Verify LCP Echo-Replies are received
step 3. Verify LCP Echo-Request data is echoed back in response
| Test |
Name |
Synopsis |
PPPoE PPP client maintains LCP Magic Number during session |
ipv6_pppoe_client_60 |
PPPoE PPP client maintains LCP Magic Number during session |
step 1. Terminate the current PPP session using LCP Terminate
step 2. Check for Magic Number in LCP Configure Request
step 3. Wait for LCP Echo Request and verify Magic Number is the same
step 4. Send LCP Echo Request
step 5. Verify Magic Number in LCP Echo Response is the same
NOTE: CDRouter does not fail this test if the PPPoE PPP client
does not send an LCP Echo Request. Some clients do not
use LCP Echo Requests automtically.
References:
IETF RFC 1548 "The Point-to-Point Protocol (PPP)" Section 5.8: Echo-Request and Echo-Reply
https://tools.ietf.org/html/rfc1548#section-5.8
| Test |
Name |
Synopsis |
IPv6CP Configure-Requests include Interface Identifier option |
ipv6_pppoe_client_70 |
IPv6CP Configure-Requests include Interface Identifier option |
step 1. Terminate the current PPP session using LCP Terminate
step 2. Check for Interface Identifier in IPv6CP Configure Request
step 3. Verify PPPoE link is reestablished
References:
IETF RFC 5072 "IP Version 6 over PPP" Section 5: Stateless Autoconfiguration and Link-Local Addresses
The interface identifier of IPv6 unicast addresses [5] of a PPP
interface SHOULD be negotiated in the IPV6CP phase of the PPP
connection setup (see Section 4.1).
https://tools.ietf.org/html/rfc5072#section-5
| Test |
Name |
Synopsis |
PPPoE/PPP restarts if PPP authentication fails |
ipv6_pppoe_client_200 |
PPPoE/PPP restarts if PPP authentication fails |
step 1. Terminate the current PPP session using LCP Terminate
step 2. Verify WAN PPPoE client sends PADI to restart PPPoE Discovery
step 3. Verify PPPoE client brings new PPPoE session up
step 4. Reject any PAP or CHAP authentication attempts
step 5. Wait 60 seconds, continuing to reject PPP authentication
step 6. Accept PPP authentication after 60 seconds
step 7. Send pings from LAN side to WAN side to force link to reestablish
step 8. Verify PPP link is reestablished in 300 seconds (pppRestartTimeout)
NOTE: This test supports PAP, CHAP, and MSCHAP authentication.
NOTE: The amount of time the test waits to recover the PPP based
link can be configured by adjusting the testvar pppRestartTimeout.
This variable contains the number of milliseconds to wait for
PPP based protocols to recover. The default is 300000 (300 seconds).
| Test |
Name |
Synopsis |
PPPoE/PPP can recover if LCP renegotiation is attempted |
ipv6_pppoe_client_210 |
PPPoE/PPP can recover if LCP renegotiation is attempted |
step 1. Send LCP Configure-Request to PPP peer
step 2. Verify peer resends LCP configuration
step 3. Verify the configuration is the same
step 4. If the PPPoE link is terminated, issue ping to reestablish link
step 5. Verify ping succeeds from LAN to WAN
NOTE: Renegotiating LCP can cause some PPP implementations to terminate
the PPP link or the PPPoE link. This test does not fail the DUT if this
happens, but it does issue a warning if the PPPoE session is restarted.
NOTE: The amount of time the test waits to recover the PPP based
link can be configured by adjusting the testvar pppRestartTimeout.
This variable contains the number of milliseconds to wait for
PPP based protocols to recover. The default is 300000 (300 seconds).
| Test |
Name |
Synopsis |
PPPoE/PPP can recover if LCP Echo-Request contains bad length |
ipv6_pppoe_client_230 |
PPPoE/PPP can recover if LCP Echo-Request contains bad length |
step 1. Send out LCP Echo-Request with length 4096, but no data
step 2. Peer may respond or drop LCP Echo-Request
step 3. Verify PPP is still functioning using ICMP Echo
NOTE: This test checks that the device under test behaves gracefully
when it receives PPP options with a bad length. Some devices may
still respond to the LCP Echo-Request, but it is not considered a failure if
the device does not respond.
| Test |
Name |
Synopsis |
PPPoE client recovers if PPPoE server drops PADR from PPPoE client |
ipv6_pppoe_client_300 |
PPPoE client recovers if PPPoE server drops PADR from PPPoE client |
step 1. Terminate the current PPP session using LCP Terminate
step 2. Verify WAN PPPoE client sends PADI to restart PPPoE Discovery
step 3. Do not respond to the PADR packet from client
step 4. Continue to ignore any PPPoE packets from the client until
the client sends a new PADI packet
step 5. Restore PPPoE server to normal operation
step 6. Verify PPPoE client session recovers
NOTE: The amount of time the test waits to recover the PPP based
link can be configured by adjusting the testvar pppRestartTimeout.
This variable contains the number of milliseconds to wait for
PPP based protocols to recover. The default is 300000 (300 seconds).
References:
IETF RFC 2516 "A Method for Transmitting PPP Over Ethernet (PPPoE)" Section 8: Other Considerations
If the Host is waiting to receive a PADS packet, a similar timeout
mechanism SHOULD be used, with the Host re-sending the PADR. After
a specified number of retries, the Host SHOULD then resend a PADI
packet.
https://tools.ietf.org/html/rfc2516#section-8
| Test |
Name |
Synopsis |
PPPoE client returns AC-Cookie in PADR when server sends AC-Cookie in PADO |
ipv6_pppoe_client_310 |
PPPoE client returns AC-Cookie in PADR when server sends AC-Cookie in PADO |
step 1. Configure PPPoE server to use AC-Cookie Tag in PADO responses
step 2. Terminate the current PPP session using LCP Terminate
step 3. Verify WAN PPPoE client sends PADI to restart PPPoE Discovery
step 4. Send AC-Cookie Tag in PADO
step 5. Verify PADR from client contains AC-Cookie with the same cookie data
References:
IETF RFC 2516 "A Method for Transmitting PPP Over Ethernet (PPPoE)" Section A: AC-Cookie
If a Host receives this TAG, it MUST return the TAG
unmodified in the following PADR.
https://tools.ietf.org/html/rfc2516
| Test |
Name |
Synopsis |
PPPoE client maintains Relay-Session-Id during PPPoE session establishment |
ipv6_pppoe_client_320 |
PPPoE client maintains Relay-Session-Id during PPPoE session establishment |
step 1. Configure PPPoE server to use Relay-Session-Id in PADO responses
step 2. Terminate the current PPP session using LCP Terminate
step 3. Verify WAN PPPoE client sends PADI to restart PPPoE Discovery
step 4. If the PADI already contains a Relay-Session-Id from an actual
PPPoE Relay server, configure the PPPoE server to use the same
tag value
step 5. Send Relay-Session-Id Tag in PADO
step 6. Verify PADR from client contains Relay-Session-Id tag with the same cookie data
NOTE: Normally, CDRouter does not expect a PPPoE relay server to be present
between the PPPoE client and CDRouter. However, this test does check for
an existing Relay-Session-Id in the PADI and will use this tag value
for the test instead of generating a unique value. This allows the test
to work with an existing PPPoE relay server on the WAN.
References:
IETF RFC 2516 "A Method for Transmitting PPP Over Ethernet (PPPoE)" Section A: Relay-Session-Id
If either the Host or Access Concentrator receives this TAG they
MUST include it unmodified in any discovery packet they send as a response.
https://tools.ietf.org/html/rfc2516
| Test |
Name |
Synopsis |
PPPoE client reconnects to server after 15 minute WAN disconnect |
ipv6_pppoe_client_330 |
PPPoE client reconnects to server after 15 minute WAN disconnect |
step 1. Do not respond to any traffic from the WAN
step 2. Wait 15 minutes, then reenable the WAN connection with CDRouter
step 3. Verify WAN PPPoE client sends PADI to restart PPPoE Discovery
(wait up to 5 minutes for LCP to failover)
step 4. Verify PPPoE client reconnects with the PPPoE server
NOTE: The amount of time the test waits to recover the PPP based
link can be configured by adjusting the testvar pppRestartTimeout.
This variable contains the number of milliseconds to wait for
PPP based protocols to recover. The default is 300000 (300 seconds).
| Test |
Name |
Synopsis |
PPPoE client reconnects to server after 30 minute WAN disconnect |
ipv6_pppoe_client_331 |
PPPoE client reconnects to server after 30 minute WAN disconnect |
step 1. Do not respond to any traffic from the WAN
step 2. Wait 15 minutes, then reenable the WAN connection with CDRouter
step 3. Verify WAN PPPoE client sends PADI to restart PPPoE Discovery
(wait up to 5 minutes for LCP to failover)
step 4. Verify PPPoE client reconnects with the PPPoE server
NOTE: The amount of time the test waits to recover the PPP based
link can be configured by adjusting the testvar pppRestartTimeout.
This variable contains the number of milliseconds to wait for
PPP based protocols to recover. The default is 300000 (300 seconds).
| Test |
Name |
Synopsis |
PPPoE client reconnects to server after 60 minute WAN disconnect |
ipv6_pppoe_client_332 |
PPPoE client reconnects to server after 60 minute WAN disconnect |
step 1. Do not respond to any traffic from the WAN
step 2. Wait 15 minutes, then reenable the WAN connection with CDRouter
step 3. Verify WAN PPPoE client sends PADI to restart PPPoE Discovery
(wait up to 5 minutes for LCP to failover)
step 4. Verify PPPoE client reconnects with the PPPoE server
NOTE: The amount of time the test waits to recover the PPP based
link can be configured by adjusting the testvar pppRestartTimeout.
This variable contains the number of milliseconds to wait for
PPP based protocols to recover. The default is 300000 (300 seconds).
slaac-wan.tcl
Autoconf / SLAAC client tests for the WAN side of the router
| Test |
Name |
Synopsis |
Verify DUT configures a new address using SLAAC when a new prefix is advertised on the WAN |
ipv6_slaac_wan_1 |
Verify DUT configures a new address using SLAAC when a new prefix is advertised on the WAN |
step 1. Send a Router Advertisement on the WAN that advertises a new
global prefix
step 2. Verify that the DUT sends a DAD-style Neighbor Solicitation on the
WAN
step 3. Verify that the target address in the Neighbor Solicitation is
based on the new prefix
step 4. Wait 10 seconds for the DUT to configure the new target address
step 5. Send 10 pings to verify that the DUT has configured the new target
address
References:
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration"
https://tools.ietf.org/html/rfc4862
| Test |
Name |
Synopsis |
Verify DUT sends DAD-style Neighbor Solicitations when configuring an address |
ipv6_slaac_wan_10 |
Verify DUT sends DAD-style Neighbor Solicitations when configuring an address |
step 1. Send a Router Advertisement on the WAN that advertises a new
global prefix
step 2. Verify that the DUT sends a DAD-style Neighbor Solicitation on the
WAN
step 3. Verify that the target address in the Neighbor Solicitation is
based on the new prefix
step 4. Verify that the source address of the Neighbor Solicitation is the
unspecified address
step 5. Verify that the destination address of the Neighbor Solicitation is
a solicited-node multicast address based on the target address in
step 3
References:
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration"
https://tools.ietf.org/html/rfc4862
| Test |
Name |
Synopsis |
Verify DUT does not configure an address when a DAD collision occurs |
ipv6_slaac_wan_11 |
Verify DUT does not configure an address when a DAD collision occurs |
step 1. Send a Router Advertisement on the WAN that advertises a new prefix
step 2. Verify that the DUT sends a DAD-style Neighbor Solicitation on the
WAN
step 3. Force a DAD collision by sending a Neighbor Advertisement for the
target address used by the DUT in step 2
step 4. Wait 10 seconds
step 5. Verify that the DUT does not configure the target address by
sending a Neighbor Solicitation
References:
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration"
https://tools.ietf.org/html/rfc4862
| Test |
Name |
Synopsis |
Verify DUT responds to Neighbor Solicitations for new configured address on WAN |
ipv6_slaac_wan_12 |
Verify DUT responds to Neighbor Solicitations for new configured address on WAN |
step 1. Send a Router Advertisement on the WAN that advertises a new
global prefix
step 2. Verify that the DUT sends a DAD-style Neighbor Solicitation on the
WAN
step 3. Verify that the target address in the Neighbor Solicitation is
based on the new prefix
step 4. Wait 10 seconds
step 5. Run test ipv6_ndp_wan_11 to verify that the DUT has configured
and responds to Neighbor Solicitations for the newly configured
target address
References:
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration"
https://tools.ietf.org/html/rfc4862
| Test |
Name |
Synopsis |
Verify DUT responds to DAD-style Neighbor Solicitations for new configured address on WAN |
ipv6_slaac_wan_13 |
Verify DUT responds to DAD-style Neighbor Solicitations for new configured address on WAN |
step 1. Send a Router Advertisement on the WAN that advertises a new
global prefix
step 2. Verify that the DUT sends a DAD-style Neighbor Solicitation on the
WAN
step 3. Verify that the target address in the Neighbor Solicitation is
based on the new prefix
step 4. Wait 10 seconds
step 5. Run test ipv6_ndp_wan_16 to verify that the DUT has configured
and responds to DAD-style Neighbor Solicitations for the newly
configured target address
References:
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration"
https://tools.ietf.org/html/rfc4862
| Test |
Name |
Synopsis |
Verify DUT does not configure an address when the A-bit is not set |
ipv6_slaac_wan_20 |
Verify DUT does not configure an address when the A-bit is not set |
step 1. Send a Router Advertisement on the WAN that advertises a new
global prefix with the A-bit not set
step 2. Verify that the DUT does not send a DAD-style Neighbor Solicitation
on the WAN for the prefix advertised in step 1
References:
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration" Section 5.5.3: Router Advertisement Processing
For each Prefix-Information option in the Router Advertisement:
a) If the Autonomous flag is not set, silently ignore the Prefix
Information option.
https://tools.ietf.org/html/rfc4862#section-5.5.3
| Test |
Name |
Synopsis |
Verify DUT does not configure an address when the advertised prefix is a link-local prefix |
ipv6_slaac_wan_21 |
Verify DUT does not configure an address when the advertised prefix is a link-local prefix |
step 1. Send a Router Advertisement on the WAN that advertises a
link-local prefix
step 2. Verify that the DUT does not send a DAD-style Neighbor Solicitation
on the WAN for the prefix advertised in step 1
References:
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration" Section 5.5.3: Router Advertisement Processing
For each Prefix-Information option in the Router Advertisement:
b) If the prefix is the link-local prefix, silently ignore the
Prefix Information option.
https://tools.ietf.org/html/rfc4862#section-5.5.3
| Test |
Name |
Synopsis |
Verify DUT does not configure an address when the valid lifetime is 0 |
ipv6_slaac_wan_22 |
Verify DUT does not configure an address when the valid lifetime is 0 |
step 1. Send a Router Advertisement on the WAN that advertises a new
global prefix with a valid-lifetime of 0
step 2. Verify that the DUT does not send a DAD-style Neighbor Solicitation
on the WAN for the prefix advertised in step 1
References:
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration" Section 5.5.3: Router Advertisement Processing
For each Prefix-Information option in the Router Advertisement:
c) If the preferred lifetime is greater than the valid lifetime,
silently ignore the Prefix Information option. A node MAY wish to
log a system management error in this case.
https://tools.ietf.org/html/rfc4862#section-5.5.3
6to4.tcl
6to4 tunnel tests for connecting IPv6 hosts over IPv4 networks
| Test |
Name |
Synopsis |
Verify IPv6 Router Advertisements include 6to4 prefix based on IPv4 WAN |
ipv6_6to4_1 |
Verify IPv6 Router Advertisements include 6to4 prefix based on IPv4 WAN |
step 1. Listen for IPv6 RA from DUT
step 2. Verify RA contains 6to4 prefix based on public IPv4 WAN
step 3. Verify 6to4 prefix contains a valid lifetime
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
| Test |
Name |
Synopsis |
Verify DUT assigns itself a global address on the LAN side 6to4 network |
ipv6_6to4_2 |
Verify DUT assigns itself a global address on the LAN side 6to4 network |
step 1. Determine the DUT's LAN side IPv6 global address
step 2. Send ICMPv6 Echo Request to the DUT's global IPv6 address
step 3. Verify ICMPv6 Echo Response is received from the global IPv6 address
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
| Test |
Name |
Synopsis |
Verify IPv6 Router Advertisements include SLA ID |
ipv6_6to4_3 |
Verify IPv6 Router Advertisements include SLA ID |
step 1. Listen for IPv6 RA from DUT
step 2. Verify RA contains 6to4 prefix based on public IPv4 WAN
step 3. Verify advertised 6to4 prefix includes the expected SLA ID
RFC 3056 defines a 16 bit "SLA ID" field for subnetting. Most DUT's allow
the SLA ID to be arbitrarily configured. This test verifies that the DUT
advertises the expected SLA ID. The expected SLA can be configured using
the testvar "ipv6LanSubnetId" which must be a hex string with four or less
characters. Examples:
testvar ipv6LanSubnetId ffff
testvar ipv6LanSubnetId 1
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
| Test |
Name |
Synopsis |
Verify packets to 6to4 addresses are tunneled directly to IPv4 address |
ipv6_6to4_10 |
Verify packets to 6to4 addresses are tunneled directly to IPv4 address |
step 1. Forward IPv6 UDP to IPv6 address on 6to4 network that maps to
remoteHost IPv4
step 2. Verify remoteHost IPv4 on the WAN received tunneled IPv6 packet
step 3. Verify return IPv6 UDP traffic is forwarded back from remoteHost IPv4
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 5.1: Simple scenario - all sites work the same
https://tools.ietf.org/html/rfc3056#section-5.1
| Test |
Name |
Synopsis |
Verify packets to non 6to4 addresses are tunneled to 6to4 relay server |
ipv6_6to4_11 |
Verify packets to non 6to4 addresses are tunneled to 6to4 relay server |
step 1. Forward IPv6 UDP to remoteHostv6 address on non-6to4 network
step 2. Verify 6to4 relay server on the WAN received tunneled IPv6 packet
step 3. Verify return IPv6 UDP traffic is forwarded back from relay server
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 5.2: Mixed scenario with relay to native IPv6
https://tools.ietf.org/html/rfc3056#section-5.2
| Test |
Name |
Synopsis |
Verify IPv4 src address of tunneled 6to4 packets matches WAN IPv4 address |
ipv6_6to4_12 |
Verify IPv4 src address of tunneled 6to4 packets matches WAN IPv4 address |
step 1. Forward IPv6 UDP to remoteHostv6 address on non-6to4 network
step 2. Verify 6to4 relay server on the WAN received tunneled IPv6 packet
step 3. Verify IPv4 src address of tunneled IPv6 traffic matches WAN
IPv4 address
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 5.2: Mixed scenario with relay to native IPv6
https://tools.ietf.org/html/rfc3056#section-5.2
| Test |
Name |
Synopsis |
Verify encapsulating IPv4 header for 6to4 has the DF flag set correctly |
ipv6_6to4_13 |
Verify encapsulating IPv4 header for 6to4 has the DF flag set correctly |
step 1. Forward IPv6 UDP to remoteHostv6 address
step 2. Verify 6to4 relay server on the WAN received tunneled IPv6 packet
step 3. Verify 'do not fragment' flag is set correctly on IPv4
header based on the value of ipv6TunnelMtuType
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 4: Maximum Transmission Unit
https://tools.ietf.org/html/rfc3056#section-4
IETF RFC 4213 "Basic Transition Mechanisms for IPv6 Hosts and Routers" Section 3.2: Tunnel MTU and Fragmentation
https://tools.ietf.org/html/rfc4213#section-3.2
| Test |
Name |
Synopsis |
Verify DUT handles incoming 6to4 fragmented packets |
ipv6_6to4_14 |
Verify DUT handles incoming 6to4 fragmented packets |
step 1. Configure 6to4 Relay server to use an IPv4 MTU of 252
step 2. Forward IPv6 UDP to remoteHostv6 address with 1000 bytes of UDP data
step 3. Verify 6to4 relay server on the WAN received tunneled IPv6 packet
step 4. Send same UDP data back through 6to4 relay server
step 5. 6to4 relay server will fragment the IPv4 packet
step 6. Verify UDP data is sent to original IPv6 LAN client
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 4: Maximum Transmission Unit
https://tools.ietf.org/html/rfc3056#section-4
| Test |
Name |
Synopsis |
Verify IPv6 Router Advertisements announce new 6to4 prefix when IPv4 WAN changes |
ipv6_6to4_100 |
Verify IPv6 Router Advertisements announce new 6to4 prefix when IPv4 WAN changes |
step 1. Bring down WAN link
step 2. Bring up WAN link with new external IP address
step 3. Listen for IPv6 RA from DUT
step 4. Verify RA contains 6to4 prefix based on new public WAN IP
step 5. Verify 6to4 prefix contains a valid lifetime
step 6. Bring down WAN link
step 7. Bring up WAN link with new original IP address
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
| Test |
Name |
Synopsis |
Verify DUT updates global IPv6 address after IPv4 WAN change |
ipv6_6to4_101 |
Verify DUT updates global IPv6 address after IPv4 WAN change |
step 1. Bring down WAN link
step 2. Bring up WAN link with new external IPv4 address
step 3. Listen for IPv6 RA from DUT
step 4. Verify RA contains 6to4 prefix based on new public WAN IPv4
step 5. Verify 6to4 prefix contains a valid lifetime
step 6. Ping DUT's new IPv6 global address
step 7. Verify IPv6 ping response
step 8. Bring down WAN link
step 9. Bring up WAN link with new original IPv4 address
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
| Test |
Name |
Synopsis |
Verify DUT forwards tunneled IPv6 traffic after IPv4 WAN change |
ipv6_6to4_102 |
Verify DUT forwards tunneled IPv6 traffic after IPv4 WAN change |
step 1. Bring down WAN link
step 2. Bring up WAN link with new external IPv4 address
step 3. Listen for IPv6 RA from DUT
step 4. Verify RA contains 6to4 prefix based on new public WAN IPv4
step 5. Verify 6to4 prefix contains a valid lifetime
step 6. Forward IPv6 traffic from LAN to remoteHostv6
step 7. Verify traffic is forwarded and src IPv4 of tunneled packets matched new IPv4 address
step 8. Bring down WAN link
step 9. Bring up WAN link with new original IPv4 address
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
| Test |
Name |
Synopsis |
Verify IPv6 router advertisements age out 6to4 prefix when IPv4 WAN link is down |
ipv6_6to4_103 |
Verify IPv6 router advertisements age out 6to4 prefix when IPv4 WAN link is down |
step 1. Bring down WAN link
step 2. Listen for IPv6 RA from DUT
step 3. Verify either the RA does not contain previous 6to4 prefix
or the advertised 6to4 prefix preferred lifetime is now 0
step 4. Bring up WAN link
step 5. Listen for IPv6 RA from DUT
step 6. Verify the RA contains the expected 6to4 prefix
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds"
https://tools.ietf.org/html/rfc3056
| Test |
Name |
Synopsis |
Verify LAN side DHCPv6 client address contains a 6to4 prefix based on IPv4 WAN |
ipv6_6to4_150 |
Verify LAN side DHCPv6 client address contains a 6to4 prefix based on IPv4 WAN |
step 1. Check existing DHCPv6 bindings on the LAN side of the CPE
step 2. Verify whether or not a non-temporary address binding exists
step 3. Verify that the non-temporary address on the LAN contains
a 6to4 prefix based on public IPv4 WAN
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
| Test |
Name |
Synopsis |
Verify LAN side DHCPv6 client address contains a 6to4 prefix which includes SLA ID |
ipv6_6to4_160 |
Verify LAN side DHCPv6 client address contains a 6to4 prefix which includes SLA ID |
step 1. Check existing DHCPv6 bindings on the LAN side of the CPE
step 2. Verify whether or not a non-temporary address binding exists
step 3. Verify that the non-temporary address on the LAN contains
a 6to4 prefix which includes the expected SLA ID
RFC 3056 defines a 16 bit "SLA ID" field for subnetting. Most
DUT's allow the SLA ID to be arbitrarily configured. This test
verifies that the DUT uses the expected SLA ID. The expected SLA
can be configured using the testvar "ipv6LanSubnetId" which must
be a hex string with four or less characters. Examples:
testvar ipv6LanSubnetId ffff
testvar ipv6LanSubnetId 1
References:
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
6rd.tcl
6rd tunnel tests for connecting IPv6 hosts over IPv4 networks
| Test |
Name |
Synopsis |
Verify IPv6 Router Advertisements include 6rd prefix based on IPv4 WAN |
ipv6_6rd_1 |
Verify IPv6 Router Advertisements include 6rd prefix based on IPv4 WAN |
step 1. Listen for IPv6 RA from DUT
step 2. Verify RA contains 6rd prefix based on public IPv4 WAN
step 3. Verify 6rd prefix contains a valid lifetime
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify DUT assigns itself a global address on the LAN side 6rd network |
ipv6_6rd_2 |
Verify DUT assigns itself a global address on the LAN side 6rd network |
step 1. Determine the DUT's LAN side IPv6 global address based
step 2. Send ICMPv6 Echo Request to the DUT's global IPv6 address
step 3. Verify ICMPv6 Echo Response is received from the global IPv6 address
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify IPv6 Router Advertisements include subnet ID |
ipv6_6rd_3 |
Verify IPv6 Router Advertisements include subnet ID |
step 1. Listen for IPv6 RA from DUT
step 2. Verify RA contains 6rd prefix based on public IPv4 WAN
step 3. Verify advertised 6rd prefix includes the expected subnet ID
Note: The expected subnet ID bits can be configured using the testvar
ipv6LanSubnetId. The ipv6LanSubnetId testvar is a variable length string
of hex characters. Examples:
testvar ipv6LanSubnetId ffff
testvar ipv6LanSubnetId 1
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify packets to 6rd addresses are tunneled directly to IPv4 address |
ipv6_6rd_10 |
Verify packets to 6rd addresses are tunneled directly to IPv4 address |
step 1. Forward IPv6 UDP to IPv6 address on 6rd network that maps to
new WAN side IPv4 gateway based on testvar wanIspNextIp
step 2. Verify new gateway on the WAN receives tunneled IPv6 packet
step 3. Verify return IPv6 UDP traffic is forwarded back from new IPv4 gateway
IPv6 communication between customer sites of a same ISP is direct
across the ISP IPv4 infrastructure: when a CPE sees that the IPv6
destination address of an outgoing packet starts with its own 6rd
relay ISPv6 prefix, it takes the 32 bits that follow this prefix as
IPv4 destination of the encapsulating packet.
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify packets to non 6rd addresses are tunneled to 6rd relay server |
ipv6_6rd_11 |
Verify packets to non 6rd addresses are tunneled to 6rd relay server |
step 1. Forward IPv6 UDP to remoteHostv6 address on non-6rd network
step 2. Verify 6rd relay server on the WAN received tunneled IPv6 packet
step 3. Verify return IPv6 UDP traffic is forwarded back from relay server
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify IPv4 src address of tunneled 6rd packets matches WAN IPv4 address |
ipv6_6rd_12 |
Verify IPv4 src address of tunneled 6rd packets matches WAN IPv4 address |
step 1. Forward IPv6 UDP to remoteHostv6 address on non-6rd network
step 2. Verify 6rd relay server on the WAN received tunneled IPv6 packet
step 3. Verify IPv4 src address of tunneled IPv6 traffic matches WAN
IPv4 address
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify encapsulating IPv4 header for 6rd has the DF flag set correctly |
ipv6_6rd_13 |
Verify encapsulating IPv4 header for 6rd has the DF flag set correctly |
step 1. Forward IPv6 UDP to remoteHostv6 address
step 2. Verify 6rd relay server on the WAN received tunneled IPv6 packet
step 3. Verify 'do not fragment' flag is set correctly on IPv4
header based on the value of ipv6TunnelMtuType
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 4: Maximum Transmission Unit
https://tools.ietf.org/html/rfc3056#section-4
IETF RFC 4213 "Basic Transition Mechanisms for IPv6 Hosts and Routers" Section 3.2: Tunnel MTU and Fragmentation
https://tools.ietf.org/html/rfc4213#section-3.2
| Test |
Name |
Synopsis |
Verify DUT handles incoming 6rd fragmented packets |
ipv6_6rd_14 |
Verify DUT handles incoming 6rd fragmented packets |
step 1. Configure 6rd Relay server to use an IPv4 MTU of 252
step 2. Forward IPv6 UDP to remoteHostv6 address with 1000 bytes of UDP data
step 3. Verify 6rd relay server on the WAN received tunneled IPv6 packet
step 4. Send same UDP data back through 6rd relay server
step 5. 6rd relay server will fragment the IPv4 packet
step 6. Verify UDP data is sent to original IPv6 LAN client
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify IPv6 Router Advertisements announce new 6rd prefix when IPv4 WAN changes |
ipv6_6rd_100 |
Verify IPv6 Router Advertisements announce new 6rd prefix when IPv4 WAN changes |
step 1. Bring down WAN link
step 2. Bring up WAN link with new external IP address
step 3. Listen for IPv6 RA from DUT
step 4. Verify RA contains 6rd prefix based on new public WAN IP
step 5. Verify 6rd prefix contains a valid lifetime
step 6. Bring down WAN link
step 7. Bring up WAN link with new original IP address
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify DUT updates global IPv6 address after IPv4 WAN change |
ipv6_6rd_101 |
Verify DUT updates global IPv6 address after IPv4 WAN change |
step 1. Bring down WAN link
step 2. Bring up WAN link with new external IPv4 address
step 3. Listen for IPv6 RA from DUT
step 4. Verify RA contains 6rd prefix based on new public WAN IPv4
step 5. Verify 6rd prefix contains a valid lifetime
step 6. Ping DUT's new IPv6 global address
step 7. Verify IPv6 ping response
step 8. Bring down WAN link
step 9. Bring up WAN link with new original IPv4 address
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify DUT forwards tunneled IPv6 traffic after IPv4 WAN change |
ipv6_6rd_102 |
Verify DUT forwards tunneled IPv6 traffic after IPv4 WAN change |
step 1. Bring down WAN link
step 2. Bring up WAN link with new external IPv4 address
step 3. Listen for IPv6 RA from DUT
step 4. Verify RA contains 6rd prefix based on new public WAN IPv4
step 5. Verify 6rd prefix contains a valid lifetime
step 6. Forward IPv6 traffic from LAN to remoteHostv6
step 7. Verify traffic is forwarded and src IPv4 of tunneled packets matched new IPv4 address
step 8. Bring down WAN link
step 9. Bring up WAN link with new original IPv4 address
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify IPv6 router advertisements age out 6rd prefix when IPv4 WAN link is down |
ipv6_6rd_103 |
Verify IPv6 router advertisements age out 6rd prefix when IPv4 WAN link is down |
step 1. Bring down WAN link
step 2. Listen for IPv6 RA from DUT
step 3. Verify either the RA does not contain previous 6rd prefix
or the advertised 6rd prefix preferred lifetime is now 0
step 4. Bring up WAN link
step 5. Listen for IPv6 RA from DUT
step 6. Verify the RA contains the expected 6rd prefix
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify LAN side DHCPv6 client address contains a 6rd prefix based on IPv4 WAN |
ipv6_6rd_150 |
Verify LAN side DHCPv6 client address contains a 6rd prefix based on IPv4 WAN |
step 1. Check existing DHCPv6 bindings on the LAN side of the CPE
step 2. Verify whether or not a non-temporary address binding exists
step 3. Verify that the non-temporary address on the LAN contains
a 6rd prefix based on public IPv4 WAN
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
| Test |
Name |
Synopsis |
Verify LAN side DHCPv6 client address contains a 6rd prefix which includes SLA ID |
ipv6_6rd_160 |
Verify LAN side DHCPv6 client address contains a 6rd prefix which includes SLA ID |
step 1. Check existing DHCPv6 bindings on the LAN side of the CPE
step 2. Verify whether or not a non-temporary address binding exists
step 3. Verify that the non-temporary address on the LAN contains
a 6rd prefix which includes the expected SLA ID
RFC 3056 defines a 16 bit "SLA ID" field for subnetting. Most
DUT's allow the SLA ID to be arbitrarily configured. This test
verifies that the DUT uses the expected SLA ID. The expected SLA
can be configured using the testvar "ipv6LanSubnetId" which must
be a hex string with four or less characters. Examples:
testvar ipv6LanSubnetId ffff
testvar ipv6LanSubnetId 1
References:
IETF RFC 5969 "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"
https://tools.ietf.org/html/rfc5969
IETF RFC 3056 "Connection of IPv6 Domains via IPv4 Clouds" Section 2: IPv6 Prefix Allocation
https://tools.ietf.org/html/rfc3056#section-2
icmp-v6.tcl
ICMPv6 tests for baseline ICMPv6 not including Neighbor Discovery
| Test |
Name |
Synopsis |
Verify ICMPv6 Echo Requests work through DUT |
icmpv6_1 |
Verify ICMPv6 Echo Requests work through DUT |
step 1. Initiate an outbound ICMPv6 Echo Request to a WAN IPv6 destination
step 2. Verify ICMPv6 Echo Reply is received
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify ICMPv6 Echo Requests from multiple LAN clients work through DUT |
icmpv6_2 |
Verify ICMPv6 Echo Requests from multiple LAN clients work through DUT |
step 1. Configure additional lan host
step 2. Initiate an outbound ICMPv6 Echo Request to a WAN destination from host 1
step 3. Verify ICMPv6 Echo Reply is received
step 4. Initiate an outbound ICMPv6 Echo Request to a WAN destination from host 2
step 5. Verify ICMPv6 Echo Reply is received
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT responds to ICMPv6 Echo Requests to its global IPv6 address from LAN |
icmpv6_3 |
Verify DUT responds to ICMPv6 Echo Requests to its global IPv6 address from LAN |
step 1. Initiate an outbound ICMPv6 Echo Request to the DUT's global IPv6 address
step 2. Verify ICMPv6 Echo Reply is received
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT responds to ICMPv6 Echo Requests to its link-local address |
icmpv6_4 |
Verify DUT responds to ICMPv6 Echo Requests to its link-local address |
step 1. Initiate an outbound ICMPv6 Echo Request to the router's LAN side link-local address
step 2. Verify ICMPv6 Echo Reply is received
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify ICMPv6 Echo Requests to DUT's global IPv6 address behave as expected |
icmpv6_5 |
Verify ICMPv6 Echo Requests to DUT’s global IPv6 address behave as expected |
step 1. Determine expected DUT global address
step 2. Initiate an outbound ICMPv6 Echo Request to the DUT's global address from the LAN
step 3. Verify response is received
step 4. Initiate an inbound ICMPv6 Echo Request to the DUT's global address from the WAN
step 5. Verify the device behaves as expected.
NOTE: the testvar ipv6WanPingRespond is used to determine if pinging the
WAN-side of the DUT is expected to work or not. It defaults to "no"
which signifies that the device will not respond to IPv6 pings on its
WAN interface.
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT responds to ICMPv6 Echo Requests sent to the All-Routers multicast group |
icmpv6_6 |
Verify DUT responds to ICMPv6 Echo Requests sent to the All-Routers multicast group |
step 1. Initiate an outbound ICMPv6 Ping to ff02::2 from the link-local IPv6 address
step 2. Verify ICMPv6 Echo Reply is received
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT responds to ICMPv6 Echo Requests to the All-Routers group from a global prefix |
icmpv6_7 |
Verify DUT responds to ICMPv6 Echo Requests to the All-Routers group from a global prefix |
step 1. Initiate an outbound ICMPv6 Ping to ff02::2 from the global-prefix
step 2. Verify ICMPv6 Echo Reply is received
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT responds to ICMPv6 Echo Requests sent to the All-Nodes group from a link-local address |
icmpv6_8 |
Verify DUT responds to ICMPv6 Echo Requests sent to the All-Nodes group from a link-local address |
step 1. Send an ICMPv6 Echo Request from the LAN to the All-Nodes Multicast group (ff02::1)
step 2. Wait for an ICMPv6 Echo Response
step 3. Verify the Echo Response is from the DUT
step 4. Continue waiting until the DUT responds, or timeout
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT responds to ICMPv6 Echo Requests to the All-Nodes group from a global IPv6 address |
icmpv6_9 |
Verify DUT responds to ICMPv6 Echo Requests to the All-Nodes group from a global IPv6 address |
step 1. Send an ICMPv6 Echo Request from the LAN to the All-Nodes Multicast group (ff02::1)
step 2. Wait for an ICMPv6 Echo Response
step 3. Verify the Echo Response is from the DUT
step 4. Continue waiting until the DUT responds, or timeout
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify ICMPv6 Time Exceeded packet is sent when incoming Hop Limit is 0 or 1 on LAN |
icmpv6_10 |
Verify ICMPv6 Time Exceeded packet is sent when incoming Hop Limit is 0 or 1 on LAN |
step 1. Set the IPv6 Hop Limit of outbound packets on the LAN to 0
step 2. Forward an IPv6 packet from a LAN client to the IPv6 WAN remote host
step 3. Verify that the DUT does not forward the IPv6 packet to the IPv6 WAN
remote host
step 4. Verify that the DUT sends an ICMPv6 Time Exceeded packet to the LAN
client
step 5. Verify the ICMPv6 Time Exceeded packet contains the IPv6 header of
the original packet
step 6. Repeat steps 1 through 4 using an IPv6 Hop Limit of 1
Note: This test is similar to icmpv6_32. The primary difference is that
icmpv6_32 verifies that the DUT sends an ICMPv6 Time Exceeded when it
receives a packet with a Hop Limit of 0 or 1 on the WAN side while this test
verifies that the DUT sends an ICMPv6 Time Exceeded when it receives a
packet with a Hop Limit of 0 or 1 on the LAN side.
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification" Section 3.3: Time Exceeded Message
If a router receives a packet with a Hop Limit of zero, or if a
router decrements a packet's Hop Limit to zero, it MUST discard the
packet and originate an ICMPv6 Time Exceeded message with Code 0 to
the source of the packet. This indicates either a routing loop or
too small an initial Hop Limit value.
https://tools.ietf.org/html/rfc4443#section-3.3
| Test |
Name |
Synopsis |
Verify DUT forwards inbound ICMPv6 Time Exceeded |
icmpv6_11 |
Verify DUT forwards inbound ICMPv6 Time Exceeded |
step 1. Forward a UDP packet from a LAN client to the WAN
step 2. Verify packet is received on WAN side
step 3. Send ICMPv6 Time Exceeded packet with original UDP packet as data
step 4. Verify ICMPv6 Time Exceeded packet is received by LAN host
step 5. Verify the contents of the original IP packet included
in the ICMPv6 Time Exceeded packet
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT forwards inbound ICMPv6 Destination Unreachable |
icmpv6_12 |
Verify DUT forwards inbound ICMPv6 Destination Unreachable |
step 1. Forward a UDP packet from a LAN client to the WAN
step 2. Verify packet is received on WAN side
step 3. Send ICMPv6 Destination Unreachable packet with original UDP packet as data
step 4. Verify ICMPv6 Destination Unreachable is received by LAN host
step 5. Verify the contents of the original IPv6 packet included
in the ICMPv6 Destination Unreachable packet
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT forwards inbound ICMPv6 Packet Too Big messages |
icmpv6_13 |
Verify DUT forwards inbound ICMPv6 Packet Too Big messages |
step 1. Forward a UDP packet from a LAN client to the WAN
step 2. Verify packet is received on WAN side
step 3. Send ICMPv6 Packet Too Big packet with MTU size 1280
step 4. Verify ICMPv6 Packet Too Big is received by LAN host
step 5. Verify the received MTU in Packet Too Big message is unchanged
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT forwards inbound ICMPv6 Parameter Problem |
icmpv6_14 |
Verify DUT forwards inbound ICMPv6 Parameter Problem |
step 1. Forward a UDP packet from a LAN client to the WAN
step 2. Verify packet is received on WAN side
step 3. Send ICMPv6 Parameter Problem packet with pointer value of 40
step 4. Verify ICMPv6 Parameter Problem is received by LAN host
step 5. Verify the pointer value is unchanged
step 6. Verify the contents of the include IPv6 packet in the ICMPv6 packet
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"
https://tools.ietf.org/html/rfc4443
| Test |
Name |
Synopsis |
Verify DUT supports Path MTU Discovery over WAN interface |
icmpv6_20 |
Verify DUT supports Path MTU Discovery over WAN interface |
step 1. Send 1500 byte UDP packet
step 2. Check for an ICMPv6 Packet Too Big packet with code = 0
step 3. Repeat process 2 more times until an ICMPv6 Packet Too Big
is received, or all 3 packets are sent
step 4. If an ICMPv6 Packet Too Big packet was sent, verify that
the code value is 0 and verify the MTU value in the ICMP header
step 5. Reduce the UDP packet size by 1 byte and repeat the process
until no ICMPv6 Packet Too Big packet is sent
step 6. When a packet size is found that does not generate an
ICMPv6 Packet Too Big message,verify packets can be
forwarded using this packet size
step 7. Verify the final MTU size is the same as the MTU size
reported in the ICMPv6 Packet Too Big packet
NOTE: This test starts with an initial MTU of 1500. If the WAN interface
already supports this MTU (DHCP), then this test will pass without
exercising the real part of Path MTU Discovery.
NOTE: Some devices rate limit the number of ICMP packets that may be
sent. This test will send 3 UDP packets over a 15 second window
in order to generate an ICMP Packet Too Big packet. If the
router under test uses rate limiting on ICMP packets, it must allow
at least one ICMP packet every 10 seconds.
References:
IETF RFC 1981 "Path MTU Discovery for IP version 6"
https://tools.ietf.org/html/rfc1981
| Test |
Name |
Synopsis |
Verify Path MTU value is consistent with Router Advertisement MTU value |
icmpv6_30 |
Verify Path MTU value is consistent with Router Advertisement MTU value |
step 1. Send a Router Solicitation from LAN side
step 2. Verify a Router Advertisement with an MTU option is
received on LAN side
step 3. Send 1500 byte UDP packet
step 4. Check for an ICMPv6 Packet Too Big packet
step 5. Repeat process 2 more times until an ICMPv6 Packet Too Big
is received, or all 3 packets are sent
step 6. If an ICMPv6 Packet Too Big packet was sent, verify that
the MTU value is less than or equal to the MTU option
contained in the Router Advertisement.
step 7. Reduce the UDP packet size by 1 byte and repeat the process
until no ICMPv6 Packet Too Big packet is sent
step 8. Verify the final MTU size is less than or equal to the MTU
option contained in the Router Advertisement.
NOTE: This test starts with an initial MTU of 1500. If the WAN interface
already supports this MTU (DHCP), then this test will pass without
exercising the real part of Path MTU Discovery.
NOTE: Some devices rate limit the number of ICMP packets that may be
sent. This test will send 3 UDP packets over a 15 second window
in order to generate an ICMP Packet Too Big packet. If the
router under test uses rate limiting on ICMP packets, it must allow
at least one ICMP packet every 10 seconds.
References:
IETF RFC 1981 "Path MTU Discovery for IP version 6"
https://tools.ietf.org/html/rfc1981
| Test |
Name |
Synopsis |
Verify Packet Too Big messages as IPv6 WAN MTU changes |
icmpv6_31 |
Verify Packet Too Big messages as IPv6 WAN MTU changes |
step 1. Send an ICMPv6 Router Advertisement on the WAN containing the
current WAN IPv6 MTU.
step 2. Send a UDP packet equal to the current WAN IPv6 MTU from a LAN
client to a WAN server.
step 3. Verify an ICMPv6 Packet Too Big message is not sent.
step 4. Repeat steps 2-3 two more times.
step 5. Send a UDP packet greater than the current WAN IPv6 MTU from a LAN
client to a WAN server; if the LAN MTU is too small to permit this
packet to be sent, a warning will be generated.
step 6. Verify an ICMPv6 Packet Too Big message is sent and includes the
current WAN IPv6 MTU.
step 7. Repeat steps 5-6 two more times.
step 8. Repeat steps 1-7, decrementing the current WAN IPv6 MTU by 20 on
each iteration until the WAN IPv6 MTU falls below the minimum IPv6
link MTU of 1280.
NOTE: Some devices rate limit the number of ICMP packets that may be
sent. This test will send 3 UDP packets over a 15 second window
in order to generate an ICMP Packet Too Big packet. If the
router under test uses rate limiting on ICMP packets, it must allow
at least one ICMP packet every 10 seconds.
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification" Section 3.2: Packet Too Big Message
https://tools.ietf.org/html/rfc4443#section-3.2
IETF RFC 4861 "Neighbor Discovery for IP version 6 (IPv6)" Section 6.3.4: Processing Received Router Advertisements
https://tools.ietf.org/html/rfc4861#section-6.3.4
| Test |
Name |
Synopsis |
Verify ICMPv6 Time Exceeded packet is sent when incoming Hop Limit is 0 or 1 on WAN |
icmpv6_32 |
Verify ICMPv6 Time Exceeded packet is sent when incoming Hop Limit is 0 or 1 on WAN |
step 1. Set the IPv6 Hop Limit on the IPv6 WAN remote host to 0
step 2. Forward an IPv6 packet from a LAN client to the IPv6 WAN remote host
step 3. Send response from the IPv6 WAN remote host to the LAN client with
an IPv6 Hop Limit of 0
step 4. Verify that the DUT sends an ICMPv6 Time Exceeded packet to the IPv6
WAN remote host
step 5. Verify the ICMPv6 Time Exceeded packet contains the IPv6 header of
the original packet
step 6. Repeat steps 1 through 5 using an IPv6 Hop Limit of 1
Note: This test is similar to icmpv6_10. The primary difference is that
icmpv6_10 verifies that the DUT sends an ICMPv6 Time Exceeded when it
receives a packet with a Hop Limit of 0 or 1 on the LAN side while this test
verifies that the DUT sends an ICMPv6 Time Exceeded when it receives a
packet with a Hop Limit of 0 or 1 on the WAN side.
References:
IETF RFC 4443 "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification" Section 3.3: Time Exceeded Message
If a router receives a packet with a Hop Limit of zero, or if a
router decrements a packet's Hop Limit to zero, it MUST discard the
packet and originate an ICMPv6 Time Exceeded message with Code 0 to
the source of the packet. This indicates either a routing loop or
too small an initial Hop Limit value.
https://tools.ietf.org/html/rfc4443#section-3.3
| Test |
Name |
Synopsis |
Verify DUT responds to ICMPv6 Echo Request with Hop Limit of 0 on the LAN |
icmpv6_33 |
Verify DUT responds to ICMPv6 Echo Request with Hop Limit of 0 on the LAN |
step 1. Determine expected DUT global address
step 2. Initiate an inbound ICMPv6 Echo Request to the DUT's global address
from the LAN with Hop Limit of 0
step 3. Verify the device responds to the ICMPv6 Echo Request
References:
IETF RFC 8200 "Internet Protocol, Version 6 (IPv6) Specification" Section 3: IPv6 Header Format
When forwarding, the packet is discarded if Hop Limit was zero
when received or is decremented to zero. A node that is the
destination of a packet should not discard a packet with Hop Limit
equal to zero; it should process the packet normally.
https://tools.ietf.org/html/rfc8200#section-3
| Test |
Name |
Synopsis |
Verify DUT responds to ICMPv6 Echo Request with Hop Limit of 0 on the WAN |
icmpv6_34 |
Verify DUT responds to ICMPv6 Echo Request with Hop Limit of 0 on the WAN |
step 1. Determine expected DUT global address
step 2. Initiate an inbound ICMPv6 Echo Request to the DUT's global address
from the WAN with Hop Limit of 0
step 3. Verify the device behaves as expected
Note: the testvar ipv6WanPingRespond is used to determine if pinging the WAN
side of the DUT is expected to work or not. It defaults to "no" which
signifies that the device will not respond to IPv6 pings on its WAN
interface.
References:
IETF RFC 8200 "Internet Protocol, Version 6 (IPv6) Specification" Section 3: IPv6 Header Format
When forwarding, the packet is discarded if Hop Limit was zero
when received or is decremented to zero. A node that is the
destination of a packet should not discard a packet with Hop Limit
equal to zero; it should process the packet normally.
https://tools.ietf.org/html/rfc8200#section-3
firewall-v6.tcl
IPv6 Firewall tests including port scans
| Test |
Name |
Synopsis |
Inbound TCP connections to public side HTTP port are blocked |
ipv6_firewall_1 |
Inbound TCP connections to public side HTTP port are blocked |
step 1. Initiate a WAN TCP connection to the DUT's global IPv6 address management port
step 2. Verify the connection is not established
NOTE: The value of the DUT's IPv6 address management port is taken
from the default insecure management port defined as the
first port in the value of testvar dutMgmtPort. Please read
the documentation for dutMgmtPort for more information about
the default insecure management port concept and its usage.
| Test |
Name |
Synopsis |
Inbound TCP connections to LAN hosts are blocked |
ipv6_firewall_2 |
Inbound TCP connections to LAN hosts are blocked |
step 1. Initiate a WAN TCP connection to a LAN client address
step 2. Verify that the TCP connection is not established and that the DUT
drops the initial TCP Syn packet
| Test |
Name |
Synopsis |
TCP port scan the LAN Client from WAN to verify the DUT does not forward unsolicited packets |
ipv6_firewall_100 |
TCP port scan the LAN Client from WAN to verify the DUT does not forward unsolicited packets |
step 1. Send TCP SYN packets from WAN to each port of the LAN Client in the port scan range
step 2. Verify that each packet is not forwarded to the LAN IPv6 Client,
unless the port is configured as open.
NOTE: The speed of the scan can be adjusted using the 'portScanDelay'
testvar. By default, it is set to 1. The value indicates the number of
milliseconds to wait in between the sending of each packet:
testvar portScanDelay 100
NOTE: The list of closed and open ports can be configured using the
'ipv6FirewallTcpClosedPorts' and 'ipv6FirewallTcpOpenPorts' testvars:
testvar ipv6FirewallTcpClosedPorts "2323"
testvar ipv6FirewallTcpOpenPorts "22 443"
| Test |
Name |
Synopsis |
UDP port scan the LAN Client from WAN to verify the DUT does not forward unsolicited packets |
ipv6_firewall_101 |
UDP port scan the LAN Client from WAN to verify the DUT does not forward unsolicited packets |
step 1. Send UDP packets from WAN to each port of the LAN Client in the port scan range
step 2. Verify that each packet is not forwarded to the LAN IPv6 Client,
unless the port is configured as open.
NOTE: The speed of the scan can be adjusted using the 'portScanDelay'
testvar. By default, it is set to 1. The value indicates the number of
milliseconds to wait in between the sending of each packet:
testvar portScanDelay 100
NOTE: The list of closed and open ports can be configured using the
'ipv6FirewallTcpClosedPorts' and 'ipv6FirewallTcpOpenPorts' testvars:
testvar ipv6FirewallUdpClosedPorts "2323"
testvar ipv6FirewallUdpOpenPorts "22 443"
| Test |
Name |
Synopsis |
TCP fragmentation port scan test to verify the DUT does not forward unsolicited packets |
ipv6_firewall_110 |
TCP fragmentation port scan test to verify the DUT does not forward unsolicited packets |
step 1. Set the IPv6 fragmentation size to 56 bytes
step 2. Send TCP SYN packets from WAN to each port in the port scan range
of the LAN Client
step 3. Verify packets are not forwarded to LAN Client
step 4. Verify the router does not accept the TCP connection or
send a RST for the TCP connection unless the port has
been configured as an open or closed port
step 5. Do not flag ports that have port forwarding configured
NOTE: The speed of the scan can be adjusted using the 'portScanDelay'
testvar. By default, it is set to 1. The value indicates the number of
milliseconds to wait in between the sending of each packet:
testvar portScanDelay 100
NOTE: The list of closed and open ports can be configured using the
'firewallTcpClosedPorts' and 'firewallTclOpenPorts' testvars:
testvar ipv6FirewallTcpClosedPorts "2323"
testvar ipv6FirewallTcpOpenPorts "22 443"
| Test |
Name |
Synopsis |
Verify firewall blocks/accepts piggyback TCP SYN connections from WAN |
ipv6_firewall_301 |
Verify firewall blocks/accepts piggyback TCP SYN connections from WAN |
step 1. Send a TCP SYN from LAN host to IP address on WAN
step 2. Send a TCP SYN from the WAN host to the original LAN host
using the same TCP source port
step 3. If the router blocks simultaneous TCP SYNs
(testvar 'natSimultaneousTcp' is set to no), verify the TCP
SYN from the WAN is dropped
OR
If the router supports simultaneous TCP SYNs
(testvar 'natSimultaneousTcp' is set to yes), verify the TCP
SYN from the WAN is forwarded to the LAN
step 4. Repeat step 1 using new TCP port numbers
step 5. Send a TCP SYN from the WAN host to the original LAN host
using a new TCP source port
step 6. Verify the TCP SYN from the WAN is dropped
NOTE: This test verifies that the firewall only allows TCP packets
for established TCP sessions. If simultaneous TCP open is supported through
the firewall, this test will verify that TCP SYN packets from the WAN are
forwarded to the LAN. If simultaneous TCP open through the firewall is
not supported, the test will verify that no TCP SYN packets are allowed
from the WAN to the LAN for sessions that have been initiated from the LAN.
NOTE: The testvar natSimultaneousTcp originates from IPv4 concepts. However,
this testvar is used to indicate if this same behavior exists for IPv6.
| Test |
Name |
Synopsis |
Verify outbound packets with forbidden source addresses are not forwarded onto the WAN |
ipv6_firewall_505 |
Verify outbound packets with forbidden source addresses are not forwarded onto the WAN |
step 1. Configure a variety of invalid source addresses for traffic
step 2. Send traffic with these addresses to the WAN
step 3. Verify packets are not forwarded
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.1: Stateless Filters
REC-1: Packets bearing multicast source addresses in their outer IPv6
headers MUST NOT be forwarded or transmitted on any interface.
REC-2: Packets bearing multicast destination addresses in their outer
IPv6 headers of equal or narrower scope (see "IPv6 Scoped Address
Architecture" [RFC4007]) than the configured scope boundary level of
the gateway MUST NOT be forwarded in any direction. The DEFAULT
scope boundary level SHOULD be organization-local scope, and it
SHOULD be configurable by the network administrator.
https://tools.ietf.org/html/rfc6092#section-3.1
| Test |
Name |
Synopsis |
Verify inbound packets with forbidden source addresses are not forwarded onto the LAN |
ipv6_firewall_506 |
Verify inbound packets with forbidden source addresses are not forwarded onto the LAN |
Step 1. Create a new vnode on the RemoteHostv6
Step 2. Send UDP traffic to the LAN with forbidden sources from vnode
Step 3. Verify traffic is not forwarded onto the LAN
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.1: Stateless Filters
REC-1: Packets bearing multicast source addresses in their outer IPv6
headers MUST NOT be forwarded or transmitted on any interface.
REC-2: Packets bearing multicast destination addresses in their outer
IPv6 headers of equal or narrower scope (see "IPv6 Scoped Address
Architecture" [RFC4007]) than the configured scope boundary level of
the gateway MUST NOT be forwarded in any direction. The DEFAULT
scope boundary level SHOULD be organization-local scope, and it
SHOULD be configurable by the network administrator.
https://tools.ietf.org/html/rfc6092#section-3.1
| Test |
Name |
Synopsis |
Verify outbound packets are not forwarded if the source address is not a prefix of the interior network |
ipv6_firewall_508 |
Verify outbound packets are not forwarded if the source address is not a prefix of the interior network |
step 1. Create a new LAN client
step 2. Assign a different global prefix to the LAN
step 3. Send traffic to the WAN from the martian source address
step 4. Verify traffic is not forwarded
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.1: Stateless Filters
REC-5: Outbound packets MUST NOT be forwarded if the source address
in their outer IPv6 header does not have a unicast prefix configured
for use by globally reachable nodes on the interior network.
https://tools.ietf.org/html/rfc6092#section-3.1
| Test |
Name |
Synopsis |
Verify inbound packets are not forwarded if the source address is assigned for use on the interior network |
ipv6_firewall_509 |
Verify inbound packets are not forwarded if the source address is assigned for use on the interior network |
step 1. Create a new stack on the remoteHost
step 2. Assign the stack the same global prefix as is used on the LAN
step 3. Send traffic to the LAN from the remote stack
step 4. Verify traffic is NOT forwarded to the LAN
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.1: Stateless Filters
REC-6: Inbound packets MUST NOT be forwarded if the source address in
their outer IPv6 header has a global unicast prefix assigned for use
by globally reachable nodes on the interior network.
https://tools.ietf.org/html/rfc6092#section-3.1
| Test |
Name |
Synopsis |
Verify outbound packets with link local source addresses are not forwarded to the WAN |
ipv6_firewall_510 |
Verify outbound packets with link local source addresses are not forwarded to the WAN |
step 1. Send traffic from the LAN to the WAN with a link-local source address
step 2. Verify traffic is not forwarded to the WAN
| Test |
Name |
Synopsis |
Verify inbound packets with link local source addresses are not forwarded to the LAN |
ipv6_firewall_511 |
Verify inbound packets with link local source addresses are not forwarded to the LAN |
step 1. Initiate a new UDP session with the device to allow inbound traffic
step 2. Configure a new stack on the WAN with a link-local prefix as the source
step 3. Send traffic from this new stack to the LAN
step 4. Verify traffic is not forwarded to the LAN
| Test |
Name |
Synopsis |
Verify inbound IPv6 DNS queries on the WAN are not processed by DNS proxy |
ipv6_firewall_512 |
Verify inbound IPv6 DNS queries on the WAN are not processed by DNS proxy |
step 1. Initiate an AAAA IPv6 DNS query from the LAN client to the DUT's
global IPv6 address
step 2. Verify that the query is received by either the primary or backup
DNS server on the WAN
step 3. Verify that the DNS response is received by the LAN client
step 4. Initiate an AAAA IPv6 DNS query from a remote host on the WAN to the
DUT's global IPv6 address
step 5. Verify that a DNS response is not received by the remote host on the
WAN that initiated the original request
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.1: Stateless Filters
REC-8: By DEFAULT, inbound DNS queries received on exterior
interfaces MUST NOT be processed by any integrated DNS resolving
server.
https://tools.ietf.org/html/rfc6092#section-3.1
| Test |
Name |
Synopsis |
Verify inbound DHCPv6 discovery packets on the WAN are not processed by DHCPv6 server |
ipv6_firewall_513 |
Verify inbound DHCPv6 discovery packets on the WAN are not processed by DHCPv6 server |
step 1. Start new DHCPv6 client on WAN interface
step 2. Verify new client does not obtain an IPv6 address via DHCPv6 from
the DUT
step 3. Send three pings from LAN to WAN to verify that the DUT is still
operating properly
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.1: Stateless Filters
REC-9: Inbound DHCPv6 discovery packets [RFC3315] received on
exterior interfaces MUST NOT be processed by any integrated DHCPv6
server or relay agent.
https://tools.ietf.org/html/rfc6092#section-3.1
| Test |
Name |
Synopsis |
Verify ICMPv6 Destination Unreachable message from WAN does not destroy UDP firewall state |
ipv6_firewall_540 |
Verify ICMPv6 Destination Unreachable message from WAN does not destroy UDP firewall state |
step 1. Send IPv6 UDP packet from LAN to WAN
step 2. Verify UDP packet is received on the WAN and return an ICMPv6 Destination Unreachable message
step 3. Verify ICMPv6 Destination Unreachable message is received on the LAN
step 4. Send UDP response from WAN to LAN
step 5. Verify UDP response is received on LAN since IPv6 firewall state is still present
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.2.3: UDP Filters
REC-18: If a gateway forwards a UDP flow, it MUST also forward ICMPv6
"Destination Unreachable" and "Packet Too Big" messages containing
UDP headers that match the flow state record.
REC-19: Receipt of any sort of ICMPv6 message MUST NOT terminate the
state record for a UDP flow.
https://tools.ietf.org/html/rfc6092#section-3.2.3
| Test |
Name |
Synopsis |
Verify ICMPv6 Destination Unreachable message from WAN does not destroy TCP firewall state |
ipv6_firewall_541 |
Verify ICMPv6 Destination Unreachable message from WAN does not destroy TCP firewall state |
step 1. Establish TCP connection from LAN to WAN
step 2. Send an ICMPv6 Destination Unreachable message from the WAN for the connection
step 3. Verify ICMPv6 Destination Unreachable message is received on the LAN
step 4. Send TCP data segment from WAN to LAN for the session
step 5. Verify TCP data segment is received on LAN since IPv6 firewall state is still present
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.3.1: TCP Filters
REC-36: If a gateway forwards a TCP flow, it MUST also forward ICMPv6
"Destination Unreachable" and "Packet Too Big" messages containing
TCP headers that match the flow state record.
REC-37: Receipt of any sort of ICMPv6 message MUST NOT terminate the
state record for a TCP flow.
https://tools.ietf.org/html/rfc6092#section-3.3.1
| Test |
Name |
Synopsis |
Verify ICMPv6 Packet Too Big message from WAN does not destroy UDP firewall state |
ipv6_firewall_542 |
Verify ICMPv6 Packet Too Big message from WAN does not destroy UDP firewall state |
step 1. Send IPv6 UDP packet from LAN to WAN
step 2. Verify UDP packet is received on the WAN and return an ICMPv6 Packet Too Big message
step 3. Verify ICMPv6 Too Big message is received on the LAN
step 4. Send UDP response from WAN to LAN
step 5. Verify UDP response is received on LAN since IPv6 firewall state is still present
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.2.3: UDP Filters
REC-18: If a gateway forwards a UDP flow, it MUST also forward ICMPv6
"Destination Unreachable" and "Packet Too Big" messages containing
UDP headers that match the flow state record.
REC-19: Receipt of any sort of ICMPv6 message MUST NOT terminate the
state record for a UDP flow.
https://tools.ietf.org/html/rfc6092#section-3.2.3
| Test |
Name |
Synopsis |
Verify ICMPv6 Packet Too Big message from WAN does not destroy TCP firewall state |
ipv6_firewall_543 |
Verify ICMPv6 Packet Too Big message from WAN does not destroy TCP firewall state |
step 1. Establish TCP connection from LAN to WAN
step 2. Send an ICMPv6 Packet Too Big message from the WAN for the connection
step 3. Verify ICMPv6 Packet Too Big message is received on the LAN
step 4. Send TCP data segment from WAN to LAN for the session
step 5. Verify TCP data segment is received on LAN since IPv6 firewall state is still present
References:
IETF RFC 6092 "Simple Security in IPv6 Gateway CPE" Section 3.3.1: TCP Filters
REC-36: If a gateway forwards a TCP flow, it MUST also forward ICMPv6
"Destination Unreachable" and "Packet Too Big" messages containing
TCP headers that match the flow state record.
REC-37: Receipt of any sort of ICMPv6 message MUST NOT terminate the
state record for a TCP flow.
https://tools.ietf.org/html/rfc6092#section-3.3.1
firewall-out-v6.tcl
IPv6 Firewall tests for limiting outbound access to services
| Test |
Name |
Synopsis |
Verify CPE does not forward outbound TCP packets to ports that have been administratively blocked |
ipv6_firewall_outbound_1 |
Verify CPE does not forward outbound TCP packets to ports that have been administratively blocked |
step 1. Configure the DUT to block outbound access from the LAN to specific
TCP ports
step 2. Send a TCP SYN packet from the LAN to each blocked port
step 3. Verify the DUT does not forward TCP packets to any of the blocked
ports
The ipv6FirewallOutBlockedTcpPorts testvar is used to determine the list of
TCP ports that the DUT has been configured to block access to.
| Test |
Name |
Synopsis |
Verify CPE does not forward outbound UDP packets to ports that have been administratively blocked |
ipv6_firewall_outbound_2 |
Verify CPE does not forward outbound UDP packets to ports that have been administratively blocked |
step 1. Configure the DUT to block outbound access from the LAN to specific
UDP ports
step 2. Send a UDP packet from the LAN to each blocked port
step 3. Verify the DUT does not forward UDP packets to any of the blocked
ports
The ipv6FirewallOutBlockedUdpPorts testvar is used to determine the list of
UDP ports that the DUT has been configured to block access to.
| Test |
Name |
Synopsis |
Verify CPE does not forward outbound IP packets for protocols that have been administratively blocked |
ipv6_firewall_outbound_3 |
Verify CPE does not forward outbound IP packets for protocols that have been administratively blocked |
step 1. Configure the DUT to block outbound access from the LAN to specific
IP Protocol types
step 2. Send an IP packet from the LAN to the WAN for each blocked IP
protocol
step 3. Verify the DUT does not forward any of the blocked IP protocols
The ipv6FirewallOutBlockedIpProtos testvar is used to determine the list of
IP Protocol types that the DUT has been configured to block access to.
apps-v6.tcl
Application tests for IPv6
| Test |
Name |
Synopsis |
Verify IPv6 HTTP session through the router |
ipv6_app_100 |
Verify IPv6 HTTP session through the router |
step 1. Initiate an outbound TCP connection to HTTP server over IPv6
step 2. Verify the TCP connection is established
step 3. Verify the IPv6 source address on the WAN side is the LAN client's address
step 4. Send HTTP GET request to server
step 5. Verify HTTP response is received
step 6. Close TCP connection from LAN side
| Test |
Name |
Synopsis |
Verify IPv6 HTTPS session through the router |
ipv6_app_110 |
Verify IPv6 HTTPS session through the router |
step 1. Initiate an outbound TCP connection to HTTPS server over IPv6
step 2. Verify the TCP connection is established
step 3. Verify the IPv6 source address on the WAN side is the LAN client's address
step 4. Verify the TLS session is established
step 5. Send HTTPS GET request to server
step 6. Verify HTTPS response is received
step 7. Close TCP connection from LAN side
| Test |
Name |
Synopsis |
Verify IPv6 DNS query through the router |
ipv6_app_112 |
Verify IPv6 DNS query through the router |
step 1. Enable a DNS server on the IPv6 remoteHost
step 2. Initiate an AAAA IPv6 DNS query to the IPv6 remoteHost
step 3. Verify the query is received by the correct DNS server
(depends on the value of dnsCaptive) on the WAN side
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case. The DNS relay or proxy must understand IPv6 DNS
type AAAA lookups.
NOTE: If the testvar dnsCaptive is set to yes, the test will expect
DNS queries to be sent to the original WAN side DNS servers and
not the 3rd party DNS server.
References:
IETF RFC 4074 "Common Misbehavior Against DNS Queries for IPv6 Addresses"
https://tools.ietf.org/html/rfc4074
| Test |
Name |
Synopsis |
Verify IPv6 FTP session through the router |
ipv6_app_114 |
Verify IPv6 FTP session through the router |
step 1. Initiate an outbound TCP connection to FTP server port
step 2. Verify the connection is established
step 3. Send the FTP EPRT command using all upper case letters
step 4. Verify router translates EPRT command using router's address
step 5. Initiate inbound TCP connection for FTP data connection
step 6. Verify inbound TCP connection is established
step 7. Close both connections
References:
IETF RFC 2428 "FTP Extensions for IPv6 and NATs"
https://tools.ietf.org/html/rfc2428
| Test |
Name |
Synopsis |
Verify IPv6 SMTP session through the router |
ipv6_app_120 |
Verify IPv6 SMTP session through the router |
step 1. Initiate an outbound TCP connection to SMTP server
step 2. Send email message using SMTP server
step 3. Verify SMTP server correctly receives email message
step 4. Close SMTP session from LAN side
References:
IETF RFC 821 "SIMPLE MAIL TRANSFER PROTOCOL"
https://tools.ietf.org/html/rfc821
| Test |
Name |
Synopsis |
Verify IPv6 POP3 session through the router |
ipv6_app_122 |
Verify IPv6 POP3 session through the router |
step 1. Initiate an outbound TCP connection to POP3 server
step 2. Retreive email messages using POP3 protocol
step 3. Verify POP3 server correctly returns email messages
step 4. Close POP3 session from LAN side
References:
IETF RFC 1939 "Post Office Protocol - Version 3"
https://tools.ietf.org/html/rfc1939
| Test |
Name |
Synopsis |
Verify IPv6 TFTP session through the router |
ipv6_app_124 |
Verify IPv6 TFTP session through the router |
step 1. Startup a TFTP server on the WAN
step 2. Initiate an outbound TFTP connection to TFTP server from LAN
step 3. Send TFTP GET to receive file via TFTP
step 4. Verify TFTP server correctly returns file via TFTP
step 5. Close TFTP session from LAN side
References:
IETF RFC 1350 "THE TFTP PROTOCOL (REVISION 2)"
https://tools.ietf.org/html/rfc1350
| Test |
Name |
Synopsis |
Verify IPv6 NTP session through the router |
ipv6_app_126 |
Verify IPv6 NTP session through the router |
step 1. Initiate an outbound NTP connection to NTP server
step 2. Verify NTP request is sent to the WAN
step 3. Verify NTP response is sent to LAN client
| Test |
Name |
Synopsis |
Verify IPv6 STUN session through the router |
ipv6_app_130 |
Verify IPv6 STUN session through the router |
step 1. Initiate an outbound STUN Binding Request to remoteHost
step 2. Verify STUN Binding Response is received
step 3. Verify the STUN MAPPED-ADDRESS matches the expected global IPv6
address of the STUN client
References:
IETF RFC 3489 "STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)"
https://tools.ietf.org/html/rfc3489
| Test |
Name |
Synopsis |
Verify IPv6 authenticated STUN session through the router |
ipv6_app_131 |
Verify IPv6 authenticated STUN session through the router |
step 1. Configure STUN server and client to use authentication
step 2. Initiate an outbound STUN Binding Request to remoteHost
step 3. STUN server should sent back a 401 Binding Error Response
step 4. STUN client retransmits Binding Request using message-integrity attribute
step 5. Verify STUN Binding Response is received
step 6. Verify the STUN MAPPED-ADDRESS matches the expected global IPv6
address of the STUN client
References:
IETF RFC 3489 "STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)"
https://tools.ietf.org/html/rfc3489
| Test |
Name |
Synopsis |
Verify IPv6 L2GRE session through the router |
ipv6_app_140 |
Verify IPv6 L2GRE session through the router |
step 1. Enable L2GRE endpoint on the LAN client
step 2. Create a new IPv6 address on the WAN for the other L2GRE endpoint
step 3. Initiate an ICMPv6 ping from LAN to WAN using L2GRE tunnel
step 4. Verify the ICMPv6 is successful
References:
IETF RFC 2784 "Generic Routing Encapsulation (GRE)"
https://tools.ietf.org/html/rfc2784
| Test |
Name |
Synopsis |
Verify a Multipath TCP connection can be opened (IPv6) |
ipv6_mptcp_1 |
Verify a Multipath TCP connection can be opened (IPv6) |
step 1. Initiate MPTCP connection from LAN client to WAN server
step 2. Verify MPTCP connection is established
step 3. Verify MPTCP connection attributes on LAN client and
WAN server match
step 4. Close MPTCP connection
References:
IETF RFC 8684 "TCP Extensions for Multipath Operation with Multiple Addresses"
https://tools.ietf.org/html/rfc8684
| Test |
Name |
Synopsis |
Verify a Multipath TCP connection with two subflows can be opened (IPv6) |
ipv6_mptcp_2 |
Verify a Multipath TCP connection with two subflows can be opened (IPv6) |
step 1. Initiate MPTCP connection from LAN client to WAN server
step 2. Verify MPTCP connection is established
step 3. Verify MPTCP connection attributes on LAN client and
WAN server match
step 4. Transmit data on MPTCP connection from LAN client
step 5. Verify data is received by WAN server
step 6. Initiate new MPTCP subflow on MPTCP connection from
step 1
step 7. Verify new MPTCP subflow is established
step 8. Verify MPTCP subflow attributes on LAN client and WAN
server match
step 9. Transmit data on MPTCP connection from LAN client
step 10. Verify data is received by WAN server
step 11. Close MPTCP connection
References:
IETF RFC 8684 "TCP Extensions for Multipath Operation with Multiple Addresses"
https://tools.ietf.org/html/rfc8684
forward-v6.tcl
IPv6 forwarding tests with different packet sizes and directions
| Test |
Name |
Synopsis |
Verify IPv6 Hop Limit is decremented for forwarded packets |
ipv6_forward_1 |
Verify IPv6 Hop Limit is decremented for forwarded packets |
step 1. Forward an IPv6 packet from a LAN client to the WAN
step 2. Verify the Hop Limit of the packet is decremented by 1
NOTE: Decremented by 1 by each node that forwards the packet.
References:
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 3: IPv6 Header Format
https://tools.ietf.org/html/rfc2460#section-3
| Test |
Name |
Synopsis |
Verify IPv6 packet is not forwarded when IPv6 Hop Limit is 1 or 0 |
ipv6_forward_2 |
Verify IPv6 packet is not forwarded when IPv6 Hop Limit is 1 or 0 |
step 1. Set the IPv6 Hop Limit of outbound packets to 1
step 2. Forward an IPv6 packet from a LAN client to the WAN
step 3. Verify the packet is not forwarded
step 4. Repeat the test with a Hop Limit of 0
NOTE: The packet is discarded if Hop Limit is decremented to zero.
References:
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 3: IPv6 Header Format
https://tools.ietf.org/html/rfc2460#section-3
| Test |
Name |
Synopsis |
Verify IPv6 packet can be forwarded back through incoming LAN interface |
ipv6_forward_3 |
Verify IPv6 packet can be forwarded back through incoming LAN interface |
step 1. Forward an IP packet from a LAN client to another LAN client
step 2. Forward packet using router's MAC address
step 3. Verify packet is forwarded back out the LAN interface
NOTE: The router may send an ICMP Redirect back to the originator.
| Test |
Name |
Synopsis |
Forward IPv6 UDP packets with various packet lengths (LAN to WAN) |
ipv6_forward_10 |
Forward IPv6 UDP packets with various packet lengths (LAN to WAN) |
step 1. Initiate an outbound UDP connection with UDP data length of 4
step 2. Verify packets are received on the WAN interface
step 3. Continue forwarding until the maximum unfragmented packet length is reached
NOTE: Some routers will stop forwarding IP traffic while they renew their
WAN side IPv4/IPv6 address. This can cause this test to fail.
NOTE: Some routers allow static configuration of the MTU size. This may
default to 1492 even for routers running DHCP on the WAN side.
NOTE: This test will stop if the number of max failures is reached. This
value may be configured using testvar forwardingMaxFailures. Setting this
value to 0 will test each packet size regardless of the result.
testvar forwardingMaxFailures 20
| Test |
Name |
Synopsis |
Forward IPv6 UDP packets with various packet lengths (WAN to LAN) |
ipv6_forward_11 |
Forward IPv6 UDP packets with various packet lengths (WAN to LAN) |
step 1. Initiate an outbound UDP connection with UDP data length of 4
step 2. Verify packet is received on the WAN interface
step 3. Forward a return packet from the WAN to the LAN
step 4. Verify packets are received on the LAN interface
step 5. Continue forwarding until the maximum unfragmented packet length is reached
NOTE: Some routers will stop forwarding IP traffic while they renew their
WAN side IPv6/IPv6 address. This can cause this test to fail.
NOTE: Some routers allow static configuration of the MTU size. This may
default to 1492 even for routers running DHCP on the WAN side.
NOTE: This test will stop if the number of max failures is reached. This
value may be configured using testvar forwardingMaxFailures. Setting this
value to 0 will test each packet size regardless of the result.
testvar forwardingMaxFailures 20
jumbo-v6.tcl
Jumbo MTU IPv6 forwarding tests with different packet sizes and directions
| Test |
Name |
Synopsis |
Verify IPv6 Hop Limit is decremented for forwarded jumbo MTU packets |
ipv6_jumbo_1 |
Verify IPv6 Hop Limit is decremented for forwarded jumbo MTU packets |
step 1. Forward an IPv6 packet from a LAN client to the WAN that utilizes
the maximum supported jumbo mtu of both interfaces
step 2. Verify the Hop Limit of the packet is decremented by 1
NOTE: Decremented by 1 by each node that forwards the packet.
NOTE: The maximum jumbo packet size is configured using the testvar
jumboMtu.
References:
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 3: Header Format
https://tools.ietf.org/html/rfc2460#section-3
| Test |
Name |
Synopsis |
Verify jumbo MTU IPv6 packet is not forwarded when IPv6 Hop Limit is 1 or 0 |
ipv6_jumbo_2 |
Verify jumbo MTU IPv6 packet is not forwarded when IPv6 Hop Limit is 1 or 0 |
step 1. Set the IPv6 Hop Limit of outbound packets to 1
step 2. Forward an IPv6 packet from a LAN client to the WAN that utilizes
the maximum supported jumbo mtu of both interfaces
step 3. Verify the packet is not forwarded
step 4. Repeat the test with a Hop Limit of 0
NOTE: The packet is discarded if Hop Limit is decremented to zero.
NOTE: The maximum jumbo packet size is configured using the testvar
jumboMtu.
References:
IETF RFC 2460 "Internet Protocol, Version 6 (IPv6) Specification" Section 3: IPv6 Header Format
https://tools.ietf.org/html/rfc2460#section-3
| Test |
Name |
Synopsis |
Verify jumbo MTU IPv6 packet can be forwarded back through incoming LAN interface |
ipv6_jumbo_3 |
Verify jumbo MTU IPv6 packet can be forwarded back through incoming LAN interface |
step 1. Forward an IP packet from a LAN client to another LAN client that
utilizes the maximum supported jumbo mtu of both interfaces
step 2. Forward packet using router's MAC address
step 3. Verify packet is forwarded back out the LAN interface
NOTE: The router may send an ICMP Redirect back to the originator.
NOTE: The maximum jumbo packet size is configured using the testvar
jumboMtu.
| Test |
Name |
Synopsis |
Forward jumbo MTU IPv6 UDP packets with various packet lengths (LAN to WAN) |
ipv6_jumbo_10 |
Forward jumbo MTU IPv6 UDP packets with various packet lengths (LAN to WAN) |
step 1. Initiate an outbound UDP connection with UDP packet that
utilizes the maximum supported standard mtu of both interfaces
step 2. Verify packets are received on the WAN interface
step 3. Continue forwarding until the maximum unfragmented packet length is
reached, i.e. maximum supported jumbo mtu of both interfaces
NOTE: Some routers will stop forwarding IP traffic while they renew their
WAN side IPv4/IPv6 address. This can cause this test to fail.
NOTE: The maximum jumbo packet size is configured using the testvar
jumboMtu.
NOTE: This test will stop if the number of max failures is reached. This
value may be configured using testvar forwardingMaxFailures. Setting this
value to 0 will test each packet size regardless of the result.
testvar forwardingMaxFailures 20
| Test |
Name |
Synopsis |
Forward jumbo MTU IPv6 UDP packets with various packet lengths (WAN to LAN) |
ipv6_jumbo_11 |
Forward jumbo MTU IPv6 UDP packets with various packet lengths (WAN to LAN) |
step 1. Initiate an outbound UDP connection with UDP packet that utilizes
the maximum supported standard mtu of both interfaces
step 2. Verify packet is received on the WAN interface
step 3. Forward a return packet from the WAN to the LAN that utilizes the
maximum supported standard mtu of both interfaces
step 4. Verify packets are received on the LAN interface
step 5. Continue forwarding until the maximum unfragmented packet length is
reached, i.e maximum supported jumbo mtu of both interfaces
NOTE: Some routers will stop forwarding IP traffic while they renew their
WAN side IPv6/IPv6 address. This can cause this test to fail.
NOTE: The maximum jumbo packet size is configured using the testvar
jumboMtu.
NOTE: This test will stop if the number of max failures is reached. This
value may be configured using testvar forwardingMaxFailures. Setting this
value to 0 will test each packet size regardless of the result.
testvar forwardingMaxFailures 20
scaling-v6.tcl
Scaling tests for maximum number of IPv6 clients and connections (TCP, HTTP, etc)
| Test |
Name |
Synopsis |
Verify all IPv6 clients obtain an IPv6 address via autoconf or DHCPv6 and are operational |
ipv6_scale_1 |
Verify all IPv6 clients obtain an IPv6 address via autoconf or DHCPv6 and are operational |
step 1. Determine the size of the LAN IPv6 address pool
step 2. Create a new client for each available address within the pool
step 3. Verify the client obtains an IPv6 address via autoconfiguration or DHCPv6
step 4. Verify there are no address conflicts
step 5. Verify each client can establish an outbound HTTP connection
step 6. Verify each client can send/receive data over the connection
step 7. Close each TCP connection
NOTE: The DHCPv6 address pool size is set in your configuration file using
the 'ipv6DhcpClientStart' and 'ipv6DhcpClientEnd' testvars. One of the addresses
remains in use through the test run for a host on the LAN side. This test
will attempt to create clients for the pool size - 1. If you are using
multiple LAN interfaces, the number of DHCPv6 clients from each interface
will also be subtracted from the DHCPv6 pool size.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration"
https://tools.ietf.org/html/rfc4862
| Test |
Name |
Synopsis |
Verify all IPv6 clients with multiple TCP connections |
ipv6_scale_2 |
Verify all IPv6 clients with multiple TCP connections |
step 1. Determine the size of the IPv6 LAN address pool.
step 2. Create a client for each available IPv6 address for a
total of <num_hosts> clients.
step 3. Verify each client obtains an IPv6 address via autoconf or
DHCPv6.
step 4. Verify there are no address conflicts.
step 5. Determine <num_conns>, the number of TCP connections to
create across all <num_hosts> clients, from the testvar
scaleTcpConns.
step 6. Determine <conns_per_host>, the number of TCP connections
to create for each client by evenly dividing all
<num_conns> connections across all <num_hosts> clients.
step 7. Determine <num_web_servers>, the number of WAN HTTP
servers to create, by selecting the smaller of
<conns_per_host>, the size of the free network range and
a maximum limit of 25 servers.
step 8. Verify all <num_hosts> clients can establish
<conns_per_host> outbound HTTP connections made to
<num_web_servers> WAN HTTP servers on port 80 for a total
of <num_conns> connections; each new connection is made to
a different WAN HTTP server in a round-robin fashion.
step 9. Verify each client can send/receive data over each connection.
step 10. Close each TCP connection.
NOTE: If the deprecated testvar scaleTcpConnsPerHost is not set to
"auto", the value of the scaleTcpConns testvar is ignored and the
this test behaves similarly to how it did prior to CDRouter 13.12
before scaleTcpConns was introduced. Namely, <conns_per_host> is
set to the smaller of scaleTcpConnsPerHost and the size of the
free network range, <num_web_servers> is set to <conns_per_host>,
and <num_conns> is set to <conns_per_host> multiplied by
<num_hosts>. This backwards compatibility functionality will be
removed in a future release. Users should migrate to the
scaleTcpConns testvar as soon as possible by setting
scaleTcpConnsPerHost to the special value "auto" and then setting
scaleTcpConns to the maximum number of TCP connections which
should be created across all clients during the scaling tests.
NOTE: The DHCPv6 address pool size is set in your configuration file using
the 'ipv6DhcpClientStart' and 'ipv6DhcpClientEnd' testvars. One of the addresses
remains in use through the test run for a host on the LAN side. This test
will attempt to create clients for the pool size - 1. If you are using
multiple LAN interfaces, the number of DHCPv6 clients from each interface
will also be subtracted from the DHCPv6 pool size.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration"
https://tools.ietf.org/html/rfc4862
| Test |
Name |
Synopsis |
Verify all IPv6 clients with single UDP connection |
ipv6_scale_3 |
Verify all IPv6 clients with single UDP connection |
step 1. Determine the size of the IPv6 LAN address pool
step 2. Determine the maximum number of UDP connections to create for
each DHCP client
step 3. Create a DHCP client for each available address within the pool
step 4. Verify each client obtains an IP address within the range
step 5. Verify there are no address conflicts
step 6. Verify each client can establish one outbound UDP connection
step 7. Verify each client can send/receive data over each connection
step 8. Release all new DHCP client leases
NOTE: The DHCPv6 address pool size is set in your configuration file using
the 'ipv6DhcpClientStart' and 'ipv6DhcpClientEnd' testvars. One of the addresses
remains in use through the test run for a host on the LAN side. This test
will attempt to create clients for the pool size - 1. If you are using
multiple LAN interfaces, the number of DHCPv6 clients from each interface
will also be subtracted from the DHCPv6 pool size.
References:
IETF RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
https://tools.ietf.org/html/rfc3315
IETF RFC 4862 "IPv6 Stateless Address Autoconfiguration"
https://tools.ietf.org/html/rfc4862
dslite.tcl
DS-Lite tests for tunneling IPv4 over IPv6
| Test |
Name |
Synopsis |
Verify NAT is not enabled on DS-Lite B4 interface |
dslite_1 |
Verify NAT is not enabled on DS-Lite B4 interface |
step 1. Initiate an outbound TCP connection to HTTP server
step 2. Verify the connection is established
step 3. Send HTTP GET request to server
step 4. Verify HTTP response is received
step 5. Verify the IPv4 source address on the WAN side is original LAN address
step 6. Close TCP connection from LAN side
References:
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 4.2: CPE
A DS-Lite CPE SHOULD NOT operate a NAT function between an internal
interface and a B4 interface, as the NAT function will be performed
by the AFTR in the service provider's network. This will avoid
accidentally operating in a double-NAT environment.
https://tools.ietf.org/html/rfc6333#section-4.2
| Test |
Name |
Synopsis |
Verify B4 Element announces itself as the IPv4 default gateway using DHCPv4 |
dslite_10 |
Verify B4 Element announces itself as the IPv4 default gateway using DHCPv4 |
step 1. Send a DHCPREQUEST for the current IP address
step 2. Verify DHCP server sends DHCPACK
step 3. Verify the gateway address is the router's LAN IPv4 address
References:
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 4.2: CPE
A DS-Lite CPE SHOULD NOT operate a NAT function between an internal
interface and a B4 interface, as the NAT function will be performed
by the AFTR in the service provider's network. This will avoid
accidentally operating in a double-NAT environment.
However, it SHOULD operate its own DHCP(v4) server handing out
[RFC1918] address space (e.g. 192.168.0.0/16) to hosts in the home.
It SHOULD advertise itself as the default IPv4 router to those home
hosts. It SHOULD also advertise itself as a DNS server in the DHCP
Option 6 (DNS Server). Additionally, it SHOULD operate a DNS proxy
to accept DNS IPv4 requests from home hosts and send them using IPv6
to the service provider DNS servers, as described in Section 5.5.
https://tools.ietf.org/html/rfc6333#section-4.2
| Test |
Name |
Synopsis |
Verify B4 Element announces itself as the IPv4 DNS server using DHCPv4 |
dslite_11 |
Verify B4 Element announces itself as the IPv4 DNS server using DHCPv4 |
step 1. Send a DHCPREQUEST for the current IP address
step 2. Verify DHCP server sends DHCPACK
step 3. Verify the DNS server address is the router's LAN IPv4 address
References:
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 4.2: CPE
A DS-Lite CPE SHOULD NOT operate a NAT function between an internal
interface and a B4 interface, as the NAT function will be performed
by the AFTR in the service provider's network. This will avoid
accidentally operating in a double-NAT environment.
However, it SHOULD operate its own DHCP(v4) server handing out
[RFC1918] address space (e.g. 192.168.0.0/16) to hosts in the home.
It SHOULD advertise itself as the default IPv4 router to those home
hosts. It SHOULD also advertise itself as a DNS server in the DHCP
Option 6 (DNS Server). Additionally, it SHOULD operate a DNS proxy
to accept DNS IPv4 requests from home hosts and send them using IPv6
to the service provider DNS servers, as described in Section 5.5.
https://tools.ietf.org/html/rfc6333#section-4.2
| Test |
Name |
Synopsis |
Verify DS-Lite packet fragmentation occurs at IPv6 layer and not the IPv4 layer |
dslite_20 |
Verify DS-Lite packet fragmentation occurs at IPv6 layer and not the IPv4 layer |
step 1. Forward an IPv4 packet from a LAN client to the WAN with packet size 1496
step 2. Verify the packet is received on the WAN
step 3. Verify the packet results in IPv6 fragments and no IPv4 fragments
References:
IETF RFC 2473 "Generic Packet Tunneling in IPv6 Specification" Section 7.2: IPv4 Tunnel Packet Fragmentation
(b) if in the original packet header the Don't Fragment - DF -
bit flag is CLEAR, the tunnel entry-point node encapsulates
the original packet, and subsequently fragments the
resulting IPv6 tunnel packet into IPv6 fragments that do
not exceed the Path MTU to the tunnel exit-point.
https://tools.ietf.org/html/rfc2473#section-7.2
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 5.3: Fragmentation and Reassembly
Using an encapsulation (IPv4-in-IPv6 or anything else) to carry IPv4
traffic over IPv6 will reduce the effective MTU of the datagram.
Unfortunately, path MTU discovery [RFC1191] is not a reliable method
to deal with this problem.
A solution to deal with this problem is for the service provider to
increase the MTU size of all the links between the B4 element and the
AFTR elements by at least 40 bytes to accommodate both the IPv6
encapsulation header and the IPv4 datagram without fragmenting the
IPv6 packet.
However, as not all service providers will be able to increase their
link MTU, the B4 element MUST perform fragmentation and reassembly if
the outgoing link MTU cannot accommodate the extra IPv6 header. The
original IPv4 packet is not oversized. The packet is oversized after
the IPv6 encapsulation. The inner IPv4 packet MUST NOT be
fragmented. Fragmentation MUST happen after the encapsulation of the
IPv6 packet. Reassembly MUST happen before the decapsulation of the
IPv4 packet. A detailed procedure has been specified in [RFC2473]
Section 7.2.
https://tools.ietf.org/html/rfc6333#section-5.3
| Test |
Name |
Synopsis |
Verify IPv4 ICMP Unreachable is generated if DF=1 and packet would fragment |
dslite_21 |
Verify IPv4 ICMP Unreachable is generated if DF=1 and packet would fragment |
step 1. Forward an IPv4 packet from a LAN client to the WAN with packet size 1496
step 2. Verify an ICMP unreachable with code 4 is received on the LAN
References:
IETF RFC 2473 "Generic Packet Tunneling in IPv6 Specification" Section 7.2: IPv4 Tunnel Packet Fragmentation
(b) if in the original packet header the Don't Fragment - DF -
bit flag is CLEAR, the tunnel entry-point node encapsulates
the original packet, and subsequently fragments the
resulting IPv6 tunnel packet into IPv6 fragments that do
not exceed the Path MTU to the tunnel exit-point.
https://tools.ietf.org/html/rfc2473#section-7.2
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 5.3: Fragmentation and Reassembly
Using an encapsulation (IPv4-in-IPv6 or anything else) to carry IPv4
traffic over IPv6 will reduce the effective MTU of the datagram.
Unfortunately, path MTU discovery [RFC1191] is not a reliable method
to deal with this problem.
A solution to deal with this problem is for the service provider to
increase the MTU size of all the links between the B4 element and the
AFTR elements by at least 40 bytes to accommodate both the IPv6
encapsulation header and the IPv4 datagram without fragmenting the
IPv6 packet.
However, as not all service providers will be able to increase their
link MTU, the B4 element MUST perform fragmentation and reassembly if
the outgoing link MTU cannot accommodate the extra IPv6 header. The
original IPv4 packet is not oversized. The packet is oversized after
the IPv6 encapsulation. The inner IPv4 packet MUST NOT be
fragmented. Fragmentation MUST happen after the encapsulation of the
IPv6 packet. Reassembly MUST happen before the decapsulation of the
IPv4 packet. A detailed procedure has been specified in [RFC2473]
Section 7.2.
https://tools.ietf.org/html/rfc6333#section-5.3
| Test |
Name |
Synopsis |
Verify IPv4 packet is dropped if DF=1 and packet would fragment |
dslite_22 |
Verify IPv4 packet is dropped if DF=1 and packet would fragment |
step 1. Forward an IPv4 packet from a LAN client to the WAN with packet size 1496
step 2. Verify packet is not forwarded to the WAN
References:
IETF RFC 2473 "Generic Packet Tunneling in IPv6 Specification" Section 7.2: IPv4 Tunnel Packet Fragmentation
(b) if in the original packet header the Don't Fragment - DF -
bit flag is CLEAR, the tunnel entry-point node encapsulates
the original packet, and subsequently fragments the
resulting IPv6 tunnel packet into IPv6 fragments that do
not exceed the Path MTU to the tunnel exit-point.
https://tools.ietf.org/html/rfc2473#section-7.2
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 5.3: Fragmentation and Reassembly
Using an encapsulation (IPv4-in-IPv6 or anything else) to carry IPv4
traffic over IPv6 will reduce the effective MTU of the datagram.
Unfortunately, path MTU discovery [RFC1191] is not a reliable method
to deal with this problem.
A solution to deal with this problem is for the service provider to
increase the MTU size of all the links between the B4 element and the
AFTR elements by at least 40 bytes to accommodate both the IPv6
encapsulation header and the IPv4 datagram without fragmenting the
IPv6 packet.
However, as not all service providers will be able to increase their
link MTU, the B4 element MUST perform fragmentation and reassembly if
the outgoing link MTU cannot accommodate the extra IPv6 header. The
original IPv4 packet is not oversized. The packet is oversized after
the IPv6 encapsulation. The inner IPv4 packet MUST NOT be
fragmented. Fragmentation MUST happen after the encapsulation of the
IPv6 packet. Reassembly MUST happen before the decapsulation of the
IPv4 packet. A detailed procedure has been specified in [RFC2473]
Section 7.2.
https://tools.ietf.org/html/rfc6333#section-5.3
| Test |
Name |
Synopsis |
Verify DNS queries sent to router over IPv4 are forwarded to IPv6 DNS server |
dslite_30 |
Verify DNS queries sent to router over IPv4 are forwarded to IPv6 DNS server |
step 1. Initiate a DNS query to the router's LAN ip address
step 2. Verify the query is received by real DNS server on the WAN side
step 3. The query may be received by the primary or backup DNS server
step 4. Verify the DNS query is using IPv6 and not IPv4
step 5. Send a return response back to LAN
step 6. Verify the response is received by the LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 5.5: DNS
A B4 element is only configured from the service provider with IPv6.
As such, it can only learn the address of a DNS recursive server
through DHCPv6 (or other similar method over IPv6). As DHCPv6 only
defines an option to get the IPv6 address of such a DNS recursive
server, the B4 element cannot easily discover the IPv4 address of
such a recursive DNS server, and as such will have to perform all DNS
resolution over IPv6.
https://tools.ietf.org/html/rfc6333#section-5.5
| Test |
Name |
Synopsis |
Verify LAN clients can reach the IPv4 address of DS-Lite AFTR |
dslite_40 |
Verify LAN clients can reach the IPv4 address of DS-Lite AFTR |
step 1. Initiate an outbound ICMP Echo Request to the IPv4 address of the WAN (AFTR)
step 2. Verify ICMP Echo Reply (ping response) is received
References:
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 6.5: Well-Known IPv4 Address
The AFTR SHOULD use the well-known IPv4 address 192.0.0.1 reserved by
IANA to configure the IPv4-in-IPv6 tunnel. That address can then be
used to report ICMP problems and will appear in traceroute outputs.
The following testvars are used to configure the AFTR and B4 addresses:
AFTR: testvar wanIspIp 192.0.0.1
B4: testvar wanIspAssignIp 192.0.0.2
https://tools.ietf.org/html/rfc6333#section-6.5
| Test |
Name |
Synopsis |
Verify LAN clients can reach the IPv4 address of DS-Lite B4 |
dslite_41 |
Verify LAN clients can reach the IPv4 address of DS-Lite B4 |
step 1. Initiate an outbound ICMP Echo Request to the IPv4 address of the CPE WAN (B4)
step 2. Verify ICMP Echo Reply (ping response) is received
References:
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 5.7: Well-Known IPv4 Address
Any locally unique IPv4 address could be configured on the IPv4-in-
IPv6 tunnel to represent the B4 element. Configuring such an address
is often necessary when the B4 element is sourcing IPv4 datagrams
directly over the tunnel. In order to avoid conflicts with any other
address, IANA has defined a well-known range, 192.0.0.0/29.
192.0.0.0 is the reserved subnet address. 192.0.0.1 is reserved for
the AFTR element, and 192.0.0.2 is reserved for the B4 element. If a
service provider has a special configuration that prevents the B4
element from using 192.0.0.2, the B4 element MAY use any other
addresses within the 192.0.0.0/29 range.
Note: A range of addresses has been reserved for this purpose. The
intent is to accommodate nodes implementing multiple B4 elements.
The following testvars are used to configure the AFTR and B4 addresses:
AFTR: testvar wanIspIp 192.0.0.1
B4: testvar wanIspAssignIp 192.0.0.2
https://tools.ietf.org/html/rfc6333#section-5.7
| Test |
Name |
Synopsis |
Verify IPv4 TOS is copied to IPv6 Traffic Class |
dslite_42 |
Verify IPv4 TOS is copied to IPv6 Traffic Class |
step 1. Forward an IPv4 packet from a LAN client to the WAN with a specific TOS
step 2. Verify the packet is received on the WAN (AFTR)
step 3. Verify that the IPv4 TOS and IPv6 Traffic Class are set to
the IPv4 TOS from step 1
step 4. Forward an IPv4 packet from the WAN to a LAN client with a specific TOS
step 5. Verify the packet is received by the LAN client
step 6. Verify that the IPv4 TOS are set to the IPv4 TOS from step 4
step 7. Repeat steps 1 to 7 with several different IPv4 TOS values
References:
IETF RFC 6333 "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" Section 7.1: Tunneling
Tunneling MUST be done in accordance to [RFC2473] and [RFC4213].
Traffic classes ([RFC2474]) from the IPv4 headers MUST be carried
over to the IPv6 headers and vice versa.
https://tools.ietf.org/html/rfc6333#section-7.1
dns-v6.tcl
IPv6 DNS proxy and DNS failover related tests
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not cache DNS entry when DNS TTL is 0 |
ipv6_dns_10 |
Verify IPv6 DNS proxy does not cache DNS entry when DNS TTL is 0 |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Change the IP address on the DNS server for the new hostname
step 4. Initiate a new DNS lookup for the same hostname
step 5. Verify a new DNS request is sent to the primary or backup
DNS servers
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy returns TTL of 0 when returned DNS TTL is 0 |
ipv6_dns_11 |
Verify IPv6 DNS proxy returns TTL of 0 when returned DNS TTL is 0 |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Verify the returned TTL from the DNS proxy is 0
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify AAAA IPv6 DNS queries to router are forwarded to real DNS server |
ipv6_dns_40 |
Verify AAAA IPv6 DNS queries to router are forwarded to real DNS server |
step 1. Initiate an AAAA IPv6 DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case. The DNS relay or proxy must understand IPv6 DNS
type AAAA lookups.
References:
IETF RFC 4074 "Common Misbehavior Against DNS Queries for IPv6 Addresses"
https://tools.ietf.org/html/rfc4074
| Test |
Name |
Synopsis |
Verify AAAA IPv6 DNS queries can return no address for IPv6 to IPv4 failover |
ipv6_dns_41 |
Verify AAAA IPv6 DNS queries can return no address for IPv6 to IPv4 failover |
step 1. Initiate an AAAA IPv6 DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send an empty return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case. The DNS relay or proxy must understand IPv6
DNS type AAAA lookups.
References:
IETF RFC 4074 "Common Misbehavior Against DNS Queries for IPv6 Addresses"
https://tools.ietf.org/html/rfc4074
| Test |
Name |
Synopsis |
Verify IPv6 DNS failover when non-zero error codes are received in non-authoritative DNS response |
ipv6_dns_45 |
Verify IPv6 DNS failover when non-zero error codes are received in non-authoritative DNS response |
step 1. Verify DNS error codes from 1 - 15.
step 2. For each error code, send 3 DNS queries for a unique
hostname to the DUT's LAN IP address.
step 3. Verify a valid DNS response was received for all 3 DNS
queries.
step 4. Verify that all 3 DNS queries were received on the same
WAN DNS server address, known as the current primary DNS
server address.
step 5. Configure DNS queries sent to the current primary DNS
server address to return the error code, and all other DNS
server addresses to return the normal response.
step 6. All error responses from the current primary DNS server
address will have the authoritative bit not set.
step 7. Send 3 DNS queries for another unique hostname to the
DUT's LAN IP address.
step 8. Verify a valid DNS response is received if the error code
is expected to trigger DNS failover.
step 9. Verify that a DNS query was received on the current
primary DNS server address.
NOTE: Most DNS clients that support multiple DNS servers (primary and
backup) use some type of failover for certain DNS error codes. The behavior
for each error code is implementation dependent. The list of error codes
that will cause DNS failover can be configured using the testvar
'dnsFailoverAuth'. If no DNS error codes will cause failover, the testvar
should be configured with the keyword 'none'.
Example:
testvar dnsFailoverNonAuth "2 4 5"
Example with no failover support:
testvar dnsFailoverNonAuth none
NOTE: Unix OSes based on bind will normally failover if DNS error
codes 2, 4, or 5 are received. Windows based OSes will normally
failover on all DNS error codes except 3 (No Such Name).
NOTE: In most configurations the DUT will learn the IPv4 and/or IPv6
addresses of several DNS servers on the WAN. While CDRouter will Initiate
all DNS queries on the LAN over IPv4 in this test, the DUT may use any of
the DNS servers in its list (IPv4 of IPv6) for final resolution.
| Test |
Name |
Synopsis |
Verify IPv6 DNS failover when non-zero error codes are received in authoritative DNS response |
ipv6_dns_46 |
Verify IPv6 DNS failover when non-zero error codes are received in authoritative DNS response |
step 1. Verify DNS error codes from 1 - 15.
step 2. For each error code, send 3 DNS queries for a unique
hostname to the DUT's LAN IP address.
step 3. Verify a valid DNS response was received for all 3 DNS
queries.
step 4. Verify that all 3 DNS queries were received on the same
WAN DNS server address, known as the current primary DNS
server address.
step 5. Configure DNS queries sent to the current primary DNS
server address to return the error code, and all other DNS
server addresses to return the normal response.
step 6. All error responses from the current primary DNS server
address will have the authoritative bit set.
step 7. Send 3 DNS queries for another unique hostname to the
DUT's LAN IP address.
step 8. Verify a valid DNS response is received if the error code
is expected to trigger DNS failover.
step 9. Verify that a DNS query was received on the current
primary DNS server address.
NOTE: Most DNS clients that support multiple DNS servers (primary and
backup) use some type of failover for certain DNS error codes. The behavior
for each error code is implementation dependent. The list of error codes
that will cause DNS failover can be configured using the testvar
'dnsFailoverAuth'. If no DNS error codes will cause failover, the testvar
should be configured with the keyword 'none'.
Example:
testvar dnsFailoverAuth "2 4 5"
Example with no failover support:
testvar dnsFailoverAuth none
NOTE: Unix OSes based on bind will normally failover if DNS error
codes 2, 4, or 5 are received. Windows based OSes will normally
failover on all DNS error codes except 3 (No Such Name).
NOTE: In most configurations the DUT will learn the IPv4 and/or IPv6
addresses of several DNS servers on the WAN. While CDRouter will Initiate
all DNS queries on the LAN over IPv4 in this test, the DUT may use any of
the DNS servers in its list (IPv4 of IPv6) for final resolution.
| Test |
Name |
Synopsis |
Verify Reverse PTR DNS queries to router are forwarded to real DNS server |
ipv6_dns_50 |
Verify Reverse PTR DNS queries to router are forwarded to real DNS server |
step 1. Initiate a reverse DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
| Test |
Name |
Synopsis |
Verify Reverse AAAA IPv6 DNS queries to router are forwarded to real DNS server |
ipv6_dns_51 |
Verify Reverse AAAA IPv6 DNS queries to router are forwarded to real DNS server |
step 1. Initiate a reverse AAAA IPv6 DNS query from the LAN client
to the configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy fails over when new primary DNS server is learned |
ipv6_dns_60 |
Verify IPv6 DNS proxy fails over when new primary DNS server is learned |
step 1. Create a new primary and backup DNS server
step 2. Terminate the WAN link and bring back up
step 3. Issue DNS query from the LAN client to the DUT's LAN IP
address
step 4. Verify LAN client receives response from new DNS servers
step 5. If DNS query fails, make additional attempts to allow
possible failover
step 6. Terminate the WAN link and bring back up with original DNS
servers
NOTE: This test is only run when the WAN mode is dynamic.
NOTE: The amount of time to wait before checking that DNS has
been updated after the WAN link is restored can be configured
using the testvar 'dnsFailoverDelay'. The default is 10 seconds.
NOTE: In IPv4 and IPv6 dual stack scenarios, the DUT may switch
over to IPv6 DNS server addresses which have not changed. These
servers are also unresponsive during the test and the DUT should
fail over to the new IPv4 DNS servers. The number of DNS queries
attempted may be configured using the testvar 'dnsFailoverAttempts'.
| Test |
Name |
Synopsis |
Verify IPv6 DNS lookups with multiple IPv4 responses |
ipv6_dns_70 |
Verify IPv6 DNS lookups with multiple IPv4 responses |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 3. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy recovers after DNS server outage |
ipv6_dns_100 |
Verify IPv6 DNS proxy recovers after DNS server outage |
step 1. Verify initial DNS lookup is working
step 2. Disable all DNS servers
step 3. Initiate 3 DNS lookups for new domains which should fail
from the LAN client to the DUT's LAN IP address
step 4. Enable all DNS servers
step 5. Verify DNS lookups start working again
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries including the EDNS0 option |
ipv6_dns_110 |
Verify IPv6 DNS queries including the EDNS0 option |
step 1. Initiate a DNS lookup containing EDNS0 option for a new
unique hostname from the LAN client to the configured DNS
server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Change the IP address on the DNS server for the new hostname
step 4. Initiate a new DNS lookup containing EDNS0 option for the
same hostname
step 5. Verify a new DNS request is sent to the primary or backup
DNS servers; inclusion of EDNS0 option should not affect
ability to successfully resolve hostnames
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify large DNS responses using EDNS0 option |
ipv6_dns_120 |
Verify large DNS responses using EDNS0 option |
step 1. Configure a DNS entry with 200 IPv4 matching records that
requires a UDP response slightly less than 4096
step 2. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server using EDNS0 option
announcing a UDP buffer size of 4096
step 3. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 4. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 6891 "Extension Mechanisms for DNS (EDNS0)"
https://tools.ietf.org/html/rfc6891
| Test |
Name |
Synopsis |
Verify maximum UDP payload value in EDNS0 option |
ipv6_dns_121 |
Verify maximum UDP payload value in EDNS0 option |
step 1. Initiate a DNS lookup for a unique hostname from the LAN
client to the configured DNS server using EDNS0 option
announcing a UDP buffer size of 4096
step 2. Verify DNS response contains EDNS0 option
step 3. Configure a DNS entry with enough matching IPv4 records that
requires a UDP response slightly less than the EDNS0 UDP
buffer size seen in step 2
step 4. Initiate a DNS lookup for the same hostname from LAN client
using EDNS0 option announcing a UDP buffer size of 4096
step 5. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 6. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 6891 "Extension Mechanisms for DNS (EDNS0)"
https://tools.ietf.org/html/rfc6891
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for TXT records |
ipv6_dns_130 |
Verify IPv6 DNS queries for TXT records |
step 1. Initiate a DNS TXT query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send a return TXT response back to LAN
step 5. Verify the response is received by LAN client
Reference: RFC 1035 Domain names - implementation and specification
| Test |
Name |
Synopsis |
Verify DNS queries for CNAME records |
ipv6_dns_132 |
Verify DNS queries for CNAME records |
step 1. Initiate a DNS CNAME query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send a return CNAME response back to LAN
step 5. Verify the response is received by LAN client
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify DNS queries for responses returning both CNAME and A records |
ipv6_dns_133 |
Verify DNS queries for responses returning both CNAME and A records |
step 1. Initiate a DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send both a CNAME and A records response back to LAN
step 5. Verify the response is received by LAN client with both CNAME
and A records
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify DNS queries for responses returning both CNAME and AAAA records |
ipv6_dns_134 |
Verify DNS queries for responses returning both CNAME and AAAA records |
step 1. Initiate a DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send both a CNAME and AAAA records response back to LAN
step 5. Verify the response is received by LAN client with both CNAME
and AAAA records
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for SPF records |
ipv6_dns_140 |
Verify IPv6 DNS queries for SPF records |
step 1. Initiate a DNS SPF query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return SPF response back to LAN
step 5. Verify the response is received by LAN client
References:
IETF RFC 4408 "Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"
https://tools.ietf.org/html/rfc4408
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for SRV records |
ipv6_dns_141 |
Verify IPv6 DNS queries for SRV records |
step 1. Initiate a DNS SRV query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return SRV response back to LAN
step 5. Verify the response is received by LAN client
step 6. Verify the response priority, weight, port and target fields
References:
IETF RFC 2782 "A DNS RR for specifying the location of services (DNS SRV)"
https://tools.ietf.org/html/rfc2782
| Test |
Name |
Synopsis |
Verify DNS proxy behavior for DNS server status requests |
ipv6_dns_150 |
Verify DNS proxy behavior for DNS server status requests |
step 1. Send a DNS server status request from the LAN client to the
configured DNS server
step 2. Verify that the DNS proxy either forwards the server status request
to the real DNS server or drops it based on the proxy's expected
behavior
NOTE: Scanning tools including Nmap utilize DNS server status requests when
probing a host. Some DNS proxy implementations will drop DNS server status
requests for security reasons. The testvar dnsForwardServerStatus should be
set to a value of **no** if this is the expected behavior of the DUT's DNS
proxy. For DNS proxy implementations that forward server status request
messages upstream, the testvar dnsForwardServerStatus should be set to a
value of **yes**.
References:
IETF RFC 5625 "DNS Proxy Implementation Guidelines" Section 3: Transparency Principle
https://tools.ietf.org/html/rfc5625#section-3
The DNS Status OPCODE Section 6: Security Considerations
http://www.eric-a-hall.com/specs/draft-hall-status-opcode-00-1.txt6
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not mangle DNSSEC queries |
ipv6_dns_200 |
Verify IPv6 DNS proxy does not mangle DNSSEC queries |
step 1. Initiate a DNSKEY query from the LAN client to the
configured DNS server
step 2. The query may be received by the primary or backup DNS
server
step 3. Send a DNSKEY response back to LAN
step 4. Verify the response is received by LAN client and all fields
are correct
step 5. Repeat steps 1-5 for RRSIG, DS, and NSEC queries
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 4034 "Resource Records for the DNS Security Extensions"
https://tools.ietf.org/html/rfc4034
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not mangle large DNSSEC responses |
ipv6_dns_201 |
Verify IPv6 DNS proxy does not mangle large DNSSEC responses |
step 1. Initiate a DNSKEY query from the LAN client to the
configured DNS server
step 2. The query may be received by the primary or backup DNS
server
step 3. Send a large RRSIG response (greater than 1220 bytes) back
to LAN
step 4. Verify full response is received by LAN client and all
fields are correct
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 4035 "Protocol Modifications for the DNS Security Extensions" Section 4.1: EDNS Support
https://tools.ietf.org/html/rfc4035#section-4.1
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy honors TTL values when caching responses |
ipv6_dns_300 |
Verify IPv6 DNS proxy honors TTL values when caching responses |
step 1. Initiate a DNS lookup for a hostname from the LAN client to
the DUT's LAN IP address
step 2. Verify DUT's DNS proxy forwards the query to the WAN DNS
server
step 3. Change the address on the WAN DNS server for the new
hostname
step 4. Wait half the TTL value of the response
step 5. Perform a DNS lookup on the same hostname from the LAN
step 6. If supportsDnsCaching is yes, verify DUT's DNS proxy returns
cached response from step 2 and does not forward the query
to the WAN DNS server. If supportsDnsCaching is no, verify
DUT's DNS proxy forwards the query to the WAN DNS server
step 7. Wait long enough for the TTL value of the response from
step 2 to have elapsed
step 8. Perform a DNS lookup on the same hostname from the LAN
step 9. Verify DUT's DNS proxy forwards the query to the WAN DNS
server
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 4.1.3: Resource Record Format
https://tools.ietf.org/html/rfc1035#section-4.1.3
| Test |
Name |
Synopsis |
Verify maximum number of cached DNS responses |
ipv6_dns_301 |
Verify maximum number of cached DNS responses |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the DUT's LAN IP address
step 2. Verify that the DUT's DNS proxy forwards the query to the
WAN DNS server
step 3. Send a valid response to the DUT on the WAN and verify that
DUT's DNS proxy forwards this response to the LAN client
step 4. Repeat steps 1 through 3 (dnsCacheSize + 10) times
step 5. Repeat steps 1 through 4 but look up the hostnames in
reverse order
step 6. Verify that the last 10 hostname lookups are not cached by
the DUT's DNS proxy
NOTE: The testvar dnsCacheSize should be configured to match the
size of the DUT's DNS cache.
| Test |
Name |
Synopsis |
Verify parallel DNS queries |
ipv6_dns_400 |
Verify parallel DNS queries |
step 1. Initiate a DNS A record lookup for a new unique hostname
from the LAN client to the configured DNS server.
step 2. Initiate a DNS AAAA record lookup from the LAN client for
the same hostname used in step 1 to the configured DNS
server on the same socket as used in step 1.
step 3. Verify that DNS responses are received for both DNS
queries.
| Test |
Name |
Synopsis |
Verify DNS does not deploy NXDOMAIN hijacking for type A records |
ipv6_dns_410 |
Verify DNS does not deploy NXDOMAIN hijacking for type A records |
step 1. Initiate a DNS lookup for a new unique type A DNS record from
the LAN client to the configured DNS server
step 2. Return DNS response with NXDOMAIN (No such domain reply code)
step 3. Verify the NXDOMAIN response is returned to the LAN client
References:
DNS NXDOMAIN Hijacking
http://en.wikipedia.org/wiki/DNS_hijacking
| Test |
Name |
Synopsis |
Verify DNS does not deploy NXDOMAIN hijacking for type AAAA records |
ipv6_dns_411 |
Verify DNS does not deploy NXDOMAIN hijacking for type AAAA records |
step 1. Initiate a DNS lookup for a new unique type AAAA DNS record from
the LAN client to the configured DNS server
step 2. Return DNS response with NXDOMAIN (No such domain reply code)
step 3. Verify the NXDOMAIN response is returned to the LAN client
References:
DNS NXDOMAIN Hijacking
http://en.wikipedia.org/wiki/DNS_hijacking
| Test |
Name |
Synopsis |
Verify DNS proxy handles use of bit 0x20 in DNS labels |
ipv6_dns_420 |
Verify DNS proxy handles use of bit 0x20 in DNS labels |
step 1. Add a new DNS hostname to the DNS servers on the WAN
step 2. Create a new bit 0x20 version of the DNS hostname
step 3. Initiate a DNS lookup from the LAN client using the bit 0x20 DNS label
step 4. Verify the LAN client receives a valid DNS response
step 5. Repeat this process for 100 variations of the bit 0x20 DNS label
References:
IETF Internet-Draft draft-vixie-dnsext-dns0x20-00 "Use of Bit 0x20 in DNS Labels to Improve Transaction Identity"
https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
| Test |
Name |
Synopsis |
Verify DNS proxy enforces DNS strict privacy usage profile |
ipv6_dns_500 |
Verify DNS proxy enforces DNS strict privacy usage profile |
step 1. Add a new DNS hostname to the DNS servers on the WAN
step 2. Initiate a DNS lookup for the new unique hostname from the LAN
client to the DUT's DNS proxy
step 3. Verify the LAN client receives a valid DNS response
step 4. Verify a new DNS request is sent to the primary or backup
DNS servers using DNS over TLS
NOTE: The list of secure transports (i.e. TLS, HTTPS (DoH) or
both) which the DUT is expected to use when sending DNS queries
can be configured via the testvar
dnsUsageProfileStrictPrivacyTransports.
References:
IETF RFC 8310 "Usage Profiles for DNS over (D)TLS" Section 5: Usage Profiles
https://tools.ietf.org/html/rfc8310#section-5
dns-https-v6.tcl
IPv6 DNS over HTTPS (DoH) proxy and DNS failover related tests
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not cache DNS entry when DNS TTL is 0 |
ipv6_dns_https_10 |
Verify IPv6 DNS proxy does not cache DNS entry when DNS TTL is 0 |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Change the IP address on the DNS server for the new hostname
step 4. Initiate a new DNS lookup for the same hostname
step 5. Verify a new DNS request is sent to the primary or backup
DNS servers
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy returns TTL of 0 when returned DNS TTL is 0 |
ipv6_dns_https_11 |
Verify IPv6 DNS proxy returns TTL of 0 when returned DNS TTL is 0 |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Verify the returned TTL from the DNS proxy is 0
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify AAAA IPv6 DNS queries to router are forwarded to real DNS server |
ipv6_dns_https_40 |
Verify AAAA IPv6 DNS queries to router are forwarded to real DNS server |
step 1. Initiate an AAAA IPv6 DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case. The DNS relay or proxy must understand IPv6 DNS
type AAAA lookups.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 4074 "Common Misbehavior Against DNS Queries for IPv6 Addresses"
https://tools.ietf.org/html/rfc4074
| Test |
Name |
Synopsis |
Verify AAAA IPv6 DNS queries can return no address for IPv6 to IPv4 failover |
ipv6_dns_https_41 |
Verify AAAA IPv6 DNS queries can return no address for IPv6 to IPv4 failover |
step 1. Initiate an AAAA IPv6 DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send an empty return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case. The DNS relay or proxy must understand IPv6
DNS type AAAA lookups.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 4074 "Common Misbehavior Against DNS Queries for IPv6 Addresses"
https://tools.ietf.org/html/rfc4074
| Test |
Name |
Synopsis |
Verify IPv6 DNS failover when non-zero error codes are received in non-authoritative DNS response |
ipv6_dns_https_45 |
Verify IPv6 DNS failover when non-zero error codes are received in non-authoritative DNS response |
step 1. Verify DNS error codes from 1 - 15.
step 2. For each error code, send 3 DNS queries for a unique
hostname to the DUT's LAN IP address.
step 3. Verify a valid DNS response was received for all 3 DNS
queries.
step 4. Verify that all 3 DNS queries were received on the same
WAN DNS server address, known as the current primary DNS
server address.
step 5. Configure DNS queries sent to the current primary DNS
server address to return the error code, and all other DNS
server addresses to return the normal response.
step 6. All error responses from the current primary DNS server
address will have the authoritative bit not set.
step 7. Send 3 DNS queries for another unique hostname to the
DUT's LAN IP address.
step 8. Verify a valid DNS response is received if the error code
is expected to trigger DNS failover.
step 9. Verify that a DNS query was received on the current
primary DNS server address.
NOTE: Most DNS clients that support multiple DNS servers (primary and
backup) use some type of failover for certain DNS error codes. The behavior
for each error code is implementation dependent. The list of error codes
that will cause DNS failover can be configured using the testvar
'dnsFailoverAuth'. If no DNS error codes will cause failover, the testvar
should be configured with the keyword 'none'.
Example:
testvar dnsFailoverNonAuth "2 4 5"
Example with no failover support:
testvar dnsFailoverNonAuth none
NOTE: Unix OSes based on bind will normally failover if DNS error
codes 2, 4, or 5 are received. Windows based OSes will normally
failover on all DNS error codes except 3 (No Such Name).
NOTE: In most configurations the DUT will learn the IPv4 and/or IPv6
addresses of several DNS servers on the WAN. While CDRouter will Initiate
all DNS queries on the LAN over IPv4 in this test, the DUT may use any of
the DNS servers in its list (IPv4 of IPv6) for final resolution.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
| Test |
Name |
Synopsis |
Verify IPv6 DNS failover when non-zero error codes are received in authoritative DNS response |
ipv6_dns_https_46 |
Verify IPv6 DNS failover when non-zero error codes are received in authoritative DNS response |
step 1. Verify DNS error codes from 1 - 15.
step 2. For each error code, send 3 DNS queries for a unique
hostname to the DUT's LAN IP address.
step 3. Verify a valid DNS response was received for all 3 DNS
queries.
step 4. Verify that all 3 DNS queries were received on the same
WAN DNS server address, known as the current primary DNS
server address.
step 5. Configure DNS queries sent to the current primary DNS
server address to return the error code, and all other DNS
server addresses to return the normal response.
step 6. All error responses from the current primary DNS server
address will have the authoritative bit set.
step 7. Send 3 DNS queries for another unique hostname to the
DUT's LAN IP address.
step 8. Verify a valid DNS response is received if the error code
is expected to trigger DNS failover.
step 9. Verify that a DNS query was received on the current
primary DNS server address.
NOTE: Most DNS clients that support multiple DNS servers (primary and
backup) use some type of failover for certain DNS error codes. The behavior
for each error code is implementation dependent. The list of error codes
that will cause DNS failover can be configured using the testvar
'dnsFailoverAuth'. If no DNS error codes will cause failover, the testvar
should be configured with the keyword 'none'.
Example:
testvar dnsFailoverAuth "2 4 5"
Example with no failover support:
testvar dnsFailoverAuth none
NOTE: Unix OSes based on bind will normally failover if DNS error
codes 2, 4, or 5 are received. Windows based OSes will normally
failover on all DNS error codes except 3 (No Such Name).
NOTE: In most configurations the DUT will learn the IPv4 and/or IPv6
addresses of several DNS servers on the WAN. While CDRouter will Initiate
all DNS queries on the LAN over IPv4 in this test, the DUT may use any of
the DNS servers in its list (IPv4 of IPv6) for final resolution.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
| Test |
Name |
Synopsis |
Verify Reverse PTR DNS queries to router are forwarded to real DNS server |
ipv6_dns_https_50 |
Verify Reverse PTR DNS queries to router are forwarded to real DNS server |
step 1. Initiate a reverse DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
| Test |
Name |
Synopsis |
Verify Reverse AAAA IPv6 DNS queries to router are forwarded to real DNS server |
ipv6_dns_https_51 |
Verify Reverse AAAA IPv6 DNS queries to router are forwarded to real DNS server |
step 1. Initiate a reverse AAAA IPv6 DNS query from the LAN client
to the configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy fails over when new primary DNS server is learned |
ipv6_dns_https_60 |
Verify IPv6 DNS proxy fails over when new primary DNS server is learned |
step 1. Create a new primary and backup DNS server
step 2. Terminate the WAN link and bring back up
step 3. Issue DNS query from the LAN client to the DUT's LAN IP
address
step 4. Verify LAN client receives response from new DNS servers
step 5. If DNS query fails, make additional attempts to allow
possible failover
step 6. Terminate the WAN link and bring back up with original DNS
servers
NOTE: This test is only run when the WAN mode is dynamic.
NOTE: The amount of time to wait before checking that DNS has
been updated after the WAN link is restored can be configured
using the testvar 'dnsFailoverDelay'. The default is 10 seconds.
NOTE: In IPv4 and IPv6 dual stack scenarios, the DUT may switch
over to IPv6 DNS server addresses which have not changed. These
servers are also unresponsive during the test and the DUT should
fail over to the new IPv4 DNS servers. The number of DNS queries
attempted may be configured using the testvar 'dnsFailoverAttempts'.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
| Test |
Name |
Synopsis |
Verify IPv6 DNS lookups with multiple IPv4 responses |
ipv6_dns_https_70 |
Verify IPv6 DNS lookups with multiple IPv4 responses |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 3. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy recovers after DNS server outage |
ipv6_dns_https_100 |
Verify IPv6 DNS proxy recovers after DNS server outage |
step 1. Verify initial DNS lookup is working
step 2. Disable all DNS servers
step 3. Initiate 3 DNS lookups for new domains which should fail
from the LAN client to the DUT's LAN IP address
step 4. Enable all DNS servers
step 5. Verify DNS lookups start working again
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries including the EDNS0 option |
ipv6_dns_https_110 |
Verify IPv6 DNS queries including the EDNS0 option |
step 1. Initiate a DNS lookup containing EDNS0 option for a new
unique hostname from the LAN client to the configured DNS
server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Change the IP address on the DNS server for the new hostname
step 4. Initiate a new DNS lookup containing EDNS0 option for the
same hostname
step 5. Verify a new DNS request is sent to the primary or backup
DNS servers; inclusion of EDNS0 option should not affect
ability to successfully resolve hostnames
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify large DNS responses using EDNS0 option |
ipv6_dns_https_120 |
Verify large DNS responses using EDNS0 option |
step 1. Configure a DNS entry with 200 IPv4 matching records that
requires a UDP response slightly less than 4096
step 2. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server using EDNS0 option
announcing a UDP buffer size of 4096
step 3. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 4. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 6891 "Extension Mechanisms for DNS (EDNS0)"
https://tools.ietf.org/html/rfc6891
| Test |
Name |
Synopsis |
Verify maximum UDP payload value in EDNS0 option |
ipv6_dns_https_121 |
Verify maximum UDP payload value in EDNS0 option |
step 1. Initiate a DNS lookup for a unique hostname from the LAN
client to the configured DNS server using EDNS0 option
announcing a UDP buffer size of 4096
step 2. Verify DNS response contains EDNS0 option
step 3. Configure a DNS entry with enough matching IPv4 records that
requires a UDP response slightly less than the EDNS0 UDP
buffer size seen in step 2
step 4. Initiate a DNS lookup for the same hostname from LAN client
using EDNS0 option announcing a UDP buffer size of 4096
step 5. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 6. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 6891 "Extension Mechanisms for DNS (EDNS0)"
https://tools.ietf.org/html/rfc6891
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for TXT records |
ipv6_dns_https_130 |
Verify IPv6 DNS queries for TXT records |
step 1. Initiate a DNS TXT query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send a return TXT response back to LAN
step 5. Verify the response is received by LAN client
Reference: RFC 1035 Domain names - implementation and specification
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
| Test |
Name |
Synopsis |
Verify DNS queries for CNAME records |
ipv6_dns_https_132 |
Verify DNS queries for CNAME records |
step 1. Initiate a DNS CNAME query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send a return CNAME response back to LAN
step 5. Verify the response is received by LAN client
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify DNS queries for responses returning both CNAME and A records |
ipv6_dns_https_133 |
Verify DNS queries for responses returning both CNAME and A records |
step 1. Initiate a DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send both a CNAME and A records response back to LAN
step 5. Verify the response is received by LAN client with both CNAME
and A records
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify DNS queries for responses returning both CNAME and AAAA records |
ipv6_dns_https_134 |
Verify DNS queries for responses returning both CNAME and AAAA records |
step 1. Initiate a DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send both a CNAME and AAAA records response back to LAN
step 5. Verify the response is received by LAN client with both CNAME
and AAAA records
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for SPF records |
ipv6_dns_https_140 |
Verify IPv6 DNS queries for SPF records |
step 1. Initiate a DNS SPF query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return SPF response back to LAN
step 5. Verify the response is received by LAN client
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 4408 "Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"
https://tools.ietf.org/html/rfc4408
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for SRV records |
ipv6_dns_https_141 |
Verify IPv6 DNS queries for SRV records |
step 1. Initiate a DNS SRV query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return SRV response back to LAN
step 5. Verify the response is received by LAN client
step 6. Verify the response priority, weight, port and target fields
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 2782 "A DNS RR for specifying the location of services (DNS SRV)"
https://tools.ietf.org/html/rfc2782
| Test |
Name |
Synopsis |
Verify DNS proxy behavior for DNS server status requests |
ipv6_dns_https_150 |
Verify DNS proxy behavior for DNS server status requests |
step 1. Send a DNS server status request from the LAN client to the
configured DNS server
step 2. Verify that the DNS proxy either forwards the server status request
to the real DNS server or drops it based on the proxy's expected
behavior
NOTE: Scanning tools including Nmap utilize DNS server status requests when
probing a host. Some DNS proxy implementations will drop DNS server status
requests for security reasons. The testvar dnsForwardServerStatus should be
set to a value of **no** if this is the expected behavior of the DUT's DNS
proxy. For DNS proxy implementations that forward server status request
messages upstream, the testvar dnsForwardServerStatus should be set to av
alue of **yes**.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 5625 "DNS Proxy Implementation Guidelines" Section 3: Transparency Principle
https://tools.ietf.org/html/rfc5625#section-3
The DNS Status OPCODE Section 6: Security Considerations
http://www.eric-a-hall.com/specs/draft-hall-status-opcode-00-1.txt6
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not mangle DNSSEC queries |
ipv6_dns_https_200 |
Verify IPv6 DNS proxy does not mangle DNSSEC queries |
step 1. Initiate a DNSKEY query from the LAN client to the
configured DNS server
step 2. The query may be received by the primary or backup DNS
server
step 3. Send a DNSKEY response back to LAN
step 4. Verify the response is received by LAN client and all fields
are correct
step 5. Repeat steps 1-5 for RRSIG, DS, and NSEC queries
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 4034 "Resource Records for the DNS Security Extensions"
https://tools.ietf.org/html/rfc4034
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not mangle large DNSSEC responses |
ipv6_dns_https_201 |
Verify IPv6 DNS proxy does not mangle large DNSSEC responses |
step 1. Initiate a DNSKEY query from the LAN client to the
configured DNS server
step 2. The query may be received by the primary or backup DNS
server
step 3. Send a large RRSIG response (greater than 1220 bytes) back
to LAN
step 4. Verify full response is received by LAN client and all
fields are correct
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 4035 "Protocol Modifications for the DNS Security Extensions" Section 4.1: EDNS Support
https://tools.ietf.org/html/rfc4035#section-4.1
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy honors TTL values when caching responses |
ipv6_dns_https_300 |
Verify IPv6 DNS proxy honors TTL values when caching responses |
step 1. Initiate a DNS lookup for a hostname from the LAN client to
the DUT's LAN IP address
step 2. Verify DUT's DNS proxy forwards the query to the WAN DNS
server
step 3. Change the address on the WAN DNS server for the new
hostname
step 4. Wait half the TTL value of the response
step 5. Perform a DNS lookup on the same hostname from the LAN
step 6. If supportsDnsCaching is yes, verify DUT's DNS proxy returns
cached response from step 2 and does not forward the query
to the WAN DNS server. If supportsDnsCaching is no, verify
DUT's DNS proxy forwards the query to the WAN DNS server
step 7. Wait long enough for the TTL value of the response from
step 2 to have elapsed
step 8. Perform a DNS lookup on the same hostname from the LAN
step 9. Verify DUT's DNS proxy forwards the query to the WAN DNS
server
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 4.1.3: Resource Record Format
https://tools.ietf.org/html/rfc1035#section-4.1.3
| Test |
Name |
Synopsis |
Verify maximum number of cached DNS responses |
ipv6_dns_https_301 |
Verify maximum number of cached DNS responses |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the DUT's LAN IP address
step 2. Verify that the DUT's DNS proxy forwards the query to the
WAN DNS server
step 3. Send a valid response to the DUT on the WAN and verify that
DUT's DNS proxy forwards this response to the LAN client
step 4. Repeat steps 1 through 3 (dnsCacheSize + 10) times
step 5. Repeat steps 1 through 4 but look up the hostnames in
reverse order
step 6. Verify that the last 10 hostname lookups are not cached by
the DUT's DNS proxy
NOTE: The testvar dnsCacheSize should be configured to match the
size of the DUT's DNS cache.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
| Test |
Name |
Synopsis |
Verify parallel DNS queries |
ipv6_dns_https_400 |
Verify parallel DNS queries |
step 1. Initiate a DNS A record lookup for a new unique hostname
from the LAN client to the configured DNS server.
step 2. Initiate a DNS AAAA record lookup from the LAN client for
the same hostname used in step 1 to the configured DNS
server on the same socket as used in step 1.
step 3. Verify that DNS responses are received for both DNS
queries.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
| Test |
Name |
Synopsis |
Verify DNS does not deploy NXDOMAIN hijacking for type A records |
ipv6_dns_https_410 |
Verify DNS does not deploy NXDOMAIN hijacking for type A records |
step 1. Initiate a DNS lookup for a new unique type A DNS record from
the LAN client to the configured DNS server
step 2. Return DNS response with NXDOMAIN (No such domain reply code)
step 3. Verify the NXDOMAIN response is returned to the LAN client
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
DNS NXDOMAIN Hijacking
http://en.wikipedia.org/wiki/DNS_hijacking
| Test |
Name |
Synopsis |
Verify DNS does not deploy NXDOMAIN hijacking for type AAAA records |
ipv6_dns_https_411 |
Verify DNS does not deploy NXDOMAIN hijacking for type AAAA records |
step 1. Initiate a DNS lookup for a new unique type AAAA DNS record from
the LAN client to the configured DNS server
step 2. Return DNS response with NXDOMAIN (No such domain reply code)
step 3. Verify the NXDOMAIN response is returned to the LAN client
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
DNS NXDOMAIN Hijacking
http://en.wikipedia.org/wiki/DNS_hijacking
| Test |
Name |
Synopsis |
Verify DNS proxy handles use of bit 0x20 in DNS labels |
ipv6_dns_https_420 |
Verify DNS proxy handles use of bit 0x20 in DNS labels |
step 1. Add a new DNS hostname to the DNS servers on the WAN
step 2. Create a new bit 0x20 version of the DNS hostname
step 3. Initiate a DNS lookup from the LAN client using the bit 0x20 DNS label
step 4. Verify the LAN client receives a valid DNS response
step 5. Repeat this process for 100 variations of the bit 0x20 DNS label
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF Internet-Draft draft-vixie-dnsext-dns0x20-00 "Use of Bit 0x20 in DNS Labels to Improve Transaction Identity"
https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
| Test |
Name |
Synopsis |
Verify DNS proxy enforces DNS strict privacy usage profile |
ipv6_dns_https_500 |
Verify DNS proxy enforces DNS strict privacy usage profile |
step 1. Add a new DNS hostname to the DNS servers on the WAN
step 2. Initiate a DNS lookup for the new unique hostname from the LAN
client to the DUT's DNS proxy
step 3. Verify the LAN client receives a valid DNS response
step 4. Verify a new DNS request is sent to the primary or backup
DNS servers using DNS over TLS
NOTE: The list of secure transports (i.e. TLS, HTTPS (DoH) or
both) which the DUT is expected to use when sending DNS queries
can be configured via the testvar
dnsUsageProfileStrictPrivacyTransports.
References:
IETF RFC 8484 "DNS Queries over HTTPS (DoH)"
https://tools.ietf.org/html/rfc8484
IETF RFC 8310 "Usage Profiles for DNS over (D)TLS" Section 5: Usage Profiles
https://tools.ietf.org/html/rfc8310#section-5
dns-tcp-v6.tcl
IPv6 DNS over TCP proxy and DNS failover related tests
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not cache DNS entry when DNS TTL is 0 |
ipv6_dns_tcp_10 |
Verify IPv6 DNS proxy does not cache DNS entry when DNS TTL is 0 |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Change the IP address on the DNS server for the new hostname
step 4. Initiate a new DNS lookup for the same hostname
step 5. Verify a new DNS request is sent to the primary or backup
DNS servers
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy returns TTL of 0 when returned DNS TTL is 0 |
ipv6_dns_tcp_11 |
Verify IPv6 DNS proxy returns TTL of 0 when returned DNS TTL is 0 |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Verify the returned TTL from the DNS proxy is 0
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify AAAA IPv6 DNS queries to router are forwarded to real DNS server |
ipv6_dns_tcp_40 |
Verify AAAA IPv6 DNS queries to router are forwarded to real DNS server |
step 1. Initiate an AAAA IPv6 DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case. The DNS relay or proxy must understand IPv6 DNS
type AAAA lookups.
References:
IETF RFC 4074 "Common Misbehavior Against DNS Queries for IPv6 Addresses"
https://tools.ietf.org/html/rfc4074
| Test |
Name |
Synopsis |
Verify AAAA IPv6 DNS queries can return no address for IPv6 to IPv4 failover |
ipv6_dns_tcp_41 |
Verify AAAA IPv6 DNS queries can return no address for IPv6 to IPv4 failover |
step 1. Initiate an AAAA IPv6 DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send an empty return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case. The DNS relay or proxy must understand IPv6
DNS type AAAA lookups.
References:
IETF RFC 4074 "Common Misbehavior Against DNS Queries for IPv6 Addresses"
https://tools.ietf.org/html/rfc4074
| Test |
Name |
Synopsis |
Verify IPv6 DNS failover when non-zero error codes are received in non-authoritative DNS response |
ipv6_dns_tcp_45 |
Verify IPv6 DNS failover when non-zero error codes are received in non-authoritative DNS response |
step 1. Verify DNS error codes from 1 - 15.
step 2. For each error code, send 3 DNS queries for a unique
hostname to the DUT's LAN IP address.
step 3. Verify a valid DNS response was received for all 3 DNS
queries.
step 4. Verify that all 3 DNS queries were received on the same
WAN DNS server address, known as the current primary DNS
server address.
step 5. Configure DNS queries sent to the current primary DNS
server address to return the error code, and all other DNS
server addresses to return the normal response.
step 6. All error responses from the current primary DNS server
address will have the authoritative bit not set.
step 7. Send 3 DNS queries for another unique hostname to the
DUT's LAN IP address.
step 8. Verify a valid DNS response is received if the error code
is expected to trigger DNS failover.
step 9. Verify that a DNS query was received on the current
primary DNS server address.
NOTE: Most DNS clients that support multiple DNS servers (primary and
backup) use some type of failover for certain DNS error codes. The behavior
for each error code is implementation dependent. The list of error codes
that will cause DNS failover can be configured using the testvar
'dnsFailoverAuth'. If no DNS error codes will cause failover, the testvar
should be configured with the keyword 'none'.
Example:
testvar dnsFailoverNonAuth "2 4 5"
Example with no failover support:
testvar dnsFailoverNonAuth none
NOTE: Unix OSes based on bind will normally failover if DNS error
codes 2, 4, or 5 are received. Windows based OSes will normally
failover on all DNS error codes except 3 (No Such Name).
NOTE: In most configurations the DUT will learn the IPv4 and/or IPv6
addresses of several DNS servers on the WAN. While CDRouter will Initiate
all DNS queries on the LAN over IPv4 in this test, the DUT may use any of
the DNS servers in its list (IPv4 of IPv6) for final resolution.
| Test |
Name |
Synopsis |
Verify IPv6 DNS failover when non-zero error codes are received in authoritative DNS response |
ipv6_dns_tcp_46 |
Verify IPv6 DNS failover when non-zero error codes are received in authoritative DNS response |
step 1. Verify DNS error codes from 1 - 15.
step 2. For each error code, send 3 DNS queries for a unique
hostname to the DUT's LAN IP address.
step 3. Verify a valid DNS response was received for all 3 DNS
queries.
step 4. Verify that all 3 DNS queries were received on the same
WAN DNS server address, known as the current primary DNS
server address.
step 5. Configure DNS queries sent to the current primary DNS
server address to return the error code, and all other DNS
server addresses to return the normal response.
step 6. All error responses from the current primary DNS server
address will have the authoritative bit set.
step 7. Send 3 DNS queries for another unique hostname to the
DUT's LAN IP address.
step 8. Verify a valid DNS response is received if the error code
is expected to trigger DNS failover.
step 9. Verify that a DNS query was received on the current
primary DNS server address.
NOTE: Most DNS clients that support multiple DNS servers (primary and
backup) use some type of failover for certain DNS error codes. The behavior
for each error code is implementation dependent. The list of error codes
that will cause DNS failover can be configured using the testvar
'dnsFailoverAuth'. If no DNS error codes will cause failover, the testvar
should be configured with the keyword 'none'.
Example:
testvar dnsFailoverAuth "2 4 5"
Example with no failover support:
testvar dnsFailoverAuth none
NOTE: Unix OSes based on bind will normally failover if DNS error
codes 2, 4, or 5 are received. Windows based OSes will normally
failover on all DNS error codes except 3 (No Such Name).
NOTE: In most configurations the DUT will learn the IPv4 and/or IPv6
addresses of several DNS servers on the WAN. While CDRouter will Initiate
all DNS queries on the LAN over IPv4 in this test, the DUT may use any of
the DNS servers in its list (IPv4 of IPv6) for final resolution.
| Test |
Name |
Synopsis |
Verify Reverse PTR DNS queries to router are forwarded to real DNS server |
ipv6_dns_tcp_50 |
Verify Reverse PTR DNS queries to router are forwarded to real DNS server |
step 1. Initiate a reverse DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
| Test |
Name |
Synopsis |
Verify Reverse AAAA IPv6 DNS queries to router are forwarded to real DNS server |
ipv6_dns_tcp_51 |
Verify Reverse AAAA IPv6 DNS queries to router are forwarded to real DNS server |
step 1. Initiate a reverse AAAA IPv6 DNS query from the LAN client
to the configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy fails over when new primary DNS server is learned |
ipv6_dns_tcp_60 |
Verify IPv6 DNS proxy fails over when new primary DNS server is learned |
step 1. Create a new primary and backup DNS server
step 2. Terminate the WAN link and bring back up
step 3. Issue DNS query from the LAN client to the DUT's LAN IP
address
step 4. Verify LAN client receives response from new DNS servers
step 5. If DNS query fails, make additional attempts to allow
possible failover
step 6. Terminate the WAN link and bring back up with original DNS
servers
NOTE: This test is only run when the WAN mode is dynamic.
NOTE: The amount of time to wait before checking that DNS has
been updated after the WAN link is restored can be configured
using the testvar 'dnsFailoverDelay'. The default is 10 seconds.
NOTE: In IPv4 and IPv6 dual stack scenarios, the DUT may switch
over to IPv6 DNS server addresses which have not changed. These
servers are also unresponsive during the test and the DUT should
fail over to the new IPv4 DNS servers. The number of DNS queries
attempted may be configured using the testvar 'dnsFailoverAttempts'.
| Test |
Name |
Synopsis |
Verify IPv6 DNS lookups with multiple IPv4 responses |
ipv6_dns_tcp_70 |
Verify IPv6 DNS lookups with multiple IPv4 responses |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 3. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy recovers after DNS server outage |
ipv6_dns_tcp_100 |
Verify IPv6 DNS proxy recovers after DNS server outage |
step 1. Verify initial DNS lookup is working
step 2. Disable all DNS servers
step 3. Initiate 3 DNS lookups for new domains which should fail
from the LAN client to the DUT's LAN IP address
step 4. Enable all DNS servers
step 5. Verify DNS lookups start working again
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries including the EDNS0 option |
ipv6_dns_tcp_110 |
Verify IPv6 DNS queries including the EDNS0 option |
step 1. Initiate a DNS lookup containing EDNS0 option for a new
unique hostname from the LAN client to the configured DNS
server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Change the IP address on the DNS server for the new hostname
step 4. Initiate a new DNS lookup containing EDNS0 option for the
same hostname
step 5. Verify a new DNS request is sent to the primary or backup
DNS servers; inclusion of EDNS0 option should not affect
ability to successfully resolve hostnames
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify large DNS responses using EDNS0 option |
ipv6_dns_tcp_120 |
Verify large DNS responses using EDNS0 option |
step 1. Configure a DNS entry with 200 IPv4 matching records that
requires a UDP response slightly less than 4096
step 2. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server using EDNS0 option
announcing a UDP buffer size of 4096
step 3. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 4. Verify LAN client learns all IPv4 answers from DNS lookup
Reference: RFC 6891 Extension Mechanisms for DNS (EDNS0)
| Test |
Name |
Synopsis |
Verify maximum UDP payload value in EDNS0 option |
ipv6_dns_tcp_121 |
Verify maximum UDP payload value in EDNS0 option |
step 1. Initiate a DNS lookup for a unique hostname from the LAN
client to the configured DNS server using EDNS0 option
announcing a UDP buffer size of 4096
step 2. Verify DNS response contains EDNS0 option
step 3. Configure a DNS entry with enough matching IPv4 records that
requires a UDP response slightly less than the EDNS0 UDP
buffer size seen in step 2
step 4. Initiate a DNS lookup for the same hostname from LAN client
using EDNS0 option announcing a UDP buffer size of 4096
step 5. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 6. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 6891 "Extension Mechanisms for DNS (EDNS0)"
https://tools.ietf.org/html/rfc6891
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for TXT records |
ipv6_dns_tcp_130 |
Verify IPv6 DNS queries for TXT records |
step 1. Initiate a DNS TXT query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send a return TXT response back to LAN
step 5. Verify the response is received by LAN client
References:
IETF RFC 6891 "Extension Mechanisms for DNS (EDNS0)"
https://tools.ietf.org/html/rfc6891
| Test |
Name |
Synopsis |
Verify DNS queries for CNAME records |
ipv6_dns_tcp_132 |
Verify DNS queries for CNAME records |
step 1. Initiate a DNS CNAME query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send a return CNAME response back to LAN
step 5. Verify the response is received by LAN client
Reference: RFC 1035 Domain names - implementation and specification
| Test |
Name |
Synopsis |
Verify DNS queries for responses returning both CNAME and A records |
ipv6_dns_tcp_133 |
Verify DNS queries for responses returning both CNAME and A records |
step 1. Initiate a DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send both a CNAME and A records response back to LAN
step 5. Verify the response is received by LAN client with both CNAME
and A records
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify DNS queries for responses returning both CNAME and AAAA records |
ipv6_dns_tcp_134 |
Verify DNS queries for responses returning both CNAME and AAAA records |
step 1. Initiate a DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send both a CNAME and AAAA records response back to LAN
step 5. Verify the response is received by LAN client with both CNAME
and AAAA records
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for SPF records |
ipv6_dns_tcp_140 |
Verify IPv6 DNS queries for SPF records |
step 1. Initiate a DNS SPF query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return SPF response back to LAN
step 5. Verify the response is received by LAN client
References:
IETF RFC 4408 "Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"
https://tools.ietf.org/html/rfc4408
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for SRV records |
ipv6_dns_tcp_141 |
Verify IPv6 DNS queries for SRV records |
step 1. Initiate a DNS SRV query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return SRV response back to LAN
step 5. Verify the response is received by LAN client
step 6. Verify the response priority, weight, port and target fields
References:
IETF RFC 2782 "A DNS RR for specifying the location of services (DNS SRV)"
https://tools.ietf.org/html/rfc2782
| Test |
Name |
Synopsis |
Verify DNS proxy behavior for DNS server status requests |
ipv6_dns_tcp_150 |
Verify DNS proxy behavior for DNS server status requests |
step 1. Send a DNS server status request from the LAN client to the
configured DNS server
step 2. Verify that the DNS proxy either forwards the server status request
to the real DNS server or drops it based on the proxy's expected
behavior
NOTE: Scanning tools including Nmap utilize DNS server status requests when
probing a host. Some DNS proxy implementations will drop DNS server status
requests for security reasons. The testvar dnsForwardServerStatus should be
set to a value of **no** if this is the expected behavior of the DUT's DNS
proxy. For DNS proxy implementations that forward server status request
messages upstream, the testvar dnsForwardServerStatus should be set to a
value of **yes**.
References:
IETF RFC 5625 "DNS Proxy Implementation Guidelines" Section 3: Transparency Principle
https://tools.ietf.org/html/rfc5625#section-3
The DNS Status OPCODE Section 6: Security Considerations
http://www.eric-a-hall.com/specs/draft-hall-status-opcode-00-1.txt6
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not mangle DNSSEC queries |
ipv6_dns_tcp_200 |
Verify IPv6 DNS proxy does not mangle DNSSEC queries |
step 1. Initiate a DNSKEY query from the LAN client to the
configured DNS server
step 2. The query may be received by the primary or backup DNS
server
step 3. Send a DNSKEY response back to LAN
step 4. Verify the response is received by LAN client and all fields
are correct
step 5. Repeat steps 1-5 for RRSIG, DS, and NSEC queries
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 4034 "Resource Records for the DNS Security Extensions"
https://tools.ietf.org/html/rfc4034
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not mangle large DNSSEC responses |
ipv6_dns_tcp_201 |
Verify IPv6 DNS proxy does not mangle large DNSSEC responses |
step 1. Initiate a DNSKEY query from the LAN client to the
configured DNS server
step 2. The query may be received by the primary or backup DNS
server
step 3. Send a large RRSIG response (greater than 1220 bytes) back
to LAN
step 4. Verify full response is received by LAN client and all
fields are correct
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 4035 "Protocol Modifications for the DNS Security Extensions" Section 4.1: EDNS Support
https://tools.ietf.org/html/rfc4035#section-4.1
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy honors TTL values when caching responses |
ipv6_dns_tcp_300 |
Verify IPv6 DNS proxy honors TTL values when caching responses |
step 1. Initiate a DNS lookup for a hostname from the LAN client to
the DUT's LAN IP address
step 2. Verify DUT's DNS proxy forwards the query to the WAN DNS
server
step 3. Change the address on the WAN DNS server for the new
hostname
step 4. Wait half the TTL value of the response
step 5. Perform a DNS lookup on the same hostname from the LAN
step 6. If supportsDnsCaching is yes, verify DUT's DNS proxy returns
cached response from step 2 and does not forward the query
to the WAN DNS server. If supportsDnsCaching is no, verify
DUT's DNS proxy forwards the query to the WAN DNS server
step 7. Wait long enough for the TTL value of the response from
step 2 to have elapsed
step 8. Perform a DNS lookup on the same hostname from the LAN
step 9. Verify DUT's DNS proxy forwards the query to the WAN DNS
server
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 4.1.3: Resource Record Format
https://tools.ietf.org/html/rfc1035#section-4.1.3
| Test |
Name |
Synopsis |
Verify maximum number of cached DNS responses |
ipv6_dns_tcp_301 |
Verify maximum number of cached DNS responses |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the DUT's LAN IP address
step 2. Verify that the DUT's DNS proxy forwards the query to the
WAN DNS server
step 3. Send a valid response to the DUT on the WAN and verify that
DUT's DNS proxy forwards this response to the LAN client
step 4. Repeat steps 1 through 3 (dnsCacheSize + 10) times
step 5. Repeat steps 1 through 4 but look up the hostnames in
reverse order
step 6. Verify that the last 10 hostname lookups are not cached by
the DUT's DNS proxy
NOTE: The testvar dnsCacheSize should be configured to match the
size of the DUT's DNS cache.
| Test |
Name |
Synopsis |
Verify parallel DNS queries |
ipv6_dns_tcp_400 |
Verify parallel DNS queries |
step 1. Initiate a DNS A record lookup for a new unique hostname
from the LAN client to the configured DNS server.
step 2. Initiate a DNS AAAA record lookup from the LAN client for
the same hostname used in step 1 to the configured DNS
server on the same socket as used in step 1.
step 3. Verify that DNS responses are received for both DNS
queries.
| Test |
Name |
Synopsis |
Verify DNS does not deploy NXDOMAIN hijacking for type A records |
ipv6_dns_tcp_410 |
Verify DNS does not deploy NXDOMAIN hijacking for type A records |
step 1. Initiate a DNS lookup for a new unique type A DNS record from
the LAN client to the configured DNS server
step 2. Return DNS response with NXDOMAIN (No such domain reply code)
step 3. Verify the NXDOMAIN response is returned to the LAN client
References:
DNS NXDOMAIN Hijacking
http://en.wikipedia.org/wiki/DNS_hijacking
| Test |
Name |
Synopsis |
Verify DNS does not deploy NXDOMAIN hijacking for type AAAA records |
ipv6_dns_tcp_411 |
Verify DNS does not deploy NXDOMAIN hijacking for type AAAA records |
step 1. Initiate a DNS lookup for a new unique type AAAA DNS record from
the LAN client to the configured DNS server
step 2. Return DNS response with NXDOMAIN (No such domain reply code)
step 3. Verify the NXDOMAIN response is returned to the LAN client
References:
DNS NXDOMAIN Hijacking
http://en.wikipedia.org/wiki/DNS_hijacking
| Test |
Name |
Synopsis |
Verify DNS proxy handles use of bit 0x20 in DNS labels |
ipv6_dns_tcp_420 |
Verify DNS proxy handles use of bit 0x20 in DNS labels |
step 1. Add a new DNS hostname to the DNS servers on the WAN
step 2. Create a new bit 0x20 version of the DNS hostname
step 3. Initiate a DNS lookup from the LAN client using the bit 0x20 DNS label
step 4. Verify the LAN client receives a valid DNS response
step 5. Repeat this process for 100 variations of the bit 0x20 DNS label
References:
IETF Internet-Draft draft-vixie-dnsext-dns0x20-00 "Use of Bit 0x20 in DNS Labels to Improve Transaction Identity"
https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
| Test |
Name |
Synopsis |
Verify DNS proxy enforces DNS strict privacy usage profile |
ipv6_dns_tcp_500 |
Verify DNS proxy enforces DNS strict privacy usage profile |
step 1. Add a new DNS hostname to the DNS servers on the WAN
step 2. Initiate a DNS lookup for the new unique hostname from the LAN
client to the DUT's DNS proxy
step 3. Verify the LAN client receives a valid DNS response
step 4. Verify a new DNS request is sent to the primary or backup
DNS servers using DNS over TLS
NOTE: The list of secure transports (i.e. TLS, HTTPS (DoH) or
both) which the DUT is expected to use when sending DNS queries
can be configured via the testvar
dnsUsageProfileStrictPrivacyTransports.
References:
IETF RFC 8310 "Usage Profiles for DNS over (D)TLS" Section 5: Usage Profiles
https://tools.ietf.org/html/rfc8310#section-5
dns-tls-v6.tcl
IPv6 DNS over TLS proxy and DNS failover related tests
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not cache DNS entry when DNS TTL is 0 |
ipv6_dns_tls_10 |
Verify IPv6 DNS proxy does not cache DNS entry when DNS TTL is 0 |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Change the IP address on the DNS server for the new hostname
step 4. Initiate a new DNS lookup for the same hostname
step 5. Verify a new DNS request is sent to the primary or backup
DNS servers
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy returns TTL of 0 when returned DNS TTL is 0 |
ipv6_dns_tls_11 |
Verify IPv6 DNS proxy returns TTL of 0 when returned DNS TTL is 0 |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Verify the returned TTL from the DNS proxy is 0
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify AAAA IPv6 DNS queries to router are forwarded to real DNS server |
ipv6_dns_tls_40 |
Verify AAAA IPv6 DNS queries to router are forwarded to real DNS server |
step 1. Initiate an AAAA IPv6 DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case. The DNS relay or proxy must understand IPv6 DNS
type AAAA lookups.
References:
IETF RFC 4074 "Common Misbehavior Against DNS Queries for IPv6 Addresses"
https://tools.ietf.org/html/rfc4074
| Test |
Name |
Synopsis |
Verify AAAA IPv6 DNS queries can return no address for IPv6 to IPv4 failover |
ipv6_dns_tls_41 |
Verify AAAA IPv6 DNS queries can return no address for IPv6 to IPv4 failover |
step 1. Initiate an AAAA IPv6 DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send an empty return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case. The DNS relay or proxy must understand IPv6
DNS type AAAA lookups.
References:
IETF RFC 4074 "Common Misbehavior Against DNS Queries for IPv6 Addresses"
https://tools.ietf.org/html/rfc4074
| Test |
Name |
Synopsis |
Verify IPv6 DNS failover when non-zero error codes are received in non-authoritative DNS response |
ipv6_dns_tls_45 |
Verify IPv6 DNS failover when non-zero error codes are received in non-authoritative DNS response |
step 1. Verify DNS error codes from 1 - 15.
step 2. For each error code, send 3 DNS queries for a unique
hostname to the DUT's LAN IP address.
step 3. Verify a valid DNS response was received for all 3 DNS
queries.
step 4. Verify that all 3 DNS queries were received on the same
WAN DNS server address, known as the current primary DNS
server address.
step 5. Configure DNS queries sent to the current primary DNS
server address to return the error code, and all other DNS
server addresses to return the normal response.
step 6. All error responses from the current primary DNS server
address will have the authoritative bit not set.
step 7. Send 3 DNS queries for another unique hostname to the
DUT's LAN IP address.
step 8. Verify a valid DNS response is received if the error code
is expected to trigger DNS failover.
step 9. Verify that a DNS query was received on the current
primary DNS server address.
NOTE: Most DNS clients that support multiple DNS servers (primary and
backup) use some type of failover for certain DNS error codes. The behavior
for each error code is implementation dependent. The list of error codes
that will cause DNS failover can be configured using the testvar
'dnsFailoverAuth'. If no DNS error codes will cause failover, the testvar
should be configured with the keyword 'none'.
Example:
testvar dnsFailoverNonAuth "2 4 5"
Example with no failover support:
testvar dnsFailoverNonAuth none
NOTE: Unix OSes based on bind will normally failover if DNS error
codes 2, 4, or 5 are received. Windows based OSes will normally
failover on all DNS error codes except 3 (No Such Name).
NOTE: In most configurations the DUT will learn the IPv4 and/or IPv6
addresses of several DNS servers on the WAN. While CDRouter will Initiate
all DNS queries on the LAN over IPv4 in this test, the DUT may use any of
the DNS servers in its list (IPv4 of IPv6) for final resolution.
| Test |
Name |
Synopsis |
Verify IPv6 DNS failover when non-zero error codes are received in authoritative DNS response |
ipv6_dns_tls_46 |
Verify IPv6 DNS failover when non-zero error codes are received in authoritative DNS response |
step 1. Verify DNS error codes from 1 - 15.
step 2. For each error code, send 3 DNS queries for a unique
hostname to the DUT's LAN IP address.
step 3. Verify a valid DNS response was received for all 3 DNS
queries.
step 4. Verify that all 3 DNS queries were received on the same
WAN DNS server address, known as the current primary DNS
server address.
step 5. Configure DNS queries sent to the current primary DNS
server address to return the error code, and all other DNS
server addresses to return the normal response.
step 6. All error responses from the current primary DNS server
address will have the authoritative bit set.
step 7. Send 3 DNS queries for another unique hostname to the
DUT's LAN IP address.
step 8. Verify a valid DNS response is received if the error code
is expected to trigger DNS failover.
step 9. Verify that a DNS query was received on the current
primary DNS server address.
NOTE: Most DNS clients that support multiple DNS servers (primary and
backup) use some type of failover for certain DNS error codes. The behavior
for each error code is implementation dependent. The list of error codes
that will cause DNS failover can be configured using the testvar
'dnsFailoverAuth'. If no DNS error codes will cause failover, the testvar
should be configured with the keyword 'none'.
Example:
testvar dnsFailoverAuth "2 4 5"
Example with no failover support:
testvar dnsFailoverAuth none
NOTE: Unix OSes based on bind will normally failover if DNS error
codes 2, 4, or 5 are received. Windows based OSes will normally
failover on all DNS error codes except 3 (No Such Name).
NOTE: In most configurations the DUT will learn the IPv4 and/or IPv6
addresses of several DNS servers on the WAN. While CDRouter will Initiate
all DNS queries on the LAN over IPv4 in this test, the DUT may use any of
the DNS servers in its list (IPv4 of IPv6) for final resolution.
| Test |
Name |
Synopsis |
Verify Reverse PTR DNS queries to router are forwarded to real DNS server |
ipv6_dns_tls_50 |
Verify Reverse PTR DNS queries to router are forwarded to real DNS server |
step 1. Initiate a reverse DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
| Test |
Name |
Synopsis |
Verify Reverse AAAA IPv6 DNS queries to router are forwarded to real DNS server |
ipv6_dns_tls_51 |
Verify Reverse AAAA IPv6 DNS queries to router are forwarded to real DNS server |
step 1. Initiate a reverse AAAA IPv6 DNS query from the LAN client
to the configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return response back to LAN
step 5. Verify the response is received by LAN client
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy fails over when new primary DNS server is learned |
ipv6_dns_tls_60 |
Verify IPv6 DNS proxy fails over when new primary DNS server is learned |
step 1. Create a new primary and backup DNS server
step 2. Terminate the WAN link and bring back up
step 3. Issue DNS query from the LAN client to the DUT's LAN IP
address
step 4. Verify LAN client receives response from new DNS servers
step 5. If DNS query fails, make additional attempts to allow
possible failover
step 6. Terminate the WAN link and bring back up with original DNS
servers
NOTE: This test is only run when the WAN mode is dynamic.
NOTE: The amount of time to wait before checking that DNS has
been updated after the WAN link is restored can be configured
using the testvar 'dnsFailoverDelay'. The default is 10 seconds.
NOTE: In IPv4 and IPv6 dual stack scenarios, the DUT may switch
over to IPv6 DNS server addresses which have not changed. These
servers are also unresponsive during the test and the DUT should
fail over to the new IPv4 DNS servers. The number of DNS queries
attempted may be configured using the testvar 'dnsFailoverAttempts'.
| Test |
Name |
Synopsis |
Verify IPv6 DNS lookups with multiple IPv4 responses |
ipv6_dns_tls_70 |
Verify IPv6 DNS lookups with multiple IPv4 responses |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server
step 2. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 3. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy recovers after DNS server outage |
ipv6_dns_tls_100 |
Verify IPv6 DNS proxy recovers after DNS server outage |
step 1. Verify initial DNS lookup is working
step 2. Disable all DNS servers
step 3. Initiate 3 DNS lookups for new domains which should fail
from the LAN client to the DUT's LAN IP address
step 4. Enable all DNS servers
step 5. Verify DNS lookups start working again
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries including the EDNS0 option |
ipv6_dns_tls_110 |
Verify IPv6 DNS queries including the EDNS0 option |
step 1. Initiate a DNS lookup containing EDNS0 option for a new
unique hostname from the LAN client to the configured DNS
server
step 2. Return DNS response with TTL set to 0 from WAN DNS server
step 3. Change the IP address on the DNS server for the new hostname
step 4. Initiate a new DNS lookup containing EDNS0 option for the
same hostname
step 5. Verify a new DNS request is sent to the primary or backup
DNS servers; inclusion of EDNS0 option should not affect
ability to successfully resolve hostnames
NOTE: Zero values are interpreted to mean that the RR can only be
used for the transaction in progress, and should not be cached.
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 3.2.1: Format
https://tools.ietf.org/html/rfc1035#section-3.2.1
| Test |
Name |
Synopsis |
Verify large DNS responses using EDNS0 option |
ipv6_dns_tls_120 |
Verify large DNS responses using EDNS0 option |
step 1. Configure a DNS entry with 200 IPv4 matching records that
requires a UDP response slightly less than 4096
step 2. Initiate a DNS lookup for a new unique hostname from the LAN
client to the configured DNS server using EDNS0 option
announcing a UDP buffer size of 4096
step 3. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 4. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 6891 "Extension Mechanisms for DNS (EDNS0)"
https://tools.ietf.org/html/rfc6891
| Test |
Name |
Synopsis |
Verify maximum UDP payload value in EDNS0 option |
ipv6_dns_tls_121 |
Verify maximum UDP payload value in EDNS0 option |
step 1. Initiate a DNS lookup for a unique hostname from the LAN
client to the configured DNS server using EDNS0 option
announcing a UDP buffer size of 4096
step 2. Verify DNS response contains EDNS0 option
step 3. Configure a DNS entry with enough matching IPv4 records that
requires a UDP response slightly less than the EDNS0 UDP
buffer size seen in step 2
step 4. Initiate a DNS lookup for the same hostname from LAN client
using EDNS0 option announcing a UDP buffer size of 4096
step 5. Return DNS response with multiple IPv4 answers from WAN DNS
server
step 6. Verify LAN client learns all IPv4 answers from DNS lookup
References:
IETF RFC 6891 "Extension Mechanisms for DNS (EDNS0)"
https://tools.ietf.org/html/rfc6891
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for TXT records |
ipv6_dns_tls_130 |
Verify IPv6 DNS queries for TXT records |
step 1. Initiate a DNS TXT query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send a return TXT response back to LAN
step 5. Verify the response is received by LAN client
Reference: RFC 1035 Domain names - implementation and specification
| Test |
Name |
Synopsis |
Verify DNS queries for CNAME records |
ipv6_dns_tls_132 |
Verify DNS queries for CNAME records |
step 1. Initiate a DNS CNAME query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send a return CNAME response back to LAN
step 5. Verify the response is received by LAN client
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify DNS queries for responses returning both CNAME and A records |
ipv6_dns_tls_133 |
Verify DNS queries for responses returning both CNAME and A records |
step 1. Initiate a DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send both a CNAME and A records response back to LAN
step 5. Verify the response is received by LAN client with both CNAME
and A records
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify DNS queries for responses returning both CNAME and AAAA records |
ipv6_dns_tls_134 |
Verify DNS queries for responses returning both CNAME and AAAA records |
step 1. Initiate a DNS query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS server
step 4. Send both a CNAME and AAAA records response back to LAN
step 5. Verify the response is received by LAN client with both CNAME
and AAAA records
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION"
https://tools.ietf.org/html/rfc1035
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for SPF records |
ipv6_dns_tls_140 |
Verify IPv6 DNS queries for SPF records |
step 1. Initiate a DNS SPF query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return SPF response back to LAN
step 5. Verify the response is received by LAN client
References:
IETF RFC 4408 "Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"
https://tools.ietf.org/html/rfc4408
| Test |
Name |
Synopsis |
Verify IPv6 DNS queries for SRV records |
ipv6_dns_tls_141 |
Verify IPv6 DNS queries for SRV records |
step 1. Initiate a DNS SRV query from the LAN client to the
configured DNS server
step 2. Verify the query is received by real DNS server on the WAN
side
step 3. The query may be received by the primary or backup DNS
server
step 4. Send a return SRV response back to LAN
step 5. Verify the response is received by LAN client
step 6. Verify the response priority, weight, port and target fields
References:
IETF RFC 2782 "A DNS RR for specifying the location of services (DNS SRV)"
https://tools.ietf.org/html/rfc2782
| Test |
Name |
Synopsis |
Verify DNS proxy behavior for DNS server status requests |
ipv6_dns_tls_150 |
Verify DNS proxy behavior for DNS server status requests |
step 1. Send a DNS server status request from the LAN client to the
configured DNS server
step 2. Verify that the DNS proxy either forwards the server status request
to the real DNS server or drops it based on the proxy's expected
behavior
NOTE: Scanning tools including Nmap utilize DNS server status requests when
probing a host. Some DNS proxy implementations will drop DNS server status
requests for security reasons. The testvar dnsForwardServerStatus should be
set to a value of **no** if this is the expected behavior of the DUT's DNS
proxy. For DNS proxy implementations that forward server status request
messages upstream, the testvar dnsForwardServerStatus should be set to a
value of **yes**.
References:
IETF RFC 5625 "DNS Proxy Implementation Guidelines" Section 3: Transparency Principle
https://tools.ietf.org/html/rfc5625#section-3
The DNS Status OPCODE Section 6: Security Considerations
http://www.eric-a-hall.com/specs/draft-hall-status-opcode-00-1.txt6
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not mangle DNSSEC queries |
ipv6_dns_tls_200 |
Verify IPv6 DNS proxy does not mangle DNSSEC queries |
step 1. Initiate a DNSKEY query from the LAN client to the
configured DNS server
step 2. The query may be received by the primary or backup DNS
server
step 3. Send a DNSKEY response back to LAN
step 4. Verify the response is received by LAN client and all fields
are correct
step 5. Repeat steps 1-5 for RRSIG, DS, and NSEC queries
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 4034 "Resource Records for the DNS Security Extensions"
https://tools.ietf.org/html/rfc4034
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy does not mangle large DNSSEC responses |
ipv6_dns_tls_201 |
Verify IPv6 DNS proxy does not mangle large DNSSEC responses |
step 1. Initiate a DNSKEY query from the LAN client to the
configured DNS server
step 2. The query may be received by the primary or backup DNS
server
step 3. Send a large RRSIG response (greater than 1220 bytes) back
to LAN
step 4. Verify full response is received by LAN client and all
fields are correct
NOTE: The router must support some type of DNS relay or proxy to
pass this test case.
References:
IETF RFC 4035 "Protocol Modifications for the DNS Security Extensions" Section 4.1: EDNS Support
https://tools.ietf.org/html/rfc4035#section-4.1
| Test |
Name |
Synopsis |
Verify IPv6 DNS proxy honors TTL values when caching responses |
ipv6_dns_tls_300 |
Verify IPv6 DNS proxy honors TTL values when caching responses |
step 1. Initiate a DNS lookup for a hostname from the LAN client to
the DUT's LAN IP address
step 2. Verify DUT's DNS proxy forwards the query to the WAN DNS
server
step 3. Change the address on the WAN DNS server for the new
hostname
step 4. Wait half the TTL value of the response
step 5. Perform a DNS lookup on the same hostname from the LAN
step 6. If supportsDnsCaching is yes, verify DUT's DNS proxy returns
cached response from step 2 and does not forward the query
to the WAN DNS server. If supportsDnsCaching is no, verify
DUT's DNS proxy forwards the query to the WAN DNS server
step 7. Wait long enough for the TTL value of the response from
step 2 to have elapsed
step 8. Perform a DNS lookup on the same hostname from the LAN
step 9. Verify DUT's DNS proxy forwards the query to the WAN DNS
server
References:
IETF RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" Section 4.1.3: Resource Record Format
https://tools.ietf.org/html/rfc1035#section-4.1.3
| Test |
Name |
Synopsis |
Verify maximum number of cached DNS responses |
ipv6_dns_tls_301 |
Verify maximum number of cached DNS responses |
step 1. Initiate a DNS lookup for a new unique hostname from the LAN
client to the DUT's LAN IP address
step 2. Verify that the DUT's DNS proxy forwards the query to the
WAN DNS server
step 3. Send a valid response to the DUT on the WAN and verify that
DUT's DNS proxy forwards this response to the LAN client
step 4. Repeat steps 1 through 3 (dnsCacheSize + 10) times
step 5. Repeat steps 1 through 4 but look up the hostnames in
reverse order
step 6. Verify that the last 10 hostname lookups are not cached by
the DUT's DNS proxy
NOTE: The testvar dnsCacheSize should be configured to match the
size of the DUT's DNS cache.
| Test |
Name |
Synopsis |
Verify parallel DNS queries |
ipv6_dns_tls_400 |
Verify parallel DNS queries |
step 1. Initiate a DNS A record lookup for a new unique hostname
from the LAN client to the configured DNS server.
step 2. Initiate a DNS AAAA record lookup from the LAN client for
the same hostname used in step 1 to the configured DNS
server on the same socket as used in step 1.
step 3. Verify that DNS responses are received for both DNS
queries.
| Test |
Name |
Synopsis |
Verify DNS does not deploy NXDOMAIN hijacking for type A records |
ipv6_dns_tls_410 |
Verify DNS does not deploy NXDOMAIN hijacking for type A records |
step 1. Initiate a DNS lookup for a new unique type A DNS record from
the LAN client to the configured DNS server
step 2. Return DNS response with NXDOMAIN (No such domain reply code)
step 3. Verify the NXDOMAIN response is returned to the LAN client
References:
DNS NXDOMAIN Hijacking
http://en.wikipedia.org/wiki/DNS_hijacking
| Test |
Name |
Synopsis |
Verify DNS does not deploy NXDOMAIN hijacking for type AAAA records |
ipv6_dns_tls_411 |
Verify DNS does not deploy NXDOMAIN hijacking for type AAAA records |
step 1. Initiate a DNS lookup for a new unique type AAAA DNS record from
the LAN client to the configured DNS server
step 2. Return DNS response with NXDOMAIN (No such domain reply code)
step 3. Verify the NXDOMAIN response is returned to the LAN client
References:
DNS NXDOMAIN Hijacking
http://en.wikipedia.org/wiki/DNS_hijacking
| Test |
Name |
Synopsis |
Verify DNS proxy handles use of bit 0x20 in DNS labels |
ipv6_dns_tls_420 |
Verify DNS proxy handles use of bit 0x20 in DNS labels |
step 1. Add a new DNS hostname to the DNS servers on the WAN
step 2. Create a new bit 0x20 version of the DNS hostname
step 3. Initiate a DNS lookup from the LAN client using the bit 0x20 DNS label
step 4. Verify the LAN client receives a valid DNS response
step 5. Repeat this process for 100 variations of the bit 0x20 DNS label
References:
IETF Internet-Draft draft-vixie-dnsext-dns0x20-00 "Use of Bit 0x20 in DNS Labels to Improve Transaction Identity"
https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
| Test |
Name |
Synopsis |
Verify DNS proxy enforces DNS strict privacy usage profile |
ipv6_dns_tls_500 |
Verify DNS proxy enforces DNS strict privacy usage profile |
step 1. Add a new DNS hostname to the DNS servers on the WAN
step 2. Initiate a DNS lookup for the new unique hostname from the LAN
client to the DUT's DNS proxy
step 3. Verify the LAN client receives a valid DNS response
step 4. Verify a new DNS request is sent to the primary or backup
DNS servers using DNS over TLS
NOTE: The list of secure transports (i.e. TLS, HTTPS (DoH) or
both) which the DUT is expected to use when sending DNS queries
can be configured via the testvar
dnsUsageProfileStrictPrivacyTransports.
References:
IETF RFC 8310 "Usage Profiles for DNS over (D)TLS" Section 5: Usage Profiles
https://tools.ietf.org/html/rfc8310#section-5
url-filter-v6.tcl
IPv6 URL filtering tests for LAN side HTTP clients
| Test |
Name |
Synopsis |
Verify HTTP GETs to filtered URLs over IPv6 are blocked |
ipv6_urlfilter_10 |
Verify HTTP GETs to filtered URLs over IPv6 are blocked |
step 1. Set up new web server on WAN side using IPv6 free network address
step 2. Resolve domain IPv6 address using DNS AAAA lookup from LAN client
step 3. Initiate IPv6 TCP connection to web server from LAN client
step 4. Verify TCP connection is opened
step 5. Send HTTP GET from LAN client to new server for requested URL
step 6. URL is considered blocked if one of the following occurs:
a. The LAN client does not receive a page from the webserver
b. The LAN client receives a page from the webserver, but
the HTTP status code is not 200 "OK"
c. The LAN client receives a page from the webserver with
an HTTP status code of 200, but the returned page contains
text indicating that the page was administratively blocked,
as defined by the testvar 'urlFilterBlockedText'
step 7. Repeat for each configured filtered URL
step 8. Verify that each configured non-filtered URL returns a valid
webpage
NOTE: This test is only performed if the testvar 'urlFilterSupported'
is set to "yes". The testvars 'filtered-urls' and 'non-filtered-urls'
are used to specify which URLs are used during this test.
NOTE: This test allows the CPE to block a URL by preventing establishment
of the TCP connection in step 4, using a proxy to return a non-200 HTTP
status code in step 6, or using a proxy to return a 200 HTTP status code
in step 6 with alternate webpage text indicating that the page was
admninistratively blocked. The testvar 'urlFilterBlockedText' should be
configured with a portion of the expected text returned when a page is
blocked by the CPE.
| Test |
Name |
Synopsis |
Verify HTTP GETs to filtered URLs over IPv6 are blocked without DNS lookups |
ipv6_urlfilter_12 |
Verify HTTP GETs to filtered URLs over IPv6 are blocked without DNS lookups |
step 1. Set up new web server on WAN side using IPv6 free network address
step 2. Resolve only domain IPv6 addresses for non-filtered URLs using AAAA
lookup from LAN client
step 3. Initiate IPv6 TCP connection to web server from LAN client
step 4. Verify TCP connection is opened
step 5. Send HTTP GET from LAN client to new server for requested URL
step 6. URL is considered blocked if one of the following occurs:
a. The LAN client does not receive a page from the webserver
b. The LAN client receives a page from the webserver, but
the HTTP status code is not 200 "OK"
c. The LAN client receives a page from the webserver with
an HTTP status code of 200, but the returned page contains
text indicating that the page was administratively blocked,
as defined by the testvar 'urlFilterBlockedText'
step 7. Repeat for each configured filtered URL
step 8. Verify that each configured non-filtered URL returns a valid
webpage
NOTE: This test is only performed if the testvar 'urlFilterSupported'
is set to "yes". The testvars 'filtered-urls' and 'non-filtered-urls'
are used to specify which URLs are used during this test.
NOTE: This test allows the CPE to block a URL by preventing establishment
of the TCP connection in step 4, using a proxy to return a non-200 HTTP
status code in step 6, or using a proxy to return a 200 HTTP status code
in step 6 with alternate webpage text indicating that the page was
admninistratively blocked. The testvar 'urlFilterBlockedText' should be
configured with a portion of the expected text returned when a page is
blocked by the CPE.
| Test |
Name |
Synopsis |
Verify HTTP HEADs to filtered URLs over IPv6 are blocked |
ipv6_urlfilter_15 |
Verify HTTP HEADs to filtered URLs over IPv6 are blocked |
step 1. Set up new web server on WAN side using IPv6 free network address
step 2. Resolve domain IPv6 address using DNS AAAA lookup from LAN client
step 3. Initiate IPv6 TCP connection to web server from LAN client
step 4. Verify TCP connection is opened
step 5. Send HTTP HEAD from LAN client to new server for requested URL
step 6. URL is considered blocked if one of the following occurs:
a. The LAN client does not receive a page from the webserver
b. The LAN client receives a page from the webserver, but
the HTTP status code is not 200 "OK"
c. The LAN client receives a page from the webserver with
an HTTP status code of 200, but the returned page contains
text indicating that the page was administratively blocked,
as defined by the testvar 'urlFilterBlockedText'
step 7. Repeat for each configured filtered URL
step 8. Verify that each configured non-filtered URL returns a valid
webpage
NOTE: This test is only performed if the testvar 'urlFilterSupported'
is set to "yes". The testvars 'filtered-urls' and 'non-filtered-urls'
are used to specify which URLs are used during this test.
NOTE: This test allows the CPE to block a URL by preventing establishment
of the TCP connection in step 4, using a proxy to return a non-200 HTTP
status code in step 6, or using a proxy to return a 200 HTTP status code
in step 6 with alternate webpage text indicating that the page was
admninistratively blocked. The testvar 'urlFilterBlockedText' should be
configured with a portion of the expected text returned when a page is
blocked by the CPE.
| Test |
Name |
Synopsis |
Verify HTTP POSTs to filtered URLs over IPv6 are blocked |
ipv6_urlfilter_20 |
Verify HTTP POSTs to filtered URLs over IPv6 are blocked |
step 1. Set up new web server on WAN side using IPv6 free network address
step 2. Resolve domain IPv6 address using DNS AAAA lookup from LAN client
step 3. Initiate IPv6 TCP connection to web server from LAN client
step 4. Verify TCP connection is opened
step 5. Send HTTP POST from LAN client to new server for requested URL
step 6. URL is considered blocked if one of the following occurs:
a. The LAN client does not receive a page from the webserver
b. The LAN client receives a page from the webserver, but
the HTTP status code is not 200 "OK"
c. The LAN client receives a page from the webserver with
an HTTP status code of 200, but the returned page contains
text indicating that the page was administratively blocked,
as defined by the testvar 'urlFilterBlockedText'
step 7. Repeat for each configured filtered URL
step 8. Verify that each configured non-filtered URL returns a valid
webpage
NOTE: This test is only performed if the testvar 'urlFilterSupported'
is set to "yes". The testvars 'filtered-urls' and 'non-filtered-urls'
are used to specify which URLs are used during this test.
NOTE: This test allows the CPE to block a URL by preventing establishment
of the TCP connection in step 4, using a proxy to return a non-200 HTTP
status code in step 6, or using a proxy to return a 200 HTTP status code
in step 6 with alternate webpage text indicating that the page was
admninistratively blocked. The testvar 'urlFilterBlockedText' should be
configured with a portion of the expected text returned when a page is
blocked by the CPE.
| Test |
Name |
Synopsis |
Verify URL filtering over IPv6 does not look at Cookie data |
ipv6_urlfilter_30 |
Verify URL filtering over IPv6 does not look at Cookie data |
step 1. Set up new web server on WAN side using IPv6 free network address
step 2. Resolve domain IPv6 address using DNS AAAA lookup from LAN client
step 3. Initiate IPv6 TCP connection to web server from LAN client
step 4. Verify TCP connection is opened
step 5. Send HTTP GET from LAN client to new server for requested URL
step 6. Use one of the filtered URLs as the cookie data
step 7. Verify webserver does return a response
step 8. Repeat for each configured allowed URL
NOTE: This test is only performed if the testvar 'urlFilterSupported'
is set to "yes". The testvars 'filtered-urls' and 'non-filtered-urls'
are used to specify which URLs are used during this test.
| Test |
Name |
Synopsis |
Verify HTTPS GETs to filtered URLs over IPv6 are blocked |
ipv6_urlfilter_40 |
Verify HTTPS GETs to filtered URLs over IPv6 are blocked |
step 1. Set up new HTTPS server on WAN side using IPv6 free network address
step 2. Resolve domain IPv6 address using DNS AAAA lookup from LAN client
step 3. Initiate IPv6 TCP connection to web server from LAN client
step 4. If TCP connection is not established, skip to step 9
step 5. Verify TCP connection is opened
step 6. Establish SSL connection to server
step 7. Send HTTPS GET from LAN client to new server for requested URL
step 8. URL is considered blocked if one of the following occurs:
a. The LAN client does not receive a page from the webserver
b. The LAN client receives a page from the webserver, but
the HTTP status code is not 200 "OK"
c. The LAN client receives a page from the webserver with
an HTTP status code of 200, but the returned page contains
text indicating that the page was administratively blocked,
as defined by the testvar 'urlFilterBlockedText'
step 9. Repeat for each configured filtered URL
step 10. Verify that each configured non-filtered URL returns a valid
webpage
NOTE: This test is only performed if the testvar 'urlFilterSupported'
is set to "yes". The testvars 'filtered-urls' and 'non-filtered-urls'
are used to specify which URLs are used during this test.
NOTE: This test allows the CPE to block a URL by preventing establishment
of the TCP connection in step 4, using a proxy to return a non-200 HTTP
status code in step 8, or using a proxy to return a 200 HTTP status code
in step 8 with alternate webpage text indicating that the page was
admninistratively blocked. The testvar 'urlFilterBlockedText' should be
configured with a portion of the expected text returned when a page is
blocked by the CPE.
mcast-v6.tcl
MLDv1/v2 and multicast data tests for IPv6 MLD proxy
| Test |
Name |
Synopsis |
MLD packets from LAN are proxied to WAN interface |
ipv6_mcast_1 |
MLD packets from LAN are proxied to WAN interface |
step 1. Send an MLDv1/2 Query on the WAN to allow device to detect MLD version
step 2. Send an MLDv1/2 Membership Report packet on the LAN interface
step 3. Verify an MLDv1/2 Membership Report packet is received on the WAN interface
step 4. For MLDv2, verify group record is CHANGE_TO_EXCLUDE_MODE for the group
with an empty source list.
step 5. Repeat test using an MLDv1 Leave packet or MLDv2 Memebership Report
to leave the multicast group
step 6. For MLDv2, verify group record is CHANGE_TO_INCLUDE_MODE for the group
with an empty source list.
NOTE: Some routers may send an MLD query on the LAN interface after the
MLD Leave from the LAN client. The MLD Leave may not be sent on the
WAN interface until the LAN side has made multiple queries.
The amount of time this test case should wait before expecting the
MLD Leave on the WAN interface may be configured by setting the
testvar 'ipv6MulticastCacheTimeout'.
Example:
testvar ipv6MulticastCacheTimeout 30
References:
IETF RFC 2710 "Multicast Listener Discovery (MLD) for IPv6"
https://tools.ietf.org/html/rfc2710
IETF RFC 3810 "Multicast Listener Discovery Version 2 (MLDv2) for IPv6"
https://tools.ietf.org/html/rfc3810
| Test |
Name |
Synopsis |
Verify IPv6 Hop-Limit is decremented for multicast packets |
ipv6_mcast_2 |
Verify IPv6 Hop-Limit is decremented for multicast packets |
step 1. Send an MLDv1/2 Query on the WAN to allow device to detect MLD version
step 2. Join a multicast group on the LAN interface
step 3. Send a UDP packet to the multicast group from the WAN
step 4. Verify the multicast packet is received on the LAN
step 5. Verify the TTL is decremented by the expected IP hop count
NOTE: This test will work with either a multicast pass through implementation
or a multicast proxy implementation.
NOTE: The number of expected IP hops can be configured using the testvar
'IPv6HopCount'. The default is 1 IP hop. If the device is using bridge
mode, the expected IPv6HopCount is 0.
NOTE: The testvar ipv6MulticastJoinDelay can be used to control how long
the test waits to verify the multicast traffic after receiving the
MLD report. The default value is 2 seconds.
testvar ipv6MulticastJoinDelay 2
References:
IETF RFC 2710 "Multicast Listener Discovery (MLD) for IPv6"
https://tools.ietf.org/html/rfc2710
IETF RFC 3810 "Multicast Listener Discovery Version 2 (MLDv2) for IPv6"
https://tools.ietf.org/html/rfc3810
| Test |
Name |
Synopsis |
Forward Multicast IPv6 UDP packets with various packet lengths (LAN to WAN) |
ipv6_mcast_11 |
Forward Multicast IPv6 UDP packets with various packet lengths (LAN to WAN) |
step 1. Send an MLDv1/2 Query on the WAN to allow device to detect MLD version
step 2. Join a multicast group on the WAN interface
step 3. Forward a multicast UDP packet from the LAN with UDP length 4
step 4. Verify the packet is received on the WAN interface
step 5. Repeat for all packet sizes up to the max MTU
NOTE: This test will work with either a multicast pass through implementation
or a multicast proxy implementation.
NOTE: The testvar ipv6MulticastJoinDelay can be used to control how long
the test waits to verify the multicast traffic after receiving the
MLD report. The default value is 2 seconds.
testvar ipv6MulticastJoinDelay 2
NOTE: If the device does not support forwarding multiast traffic
to the WAN, this test case may be skipped by setting
the testvar supportsIPv6MulticastOut to no.
For examp