IPv6 Type 0 Routing Header issues

Gert Doering gert at space.net
Tue Apr 24 15:26:52 CEST 2007


Hi,

On Tue, Apr 24, 2007 at 12:53:42AM +0100, Jeroen Massar wrote:
> Just in case folks are missing out on this, find below a rather nasty
> security issue.

Indeed, good reminder to

  - deploy uRPF wherever possible
    (Cisco speak: "ipv6 verify unicast reverse-path")

  - keep your systems up-to-date (the Cisco advisory is from January)

and the BSDs need to do a bit of homework (should never forward packets if 
ip6.forwarding is 0, and it's surprising that pf(4) can't filter on RH0s).

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
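
Added example, not part of the original message and not taken from any vendor or BSD code: a sketch of the check a packet filter needs in order to match RH0, walking the IPv6 extension-header chain to find a Routing Header with Routing Type 0. The function names and the sample packets (built from the 2001:db8::/32 documentation prefix) are constructed for illustration.

```python
import struct
from ipaddress import IPv6Address

HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}

def find_rh0(packet: bytes):
    """Return (segments_left, address_count) of the first Type 0 Routing
    Header in a raw IPv6 packet, or None. Raises ValueError if malformed."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off = packet[6], 40
    while next_hdr in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, ext_len = packet[off], packet[off + 1]
        if next_hdr == FRAGMENT:
            size = 8  # fixed size; second byte is reserved
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return None  # non-first fragment: no header chain to inspect
        elif next_hdr == AUTH:
            size = (ext_len + 2) * 4  # AH length is counted in 4-octet units
        else:
            size = (ext_len + 1) * 8  # 8-octet units, first 8 octets not counted
        if off + size > len(packet):
            raise ValueError("extension header overruns packet")
        if next_hdr == ROUTING and packet[off + 2] == 0:  # Routing Type 0
            return packet[off + 3], ext_len // 2  # 16 bytes per listed address
        next_hdr, off = following, off + size
    return None

def should_drop(packet: bytes) -> bool:
    """Filter decision: drop RH0 and anything whose chain cannot be parsed."""
    try:
        return find_rh0(packet) is not None
    except ValueError:
        return True

# Constructed sample packets (RFC 3849 documentation prefix), next header 59 = none.
def build_packet(next_hdr: int, payload: bytes = b"") -> bytes:
    src, dst = IPv6Address("2001:db8::1").packed, IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload

HOP = IPv6Address("2001:db8::3").packed
RH0 = bytes([59, 2, 0, 1]) + bytes(4) + HOP   # Type 0, one intermediate address
RH2 = bytes([59, 2, 2, 1]) + bytes(4) + HOP   # Type 2 (Mobile IPv6), must pass
DSTOPTS = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])  # PadN only, followed by routing hdr
SAMPLES = {"plain": build_packet(59), "rh0": build_packet(ROUTING, RH0),
           "rh2": build_packet(ROUTING, RH2),
           "dstopts+rh0": build_packet(DEST_OPTS, DSTOPTS + RH0)}
```

The "dstopts+rh0" sample shows why a filter has to walk the whole chain instead of testing only the Next Header field of the fixed IPv6 header.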


More information about the ipv6-ops mailing list