IPv6 Route Type 0 Filtering (Was: IPv6 Type 0 Routing Header issues)

Jeroen Massar jeroen at unfix.org
Sat Apr 28 14:47:10 CEST 2007


Hi again,

For the core details read:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

See below of a summary on how to filter these on your platform.

I do hope that folks by now realize what this does and that they should
have applied these things like last week already... Unless you of course
want to become a victim of it: Your network will nicely suck itself up :)

Greets,
 Jeroen

--

*** Cisco

Use:
"no ipv6 source-route"

*** Juniper

Not yet, they claim to be busy with it, call your TAC and complain  ;)

*** Linux

# Filter all packets that have RT0 headers
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

(of course before accepting anything else  ;)

*** FreeBSD

One has to upgrade the kernel with at least the following patch in place:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/route6.c.diff?r1=1.12&r2=1.13

*** OpenBSD

A source code patch for OpenBSD 4.0-stable can be downloaded from
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/012_route6.patch.

A source code patch for OpenBSD 3.9-stable can be downloaded from
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/022_route6.patch.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 311 bytes
Desc: OpenPGP digital signature
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20070428/a9b7ee03/signature.bin


More information about the ipv6-ops mailing list