IPv6 Type 0 Routing Header issues

Gert Doering gert at space.net
Mon Apr 30 18:34:14 CEST 2007

Hi Patrick,

On Mon, Apr 30, 2007 at 06:18:43PM +0200, Patrick Grossetete wrote:
>         I will recommend looking at the PSIRT published in January 
> <http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml>http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml 
> to find what is available from a given IOS release. 

Thanks for reminding me :-) - yes, we have installed those upgrades over
the previous months, where available (we're still waiting for 12.2(18)S3,
which was scheduled to be available "early April", grrr).

> I understand we need to get "no ipv6 source-route"
> as default across all release trains but can't state when it will happen.

A changed default value would be useful, but this is not my main gripe.

My main problem is that there *is no* "no ipv6 source-route" command on 
12.2SX* IOS, and this is the only IOS that I can run on our 7600 boxes 
- given that these don't run "main stream" IOS (well, technically there
is 12.2SR* as well, but due to Cisco politics, we won't run that - and 
as far as I know, SR doesn't have "no ipv6 source-route" either).

On some of the 7200s, we run 12.2S or 12.2SB (due to the assumption that
these IOSes are targeted towards ISP customers), and these don't have it 
either.  12.3 main has it.

So while I'm safe against the crashes due to "bad" RH0 headers (which 
is good :) ), my routers can still be used to create RH0 traffic loops,
to eat bandwith, and possibly hurt other folks - and I can't see a 
good way to handle that.  Control plane policing *might* do the job, 

Gert Doering
        -- NetMaster
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20070430/63e1c5a3/attachment-0001.bin

More information about the ipv6-ops mailing list