Extension headers and firewalls

Merike Kaeo merike at doubleshotsecurity.com
Sat Jul 21 21:58:38 CEST 2012


Just last week I had posted on a security mailing list that my favorite litmus test question for vendors who supported IPv6 was 'How do you handle extension headers?' Sadly, there is a lot of work to do here with most vendors. And I've been asking this for at least 2 years. Very often it's an issue with performance, since the ASIC designs to accommodate variable packet header sizes aren't so straightforward, or so I'm told :)

- merike

On Jul 20, 2012, at 1:17 AM, Erik Kline wrote:

> I know that (at least some models of) Brand J router ACLs can't filter when there are extension headers so the packets are usually just dropped.  Extension headers, and by extension, fragmentation, really kinda just don't work in the IPv6 world right now.  :-(
> 
> 
> On 20 July 2012 17:10, Brian E Carpenter <brian.e.carpenter at gmail.com> wrote:
> I'm hearing that shim6 headers are blocked by the BSD pf firewall, and that
> the problem extends to other types of extension header.
> 
> I'm also hearing that PIX boxes are said to drop shim6 headers.
> 
> Does anybody have clear information about this?
> 
> Regards
>    Brian Carpenter
> 
> 
> 