Extension headers and firewalls

Eric Vyncke (evyncke) evyncke at cisco.com
Mon Jul 23 10:15:58 CEST 2012


Assuming that by PIX you actually mean Cisco ASA (the new name), then indeed by default (prior to version 8.4.2) ASA drops all packets containing RH0 or an unknown extension header/layer-4 protocol (hence probably also blocking shim6). Since version 8.4.2, you can selectively permit/deny any specific extension header.

Hope it helps


> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Brian E Carpenter
> Sent: Friday 20 July 2012 10:11
> To: ipv6-ops at lists.cluenet.de
> Subject: Extension headers and firewalls
> I'm hearing that shim6 headers are blocked by the BSD pf firewall, and that
> the problem extends to other types of extension header.
> I'm also hearing that PIX boxes are said to drop shim6 headers.
> Does anybody have clear information about this?
> Regards
>    Brian Carpenter
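
Added example, not part of the original messages and not Cisco's code: a minimal Python model of the default policy described in the reply above (drop RH0 and any unknown extension header or layer-4 protocol), walking the IPv6 next-header chain. The sets of recognised headers, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

# Assumption: the header types this model recognises. Illustrative only;
# it is not the ASA's actual list. Shim6 (protocol 140) is deliberately absent.
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "destination options"}
L4 = {6: "tcp", 17: "udp", 58: "icmpv6"}

def classify(packet: bytes):
    """Walk the extension header chain and return (verdict, reason)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("drop", "not a complete IPv6 header")
    nxt, off = packet[6], 40          # Next Header field, end of fixed header
    while nxt not in L4:
        if nxt not in EXT:
            return ("drop", f"unknown next header {nxt}")
        if off + 8 > len(packet):
            return ("drop", "truncated extension header")
        if nxt == 43 and packet[off + 2] == 0:   # Routing Type field
            return ("drop", "routing header type 0")
        # Fragment header is a fixed 8 bytes; the others carry their
        # length in 8-byte units, not counting the first 8 bytes.
        size = 8 if nxt == 44 else (packet[off + 1] + 1) * 8
        nxt, off = packet[off], off + size
    return ("permit", L4[nxt])

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed test packet from ::1 to ::1."""
    addr = bytes(15) + b"\x01"
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + addr + addr + payload

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "plain udp": ipv6(17, bytes(8)),
    "dest-opts + tcp": ipv6(60, bytes([6, 0, 1, 4, 0, 0, 0, 0]) + bytes(20)),
    "rh0 + udp": ipv6(43, bytes([17, 2, 0, 1]) + bytes(20) + bytes(8)),
    "rh2 + udp": ipv6(43, bytes([17, 2, 2, 1]) + bytes(20) + bytes(8)),
    "shim6": ipv6(140, bytes([59, 0]) + bytes(6)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} {classify(pkt)}")
```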
