IPv6 Route Type 0 Filtering (Was: IPv6 Type 0 Routing Header issues)
Jeroen Massar
jeroen at unfix.org
Sat Apr 28 14:47:10 CEST 2007
Hi again,
For the core details read:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
See below for a summary on how to filter these on your platform.
I do hope that folks by now realize what this does and that they should
have applied these things like last week already... Unless you of course
want to become a victim of it: Your network will nicely suck itself up :)
Greets,
Jeroen
--
*** Cisco
Use:
"no ipv6 source-route"
*** Juniper
Not yet, they claim to be busy with it, call your TAC and complain ;)
*** Linux
# Filter all packets that have RT0 headers
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
(of course before accepting anything else ;)
*** FreeBSD
One has to upgrade the kernel with at least the following patch in place:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/route6.c.diff?r1=1.12&r2=1.13
*** OpenBSD
A source code patch for OpenBSD 4.0-stable can be downloaded from
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/012_route6.patch.
A source code patch for OpenBSD 3.9-stable can be downloaded from
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/022_route6.patch.
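
A check for the ordering caveat in the Linux section ("before accepting anything else"), as an added example that is not part of the original post. The function names and both rulesets are constructed for illustration, and the check assumes `ip6tables -S` prints the RT0 rule in the same form it was typed above.

```shell
# Hypothetical helper: reads rules in `ip6tables -S` form on stdin and succeeds
# only if INPUT, FORWARD and OUTPUT each hold the unconditional RT0 DROP rule
# ahead of every rule that could let a packet through.
rt0_rules_ok() {
    awk '
    $1 == "-A" {
        chain = $2
        if ($0 == "-A " chain " -m rt --rt-type 0 -j DROP") {
            if (!(chain in passed)) guarded[chain] = 1
            next
        }
        target = ""
        for (i = 3; i < NF; i++)
            if ($i == "-j" || $i == "-g") target = $(i + 1)
        # DROP and REJECT end processing, LOG falls through to the next rule;
        # ACCEPT or a jump/goto into another chain may pass the packet on.
        if (target != "" && target != "DROP" && target != "REJECT" && target != "LOG")
            passed[chain] = 1
    }
    END {
        n = split("INPUT FORWARD OUTPUT", want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in guarded)) { print want[i] ": RT0 DROP missing or after an accepting rule"; bad = 1 }
        exit bad + 0
    }'
}
# Constructed ruleset: RT0 is dropped first in all three chains.
sample_good() {
cat <<'EOF'
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i eth0 -j ACCEPT
-A OUTPUT -m rt --rt-type 0 -j DROP
EOF
}
# Constructed ruleset: -A appended the INPUT rule behind an existing ACCEPT.
sample_bad() {
cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
EOF
}
sample_good | rt0_rules_ok && echo "sample_good: RT0 dropped before any accept"
sample_bad | rt0_rules_ok || echo "sample_bad: move the RT0 rule to the top of the chain"
# Against the live ruleset (as root): ip6tables -S | rt0_rules_ok
```

A rule that only drops RT0 for some sources or interfaces does not count as a match here, since the check looks for the unconditional rule exactly as given in the post.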