Extension headers and firewalls

Brian E Carpenter brian.e.carpenter at gmail.com
Mon Jul 23 14:18:02 CEST 2012


Thanks Eric, that seems to be the correct solution for a firewall.
Also of course sites need guidance on the appropriate policy.

     Brian

On 23/07/2012 09:15, Eric Vyncke (evyncke) wrote:
> Brian,
> 
> Assuming that by PIX you actually mean Cisco ASA (the new name), then indeed by default (prior version 8.4.2) ASA drops all packets containing RH0 or unknown extension header/layer-4 protocol (hence probably blocking also shim6). Since version 8.4.2, you can selectively permit/deny any specific extension header.
> 
> Hope it helps
> 
> -éric
> 
>> -----Original Message-----
>> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
>> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Brian E Carpenter
>> Sent: vendredi 20 juillet 2012 10:11
>> To: ipv6-ops at lists.cluenet.de
>> Subject: Extension headers and firewalls
>>
>> I'm hearing that shim6 headers are blocked by the BSD pf firewall, and that
>> the problem extends to other types of extension header.
>>
>> I'm also hearing that PIX boxes are said to drop shim6 headers.
>>
>> Does anybody have clear information about this?
>>
>> Regards
>>    Brian Carpenter
>>
> 




More information about the ipv6-ops mailing list