[ipv6hackers] Implications of IPv6 on network firewalls

Fernando Gont fgont at si6networks.com
Tue Nov 22 06:04:58 CET 2011


Hi, Adrian,

On 11/21/2011 07:16 AM, Adrian Bool wrote:
> It therefore seems to me that a firewall should never need to process
> more than eight extension headers - anything more than this should be
> dropped and in ICMP error returned.
> 
> Have I missed anything?

There are other extension headers, specified in other RFCs. e.g.,
CALIPSO, specified in RFC5570.

However, I'm of the idea that the firewall policy should be "default
deny", and that you should only support those extension headers that you
want to support. -- Yes, this is usually at odds with "being liberal in
what you accept"... but that's generally the case for any security
controls that you enforce.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





More information about the Ipv6hackers mailing list