[ipv6hackers] Implications of IPv6 on network firewalls
adrian.bool at revolution.net.eu
Mon Nov 21 11:16:15 CET 2011
On Monday, 21 November 2011 at 01:20, Fernando Gont wrote:
> An article about IPv6 firewalls that I've written for Techtarget has
> just been published. It is available here:
On the subject of IPv6 extension headers...
My understanding is that there are seven extension headers defined in RFC2460, which then goes on to state,
> Each extension header should occur at most once, except for the Destination Options header which should occur at most twice.
And earlier in the same RFC,
> [if] the Next Header value in the current header is unrecognized by the node, it should discard the packet and send an ICMP Parameter Problem message
It therefore seems to me that a firewall should never need to process more than eight extension headers - anything more than this should be dropped and an ICMP error returned.
Have I missed anything?
Adrian Bool, Director, Network Revolution Limited
e adrian.bool at revolution.net.eu
m +44 7525 781 982
Network Revolution Limited, 145-157 St John Street, London, EC1V 4PW, United Kingdom.
Registered in England and Wales, 7607414.
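
The occurrence rule quoted from RFC 2460 above, written out as a header-chain walker that a filter could apply. This is an added example, not part of the original message; the names `walk_chain`, `MAX_OCCURS` and `TERMINAL` and the sample packets are constructed for illustration. It returns only a verdict (sending the ICMP Parameter Problem message is left out) and assumes unfragmented packets or first fragments.

```python
import struct

# Extension headers of RFC 2460 whose Next Header field can be read in clear.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
MAX_OCCURS = {HOP_BY_HOP: 1, ROUTING: 1, FRAGMENT: 1, AH: 1, DEST_OPTS: 2}
# Where the walk stops: TCP, UDP, ESP (encrypted from here on), ICMPv6,
# No Next Header. Which values to accept is a policy assumption of this sketch.
TERMINAL = {6, 17, 50, 58, 59}

def walk_chain(packet: bytes):
    """Return ("accept", protocol) or ("drop", reason) for a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("drop", "not IPv6")
    nxt, off, seen = packet[6], 40, {}
    while nxt not in TERMINAL:
        if nxt not in MAX_OCCURS:
            return ("drop", f"unrecognized Next Header {nxt}")
        if nxt == HOP_BY_HOP and off != 40:
            return ("drop", "Hop-by-Hop Options not first")
        seen[nxt] = seen.get(nxt, 0) + 1
        if seen[nxt] > MAX_OCCURS[nxt]:
            return ("drop", f"header {nxt} repeated")
        if off + 8 > len(packet):
            return ("drop", "truncated header")
        hdr_next, hdr_len = packet[off], packet[off + 1]
        if nxt == FRAGMENT:
            size = 8                  # fixed size; non-first fragments not handled
        elif nxt == AH:
            size = (hdr_len + 2) * 4  # AH counts 4-octet units, minus 2
        else:
            size = (hdr_len + 1) * 8  # 8-octet units, not counting the first
        if off + size > len(packet):
            return ("drop", "truncated header")
        nxt, off = hdr_next, off + size
    return ("accept", nxt)

# --- constructed sample packets (zero addresses, zero-filled header bodies) ---
def ipv6(nxt, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + bytes(32) + payload

def ext(nxt):                         # minimal 8-octet options/routing header
    return bytes([nxt, 0]) + bytes(6)

GOOD = ipv6(0, ext(60) + ext(43) + ext(60) + ext(6) + bytes(20))
THREE_DEST_OPTS = ipv6(60, ext(60) + ext(60) + ext(6) + bytes(20))
UNKNOWN = ipv6(60, ext(253) + bytes(8))

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("3x dest opts", THREE_DEST_OPTS), ("unknown", UNKNOWN)]:
        print(name, walk_chain(pkt))
```

Because every clear-text header type has an occurrence cap, the loop is bounded regardless of packet length.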