[ipv6hackers] Implications of IPv6 on network firewalls
Adrian Bool
adrian.bool at revolution.net.eu
Mon Nov 21 11:16:15 CET 2011
Hi Fernando,
On Monday, 21 November 2011 at 01:20, Fernando Gont wrote:
> An article about IPv6 firewalls that I've written for Techtarget has
> just been published. It is available here:
> <http://searchenterprisewan.techtarget.com/tip/IPv6-firewall-security-Fixing-issues-introduced-by-the-new-protocol>
>
>
On the subject IPv6 extension headers...
My understanding is that there are seven extension headers defined in RFC2460, which then goes on to state,
> Each extension header should occur at most once, except for the Destination Options header which should occur at most twice.
>
And earlier in the same RFC,
> [if] the Next Header value in the current header is unrecognized by the node, it should discard the packet and send an ICMP Parameter Problem message
>
It therefore seems to me that a firewall should never need to process more than eight extension headers - anything more than this should be dropped and an ICMP error returned.
Have I missed anything?
Kind regards,
Adrian
--
Adrian Bool, Director, Network Revolution Limited
e adrian.bool at revolution.net.eu (mailto:adrian.bool at revolution.net.eu)
m +44 7525 781 982
Network Revolution Limited, 145-157 St John Street, London, EC1V 4PW, United Kingdom.
Registered in England and Wales, 7607414.
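The header-chain check described in the message above, written out as an added example (it is not code from the original post or from the Ipv6hackers list). It walks the extension header chain of a raw IPv6 packet, enforces the occurrence limits quoted from RFC 2460 (each extension header at most once, Destination Options at most twice), and drops packets whose Next Header value the parser does not recognize, which is where the sender would receive an ICMPv6 Parameter Problem. The set of upper-layer protocols, the packet builder and the sample packets are constructed assumptions for the demonstration; ESP is treated as the end of the walkable chain because everything behind it is encrypted.

```python
import struct

# Extension header Next Header values (RFC 2460; AH and ESP from RFC 4302/4303).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT_HEADER, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
EXT_NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
             ESP: "esp", AH: "ah", DEST_OPTS: "dest-opts"}

# Assumption: the firewall only knows these upper-layer protocols; anything else is "unrecognized".
UPPER_LAYER = {6: "tcp", 17: "udp", 58: "icmpv6"}

# Occurrence limits as quoted from RFC 2460 in the post above.
MAX_OCCURRENCES = {h: 1 for h in EXT_NAMES}
MAX_OCCURRENCES[DEST_OPTS] = 2

IPV6_FIXED_LEN = 40


def walk_header_chain(packet: bytes):
    """Return (verdict, reason, chain) for a raw IPv6 packet.

    verdict is "accept" or "drop"; chain lists the headers seen in order.
    """
    if len(packet) < IPV6_FIXED_LEN or packet[0] >> 4 != 6:
        return ("drop", "not an IPv6 packet", [])
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = IPV6_FIXED_LEN + payload_len
    if end > len(packet):
        return ("drop", "payload length exceeds captured packet", [])

    next_hdr = packet[6]
    offset = IPV6_FIXED_LEN
    seen = {}
    chain = []
    while True:
        if next_hdr in UPPER_LAYER:
            chain.append(UPPER_LAYER[next_hdr])
            return ("accept", "upper-layer header reached", chain)
        if next_hdr == NO_NEXT_HEADER:
            chain.append("no-next-header")
            return ("accept", "No Next Header (59) reached", chain)
        if next_hdr not in EXT_NAMES:
            # RFC 2460: unrecognized Next Header -> discard, ICMPv6 Parameter Problem to the sender.
            return ("drop", f"unrecognized Next Header {next_hdr} (ICMPv6 Parameter Problem)", chain)

        seen[next_hdr] = seen.get(next_hdr, 0) + 1
        if seen[next_hdr] > MAX_OCCURRENCES[next_hdr]:
            return ("drop", f"{EXT_NAMES[next_hdr]} occurs more than {MAX_OCCURRENCES[next_hdr]} time(s)", chain)
        chain.append(EXT_NAMES[next_hdr])

        if next_hdr == ESP:
            # ESP payload is encrypted: the chain cannot be walked any further from here.
            return ("accept", "ESP reached; remainder of chain is opaque", chain)
        if offset + 2 > end:
            return ("drop", "truncated extension header", chain)
        nh, ext_len = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            hdr_len = 8                      # Fragment header is fixed at 8 octets
        elif next_hdr == AH:
            hdr_len = (ext_len + 2) * 4      # AH length is in 4-octet units, minus 2
        else:
            hdr_len = (ext_len + 1) * 8      # HBH/Routing/DestOpts: 8-octet units, first 8 not counted
        if offset + hdr_len > end:
            return ("drop", f"{EXT_NAMES[next_hdr]} header runs past end of packet", chain)
        offset += hdr_len
        next_hdr = nh


def build_packet(headers, upper=6):
    """Constructed helper: fixed IPv6 header plus minimal 8-octet extension headers."""
    nh_chain = list(headers) + [upper]
    body = b""
    for i, h in enumerate(headers):
        nxt = nh_chain[i + 1]
        if h in (FRAGMENT, AH):
            body += bytes([nxt, 0]) + b"\x00" * 6       # fixed/minimal 8 octets
        else:
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])    # PadN option fills the 8-octet header
    body += b"\x00" * 20                                 # dummy upper-layer payload (constructed)
    src = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01"   # 2001:db8::1 (documentation prefix)
    dst = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x02"   # 2001:db8::2
    fixed = bytes([0x60, 0, 0, 0]) + struct.pack("!H", len(body)) + bytes([nh_chain[0], 64]) + src + dst
    return fixed + body


if __name__ == "__main__":
    samples = {
        "normal": build_packet([HOP_BY_HOP, DEST_OPTS]),
        "three dest-opts": build_packet([DEST_OPTS, DEST_OPTS, DEST_OPTS]),
        "duplicate hop-by-hop": build_packet([HOP_BY_HOP, HOP_BY_HOP]),
        "unknown next header": build_packet([FRAGMENT], upper=255),
    }
    for label, pkt in samples.items():
        print(f"{label:22s} -> {walk_header_chain(pkt)}")
```

The check refuses a chain as soon as a header exceeds its allowance, before reading that header's bytes, so a packet padded with repeated headers costs at most the bounded number of iterations the limits allow; the truncation checks keep a short packet with a large Hdr Ext Len from reading past the buffer.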