[ipv6hackers] Implications of IPv6 on network firewalls
Frederic Bovy
fred at fredbovy.com
Thu Nov 24 13:02:14 CET 2011
Cisco's default is to deny the Routing Headers.
For the others I don't know and don't think so.
I am not sure that we should deny all the headers by default, as some of them are required for basic IPv6 features (Hop-by-Hop with Router Alert for MLD)...
OK, I have read that MLD should also be disabled by default.
So just unplug the MAC and you'll be safe!
Fred
On 22 Nov. 2011 at 00:04, Fernando Gont wrote:
> Hi, Adrian,
>
> On 11/21/2011 07:16 AM, Adrian Bool wrote:
>> It therefore seems to me that a firewall should never need to process
>> more than eight extension headers - anything more than this should be
>> dropped and an ICMP error returned.
>>
>> Have I missed anything?
>
> There are other extension headers, specified in other RFCs. e.g.,
> CALIPSO, specified in RFC5570.
>
> However, I'm of the idea that the firewall policy should be "default
> deny", and that you should only support those extension headers that you
> want to support. -- Yes, this is usually at odds with "being liberal in
> what you accept"... but that's generally the case for any security
> controls that you enforce.
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
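As an added example that is not part of this thread, here is the "default deny" extension-header policy Fernando describes, combined with the eight-header cap Adrian proposes and the Hop-by-Hop/Router Alert exception Fred raises for MLD, written as a small Python header-chain walker. The allowlist, the packet builder and the sample packets are assumptions made for the example.

```python
HOPOPT, ROUTING, FRAGMENT, DSTOPTS, ICMPV6 = 0, 43, 44, 60, 58
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}  # AH/ESP are left to IPsec policy and end the walk
MAX_EXT_HEADERS = 8            # the cap discussed in the thread
ALLOWED = {FRAGMENT, DSTOPTS}  # assumed site allowlist; Hop-by-Hop is handled separately below
ROUTER_ALERT = 5               # Hop-by-Hop option type carried by MLD (RFC 2711)

def walk_chain(pkt):
    """Return ([(header_type, raw_header), ...], upper_layer_protocol); ValueError on bad input."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if len(chain) >= MAX_EXT_HEADERS:
            raise ValueError("too many extension headers")
        # Fragment is fixed 8 bytes; others count 8-byte units past the first 8 (missing length byte -> 8, rejected below)
        hdr_len = 8 if nh == FRAGMENT or off + 1 >= len(pkt) else (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        chain.append((nh, pkt[off:off + hdr_len]))
        nh, off = pkt[off], off + hdr_len
    return chain, nh

def has_router_alert(hbh):
    i = 2                          # option TLVs start after the 2-byte Hop-by-Hop prefix
    while i < len(hbh):
        if hbh[i] == ROUTER_ALERT:
            return True
        if hbh[i] == 0:            # Pad1 is a lone byte with no length field
            i += 1
        else:                      # every other option is type, length, data; a missing length ends the scan
            i += 2 + hbh[i + 1] if i + 1 < len(hbh) else len(hbh)
    return False

def policy(pkt):
    try:
        chain, upper = walk_chain(pkt)
    except ValueError as err:
        return "drop", str(err)
    for nh, raw in chain:          # default deny: only allowlisted headers pass
        if nh == HOPOPT and not (has_router_alert(raw) and upper == ICMPV6):
            return "drop", "hop-by-hop without Router Alert/ICMPv6"   # MLD is the case that needs it
        if nh != HOPOPT and nh not in ALLOWED:
            return "drop", "extension header %d not allowed" % nh
    return "accept", "%d extension header(s) before protocol %d" % (len(chain), upper)

def build(exts, upper):
    """Constructed sample packet: exts = [(type, option_bytes), ...]; len(option_bytes) + 2 must be a multiple of 8."""
    nxt = [t for t, _ in exts][1:] + [upper]
    body = b"".join(bytes([n, len(o) // 8]) + o for (_, o), n in zip(exts, nxt))
    return bytes([0x60, 0, 0, 0]) + len(body).to_bytes(2, "big") + bytes([exts[0][0] if exts else upper, 64]) + bytes(32) + body
```

Calling `policy(build([(HOPOPT, bytes([5, 2, 0, 0, 1, 0]))], ICMPV6))` accepts an MLD-style packet (Router Alert in front of ICMPv6), while a Routing Header, a Hop-by-Hop header without Router Alert, or a chain of nine headers is dropped with the reason.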