[ipv6hackers] Implications of IPv6 on network firewalls

Frederic Bovy fred at fredbovy.com
Thu Nov 24 13:02:14 CET 2011

CISCO default is to deny by default the Routing Headers.
For the others I don't know and dont't think so.

I am not sure that we should deny all the headers by defaults as some of them are required for basic  IPv6 features (hop by hop with Router Alert for MLD)...
Ok I have read that MLD should also be disabled by default.

So just unplug the MAC and you'll be safe!


Le 22 nov. 2011 à 00:04, Fernando Gont a écrit :

> Hi, Adrian,
> On 11/21/2011 07:16 AM, Adrian Bool wrote:
>> It therefore seems to me that a firewall should never need to process
>> more than eight extension headers - anything more than this should be
>> dropped and in ICMP error returned.
>> Have I missed anything?
> There are other extension headers, specified in other RFCs. e.g.,
> CALIPSO, specified in RFC5570.
> However, I'm of the idea that the firewall policy should be "default
> deny", and that you should only support those extension headers that you
> want to support. -- Yes, this is usually at odds with "being liberal in
> what you accept"... but that's generally the case for any security
> controls that you enforce.
> Thanks!
> Best regards,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

More information about the Ipv6hackers mailing list