[ipv6hackers] Implications of IPv6 on network firewalls

Fernando Gont fgont at si6networks.com
Thu Nov 24 18:24:07 CET 2011

On 11/24/2011 06:02 AM, Frederic Bovy wrote:
> CISCO default is to deny by default the Routing Headers.

That's for patched IOS... which might or might not be the IOS version
your device is running...

> I am not sure that we should deny all the headers by defaults as some
> of them are required for basic  IPv6 features (hop by hop with Router
> Alert for MLD)... 

I don't think extension headers other than "Fragment Header" are needed
for basic functionality. Regarding use of HBH extension headers for MLD,
they are only needed if:

a) Your local network is supported by an MLD-snooping switch, or,
b) You're using "global" multicast (as opposed to link-local multicast)

When it comes to "a", *if* you wanted, you could disable the
MLD-snooping functionality (your switch might not even support it, anyway).

"b" is not the case for most networks.

In any case, *MLDv1* is fine (simple enough). OTOH, MLDv2 is
unnecessarily complex if you just want to support link-local multicast.
So my advice would be that, rather than disabling MLD completely, you
use MLDv1 (instead of MLDv2), and use MLDv2 only if you're expecting to
use non-local multicast.

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list