[ipv6hackers] Implications of IPv6 on network firewalls
Fernando Gont
fgont at si6networks.com
Thu Nov 24 18:24:07 CET 2011
On 11/24/2011 06:02 AM, Frederic Bovy wrote:
> CISCO default is to deny by default the Routing Headers.
That's for patched IOS... which might or might not be the IOS version
your device is running...
> I am not sure that we should deny all the headers by defaults as some
> of them are required for basic IPv6 features (hop by hop with Router
> Alert for MLD)...
I don't think extension headers other than "Fragment Header" are needed
for basic functionality. Regarding use of HBH extension headers for MLD,
they are only needed if:
a) Your local network is supported by an MLD-snooping switch, or,
b) You're using "global" multicast (as opposed to link-local multicast)
When it comes to "a", *if* you wanted, you could disable the
MLD-snooping functionality (your switch might not even support it, anyway).
"b" is not the case for most networks.
In any case, *MLDv1* is fine (simple enough). OTOH, MLDv2 is
unnecessarily complex if you just want to support link-local multicast.
So my advice would be that, rather than disabling MLD completely, you
use MLDv1 (instead of MLDv2), and use MLDv2 only if you're expecting to
use non-local multicast.
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
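The filtering policy sketched in this thread (pass the Fragment Header, pass Hop-by-Hop only when it carries an MLD Router Alert in front of an actual MLD message, drop Routing Headers and everything else by default) can be expressed as a small extension-header chain walker. The code below is an added example, not from the post or the ipv6hackers list, and the policy it encodes is an assumption derived from the discussion rather than any vendor's default; the header layouts and constants follow RFC 2460, RFC 2711 and RFC 2710/3810, and the sample packets are constructed inline with checksums left at zero.

```python
import socket
import struct

# Protocol constants (RFC 2460 ext headers, RFC 2711 Router Alert, RFC 2710/3810 MLD)
IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_TCP, NH_UDP, NH_ROUTING, NH_FRAGMENT = 0, 6, 17, 43, 44
NH_AH, NH_ICMPV6, NH_DSTOPTS = 51, 58, 60
EXT_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS}
OPT_PAD1, OPT_ROUTER_ALERT, RA_MLD = 0, 5, 0
MLD_TYPES = {130, 131, 132, 143}  # Query, MLDv1 Report, Done, MLDv2 Report

def parse_chain(pkt):
    """Walk the extension-header chain; return (headers, upper_proto, upper_off) where
    headers is a list of (next_header_value, offset, length). Raises ValueError on
    truncated or malformed input so the caller fails closed."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, headers = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == NH_FRAGMENT:
            hlen = 8                       # Fragment Header is fixed size
        elif nh == NH_AH:
            hlen = (pkt[off + 1] + 2) * 4  # AH length is in 4-octet units
        else:
            hlen = (pkt[off + 1] + 1) * 8  # others: 8-octet units, first 8 excluded
        if off + hlen > len(pkt):
            raise ValueError("extension header overruns packet")
        headers.append((nh, off, hlen))
        nh, off = pkt[off], off + hlen
    return headers, nh, off

def hbh_router_alert(pkt, off, hlen):
    """Return the Router Alert value carried by a Hop-by-Hop header, or None."""
    p, end = off + 2, off + hlen
    while p < end:
        opt_type = pkt[p]
        if opt_type == OPT_PAD1:           # Pad1 has no length byte
            p += 1
            continue
        if p + 2 > end or p + 2 + pkt[p + 1] > end:
            raise ValueError("option overruns hop-by-hop header")
        if opt_type == OPT_ROUTER_ALERT and pkt[p + 1] == 2:
            return struct.unpack("!H", pkt[p + 2:p + 4])[0]
        p += 2 + pkt[p + 1]
    return None

def classify(pkt, allow_global_multicast=False):
    """Return (verdict, reason). Assumed policy: Fragment Headers pass; Hop-by-Hop
    passes only with an MLD Router Alert in front of an MLD message to a link-local
    scope group (any scope if allow_global_multicast); everything else is dropped."""
    try:
        headers, upper, upper_off = parse_chain(pkt)
        if not headers:
            return "accept", "no extension headers"
        first_fragment = all(struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 == 0
                             for nh, off, _ in headers if nh == NH_FRAGMENT)
        for nh, off, hlen in headers:
            if nh == NH_FRAGMENT:
                continue
            if nh != NH_HOPOPTS:
                return "drop", "extension header %d not permitted" % nh
            if hbh_router_alert(pkt, off, hlen) != RA_MLD:
                return "drop", "hop-by-hop header without MLD router alert"
            if not first_fragment or upper != NH_ICMPV6 or upper_off >= len(pkt):
                return "drop", "router alert but no verifiable MLD message"
            if pkt[upper_off] not in MLD_TYPES:
                return "drop", "router alert on ICMPv6 type %d" % pkt[upper_off]
            link_local_scope = pkt[24] == 0xFF and pkt[25] & 0x0F == 2
            if not (link_local_scope or allow_global_multicast):
                return "drop", "MLD for non-link-local multicast scope"
        return "accept", "only permitted extension headers present"
    except ValueError as exc:
        return "drop", str(exc)

def ipv6(src, dst, nh, payload, hlim=1):
    """Build a minimal IPv6 packet (constructed sample data, checksums left zero)."""
    return (struct.pack("!IHBB", 0x60000000, len(payload), nh, hlim)
            + socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst) + payload)

def mldv1_report(group):
    return struct.pack("!BBHHH", 131, 0, 0, 0, 0) + socket.inet_pton(socket.AF_INET6, group)

HBH_RA_MLD = bytes([NH_ICMPV6, 0, OPT_ROUTER_ALERT, 2, 0, 0, 1, 0])  # RA=MLD + PadN
RH0 = bytes([NH_ICMPV6, 2, 0, 1, 0, 0, 0, 0]) + bytes(16)              # type 0, 1 address
FRAG_FIRST = bytes([NH_TCP, 0, 0, 1, 0, 0, 0, 7])                      # offset 0, M=1
ECHO_REQ = bytes([128, 0, 0, 0, 0, 1, 0, 1])

# Constructed sample packets exercising each branch of the policy
SAMPLES = {
    "mld_link_local": ipv6("fe80::1", "ff02::1:ff00:1", NH_HOPOPTS,
                           HBH_RA_MLD + mldv1_report("ff02::1:ff00:1")),
    "mld_global": ipv6("fe80::1", "ff0e::1234", NH_HOPOPTS,
                       HBH_RA_MLD + mldv1_report("ff0e::1234")),
    "rh0_ping": ipv6("2001:db8::1", "2001:db8::2", NH_ROUTING, RH0 + ECHO_REQ, hlim=64),
    "plain_tcp": ipv6("2001:db8::1", "2001:db8::2", NH_TCP, bytes(20), hlim=64),
    "fragment_tcp": ipv6("2001:db8::1", "2001:db8::2", NH_FRAGMENT,
                         FRAG_FIRST + bytes(20), hlim=64),
    "hbh_ra_udp": ipv6("fe80::1", "ff02::1", NH_HOPOPTS,
                       bytes([NH_UDP, 0, OPT_ROUTER_ALERT, 2, 0, 0, 1, 0]) + bytes(8)),
}
```

Running `classify()` over `SAMPLES` accepts the link-local MLDv1 report, the plain TCP packet and the first fragment, and drops the Routing Header packet, the Router Alert with no MLD message behind it, and the report for a global-scope group unless `allow_global_multicast=True` (the "b" case in the post). Because `parse_chain()` raises on any truncated or oversized header, malformed chains are dropped rather than passed through, and a Hop-by-Hop header in a non-first fragment is dropped because the MLD message behind it cannot be verified.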