[ipv6hackers] Firewall or IPS inspection Option Paddings

Marksteiner, Stefan stefan.marksteiner at joanneum.at
Wed May 23 21:13:24 CEST 2012

Hi Folks,

[Potyraj, 2007, p.13] says:

"The exact nature of the filtering scheme is left to firewall vendors, though some examples
of unreasonable padding are as follows:
• More than one padding option back-to-back should never occur.
• PadN options with data length greater than 5 should never be needed (i.e. overall
option length of 7). This assumes the RFC 2460 Appendix B guidelines of a
maximum of an 8-byte boundary being defined.
• Any PadN option with data bytes that are not zeros should be dropped. This is
suspicious behavior that may indicate a data channel."

Does any one of you know a firewall or an IPS which actually supports this behaviour and inspects the IPv6 option paddings?
In this case it doesn't matter whether it's a free or commercial product; I'm just looking for ANY device compliant with these design guidelines.



[Potyraj, 2007] Potyraj, C. (2007). Firewall Design Considerations for IPv6 (Report I733-041R-2007). National Security Agency. Available at http://www.nsa.gov/ia/files/ipv6/I733-041R-2007.pdf
