[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Marc Heuse mh at mh-sec.de
Sun Mar 10 04:18:02 CET 2013

Hi Jim,

On 10.03.2013 02:10, Jim Small wrote:
>>>>> 11)   Extension header attacks - this one is especially tough,
>>>>> probably lots more to find...  I especially like Marc's warp packets
>>>>> with the router alert "high speed tag" which also double as ACL
>>>>> bypass agents.
>> I havent come across such things for quite some time now.
>> Agreed it was a problem, I remember the old ndpmon implementation.
>> Do you have information on affected products/tools that are "current"?
>> I can't believe I am arguing "pro" here ;-)
> I know of many "enterprise-grade" commercial firewalls that are IMHO
> unsatisfactory with their current IPv6 extension header capabilities.
> I would like to see a firewall be able to arbitrarily block any
> extension header by number regardless of where it is in the chain
> or regardless of fragmentation.  I would also like the ability to
> parse/inspect any extension header with the same criteria -
> regardless of where it is in the chain and regardless of fragmentation.
> There are definitely some capabilities here, but not as much as I
> would like.

I am just now reviewing four different firewalls for the IPv6
capabilities for a german magazine.
useful filtering on extension headers - only Cisco ASA can do this with
their newest firmware.
Filtering on options: nobody can do this at the moment. and this is
important (but also for an admin not very feasible to also know and make
good decisions about. I was told ASA can should be able to do that at
the end of the year. But lets see.


Marc Heuse

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A

More information about the Ipv6hackers mailing list