[ipv6hackers] Some stats on IPv6 fragments and EH filtering on the Internet

Marc Heuse mh at mh-sec.de
Tue Nov 5 08:57:51 CET 2013

Hi guys,

>>> On 11/04/2013 04:10 PM, Marc Blanchet wrote:
>>>> Fernando, clarification question (since I was not at IEPG):
>>>> define "failure" in your slides?
>>> Probe packets do not get to the intended destination.
>> ok. your presentation says that you used a single vantage point.  Do
>> you know where the filtering happened? 
> Not exactly

you can find this out easily by using a traceroute which can add
extension headers.
(patch it in or use trace6 from my thc-ipv6 package. trace6 -F eth0
<target> and trace6 eth0 <target> - and then you know which hop is
filtering it)

I am not sure if I am happy or unhappy with the results.
I find it troubling that fragmented packets are being filtered.
but filtering hop-by-hop, destination header and routing headers is
perfectly fine if you decide that in your network there is no business case.
most surprising for me was that the "most accepted" extension header was
the routing header!

Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726

Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin

Ust.-Ident.-Nr.: DE244222388
PGP: AF3D 1D4C D810 F0BB 977D  3807 C7EE D0A0 6BE9 F573

More information about the Ipv6hackers mailing list