IPv6 filtering
- Subject: IPv6 filtering
- From: hank at efes.iucc.ac.il (Hank Nussbacher)
- Date: Wed, 26 Jan 2011 07:46:54 +0200
- In-reply-to: <6024623.294.1296019199315.JavaMail.franck@franck-martins-macbook-pro.local>
- References: <[email protected]>
At 18:20 26/01/2011 +1300, Franck Martin wrote:
>Well we filter icmp due to exploits, if no exploits, then we can let the
>whole of icmpv6 through. Or is there something terribly dangerous in
>icmpv6 already?
Ever since Cisco came out with "IPv6 Routing Header Vulnerability" in 2007
http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0fd.shtml
I have had the following enabled:

On the protected interface:

    ipv6 traffic-filter filter-rh in

    ipv6 access-list filter-rh
     deny ipv6 any any log routing
     permit ipv6 any any

and have stopped many pkts that way. I still occasionally see hits in our
log from all sorts of newbies who continue to try old bugs.
-Hank
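
What the `routing` keyword in the access list above keys on, as an added example that is not part of the original message: a Python sketch that walks a packet's IPv6 extension header chain, reports the type and Segments Left of any Routing header (Next Header 43), and models the two ACL entries. The function names and the sample packets are constructed for illustration.

```python
import struct

# Extension headers walked here; Routing is Next Header value 43.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def find_routing_header(packet: bytes):
    """Return (routing_type, segments_left) of the first Routing header, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40              # fixed header is 40 bytes
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            return packet[offset + 2], packet[offset + 3]
        if next_hdr == FRAGMENT:
            # Fragment header is always 8 bytes; a non-first fragment
            # does not carry the rest of the header chain.
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3:
                return None
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8  # Hdr Ext Len is in 8-byte units
        next_hdr, offset = packet[offset], offset + length
    return None

def filter_rh(packet: bytes) -> str:
    """Model of the two ACL entries: deny any Routing header, permit the rest."""
    return "deny" if find_routing_header(packet) is not None else "permit"

# --- constructed sample packets (2001:db8::/32 documentation addresses) ---
def ipv6(next_hdr: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload

HOP = bytes.fromhex("20010db8" + "00" * 11 + "03")
NO_NEXT = 59                                       # "No Next Header"
RH0 = ipv6(ROUTING, bytes([NO_NEXT, 2, 0, 1]) + bytes(4) + HOP)
RH2_AFTER_DSTOPT = ipv6(DEST_OPTS, bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])
                        + bytes([NO_NEXT, 2, 2, 1]) + bytes(4) + HOP)
ECHO = ipv6(58, bytes([128, 0, 0, 0, 0, 0, 0, 1]))  # ICMPv6 echo request, no ext headers

if __name__ == "__main__":
    for name, pkt in [("RH0", RH0), ("RH2 after DestOpts", RH2_AFTER_DSTOPT), ("echo", ECHO)]:
        print(f"{name:20} {find_routing_header(pkt)!s:10} {filter_rh(pkt)}")
```

The model denies both the Type 0 and the Type 2 sample, since it acts on the presence of a Routing header and not on its type field.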