[f-nsp] IPv6 security heads up, traffic filters

George B. georgeb at gmail.com
Fri Oct 29 16:45:17 EDT 2010


Just a little note of something to be aware of if folks are moving to a
dual-stack v4-v6 configuration.

If you apply a packet filter to an interface as is common to do on traffic
inbound from the internet and if you don't have enough/any v6 L4 CAM (say you
are running an ipv4 cam profile with static CAM), the application of the
traffic filter will silently fail.  You can apply it, and it will appear to
"take" but will get immediately "unapplied" if there is not enough L4 CAM.

This can bite you if you have SOME routers that have enough CAM and some
not.  You apply the traffic filter to the first few and everything looks
great.  Then you move on and apply the filter to a router that doesn't have
enough CAM, the command line doesn't complain, you move on to the next one, only
to discover later when you come back to that one that the traffic filter is
not in the config.  You apply it again, look at the config, and it isn't
there!  Now it WILL log a message in the log so it isn't completely "silent",
but it provides no feedback at the command line when you applied the filter
that there was insufficient CAM for it and the system removed it.

Just a heads up to check if you are dual stacking or haven't changed the
cam-profile (or kicked the unit since you changed the profile).

George
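The failure mode described in the post is that the CLI accepts the IPv6 filter and then drops it, leaving only a log entry behind. The practical check is therefore to re-read the running config after every apply and to scan the log for the CAM message rather than trusting the prompt. The script below is an added example, not part of the original post or any vendor tool: it parses constructed running-config excerpts for a bound `ipv6 traffic-filter` (the line format is assumed for illustration), reports every router where the expected binding is absent, and tags the finding with whether a CAM-exhaustion message (constructed wording) appeared in that router's log.

```python
"""
Verify that an IPv6 inbound traffic filter actually stayed applied.

Added example, not from the original post.  The config and log text below
are CONSTRUCTED samples; the "ipv6 traffic-filter <name> in" line format
and the CAM log wording are assumptions standing in for whatever the
platform really emits.
"""
import re
from typing import Dict, List

# Constructed running-config excerpts, keyed by router name.
# edge1 kept the filter; edge2 lost it (insufficient IPv6 L4 CAM).
SAMPLE_CONFIGS: Dict[str, str] = {
    "edge1": """
interface ethernet 1/1
 ip address 192.0.2.1/30
 ip access-group v4-inbound in
 ipv6 address 2001:db8:0:1::1/64
 ipv6 traffic-filter v6-inbound in
!
""",
    "edge2": """
interface ethernet 1/1
 ip address 192.0.2.5/30
 ip access-group v4-inbound in
 ipv6 address 2001:db8:0:2::1/64
!
""",
}

# Constructed log excerpts (wording is an assumption, not a real message).
SAMPLE_LOGS: Dict[str, str] = {
    "edge1": "",
    "edge2": "Oct 29 16:40:02 edge2 ACL: insufficient IPv6 L4 CAM, "
             "filter v6-inbound removed from ethernet 1/1\n",
}

INTERFACE_RE = re.compile(r"^interface\s+(.+?)\s*$")
FILTER_RE = re.compile(r"^\s*ipv6 traffic-filter\s+(\S+)\s+(in|out)\s*$")
CAM_LOG_RE = re.compile(r"insufficient .*cam", re.IGNORECASE)


def interface_filters(config: str) -> Dict[str, List[str]]:
    """Map interface name -> list of 'name/direction' IPv6 filters bound to it."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        if line.strip() == "!":        # end of the interface stanza
            current = None
            continue
        m = FILTER_RE.match(line)
        if m and current is not None:
            result[current].append(f"{m.group(1)}/{m.group(2)}")
    return result


def missing_filter(config: str, interface: str, name: str, direction: str = "in") -> bool:
    """True when the expected filter binding is NOT present on the interface."""
    return f"{name}/{direction}" not in interface_filters(config).get(interface, [])


def audit(configs: Dict[str, str], logs: Dict[str, str], interface: str,
          name: str, direction: str = "in") -> Dict[str, str]:
    """Return {router: reason} for every router whose running config lacks the filter.

    The reason records whether the router's log explains the loss with a
    CAM-exhaustion message, so a plain typo can be told apart from the
    silent-unapply case the post describes.
    """
    findings: Dict[str, str] = {}
    for router, config in configs.items():
        if missing_filter(config, interface, name, direction):
            if CAM_LOG_RE.search(logs.get(router, "")):
                findings[router] = "removed: CAM exhaustion logged"
            else:
                findings[router] = "missing: no CAM message found"
    return findings


if __name__ == "__main__":
    for router, reason in audit(SAMPLE_CONFIGS, SAMPLE_LOGS,
                                "ethernet 1/1", "v6-inbound").items():
        print(f"{router}: {reason}")
```

In practice the config and log text would come from a `show running-config` and `show log` capture per router after the rollout; the point of the audit is to run it against every box, not just the ones that appeared to accept the command.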