[nsp-sec] IPv6 bad actors ??
Gert Doering
gert at greenie.muc.de
Wed Mar 14 16:08:36 EDT 2012
Hi,

On Wed, Mar 14, 2012 at 03:49:58PM -0400, Dario Ciccarone wrote:
> Same question I asked Eli - you mention IPv6 traffic w/ RH headers -
> I assume you mean RH0 w/ segleft > 0 ? And how did you become aware of
> it - classification/filtering ACLs, or IDS/IPS signatures?

Well... I'm not sure what was in that packet, but that it matched
this ACL rule:

    deny ipv6 any any log-input routing (77 matches) sequence 10

The platform used (6500/Sup720/SX* IOS) can not specifically match on
RH0 vs. RH2, so we drop all packets with RH and wait for complaints
about mobile IPv6 being broken...

The packets' source and destination addresses didn't look like mobile IP
with RH2, though (destination should have been inside our network then),
so I assume it was RH0 probing.

((And no, I have no idea why IOS decided to put "log-input" before the
ext-header match in the ACL, instead of at the end of the line where *I*
put it... ACL keywords in IOS tend to have "interesting" aspects every
now and then))

gert
--
Gert Doering
SpaceNet AG, AS 5539, gert at space.net. PGP-KeyID: 0x65514975
Also reachable via gert at greenie.muc.de and gert at net.informatik.tu-muenchen.de
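
The distinction discussed above (RH0 vs. RH2, and the "segleft > 0" condition from the quoted question), as an added example that is not part of the original post: a Python sketch that walks the IPv6 extension-header chain of a captured packet and reports the routing type and Segments Left of the first routing header. The function names, the policy in `verdict()` and the sample packets are assumptions constructed for illustration.

```python
import struct

# Extension headers this walker understands: hop-by-hop, routing, fragment, AH, dest-opts
HBH, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60

def find_routing_header(packet: bytes):
    """Return (routing_type, segments_left) of the first routing header, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in (HBH, ROUTING, FRAGMENT, AH, DSTOPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == ROUTING:
            return packet[offset + 2], packet[offset + 3]
        if next_header == FRAGMENT:
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3:
                return None            # non-first fragment: no header chain follows
            length = 8
        elif next_header == AH:
            length = (packet[offset + 1] + 2) * 4
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + length
    return None

def verdict(packet: bytes) -> str:
    """Hypothetical policy: drop only RH0 that would still be source-routed."""
    rh = find_routing_header(packet)
    if rh is None:
        return "permit"
    rtype, segleft = rh
    if rtype == 0:
        return "deny-rh0" if segleft > 0 else "permit"
    return "permit-rh2" if rtype == 2 else "review"

def sample_packet(headers):
    """Constructed input: headers is [(protocol, bytes after the Next Header byte)]."""
    protos = [p for p, _ in headers] + [59]          # 59 = No Next Header
    payload = b"".join(bytes([protos[i + 1]]) + body
                       for i, (_, body) in enumerate(headers))
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), protos[0], 64)
    return fixed + bytes(32) + payload               # all-zero placeholder addresses

# Constructed samples: Hdr Ext Len, Routing Type, Segments Left, reserved + one address
RH0 = (ROUTING, bytes([2, 0, 1]) + bytes(20))
RH2 = (ROUTING, bytes([2, 2, 1]) + bytes(20))
PAD = (HBH, bytes([0, 1, 4]) + bytes(4))             # hop-by-hop holding one PadN

if __name__ == "__main__":
    for name, hdrs in [("RH0", [PAD, RH0]), ("RH2", [RH2]), ("plain", [])]:
        print(name, verdict(sample_packet(hdrs)))
```

A routing header that only appears in a later fragment is not seen by this walker, so it belongs after reassembly or alongside a fragment policy.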