[nsp-sec] IPv6 bad actors ??

Dario Ciccarone dciccaro at cisco.com
Wed Mar 14 16:22:08 EDT 2012



Gert:

    Appreciate your answer. I have about a gazillion extra questions to
ask you, but let me limit myself to one: what do you use as a source of
recommendations or best practices wrt IPv6 traffic filtering/IPv6
security in general - RFCs, NANOG, Cisco/other vendors' whitepapers, Eric
Vyncke's book, etc . . .

    And as a bonus one: if you were to ask for a whitepaper/set of
whitepapers on IPv6 security or resiliency issues, or addressing best
practices, or first hop security, etc - which topics would be of
interest to you ?

    And the one about "we will filter all, wait for Mobile IPv6 clients
to complain" - I would laugh, but I've heard that one before already :)

    Thanks,
    Dario

On 3/14/12 4:08 PM, Gert Doering wrote:
> Hi,
>
> On Wed, Mar 14, 2012 at 03:49:58PM -0400, Dario Ciccarone wrote:
>> Same question I asked Eli - you mention IPv6 traffic w/ RH headers -
>> I assume you mean RH0 w/ segleft > 0 ? And how did you become aware of
>> it - classification/filtering ACLs, or IDS/IPS signatures?
>
> Well... I'm not sure what was in that packet, but that it matched
> this ACL rule:
>
> deny ipv6 any any log-input routing (77 matches) sequence 10
>
> the platform used (6500/Sup720/SX* IOS) can not specifically match on
> RH0 vs. RH2, so we drop all packets with RH and wait for complaints
> about mobile IPv6 being broken...
>
> The packets' source and destination addresses didn't look like mobile IP
> with RH2, though (destination should have been inside our network then),
> so I assume it was RH0 probing.
>
> ((And no, I have no idea why IOS decided to put "log-input" before the
> ext-header match in the ACL, instead of at the end of the line where *I*
> put it... ACL keywords in IOS tend to have "interesting" aspects every
> now and then))
>
> gert
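The RH0-vs-RH2 distinction that Gert's platform cannot make in an ACL, worked as an added Python example (not code from this thread, Cisco, or any vendor): it walks an IPv6 extension-header chain to the routing header, then applies either the coarse "deny any routing header" policy from the ACL above or the finer one the reply reasons about by hand (drop RH0 with segments left, permit RH2 only when the destination is inside our own prefix). The prefix 2001:db8:100::/48 and all packets are constructed placeholders.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, DEST_OPTS, ICMPV6 = 0, 43, 60, 58
# Assumed local prefix: placeholder for the "destination inside our network" check.
OUR_PREFIX = ipaddress.ip_network("2001:db8:100::/48")

def parse_ipv6(pkt):
    """Walk the fixed header and extension chain; return (src, dst, (rtype, segs_left) or None)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = pkt[6]
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    off = 40
    while next_hdr in (HOP_BY_HOP, DEST_OPTS, ROUTING):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:            # routing type and segments left follow next-hdr/len
            return src, dst, (pkt[off + 2], pkt[off + 3])
        next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return src, dst, None

def classify(pkt, coarse=False):
    """Policy verdict. coarse=True mimics an ACL that can only match 'routing' as a whole."""
    _, dst, rh = parse_ipv6(pkt)
    if rh is None:
        return "permit"
    if coarse:
        return "deny-rh-any"
    rtype, segs_left = rh
    if rtype == 0:                          # RH0: deprecated by RFC 5095; harmless once exhausted
        return "deny-rh0" if segs_left > 0 else "permit-rh0-exhausted"
    if rtype == 2:                          # Mobile IPv6 type 2: dst should be a home address of ours
        return "permit-rh2" if dst in OUR_PREFIX else "deny-rh2-foreign-dst"
    return "deny-rh-other"

def build_packet(src, dst, rtype=None, segs_left=0, addrs=()):
    """Construct a minimal IPv6 packet (empty ICMPv6 payload), optionally with a routing header."""
    ext = b""
    if rtype is not None:
        ext = bytes([ICMPV6, 2 * len(addrs), rtype, segs_left]) + b"\x00" * 4
        ext += b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    first = ROUTING if ext else ICMPV6
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(ext), first, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + ext
```

The coarse verdict is what the ACL in the quoted reply produces for every routing header; the fine-grained path is the manual source/destination reasoning turned into a check you could run on a captured packet.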
