On Sat, Oct 30, 2004 at 03:09:37PM +1000, Darren Reed wrote:
> In some email I received from Paul D. Robertson, sie wrote:
> > Is anyone doing anything with IPv6 other than either "let it back if I
> > talk it out," "block it completely," or "ignore it and hope it goes away?"
>
> I'm rather dismayed at firewalling and IPv6, even just within packet
> filters, because there seems to be little understanding (as yet) of
> what IPv6 does and can do, along with the security implications of
> that. What extension headers need to be blocked ? What ones are
> safe to allow ? What are the risks with each of these ?
Darren,

Can you talk about your ideas in this direction? I've just compiled ipf 4.1.2 with BPF support to get at the IPv6 next-header field(s) and the extension headers themselves; was hoping to try something like using "tcpdump -dd ip6 protochain 43" to generate BPF code to match a routing header that might be buried behind a hop-by-hop header, but that generates 39 4-tuples or nearly 1KB of code (!).
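The header walk that the "ip6 protochain 43" filter compiles down to, as an added example that is not part of this thread nor of ipf or tcpdump: a Python walker that follows the IPv6 next-header chain so a Routing header (43) is found even when a Hop-by-Hop header sits in front of it, and that refuses truncated packets rather than reading past the payload. The packets and 2001:db8:: addresses are constructed for the example.

```python
import struct

# Next-header values (IANA protocol numbers) that the walker understands
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, NO_NEXT = 0, 43, 44, 50, 51, 60, 59
# Headers whose second byte is a length in 8-octet units, not counting the first 8
EIGHT_OCTET_LEN = {HOP_BY_HOP, ROUTING, DEST_OPTS}

def walk_ipv6_chain(packet: bytes) -> list:
    """Ordered next-header values of an IPv6 packet, starting with the fixed
    header's own field, until an upper-layer protocol, ESP or No Next Header
    ends the chain. Raises ValueError on malformed or truncated input."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + struct.unpack("!H", packet[4:6])[0]
    if end > len(packet):
        raise ValueError("payload length exceeds captured bytes")
    nh, off, chain = packet[6], 40, [packet[6]]
    while nh in EIGHT_OCTET_LEN or nh in (FRAGMENT, AH):
        if off + 8 > end:
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hlen = 8                              # fixed-size header
        elif nh == AH:
            hlen = (packet[off + 1] + 2) * 4      # AH length: 4-octet units minus 2
        else:
            hlen = (packet[off + 1] + 1) * 8
        if off + hlen > end:
            raise ValueError("extension header runs past payload")
        nh, off = packet[off], off + hlen         # first byte of each header is Next Header
        chain.append(nh)
    return chain

def has_routing_header(packet: bytes) -> bool:
    """True if a Routing header (43) appears anywhere in the chain."""
    return ROUTING in walk_ipv6_chain(packet)

def ipv6_header(nh: int, payload_len: int) -> bytes:
    # Constructed addresses from the 2001:db8::/32 documentation prefix
    src = bytes.fromhex("20010db8" + "0" * 22 + "01")
    dst = bytes.fromhex("20010db8" + "0" * 22 + "02")
    return struct.pack("!IHBB", 0x60000000, payload_len, nh, 64) + src + dst

TCP_STUB = bytes(20)                                   # constructed dummy upper layer
HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])            # Hop-by-Hop: next=43, one PadN option
RH0 = bytes([6, 0, 0, 0, 0, 0, 0, 0])                  # Routing: next=6 (TCP), type 0, 0 segments

def sample_with_buried_routing_header() -> bytes:
    return ipv6_header(HOP_BY_HOP, len(HBH + RH0 + TCP_STUB)) + HBH + RH0 + TCP_STUB

def sample_plain_tcp() -> bytes:
    return ipv6_header(6, len(TCP_STUB)) + TCP_STUB
```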
