• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Protocol 59 inbound - OK or no?

Started by rhester72, September 23, 2010, 07:36:45 PM

Previous topic - Next topic

rhester72

I'm running a HE tunnel on my Tomato-based (open-source) SOHO router, with a pretty standard set of inbound firewall rules for IPv6 traffic.

Everything looks pretty normal, but I am seeing about two or three dozen of these per day:

Sep 23 21:28:27 cerberus user.warn kernel: IPv6 INPUT DROP:IN=he-ipv6 OUT= MAC=88:02:f1:ad:88:64:11:00:10:25:00:3e:00:21:45:00:00:3c:00:00:40:00:fc:29:5d:8d:d1:33:a1:0e:43:64:6b:65:60:00:00:00:00:00:3b:12:20:01:00:00 TUNNEL=209.51.161.14->67.100.107.101 SRC=2001:0000:5ef5:79fd:38c2:1336:a829:bfdf DST=2001:0470:1f07:0b17:e2cb:4eff:fead:eea5 LEN=40 TC=0 HOPLIMIT=18 FLOWLBL=0 PROTO=59

For the truly ignorant among us, even though I know this means "no next header", I have little concept of what _that_ means (other than it's a packet devoid of an actual IPv6 payload)...and more importantly, I don't know if my blocking it (from Internet hosts, because this clearly isn't coming from the PoP) is a problem.

Any thoughts/help/guidance/sneers?  :)

Rodney

sttun

Hmm,and here i thought i knew somethimg about networking,oh well. Can anyone tell me why a host wold send a copletely emtty pacet (thay is only the ipv6 header?
Am I right i thinking that for a packet to have any use (even for some kind of keep alive) it needs at least an udb/tcp header?

Ass always, thanks for any answer
Have a nice day
Bjarne Nilsson

rhester72

In absence of any other information, I've managed to locate a test suite for a firewall/hardening configuration for cdrouter:

http://www.qacafe.com/static/6_1/test-summary/test-summary-ipv6.htm

It appears to suggest that (this applies from Internet->LAN only)...

- ALL protocol 59 packets where Next Header=0 should be dropped
- INBOUND protocol 59 packets (to the routing/firewall device) should be dropped
- FORWARDED protocol 59 packets (to a device behind the firewall) should be forwarded normally

(see tests 4-6)

As I have thus far seen only INBOUND protocol 59 packets and no FORWARDED packets of that type, and I have been silently dropping them apparently without issue, I will follow the guidelines above until someone tells me I should do otherwise (and gives reasons for doing so ;).

Hope this helps someone else...

Rodney

rhester72

In the interest of completeness...either I misinterpreted the test cases or they are flat wrong.

*ALL* proto 59 packets should be allowed, whether WAN or LAN, so long as they carry no payload.

On Tomato, the following is appropriate (avoiding layering overhead since 40-byte header is guaranteed in IPv6):


for CHAIN in INPUT FORWARD OUTPUT; do
ip6tables -A $CHAIN -p ipv6-nonxt -m length --length 40 -j ACCEPT
done


Rodney