Software filtering of ipv6 source-routed packets, Hardware filtering of ipv6 source-routed packets – Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual


53-1003033-02

IPv6 source routing security enhancements

Hardware – IPv6 source-routed packets that contain a type 0 routing extension header
immediately after the IPv6 header are dropped in hardware by default.

Software – IPv6 source-routed packets addressed to any IPv6 address on a device (regardless
of where the routing extension header is located) are dropped in software by default.

Details of hardware and software filtering of IPv6 source-routed packets are provided in the
following sections.

Hardware filtering of IPv6 source-routed packets

All IPv6 source-routed packets that contain a type 0 routing extension header immediately after the
IPv6 header are automatically dropped in hardware. This filtering applies both to IPv6
packets that require forwarding and to IPv6 packets addressed to one of the IPv6 addresses on the
device, and no ICMP error message is sent. This filtering behavior is enabled by default.
Consequently, if you want the device to process IPv6 source-routed packets that contain a type 0
routing extension header immediately after the IPv6 header, you must direct it to do so
with the ipv6 forward-source-route command, as shown in the following example.

Brocade(config)# ipv6 forward-source-route

Syntax: [no] ipv6 forward-source-route

The default condition is for source-routed packets to be dropped. If you enable forwarding using
this command, you can return to the default state by using the no option in front of the command.

NOTE

Source-routed IPv6 packets in which the type 0 routing extension header does not directly follow
the IPv6 header are not automatically dropped in hardware.

Software filtering of IPv6 source-routed packets

By default, all IPv6 source-routed packets addressed to any IPv6 address on a Brocade device are
dropped by software (regardless of where the Routing Extension Header resides). You can enable
the forwarding of these packets by using the ipv6 source-route command, as the following example
shows.

Brocade(config)# ipv6 source-route

Syntax: [no] ipv6 source-route

The default condition is to disallow the forwarding of source-routed packets to IPv6 addresses. If
you enable forwarding by using this command, you can return to the default state by using the no
option of the command.

The ipv6 forward-source-route command must be enabled for the ipv6 source-route command to
operate.

By default, ICMP error messages are sent for packets dropped by software. You can use the ipv6
icmp source-route command to disable the generation of ICMPv6 parameter problem messages for
software-discarded IPv6 source-routed packets addressed to one of the IPv6 addresses of a device.
This is described in “Disabling ICMP error messages for source-routed IPv6 packets” on page 441.
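
The following Python example is added here and is not from the Brocade guide. It walks a packet's extension header chain and reports which of the default behaviors described above applies, so that captured traffic can be checked for type 0 routing headers the hardware filter does not cover. It assumes "source-routed" means a type 0 routing header throughout; the addresses, the `LOCAL` set, the result labels and the `build` helper are constructed for illustration.

```python
import ipaddress
import struct

# Constructed stand-in for the IPv6 addresses configured on the device.
LOCAL = {ipaddress.IPv6Address("2001:db8::ffff")}
# Headers that start with (next header, hdr ext len): Hop-by-Hop, Routing, Dest Options.
LEN_PREFIXED = {0, 43, 60}

def rh0_position(pkt: bytes):
    """Position of a type 0 routing header in the extension-header chain
    (0 = directly after the IPv6 header), or None if there is none."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, pos = pkt[6], 40, 0
    while nxt in LEN_PREFIXED or nxt == 44:        # 44 = Fragment, fixed 8 bytes
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == 43 and pkt[off + 2] == 0:        # Routing header, Routing Type 0
            return pos
        size = 8 if nxt == 44 else (pkt[off + 1] + 1) * 8
        nxt, off, pos = pkt[off], off + size, pos + 1
    return None

def classify(pkt: bytes, local_addrs=LOCAL) -> str:
    """Map a packet to the default behavior this section describes."""
    pos = rh0_position(pkt)
    if pos is None:
        return "no-rh0"
    if pos == 0:
        return "hardware-drop"             # dropped in hardware, no ICMP error
    if ipaddress.IPv6Address(pkt[24:40]) in local_addrs:
        return "software-drop"             # addressed to the device itself
    return "escapes-hardware-filter"       # transit packet, RH0 later in the chain

def build(dst: str, chain) -> bytes:
    """Constructed sample packet: `chain` lists extension header types in order,
    each emitted as a minimal zero-filled 8-byte header, ending in No Next Header (59)."""
    nxts = list(chain[1:]) + [59] if chain else []
    ext = b"".join(bytes([n, 0, 0, 0, 0, 0, 0, 0]) for n in nxts)
    hdr = struct.pack("!IHBB", 6 << 28, len(ext), chain[0] if chain else 59, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    return hdr + src + ipaddress.IPv6Address(dst).packed + ext

if __name__ == "__main__":
    for dst, chain in [("2001:db8::2", [43]), ("2001:db8::ffff", [60, 43]),
                       ("2001:db8::2", [60, 43]), ("2001:db8::2", [60])]:
        print(dst, chain, classify(build(dst, chain)))
```

Packets reported as `escapes-hardware-filter` correspond to the NOTE in the hardware filtering section: the type 0 routing header is present but does not directly follow the IPv6 header.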
