[ScreenOS] How to block 'type 0' routing extension header on the firewall

  [KB23455]


Summary:

The Routing extension header is a way for a source to list one or more intermediate nodes, which are to be 'visited' on the way to the packet’s destination. It is analogous to source routing in IPv4.

The Routing Type is one of the 6 fields in the routing extension header format; it allows multiple routing types to be defined. The defined routing types are:

  • Type 0: Primarily used by attackers.
  • Type 1: Defined by Nimrod. This type is unused.
  • Type 2: Used by MIPv6 and is understood only by MIPv6 compliant stacks.

Symptoms:

  • A single type 0 routing header may contain multiple intermediate node addresses, and the same address may be included more than once in the same header.
  • This allows a packet to be constructed in such a way that it oscillates between two processing hosts or routers many times, amplifying the attacker's traffic.
  • This could lead to congestion along arbitrary remote paths and subsequently act as a denial-of-service mechanism.

Solution:

To prevent this on a ScreenOS firewall with IPv6 functionality enabled, a change was introduced in ScreenOS 6.3r8 and later. You can block either all routing header types or a specific type, depending on the requirement.

  1. Create a custom service by using the following command:
     set service <service name> protocol routing-ext-hdr type 0

  2. Invoke the service in a policy with the action set to deny. Place the policy at the top of the rule base.

  3. Alternatively, to block all routing header types, use the following command:
     set service <service name> protocol routing-ext-hdr all
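
As an added illustration of the header format and the symptoms described above (this is not part of the original KB and not ScreenOS code), the following Python snippet walks an IPv6 extension-header chain, reports each Routing header by its Routing Type, and lists any address that appears more than once in a type 0 header, the oscillation pattern from the Symptoms section. The sample packets are constructed in-process and never sent; the 2001:db8::/32 addresses are documentation placeholders.

```python
import ipaddress
import struct
from collections import Counter

IPV6_HDR_LEN = 40
ROUTING, FRAGMENT = 43, 44
# Extension headers that share the generic (next_hdr, hdr_ext_len) layout
CHAINED = {0, 43, 60, 135}   # hop-by-hop, routing, destination options, mobility

def routing_headers(pkt: bytes):
    """Return [(routing_type, segments_left, [hop addresses])] for every
    Routing header in the chain; hop addresses are decoded only for type 0."""
    found = []
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return found
    nxt, off = pkt[6], IPV6_HDR_LEN
    while nxt in CHAINED or nxt == FRAGMENT:
        if off + 2 > len(pkt):
            break
        hdr_len = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            break                      # truncated header: stop rather than guess
        if nxt == ROUTING:
            rtype, seg_left, hops = pkt[off + 2], pkt[off + 3], []
            if rtype == 0:             # RH0: 4 reserved bytes, then 16-byte hops
                body = pkt[off + 8:off + hdr_len]
                hops = [str(ipaddress.IPv6Address(body[i:i + 16]))
                        for i in range(0, len(body) - 15, 16)]
            found.append((rtype, seg_left, hops))
        nxt, off = pkt[off], off + hdr_len
    return found

def rh0_repeated_hops(pkt: bytes):
    """Addresses listed more than once in a type 0 header: the pattern that
    makes a packet oscillate between two hosts. Empty list means no repeats."""
    seen = Counter(a for t, _, hops in routing_headers(pkt) if t == 0 for a in hops)
    return sorted(a for a, n in seen.items() if n > 1)

def build_sample(routing_type: int, hops) -> bytes:
    """Constructed test fixture (not a capture, nothing is sent): IPv6 header,
    one Routing header listing `hops`, then an 8-byte ICMPv6 echo request."""
    packed = [ipaddress.IPv6Address(h).packed for h in hops]
    rh = struct.pack("!BBBBI", 58, 2 * len(packed), routing_type, len(packed), 0)
    rh += b"".join(packed)
    icmp = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
    ip6 = struct.pack("!IHBB", 0x60000000, len(rh) + len(icmp), ROUTING, 64)
    ip6 += ipaddress.IPv6Address("2001:db8::1").packed
    ip6 += ipaddress.IPv6Address("2001:db8::2").packed
    return ip6 + rh + icmp
```

Run `routing_headers` over captured IPv6 frames to confirm what the type 0 deny policy will match; a type 2 header (MIPv6) is reported but not flagged as a repeat.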

Modification History:
2019-09-24: Minor, non-technical update.