Screen options protect against malicious information-gathering probes and attacks by analyzing Layer 2, Layer 3 and/or Layer 4 headers.
This article summarizes the screening features, both statistics-based and signature-based, that are supported for IPv6.
By default, SRX devices do not forward IPv6 traffic; all IPv6 traffic is dropped. This default behaviour can be changed to either flow-based processing or packet-based processing. Packet-based processing implements only firewall filters and class of service, whereas flow-based processing creates sessions and processes traffic using the packet-based features (firewall filters and class of service) as well as the flow-based features (screens and security policies). To summarize: flow-based processing must be enabled before the screening options can be applied to IPv6 traffic on an SRX. It is enabled with the following command:
user@host# set security forwarding-options family inet6 mode ?
Possible completions:
drop Disable forwarding
flow-based Enable flow-based forwarding
packet-based Enable packet-based forwarding
[edit]
user@host# set security forwarding-options family inet6 mode flow-based
No new CLI commands are needed to enable the screening options for IPv6. The same commands used for IPv4 apply to IPv6 for the same screening options. The list is shown below:
| NAME | TARGET-RELEASE | PLATFORM | DEPENDENCY | V4/V6 |
| --- | --- | --- | --- | --- |
| winnuke | 10.2 | ALL | Basic Flow | 4, 6 |
| syn-frag | 10.2 | ALL | Basic Flow | 4, 6 |
| tcp-no-flag | 10.2 | ALL | Basic Flow | 4, 6 |
| syn-fin | 10.2 | ALL | Basic Flow | 4, 6 |
| fin-no-ack | 10.2 | ALL | Basic Flow | 4, 6 |
| ping-death | 10.2 | ALL | Basic Flow | 4, 6 |
| icmp-fragment | 10.2 | ALL | Basic Flow | 4, 6 |
| icmp-large | 10.2 | ALL | Basic Flow | 4, 6 |
| land | 10.2 | ALL | Basic Flow | 4, 6 |
| unknown-protocol | 10.2 | ALL | Basic Flow | 4, 6 |
| block-frag | 10.2 | ALL | Basic Flow | 4, 6 |
| ip-loose-src-route | 10.2 | ALL | Basic Flow | 4, 6 |
| port-scan | 10.2 | ALL | Basic Flow | 4, 6 |
| ip-sweep | 10.2 | ALL | Basic Flow | 4, 6 |
| limit-session-src | 10.2 | ALL | Basic Flow | 4, 6 |
| limit-session-dst | 10.2 | ALL | Basic Flow | 4, 6 |
| syn-flood | 10.2 | ALL | Basic Flow | 4, 6 |
| syn-flood-src | 10.2 | ALL | Basic Flow | 4, 6 |
| syn-flood-dst | 10.2 | ALL | Basic Flow | 4, 6 |
| icmp-flood | 10.2 | ALL | Basic Flow | 4, 6 |
| udp-flood | 10.2 | ALL | Basic Flow | 4, 6 |
| tear-drop | 10.2 | ALL | Basic Flow | 4, 6 |
| syn-proxy/syn-cookie | 10.4 | ALL | Basic Flow | 4, 6 |
| syn-ack-ack-proxy | 10.4 | ALL | Auth | 4, 6 |
| ip-spoofing | 10.4 | ALL | Flow | 4, 6 |
| ip-bad-option | N/A | N/A | N/A | 4 |
| ip-record-route | N/A | N/A | N/A | 4 |
| ip-security-opt | N/A | N/A | N/A | 4 |
| ip-stream-opt | N/A | N/A | N/A | 4 |
| ip-strict-src-route | N/A | N/A | N/A | 4 |
| ip-timestamp-opt | N/A | N/A | N/A | 4 |
Since the TCP header is the same over IPv4 and IPv6, the TCP screen options remain unchanged for IPv6 networks. The IPv6 screens listed above were introduced in release 10.2 or 10.4. The IPv4 option screens (ip-bad-option, ip-record-route, ip-security-opt, ip-stream-opt, ip-strict-src-route, ip-timestamp-opt) inspect IPv4 header options that have no IPv6 equivalent, which is why they are listed as IPv4-only.
New CLI commands were introduced in 12.1X46-D10 for the enhanced IPv6 screening options ipv6-extension-header, ipv6-extension-header-limit, ipv6-malformed-header and icmpv6-malformed, and more screening criteria were added to the existing CLI command [ip bad-options]. Details of these enhanced screening options can be found in the section "Understanding IPv6 support for Screens".
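The following is an added example, not configuration from this article or from Juniper, that strings the steps above together: it enables flow-based IPv6 processing, builds one screen profile from the options the table marks as supported for both IPv4 and IPv6, adds the 12.1X46-D10 IPv6-specific screens, binds the profile to a zone and verifies it. The profile name ipv6-screen, the zone name untrust, and every threshold value are assumptions chosen for illustration; tune the thresholds to the traffic baseline of the zone being protected.

```junos
# Added example (not from the KB article). Profile name "ipv6-screen",
# zone "untrust" and all threshold values are assumed for illustration.

# 1. Flow-based processing is a prerequisite for screens on IPv6 traffic.
set security forwarding-options family inet6 mode flow-based

# 2. TCP screens: the TCP header is identical over v4 and v6, so the
#    syntax is the same as for IPv4.
set security screen ids-option ipv6-screen tcp syn-flood attack-threshold 200
set security screen ids-option ipv6-screen tcp syn-flood source-threshold 100
set security screen ids-option ipv6-screen tcp syn-flood destination-threshold 2048
set security screen ids-option ipv6-screen tcp syn-flood timeout 20
set security screen ids-option ipv6-screen tcp syn-fin
set security screen ids-option ipv6-screen tcp syn-frag
set security screen ids-option ipv6-screen tcp tcp-no-flag
set security screen ids-option ipv6-screen tcp fin-no-ack
set security screen ids-option ipv6-screen tcp land
set security screen ids-option ipv6-screen tcp winnuke
set security screen ids-option ipv6-screen tcp port-scan threshold 5000
set security screen ids-option ipv6-screen tcp syn-ack-ack-proxy threshold 512

# 3. ICMP screens (ping-death, fragment, large, flood, ip-sweep).
set security screen ids-option ipv6-screen icmp flood threshold 1000
set security screen ids-option ipv6-screen icmp ping-death
set security screen ids-option ipv6-screen icmp fragment
set security screen ids-option ipv6-screen icmp large
set security screen ids-option ipv6-screen icmp ip-sweep threshold 5000

# 4. IP-layer screens listed as "4, 6" in the table. The IPv4-only option
#    screens (record-route, timestamp, etc.) are deliberately left out.
set security screen ids-option ipv6-screen ip spoofing
set security screen ids-option ipv6-screen ip unknown-protocol
set security screen ids-option ipv6-screen ip block-frag
set security screen ids-option ipv6-screen ip tear-drop
set security screen ids-option ipv6-screen ip loose-source-route-option

# 5. UDP flood and per-source / per-destination session limits.
set security screen ids-option ipv6-screen udp flood threshold 1000
set security screen ids-option ipv6-screen limit-session source-ip-based 100
set security screen ids-option ipv6-screen limit-session destination-ip-based 1000

# 6. IPv6-specific screens added in 12.1X46-D10 (omit on earlier releases).
set security screen ids-option ipv6-screen ip ipv6-extension-header-limit 3
set security screen ids-option ipv6-screen ip ipv6-extension-header routing-header
set security screen ids-option ipv6-screen ip ipv6-malformed-header
set security screen ids-option ipv6-screen icmp icmpv6-malformed

# 7. Choose SYN cookie rather than SYN proxy as the syn-flood defence (10.4+).
set security flow syn-flood-protection-mode syn-cookie

# 8. Screens take effect only once the profile is bound to a zone.
set security zones security-zone untrust screen ipv6-screen
commit

# 9. Verify the IPv6 forwarding mode, the profile, and the per-zone counters.
run show security flow status
run show security screen ids-option ipv6-screen
run show security screen statistics zone untrust
```

Two practical notes. Junos warns at commit that a change to the inet6 forwarding mode takes effect only after a reboot, so plan the change inside a maintenance window. When rolling a new profile out on a busy zone, add `set security screen ids-option ipv6-screen alarm-without-drop` first and watch `show security screen statistics zone untrust` for a while; that shows which thresholds legitimate traffic would trip before the screens start dropping packets.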
In 12.3X48-D10, support for IPv6 Screen for tunneling was added.
CLI details: tunnel (Security Screen)
Screen tunneling details: Understanding Screen IPv6 Tunneling Control