01-12-2014 10:01 PM
Bypassing ACL using extension headers
It seems that it is possible to completely bypass the IPv6 ACL in Comware-based devices according to http://6lab.cz/article/bypassing-acl-using-extension-headers/ (and it was verified on A5800).
Other than waiting for HP to release a proper fix (or, for that matter, issuing an "undo ipv6"), is there any other mitigation one can apply to secure the device?
I haven't found a way to bind ssh and snmp to a dedicated vlan interface. Instead, the Comware device will by default listen on ALL interfaces the device has set up (routed interfaces, vlan-interfaces and loopback interfaces), which is kind of bad when the IPv6 ACL can be bypassed.
- Tags:
- ACLs
01-14-2014 10:14 AM
Re: Bypassing ACL using extension headers
Hello,
the current ACL implementation of Comware is really in bad shape. I will revert back to my Cisco core on the weekend, because of the following:
- Layer 3 ACLs apply on Layer 2: Setting an ACL on a vlan interface also affects the Layer 2 traffic going through the switch.
- IPv6 outbound ACLs do not apply to the management processor.
- IPv6 ACLs are completely useless, as it turns out.
- There is no logging interface which logs which rule has triggered the ACL. This is a nightmare when debugging ACL rules or, in this case, the implementation.
Cheers,
Thomas
01-17-2014 08:33 PM
Re: Bypassing ACL using extension headers
HP assigned problem security number: SSRT101416
It seems that an updated firmware sent to the above user fixed this issue, so the rest of us will hopefully see this update online within 1-3 months (I guess it will go through the normal Early Access -> General Availability process).
The thing to look for in the release notes will be something like:
There is a new command - "ipv6 option drop enable".
This option drops packets if the packets cannot be processed in hw.
Which I guess one would need to enable in order to get the IPv6 ACLs to work as you expect them to.
01-18-2014 01:02 AM - edited 01-18-2014 01:04 AM
Re: Bypassing ACL using extension headers
Well, it's a matter of fact that current switches, i.e. HP A5500-EI and A5800, do not support blocking IPv6 extension headers. Comware 5 has the following rules:
- rule deny icmpv6 fragment *
- rule deny ipv6 fragment *
- rule deny icmpv6 routing *
- rule deny ipv6 routing *
But if you apply them on ports it will tell you:
"FILTER/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy **** on interface ****.Not supported"
I do not know anything about a firmware for A5500-EI or A5800 that will make blocking extension headers possible.
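As an added illustration (not code from this thread, from HP or from Comware), the script below models what the two previous replies describe: an ACL engine that cannot look past any IPv6 extension header, the "drop if it cannot be processed in hardware" option, and a full Next Header walk for comparison. The packets, addresses and the permit list are constructed for the example.

```python
import struct

# IPv6 protocol numbers from RFC 8200; the rest is a constructed model.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, TCP, ICMPV6 = 0, 43, 44, 60, 6, 58
FULL_PARSER = frozenset({HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS})
NO_EXT_PARSER = frozenset()  # engine that cannot look behind any extension header

def upper_layer(pkt, walkable=FULL_PARSER, max_hdrs=8):
    """Walk the Next Header chain; return the transport protocol or None if unreachable."""
    nh, off = pkt[6], 40
    for _ in range(max_hdrs):
        if nh in (TCP, ICMPV6):
            return nh
        if nh not in walkable or off + 8 > len(pkt):
            return None                          # unsupported header or truncated packet
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None                      # non-first fragment: no transport header here
            nh, off = pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return None

def acl_decide(pkt, permitted, walkable, drop_unprocessable):
    """Permit-list ACL. Unprocessable packets are dropped when the option is on;
    otherwise they pass the filter untouched, which is the bypass the thread describes."""
    proto = upper_layer(pkt, walkable)
    if proto is None:
        return "drop" if drop_unprocessable else "bypass"
    return "permit" if proto in permitted else "deny"

def ipv6(first_nh, chain):
    """Constructed packet: 2001:db8::1 -> 2001:db8::2, hop limit 64, given header chain."""
    prefix = bytes.fromhex("20010db8") + bytes(11)
    fixed = struct.pack("!IHBB", 0x60000000, len(chain), first_nh, 64)
    return fixed + prefix + b"\x01" + prefix + b"\x02" + chain

def frag_hdr(nh, offset, more):  # offset in 8-octet units, M flag
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, 0x1234)

SAMPLES = {  # 20 zero bytes stand in for a TCP header
    "plain tcp": ipv6(TCP, bytes(20)),
    "routing hdr + tcp": ipv6(ROUTING, struct.pack("!BBBB", TCP, 0, 0, 0) + bytes(4) + bytes(20)),
    "first fragment + tcp": ipv6(FRAGMENT, frag_hdr(TCP, 0, 1) + bytes(20)),
    "non-first fragment": ipv6(FRAGMENT, frag_hdr(TCP, 1, 0) + bytes(8)),
}

def run(walkable, drop_unprocessable, permitted=frozenset({ICMPV6})):
    """ACL intended to let only ICMPv6 reach the device; returns the verdict per sample."""
    return {n: acl_decide(p, permitted, walkable, drop_unprocessable) for n, p in SAMPLES.items()}
```

Running `run(NO_EXT_PARSER, False)` shows TCP behind a routing or fragment header slipping past the filter, `run(NO_EXT_PARSER, True)` shows the drop option closing that gap at the cost of all such packets, and `run(FULL_PARSER, True)` shows the verdicts an engine that parses the chain would reach.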
06-06-2014 05:32 AM
Re: Bypassing ACL using extension headers
It looks like the ACL engine in Comware v5 currently cannot deal with IPv6 fragments.
You can configure it, but after a reboot the particular line is gone.
I have an ongoing support case with HP regarding this matter.