01-12-2014 10:01 PM
Bypassing ACL using extension headers
It seems that it is possible to completely bypass the IPv6 ACL in Comware-based devices according to http://6lab.cz/article/bypassing-acl-using-extension-headers/ (and it was verified on the A5800).
Other than waiting for HP to release a proper fix (or, for that matter, issuing an "undo ipv6"), is there any other mitigation one can apply to secure the device?
I haven't found a way to bind SSH and SNMP to a dedicated VLAN interface; instead, the Comware device will by default listen on ALL interfaces the device has set up (routed interfaces, VLAN interfaces and loopback interfaces), which is kind of bad when the IPv6 ACL can be bypassed.
- Tags:
- ACLs
01-14-2014 10:14 AM
Re: Bypassing ACL using extension headers
Hello,
The current ACL implementation of Comware is really in bad shape. I will revert to my Cisco core at the weekend, because of the following:
- Layer 3 ACLs apply on Layer 2: setting an ACL on a VLAN interface also affects the Layer 2 traffic going through the switch.
- IPv6 outbound ACLs do not apply to the management processor.
- IPv6 ACLs are completely useless, as it turns out.
- There is no logging interface which logs which rule has triggered the ACL. This is a nightmare when debugging ACL rules or, in this case, the implementation.
Cheers,
Thomas
01-17-2014 08:33 PM
Re: Bypassing ACL using extension headers
HP assigned problem security number: SSRT101416
It seems that an updated firmware sent to the above user fixed this issue, so the rest of us will hopefully see this update online within 1-3 months (I guess it will go through the normal Early Access -> General Availability process).
The thing to look for in the release notes will be something like:
There is a new command: "ipv6 option drop enable".
This option drops packets if the packets cannot be processed in hardware.
Which I guess one would need to enable in order to get the IPv6 ACLs to work as you expect them to.
01-18-2014 01:02 AM - edited 01-18-2014 01:04 AM
Re: Bypassing ACL using extension headers
Well, it's a matter of fact that current switches, i.e. HP A5500-EI and A5800, do not support blocking IPv6 extension headers. Comware 5 has the following rules:
- rule deny icmpv6 fragment *
- rule deny ipv6 fragment *
- rule deny icmpv6 routing *
- rule deny ipv6 routing *
But if you apply them on ports it will tell you:
"FILTER/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy **** on interface ****.Not supported"
I do not know anything about a firmware for A5500-EI or A5800 that will make blocking extension headers possible.
06-06-2014 05:32 AM
Re: Bypassing ACL using extension headers
It looks like the ACL engine in Comware v5 currently cannot deal with IPv6 fragments.
You can configure it, but after reboot the particular line is gone.
I have an ongoing support case with HP regarding this matter.
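Added example (not part of the thread, and not HP or Comware code): the posts above describe an ACL engine that cannot classify IPv6 packets carrying Routing or Fragment extension headers, and a later firmware option that drops what the hardware cannot process. The script below constructs such packets and matches a single "deny tcp dst 22" rule two ways: a naive matcher that reads only the IPv6 Next Header field and assumes TCP starts at byte 40 (which is what an engine that ignores extension headers effectively does), and a chain-aware matcher that walks Hop-by-Hop, Routing, Destination Options and Fragment headers to the real upper-layer header, dropping non-initial fragments it cannot classify. The addresses 2001:db8::1 -> 2001:db8::2, the TCP SYN, the fragment identification and the port-22 rule are constructed values for illustration, not captured traffic or a reproduction of the 6lab.cz procedure.

```python
"""Walk an IPv6 extension-header chain before matching an ACL rule.

Added example for this thread (not HP's code). All packets are constructed
inline: 2001:db8::1 -> 2001:db8::2 with a TCP SYN to port 22 are
illustrative values, not captured traffic.
"""
import struct

IPV6_HDR_LEN = 40
PROTO_TCP = 6
EXT_HOP_BY_HOP = 0
EXT_ROUTING = 43
EXT_FRAGMENT = 44
EXT_DEST_OPTS = 60
# Extension headers whose second byte is Hdr Ext Len (length in 8-octet
# units, not counting the first 8 octets). The Fragment header is a fixed
# 8 octets with no length field, so it is handled separately.
VARIABLE_LEN_EXT = {EXT_HOP_BY_HOP: "hop-by-hop", EXT_ROUTING: "routing",
                    EXT_DEST_OPTS: "dest-options"}

SRC = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (constructed)
DST = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2 (constructed)


def build_packet(ext_chain, dport=22, frag_offset=0):
    """Build IPv6 + the given extension headers (outermost first) + a TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload, nh = tcp, PROTO_TCP
    for ext in reversed(ext_chain):
        if ext == EXT_FRAGMENT:
            # next header, reserved, offset(13 bits)|res|M flag, identification
            hdr = struct.pack("!BBHI", nh, 0, frag_offset << 3, 0x1234)
        elif ext == EXT_ROUTING:
            # type-0 routing header, Hdr Ext Len 0, 0 segments left
            hdr = struct.pack("!BBBBI", nh, 0, 0, 0, 0)
        elif ext == EXT_HOP_BY_HOP:
            # Hdr Ext Len 0, padded with a single PadN option (type 1, len 4)
            hdr = struct.pack("!BBBB4x", nh, 0, 1, 4)
        else:
            raise ValueError(f"unsupported extension header {ext}")
        payload, nh = hdr + payload, ext
    ip6 = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + SRC + DST
    return ip6 + payload


def walk_headers(pkt):
    """Return (upper_layer_proto, offset, ext_names). proto is None for a
    non-initial fragment, whose upper-layer header is in another packet."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while True:
        if nh == EXT_FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated fragment header")
            chain.append("fragment")
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                return None, None, chain
            nh, off = pkt[off], off + 8
        elif nh in VARIABLE_LEN_EXT:
            if len(pkt) < off + 2:
                raise ValueError("truncated extension header")
            hdr_len = (pkt[off + 1] + 1) * 8
            if len(pkt) < off + hdr_len:
                raise ValueError("truncated extension header")
            chain.append(VARIABLE_LEN_EXT[nh])
            nh, off = pkt[off], off + hdr_len
        else:
            return nh, off, chain


def tcp_dport(pkt, off):
    return struct.unpack_from("!H", pkt, off + 2)[0]


def deny_ssh_naive(pkt):
    """Emulates an engine that reads only the IPv6 Next Header field and
    assumes the transport header sits at a fixed offset of 40."""
    return pkt[6] == PROTO_TCP and tcp_dport(pkt, IPV6_HDR_LEN) == 22


def deny_ssh_chain_aware(pkt):
    """Same rule, but walks the extension-header chain first. Packets that
    cannot be classified (non-initial fragments) are dropped, not passed."""
    proto, off, _ = walk_headers(pkt)
    if proto is None:
        return True
    return proto == PROTO_TCP and tcp_dport(pkt, off) == 22


if __name__ == "__main__":
    cases = {
        "plain tcp": build_packet([]),
        "routing + tcp": build_packet([EXT_ROUTING]),
        "atomic fragment + tcp": build_packet([EXT_FRAGMENT]),
        "hop-by-hop + routing + tcp": build_packet([EXT_HOP_BY_HOP, EXT_ROUTING]),
    }
    for name, pkt in cases.items():
        print(f"{name:28} naive={deny_ssh_naive(pkt)!s:5} "
              f"chain-aware={deny_ssh_chain_aware(pkt)} "
              f"chain={walk_headers(pkt)[2]}")
```

Running it shows the naive matcher denying only the plain packet while every packet with an extension header in front of TCP slips past the rule, which is the behaviour the first post reports; the chain-aware matcher denies all of them. The walker also bounds every read by the packet length, so a crafted Hdr Ext Len cannot make it read past the buffer, and a non-initial fragment is treated as unclassifiable and dropped, the same conservative choice the thread's "drop what cannot be processed" option describes.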