Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Bypassing ACL using extension headers

Apachez-
Trusted Contributor

Bypassing ACL using extension headers

It seems that it is possible to completely bypass the IPv6 ACL in Comware-based devices according to http://6lab.cz/article/bypassing-acl-using-extension-headers/ (and it was verified on A5800).

 

Other than waiting for HP to release a proper fix (or for that matter issue a "undo ipv6") - is there any other mitigation one can apply to secure the device?

 

I havent found a way to bind ssh and snmp to a dedicated vlan interface - instead the Comware-device will by default listen on ALL interfaces the device has setup (routed interfaces, vlan-interfaces and loopback interfaces) which is kind of bad when the IPv6 ACL can be bypassed.

4 REPLIES
ThomasGlanzmann
Frequent Advisor

Re: Bypassing ACL using extension headers

Hello,

the current ACL implementation of Comware is really in bad shape. I will revert back to my Cisco core on the weekend. Because of the following:

 

- Layer 3 ACLs apply on Layer2: Setting an ACL on an vlan interface also affects the Layer 2 traffic going through the switch.

 

- IPv6 outbound ACLs do not apply to the management processor.

 

- IPv6 ACLs are completly useless as it turns out.

 

- There is no logging interface which logs which rule has triggered the ACL. This is a nightmare when debugging

    ACLs rules or in this case implementation.

 

Cheers,

      Thomas

Apachez-
Trusted Contributor

Re: Bypassing ACL using extension headers

HP assigned problem security number: SSRT101416

 

It seems that an updated firmware sent to the above user fixed this issue so the rest of us will hopefully see this update online within 1-3 months (I guess it will go through the normal Early Access -> General Availability process).

 

The thing to look for in the release notes will be something like:

 

There is a new command - "ipv6 option drop enable".
This option drops packets, if the packets cannot be proccessed in hw.

 

Which I guess one would need to enable in order to get the IPv6 ACLs to work as you expect them to.

MichaelM55
Trusted Contributor

Re: Bypassing ACL using extension headers

Well it´s a matter of fact that current switches, i.e. HP A5500-EI and A5800 do not support blocking IPv6 extension headers, Comware 5 has the following rules:

 
·         rule deny icmpv6 fragment *
·         rule deny ipv6 fragment *
·         rule deny icmpv6 routing *
·         rule deny ipv6 routing *

 

But if you apply them on ports it will tell you:

 

"FILTER/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy **** on interface ****.Not supported"

 

I do not know anything about a firmware for A5500-EI or A5800 that will make blocking extension headers possible.

Apachez-
Trusted Contributor

Re: Bypassing ACL using extension headers

I looks like the ACL engine in comware v5 currently cannot deal with ipv6 fragments.

 

You can configure it but after reboot the particular line is gone.

 

I have an ongoing supportcase with HP regarding this matter.