
Bypassing ACL using extension headers

Trusted Contributor


It seems that it is possible to completely bypass the IPv6 ACL in Comware-based devices according to (and it was verified on A5800).


Other than waiting for HP to release a proper fix (or, for that matter, issuing an "undo ipv6") - is there any other mitigation one can apply to secure the device?


I haven't found a way to bind SSH and SNMP to a dedicated VLAN interface - instead the Comware device will by default listen on ALL interfaces the device has set up (routed interfaces, VLAN interfaces and loopback interfaces), which is kind of bad when the IPv6 ACL can be bypassed.

Not applicable

Re: Bypassing ACL using extension headers


The current ACL implementation of Comware is really in bad shape. I will revert back to my Cisco core on the weekend, because of the following:


- Layer 3 ACLs apply on Layer 2: Setting an ACL on a VLAN interface also affects the Layer 2 traffic going through the switch.


- IPv6 outbound ACLs do not apply to the management processor.


- IPv6 ACLs are completely useless, as it turns out.


- There is no logging interface which logs which rule has triggered the ACL. This is a nightmare when debugging ACL rules or, in this case, the implementation.




Trusted Contributor

Re: Bypassing ACL using extension headers

HP assigned problem security number: SSRT101416


It seems that an updated firmware sent to the above user fixed this issue so the rest of us will hopefully see this update online within 1-3 months (I guess it will go through the normal Early Access -> General Availability process).


The thing to look for in the release notes will be something like:


There is a new command - "ipv6 option drop enable".
This option drops packets if the packets cannot be processed in hw.


Which I guess one would need to enable in order to get the IPv6 ACLs to work as you expect them to.

Trusted Contributor

Re: Bypassing ACL using extension headers

Well, it's a matter of fact that current switches, i.e. HP A5500-EI and A5800, do not support blocking IPv6 extension headers. Comware 5 has the following rules:

- rule deny icmpv6 fragment *
- rule deny ipv6 fragment *
- rule deny icmpv6 routing *
- rule deny ipv6 routing *


But if you apply them on ports, it will tell you:


"FILTER/5/FLT_SET_POLICY_NOTSUPPORT_FAIL: Failed to apply the filter policy to or refresh the filter policy **** on interface ****.Not supported"


I do not know anything about a firmware for A5500-EI or A5800 that will make blocking extension headers possible.

Trusted Contributor

Re: Bypassing ACL using extension headers

It looks like the ACL engine in Comware v5 currently cannot deal with IPv6 fragments.


You can configure it but after reboot the particular line is gone.


I have an ongoing support case with HP regarding this matter.
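As an added example (not code from any poster or from HP), a small Python parser that walks the IPv6 extension-header chain of a raw packet, so that traffic from a mirror-port capture can be audited for the Fragment (44) and Routing (43) headers that, according to the posts above, the Comware 5 hardware ACL cannot evaluate. The packet builder and addresses are constructed test input only.

```python
# Added example: walk an IPv6 packet's extension-header chain and flag packets
# whose upper-layer protocol (e.g. TCP) sits behind a Fragment or Routing header.
# A hardware ACL that only looks at the IPv6 base header sees Next Header = 44/43
# instead of 6, which is why such packets are an ACL blind spot on the devices
# discussed in the thread.
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
UNFILTERABLE = {ROUTING, FRAGMENT}  # headers the thread says the HW ACL cannot filter

def walk_ipv6_headers(pkt: bytes):
    """Return (extension header types in order, upper-layer protocol, its offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nxt)
        # Fragment header is a fixed 8 bytes; the others carry Hdr Ext Len
        # in 8-octet units, not counting the first 8 octets.
        hdr_len = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt = pkt[off]
        off += hdr_len
    return chain, nxt, off

def acl_blind_spot(pkt: bytes) -> bool:
    """True if the packet carries a header the hardware ACL cannot evaluate."""
    chain, _, _ = walk_ipv6_headers(pkt)
    return any(h in UNFILTERABLE for h in chain)

def _ipv6(next_header: int, payload: bytes) -> bytes:
    # Constructed sample base header: version 6, hop limit 64, ::1 -> ::2.
    src, dst = bytes(15) + b"\x01", bytes(15) + b"\x02"
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload

# Constructed test packets; a 20-byte zero stub stands in for the TCP header.
TCP_STUB = bytes(20)
PLAIN_TCP = _ipv6(6, TCP_STUB)
FRAGMENTED_TCP = _ipv6(FRAGMENT, struct.pack("!BBHI", 6, 0, 0, 1) + TCP_STUB)
ROUTED_TCP = _ipv6(ROUTING, struct.pack("!BBBB", 6, 0, 0, 0) + bytes(4) + TCP_STUB)

if __name__ == "__main__":
    for name, p in [("plain", PLAIN_TCP), ("fragment", FRAGMENTED_TCP), ("routing", ROUTED_TCP)]:
        print(name, walk_ipv6_headers(p), "blind spot:", acl_blind_spot(p))
```

Feeding captured frames through `acl_blind_spot` gives a quick way to see whether traffic with these headers is actually reaching the management plane while the firmware fix is pending.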