Quick summary for IPv6 Drop of Zone Protection and IPv6 Routing header.
Created On 06/07/19 05:54 AM - Last Modified 07/19/22 23:14 PM
Question
Starting with PANOS 8.0, Palo Alto Networks customers can use the IPv6 Drop settings of Zone Protection to filter various IPv6 routing header packets.
However, in most cases it is hard for the customer to determine which IPv6 routing header packets should be filtered.
How can the customer determine which IPv6 routing header packets should be filtered?
Environment
- PANOS 8.0
- PANOS 8.1
- PANOS 9.0
Answer
Detailed information on the IPv6 routing header types is available in the IANA registry at the URL below.
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml
IPv6 routing type values are assigned as shown in the screenshot below.
When the customer enables Zone Protection for a zone, the default settings for IPv6 Drop are as shown below.
With the default settings, the firewall filters IPv6 routing types 0, 1, 4-252 and 255.
These types have a status of "Deprecated", "Unassigned" or "Reserved", which means that network devices do not usually use them. So in most cases the default settings can be left alone.
However, "4" is sometimes used as the Routing Type of the Segment Routing Extension Header for IPv6 Segment Routing.
So if the customer is using IPv6 Segment Routing in their network, the firewall may filter valid IPv6 Segment Routing packets because of "Drop packets with type 4 to type 252 routing header", which is one of the default settings of IPv6 Drop in Zone Protection.
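To see which routing types actually occur in captured traffic before deciding on these settings, the routing type can be read directly from the packet bytes. The following is an added example, not Palo Alto Networks code: the function names and the sample packets are constructed for illustration, and the drop set is the default described above (types 0, 1, 4-252 and 255).

```python
import struct

ROUTING = 43            # IPv6 Next Header value of the Routing header
SKIPPABLE = {0, 60}     # Hop-by-Hop and Destination Options (same length encoding)
# Routing types filtered by the default settings described above: 0, 1, 4-252, 255
DEFAULT_DROP = {0, 1, 255} | set(range(4, 253))

def routing_type(packet: bytes):
    """Return the Routing Type of the first Routing header, or None if absent.

    Only Hop-by-Hop and Destination Options headers are walked; a Routing
    header placed behind a Fragment, AH or ESP header is not looked for.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40              # Next Header field, end of fixed header
    while nxt in SKIPPABLE or nxt == ROUTING:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == ROUTING:
            return packet[off + 2]        # third byte holds the Routing Type
        # Hdr Ext Len counts 8-byte units beyond the first 8 bytes
        nxt, off = packet[off], off + (packet[off + 1] + 1) * 8
    return None

def default_verdict(packet: bytes) -> str:
    """Say whether the default routing-type set above would filter the packet."""
    rt = routing_type(packet)
    if rt is None:
        return "no routing header"
    return f"type {rt}: " + ("drop" if rt in DEFAULT_DROP else "pass")

def build(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet: fixed IPv6 header with zeroed addresses."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + bytes(32) + payload

# Constructed samples (next header 59 = No Next Header after the Routing header)
SRH = bytes([59, 2, 4, 0, 0, 0, 0, 0]) + bytes(16)     # Segment Routing, type 4
MIP6 = bytes([59, 2, 2, 1, 0, 0, 0, 0]) + bytes(16)    # Mobile IPv6, type 2
HBH = bytes([43, 0, 1, 4, 0, 0, 0, 0])                 # Hop-by-Hop with PadN
SAMPLES = {"srh": build(43, SRH), "mip6": build(43, MIP6),
           "hbh+srh": build(0, HBH + SRH), "plain": build(59, b"")}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8s} {default_verdict(pkt)}")
```

Run over the IPv6 packets of a capture from the protected zone, a "type 4: drop" result indicates Segment Routing traffic that the default setting would filter.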