Title of invention: Examining and controlling IPv6 extension headers
Abstract: Methods and systems for selectively blocking, allowing and/or reformatting IPv6 headers by traversing devices are provided. According to one embodiment, reputation information regarding observed senders of Internet Protocol (IP) version 6 (IPv6) packets and packet fragments is maintained by a traversing device based on conformity or nonconformity of extension headers contained within the IPv6 packets with respect to a set of security checks performed by the traversing device. When an IPv6 packet or packet fragment is received from a particular source IP address indicated by the reputation information to be associated with one or more nonconformity issues, the traversing device drops, rate limits or quarantines the IPv6 packet or the packet fragment.
Publication number: US9584478(B2); Publication date: 2017.02.28
Application number: US201615006051; Filing date: 2016.01.25
Applicant: Fortinet, Inc.; Inventor: Jäger Thorsten
Classification: H04L29/06; Main classification: H04L29/06
Agency: Hamilton, DeSanctis & Cha LLP; Agent: Hamilton, DeSanctis & Cha LLP
Principal claim: 1. A method comprising: receiving, by a traversing device within a protected network, a plurality of Internet Protocol (IP) version 6 (IPv6) packets or packet fragments; applying, by the traversing device, a set of security checks to extension headers within each of the plurality of IPv6 packets or packet fragments, wherein the set of security checks includes a security check relating to a limit on a number of extension headers that may be included within an IPv6 packet or packet fragment based on an application or a protocol with which the IPv6 packet or packet fragment is associated; based on results of the set of security checks, updating, by the traversing device, sender reputation information maintained by the traversing device corresponding to senders of the plurality of IPv6 packets or packet fragments, wherein the sender reputation information is indicative of observed conformity/non-conformity of IPv6 extension headers with one or more security checks of the set of security checks; and making use of the sender reputation information, by the traversing device, to drop, rate limit or quarantine one or more subsequently received IPv6 packets or packet fragments.
Address: Sunnyvale CA US