ERNW White Paper 62

RA Guard Evasion Revisited

When IPv6 was designed as the successor to IPv4, multiple design changes were taken into consideration, one of which was a simpler header format with better support for extensions and headers. IPv4 already supports extensions through the Options field in its header. This field is mainly used to carry additional information about the packet and the way it should be processed. The Options field has a significant effect on performance. As a result, it was replaced in IPv6 with optional, customized headers called extension headers, which can be added as needed after the IPv6 header. They carry optional internet-layer information and are placed between the IPv6 header and the upper-layer header in the packet. These headers can be used for fragmentation, for defining a path for the packet, and in multiple other cases that are out of the scope of this paper. In the past, the general extension header concept created several security problems, including the evasion of IDPS devices/appliances and of first-hop security features (e.g. RA Guard) on typical enterprise-grade access layer switches. While these problems are not new, the goal of this white paper is to get an impression of whether the situation (on an infrastructure level) has improved in the meantime, specifically in the context of RA Guard.
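The following added example (not code from the white paper or from ERNW) sketches the check a first-hop filter has to make: because extension headers sit between the IPv6 header and the upper-layer header, the filter must walk the chain before it can tell whether a packet is a Router Advertisement. The names `classify` and `ipv6` and all sample packets are constructed for illustration, and only Hop-by-Hop, Routing, Destination Options and Fragment headers are walked.

```python
import struct

GENERIC_EXT = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ICMPV6, ROUTER_ADVERTISEMENT = 44, 58, 134


def classify(packet: bytes) -> str:
    """Return 'ra', 'other' or 'undetermined' for one raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "undetermined"
    next_header, offset = packet[6], 40  # chain starts after the fixed header
    while True:
        if next_header in GENERIC_EXT:
            if offset + 2 > len(packet):
                return "undetermined"
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets.
            next_header, offset = packet[offset], offset + (packet[offset + 1] + 1) * 8
        elif next_header == FRAGMENT:
            if offset + 8 > len(packet):
                return "undetermined"
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return "undetermined"  # non-first fragment: no upper-layer header here
            next_header, offset = packet[offset], offset + 8
        elif next_header == ICMPV6:
            if offset >= len(packet):
                return "undetermined"
            return "ra" if packet[offset] == ROUTER_ADVERTISEMENT else "other"
        else:
            return "other"


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet: fe80::1 -> ff02::1, hop limit 255."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + src + dst + payload


# Constructed samples (checksums left at zero; they are not validated here).
RA = bytes([134, 0]) + bytes(14)
DEST_OPTS = bytes([58, 0, 1, 4, 0, 0, 0, 0])  # next=ICMPv6, one PadN option
PLAIN_RA = ipv6(58, RA)
EXT_RA = ipv6(60, DEST_OPTS + RA)
LATER_FRAGMENT = ipv6(44, bytes([58, 0]) + struct.pack("!HI", 1 << 3, 7) + bytes(8))

if __name__ == "__main__":
    for name in ("PLAIN_RA", "EXT_RA", "LATER_FRAGMENT"):
        print(name, globals()[name][6], classify(globals()[name]))
```

A filter that inspects only the Next Header field of the fixed header sees 60 rather than 58 for `EXT_RA`; the `undetermined` result marks packets for which the decision has to come from policy rather than from the packet contents.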