Cisco Packet Data Gateway (PDG)
Firewall-and-NAT Policy Configuration Mode Commands
firewall dos-protection
Command Line Interface Reference, StarOS Release 17
ipv6-frag-hdr nested-fragmentation
Drops IPv6 packets containing nested fragmentation (reassembled packets containing a fragment header).
IPv6 fragmentation is done only by the source node. An IPv6 fragment packet must have only one fragment header. Firewall will drop packets with more than one fragment header. A reassembled packet that still contains a fragment header will be dropped by Firewall. As per RFC 2460, the fragment length (except for the last fragment) must be a multiple of 8 octets. If not, such fragments are dropped.
ipv6-hop-by-hop [ invalid-options | jumbo-payload | router-alert | unknown-options ]
Drops IPv6 packets containing the hop-by-hop extension header.
The Hop-by-Hop Options extension header, if present, must be the first header to follow the IPv6 main header. This is indicated by a value of 0x00 in the Next Header field of the main header. The length must be expressed as a multiple of 8 octets (excluding the first 8 octets). If not, such packets will be dropped.
invalid-options
: Drops IPv6 packets containing invalid IPv6 hop-by-hop options.
The following values are invalid in the Option Type field of a Hop-by-Hop extension header. Packets with these options in a hop-by-hop header will be dropped.
Value 0x04, Tunnel Encapsulation limit
Value 0xC9, Home Address Destination option
Value 0xC3, NSAP Address option
The options are present in TLV (Type Length Value) format. If the length specified is invalid, then such packets will be dropped.
jumbo-payload
: Drops IPv6 packets with jumbo payload hop-by-hop options.
The Jumbo Payload option (RFC 2675) has the option type value 0xC2 and is only valid as a Hop-by-Hop option. This option allows the creation of very large IP packets (packets larger than 65K bytes). If this option is allowed, the following validity checks will be done.
The IP payload length must be 0x00 when the Jumbo Payload option is present.
The Jumbo Payload option must be used only when the length is greater than 65,535; the two
most significant bytes of the Jumbo length cannot be 0x00.
The Jumbo Payload option cannot be used in conjunction with a Fragmentation extension header.
If any of the above checks fail, then the IPv6 packet will be dropped. The Option Type field must have 4n+2 alignment.
router-alert
: Drops IPv6 packets with router alert hop-by-hop options.
The Router Alert (RFC 2711) option is used to signal the routers that a closer inspection of the packet is warranted. Denial of service (DoS) attacks can occur if an attacker sends a large number of packets with this option. Only one option of this type may be present, regardless of value, per Hop-by-Hop header, with 2n + 0 alignment.
unknown-options
: Drops IPv6 packets containing unknown IPv6 hop-by-hop options.
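The following Python validator is an added example, not Cisco's or StarOS's code. It walks the IPv6 extension-header chain of a packet and applies the `ipv6-frag-hdr` and `ipv6-hop-by-hop` checks described above (one Fragment header, non-final fragment length a multiple of 8, Hop-by-Hop header first, invalid option types 0x04/0xC9/0xC3, Jumbo Payload and Router Alert rules, unknown options). It assumes the Router Alert option type value 0x05 (RFC 2711) and the 4-octet Jumbo length field (RFC 2675), neither of which this page states; all sample packets are constructed inline, not captured traffic.

```python
import struct

IPV6_HDR_LEN = 40
NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_DEST_OPTS, NH_UDP = 0, 43, 44, 60, 17
TLV_HEADERS = {NH_HOP_BY_HOP, NH_ROUTING, NH_DEST_OPTS}      # headers carrying a Hdr Ext Len field
OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT, OPT_JUMBO = 0x00, 0x01, 0x05, 0xC2   # 0x05 assumed from RFC 2711
# Option types the page lists as invalid inside a Hop-by-Hop header
INVALID_HBH = {0x04: "Tunnel Encapsulation Limit", 0xC9: "Home Address", 0xC3: "NSAP Address"}
KNOWN_HBH = {OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT, OPT_JUMBO}


def iter_options(data):
    """Yield (offset, type, value) for each TLV; raise ValueError when a length runs past the header."""
    i = 0
    while i < len(data):
        t = data[i]
        if t == OPT_PAD1:                                   # Pad1 has no length or value byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("option length runs past the header")
        yield i, t, data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]


def check_hop_by_hop(data, payload_len):
    """Apply the invalid/jumbo/router-alert/unknown option checks; return (reasons, jumbo_seen)."""
    reasons, alerts, jumbo = [], 0, False
    try:
        for pos, t, val in iter_options(data):
            # pos is relative to byte 2 of the header, so 4n+2 alignment means pos % 4 == 0
            if t in INVALID_HBH:
                reasons.append("invalid-options: %s (0x%02X)" % (INVALID_HBH[t], t))
            elif t == OPT_JUMBO:
                jumbo = True
                if pos % 4 != 0 or len(val) != 4:            # 4-octet Jumbo length assumed from RFC 2675
                    reasons.append("jumbo-payload: bad alignment or option length")
                elif payload_len != 0 or struct.unpack("!I", val)[0] <= 0xFFFF:
                    reasons.append("jumbo-payload: payload length must be 0 and jumbo length > 65535")
            elif t == OPT_ROUTER_ALERT:
                alerts += 1
                if pos % 2 != 0:                             # 2n+0 alignment
                    reasons.append("router-alert: bad alignment")
            elif t not in KNOWN_HBH:
                reasons.append("unknown-options: type 0x%02X" % t)
    except ValueError as e:
        reasons.append("invalid-options: " + str(e))
    if alerts > 1:
        reasons.append("router-alert: more than one Router Alert option")
    return reasons, jumbo


def check_ipv6(pkt):
    """Walk the extension-header chain and return the list of drop reasons ([] means pass)."""
    if len(pkt) < IPV6_HDR_LEN:
        return ["truncated IPv6 header"]
    payload_len, nh = struct.unpack("!H", pkt[4:6])[0], pkt[6]
    off, reasons, frags, jumbo = IPV6_HDR_LEN, [], 0, False
    while nh in TLV_HEADERS or nh == NH_FRAGMENT:
        if off + 8 > len(pkt):
            return reasons + ["truncated extension header"]
        if nh == NH_FRAGMENT:
            frags += 1
            more = pkt[off + 3] & 0x01                       # M flag: more fragments follow
            if more and (len(pkt) - off - 8) % 8 != 0:       # non-final fragments carry 8n octets
                reasons.append("ipv6-frag-hdr: non-final fragment length not a multiple of 8")
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8                 # Hdr Ext Len excludes the first 8 octets
            if off + hdr_len > len(pkt):
                return reasons + ["extension header length exceeds packet"]
            if nh == NH_HOP_BY_HOP:
                if off != IPV6_HDR_LEN:
                    reasons.append("ipv6-hop-by-hop: header is not first after the main header")
                r, j = check_hop_by_hop(pkt[off + 2:off + hdr_len], payload_len)
                reasons += r
                jumbo = jumbo or j
        nh, off = pkt[off], off + hdr_len
    if frags > 1:                                            # models a reassembled packet with a leftover Fragment header
        reasons.append("ipv6-frag-hdr: nested fragmentation (more than one Fragment header)")
    if jumbo and frags:
        reasons.append("jumbo-payload: used together with a Fragment header")
    return reasons


# --- constructed sample packets (hypothetical, not captured traffic) ---
def ipv6(nh, payload, payload_len=None):
    plen = len(payload) if payload_len is None else payload_len
    return struct.pack("!IHBB", 0x60000000, plen, nh, 64) + bytes(32) + payload   # zero addresses

def tlv_header(nh, options):
    """Build a Hop-by-Hop or Destination Options header, PadN-padded to a multiple of 8 octets."""
    body = bytes(2) + options
    pad = -len(body) % 8
    body += b"\x00" if pad == 1 else (bytes([OPT_PADN, pad - 2]) + bytes(pad - 2) if pad else b"")
    return bytes([nh, len(body) // 8 - 1]) + body[2:]

def fragment(nh, more, ident=1):
    return struct.pack("!BBHI", nh, 0, int(more), ident)   # fragment offset 0, M flag as given

UDP, JUMBO = bytes(8), b"\xC2\x04" + struct.pack("!I", 70000)
SAMPLES = {
    "plain": ipv6(NH_UDP, UDP),
    "one_router_alert": ipv6(NH_HOP_BY_HOP, tlv_header(NH_UDP, b"\x05\x02\x00\x00") + UDP),
    "two_router_alerts": ipv6(NH_HOP_BY_HOP, tlv_header(NH_UDP, b"\x05\x02\x00\x00" * 2) + UDP),
    "tunnel_limit": ipv6(NH_HOP_BY_HOP, tlv_header(NH_UDP, b"\x04\x01\x03") + UDP),
    "jumbo_ok": ipv6(NH_HOP_BY_HOP, tlv_header(NH_UDP, JUMBO) + UDP, payload_len=0),
    "jumbo_with_fragment": ipv6(NH_HOP_BY_HOP, tlv_header(NH_FRAGMENT, JUMBO) + fragment(NH_UDP, True) + UDP, payload_len=0),
    "nested_fragments": ipv6(NH_FRAGMENT, fragment(NH_FRAGMENT, True) + fragment(NH_UDP, True, 2) + UDP),
    "short_fragment": ipv6(NH_FRAGMENT, fragment(NH_UDP, True) + bytes(12)),
    "hbh_not_first": ipv6(NH_DEST_OPTS, tlv_header(NH_HOP_BY_HOP, b"") + tlv_header(NH_UDP, b"") + UDP),
    "unknown_option": ipv6(NH_HOP_BY_HOP, tlv_header(NH_UDP, b"\x1e\x02\x00\x00") + UDP),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-20s %s" % (name, check_ipv6(pkt) or "pass"))
```

Each drop reason is prefixed with the keyword of the `firewall dos-protection` option that would catch it, so the output can be read against the command syntax above; a real implementation would also have to apply the fragment checks across reassembly state rather than to a single packet.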
mime-flood
Enables protection against HTTP Multiple Internet Mail Extension (MIME) header flooding attacks.
port-scan
Enables protection against Port Scan attacks.