Chapter 23: IPv6
STANDARD Revision 1.0 C4® CMTS Release 8.3 User Guide
© 2016 ARRIS Enterprises LLC. All Rights Reserved.
Network Infrastructure Service
C4/c CMTS Security Features for IPv6
The C4/c CMTS provides a number of features to resist various IPv6 Denial of Service (DoS) or spoofing attacks. Here is a summary:
1. Since DHCPv6 and ND/RD packets are targeted to the C4/c CMTS host processor, there is a potential for a malicious subscriber to bombard the C4/c CMTS with a large amount of these packets. This could deny service to other legitimate subscribers. The C4/c CMTS has implemented two features to prevent this type of attack:
   a. Host protocol throttling to throttle the rate at which individual protocol packets are passed to the C4/c CMTS host CPU.
   b. Per MAC address throttling to limit the number of DHCPv6 and ND/RD packets that can be sent by any single modem.
2. The C4/c CMTS does not process any IPv6 Router Advertisement (RA) or ICMP redirect messages. These are silently discarded.
3. Dataplane dropping of invalid IPv6 packets is also done by the C4/c CMTS. This eliminates the need for some IPv6 filters.
   a. Received packets with an IPv6 link-local source address are never routed through the C4/c CMTS.
   b. Upstream link-local traffic is terminated by the C4/c CMTS and is never re-forwarded on a downstream cable interface.
   c. Only the well-known link-local, site-local and global addresses are allowed as source or destination IP addresses.
      o Link-local 0xfe80
      o Global 0x20
      o Site-local 0xfec0, 0xfc, 0xfd
   d. IPv6 multicast addresses are not valid as a source address and are silently dropped.
   e. A source address of all zeros is allowed only with a multicast DMAC.
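
The source-address rules in item 3 can be modeled as a small packet check. This is an added example, not ARRIS code: the function names, the needs_routing flag and the sample packets are hypothetical, and matching the listed hex values against the leading byte(s) of the address is an assumption about how the guide's prefixes are compared.

```python
import ipaddress

# Leading hex values the guide lists for permitted unicast addresses.
# Assumption: each value is matched against the first byte(s) of the address.
ALLOWED_PREFIXES = {
    "link-local": [bytes.fromhex("fe80")],
    "global": [bytes.fromhex("20")],
    "site-local": [bytes.fromhex("fec0"), bytes.fromhex("fc"), bytes.fromhex("fd")],
}

def is_multicast_mac(mac):
    # The group bit is the least-significant bit of the first octet.
    return bool(int(mac.split(":")[0], 16) & 0x01)

def scope_of(raw):
    for scope, prefixes in ALLOWED_PREFIXES.items():
        if any(raw.startswith(p) for p in prefixes):
            return scope
    return None

# needs_routing is a hypothetical flag: True when the packet would have to be
# forwarded through the CMTS instead of being terminated on it.
def check_source(src, dmac, needs_routing):
    """Return (verdict, reason) for one upstream packet's IPv6 source address."""
    raw = ipaddress.IPv6Address(src).packed
    if raw[0] == 0xFF:                            # rule 3d
        return ("drop", "multicast source")
    if raw == bytes(16):                          # rule 3e
        if is_multicast_mac(dmac):
            return ("accept", "unspecified source, multicast DMAC")
        return ("drop", "unspecified source, unicast DMAC")
    scope = scope_of(raw)
    if scope is None:                             # rule 3c
        return ("drop", "source prefix not allowed")
    if scope == "link-local" and needs_routing:   # rules 3a, 3b
        return ("drop", "link-local source is never routed")
    return ("accept", scope + " source")

if __name__ == "__main__":
    # Constructed sample packets: (source address, destination MAC, needs_routing)
    samples = [
        ("fe80::1", "33:33:00:00:00:02", False),
        ("fe80::1", "00:11:22:33:44:55", True),
        ("::", "33:33:ff:00:00:01", False),
        ("::", "00:11:22:33:44:55", False),
        ("2001:db8::10", "00:11:22:33:44:55", True),
    ]
    for src, dmac, routed in samples:
        print(src, dmac, routed, check_source(src, dmac, routed))
```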