This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marc_Lampo
Contributor
‎2018-10-16 04:08 AM

IPv6 static route for 2000::/3 no longer possible (R80.20)

Hello,

following a recommendation I heard from a guy from Cisco, on an IETF conference (IPv6 working group), I have since then configured a static route for 2000::/3, while the IPv6 default route was blackholed.  (As IPv6 public addresses start with 2...:: or 3...:: exclusively, a route for 2000::/3 is enough - hijacking of addresses outside that list can no longer cause harm)

This worked fine up tille and including R80.10 :

# fw ver
This is Check Point's software version R80.10 - Build 027

(extract from the configuration)

set ipv6 static-route default nexthop blackhole
set ipv6 static-route 2000::/3 comment "Route public address space only"
set ipv6 static-route 2000::/3 nexthop gateway <-my:IPv6:routers:addres-> on

To my surprise, R80.20 refuses IPv6 static routes for masks <8 !

CP helpdesk was very quick to point at sk118074, claiming this - IPv6 routes for a /3 - is not possible since R75.
(which obviously is not true, since I have R80.10's configured like that)

CP helpdesk even closed the ticket before I could point this out to them : good for their statistics, bad for customer/partner feeling ...

Given the number of people that already voted in favor of supporting R77.30 for (at least !?) another year,
I would think Check Point has more important things to fix,
rather than breaking something which worked fine up till now 😞

Sincerely,

0 Kudos
2 Replies
Danny
Champion Champion
Champion
‎2018-10-16 04:22 AM

@Hugo van der Kooij: What are you thinking about this in regards to your post here?

PhoneBoy
Admin
Admin
‎2018-10-16 08:47 AM

Based on that SK, one could argue that the fact the OS allowed configuring IPv6 with mask length less than 8 as a defect that we "fixed" in R80.20. Smiley Happy

That said, I see the other side of it.

We would probably have to address it as an RFE.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top