Bug ID 502106: Incoming IPv6 packets with IPv4 mapped IPv6 addresses may be dropped in HW

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Opened: Jan 21, 2015
Severity: 3-Major

Symptoms

If AFM DoS is enabled in hardware, and the sys db tunable <userinput>dos.dropv4mapped</userinput> is not set, incoming IPv6 packets with IPv4 mapped IPv6 addresses may still be dropped in hardware if the <userinput>ipv6_bad_addr</userinput> vector is enabled with a finite rate-limit/detection value.

Impact

Packets might be dropped in HW.

Conditions

AFM HW DoS enabled with vector ipv6_bad_addr enabled with a finite rate-limit/detection value. Then if you have incoming IPv6 packets which have src or dst address as a IPv4 mapped IPv6 address.

Workaround

To avoid this, configure the rate-limit and detection for <uicontrol>IPv6 Bad Addr</uicontrol> vector to be infinite when you have set <userinput>dos.dropv4mapped</userinput> to false.

Fix Information

None

Behavior Change