Bug ID 502106: Incoming IPv6 packets with IPv4 mapped IPv6 addresses may be dropped in HW

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Opened: Jan 21, 2015

Severity: 3-Major

Symptoms

If AFM DoS is enabled in hardware, and the sys db tunable dos.dropv4mapped is not set, incoming IPv6 packets with IPv4 mapped IPv6 addresses may still be dropped in hardware if the ipv6_bad_addr vector is enabled with a finite rate-limit/detection value.

Impact

Packets might be dropped in HW.

Conditions

AFM HW DoS is enabled, and the ipv6_bad_addr vector is enabled with a finite rate-limit/detection value. The issue then occurs for incoming IPv6 packets whose src or dst address is an IPv4 mapped IPv6 address.

Workaround

To avoid this, configure the rate-limit and detection for the IPv6 Bad Addr vector to be infinite when you have set dos.dropv4mapped to false.
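
The conditions and workaround above, expressed as a check over a configuration and sample traffic. This is an added example, not F5 code: the dictionary keys, the "infinite" sentinel and the flow list are constructed for illustration and are not BIG-IP syntax, and treating either finite value as sufficient to meet the conditions is an assumption.

```python
import ipaddress

def is_v4_mapped(addr):
    """True only for IPv6 addresses in ::ffff:0:0/96 (IPv4-mapped IPv6)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip.ipv4_mapped is not None

def bug_conditions_met(cfg):
    """True when cfg matches the Conditions section of Bug ID 502106."""
    # Assumption: a finite value on either setting counts as "finite".
    finite = any(cfg[k] != "infinite" for k in ("rate_limit", "detection"))
    return (cfg["hw_dos_enabled"]             # AFM DoS enabled in hardware
            and not cfg["drop_v4_mapped"]     # dos.dropv4mapped not set
            and cfg["ipv6_bad_addr_enabled"]  # ipv6_bad_addr vector enabled
            and finite)

def exposed_flows(cfg, flows):
    """Flows with an IPv4-mapped src or dst that may be dropped in hardware."""
    if not bug_conditions_met(cfg):
        return []
    return [f for f in flows if is_v4_mapped(f[0]) or is_v4_mapped(f[1])]

# Constructed sample traffic as (src, dst) pairs using documentation prefixes.
FLOWS = [
    ("2001:db8::10", "2001:db8::20"),       # plain IPv6
    ("::ffff:192.0.2.7", "2001:db8::20"),   # IPv4-mapped source
    ("2001:db8::10", "::ffff:c633:6401"),   # IPv4-mapped destination, hex form
    ("64:ff9b::c000:207", "2001:db8::20"),  # NAT64 prefix, not IPv4-mapped
    ("::192.0.2.7", "2001:db8::20"),        # IPv4-compatible, not IPv4-mapped
]

# Constructed configurations: the affected state and the documented workaround.
AFFECTED = {"hw_dos_enabled": True, "drop_v4_mapped": False,
            "ipv6_bad_addr_enabled": True,
            "rate_limit": 10000, "detection": 10000}
WORKAROUND = dict(AFFECTED, rate_limit="infinite", detection="infinite")

if __name__ == "__main__":
    for name, cfg in (("affected", AFFECTED), ("workaround", WORKAROUND)):
        hits = exposed_flows(cfg, FLOWS)
        print(f"{name}: {len(hits)} flow(s) exposed")
        for src, dst in hits:
            print(f"  {src} -> {dst}")
```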

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips