Interpreting the Results
Although we’ve tried to automate the process of testing and analyzing, there are cases in which you have to interpret the data yourself.
The following observations were made with ft6-1.0 of 2013. Similar results did not arise with the 2019 version of ft6. We decided to list them here anyway because of their importance.
The results showed that 4 ICMPv6 messages had been incorrectly dropped:
- Destination Unreachable
- Packet Too Big
- Time Exceeded
- Parameter Problem
whilst all others had been handled correctly. Even with policies configured to explicitly allow these packets, they still didn’t get through to the server.
So we concluded that the firewall was not too stupid but in fact too smart.
This becomes clear when thinking about what these messages are saying: “There was a problem with the packet I just received”.
Because the server never sent a packet that was too big, the client “responding” with Packet Too Big doesn’t make much sense.
We guessed that the firewall was stateful enough to detect that.
After a lengthy discussion we still chose to keep it that way.
There are just too many unforeseen things that could happen, so we feel we will never be able to completely analyze the tests automatically.
We think it’s best to keep the tool simple and trust in your ability to come up with a smart interpretation.
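The stateful behaviour guessed at above can be modelled in a few lines. This is an added example, not code from ft6 or from the firewall that was tested; the function names, addresses and the flow-matching rule are assumptions. An ICMPv6 error is accepted only if the packet embedded in it matches a flow the filter has already forwarded.

```python
import ipaddress
import struct

# The four ICMPv6 error types listed above; types 128 and up are informational.
ERROR_TYPES = {1, 2, 3, 4}

def ipv6_udp(src, dst, sport, dport):
    """Constructed sample: minimal IPv6 + UDP packet, no payload, checksum 0."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    hdr = struct.pack("!IHBB", 6 << 28, len(udp), 17, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + udp)

def icmpv6_error(icmp_type, invoking_packet):
    """Type, code 0, checksum 0, 4 type-specific bytes, then the invoking packet."""
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + invoking_packet

def flow_of(packet):
    """Return (src, dst, proto, sport, dport), or None if it cannot be parsed."""
    if len(packet) < 44 or packet[0] >> 4 != 6 or packet[6] not in (6, 17):
        return None
    src = str(ipaddress.IPv6Address(packet[8:24]))
    dst = str(ipaddress.IPv6Address(packet[24:40]))
    sport, dport = struct.unpack("!HH", packet[40:44])
    return (src, dst, packet[6], sport, dport)

def verdict(icmp, forwarded_flows, policy_allows=True):
    """Decide on an inbound ICMPv6 message in the hypothetical stateful filter."""
    if len(icmp) < 8:
        return "drop"
    if icmp[0] not in ERROR_TYPES:
        # Informational message (e.g. Echo Request): the configured policy decides.
        return "accept" if policy_allows else "drop"
    # Error message: it must refer to a packet that was actually forwarded.
    if flow_of(icmp[8:]) in forwarded_flows:
        return "accept"
    return "drop"  # unsolicited error: dropped even though the policy allows it

if __name__ == "__main__":
    # Constructed scenario: the server sent one UDP packet to the client.
    sent = ipv6_udp("2001:db8::2", "2001:db8::1", 5000, 53)
    state = {flow_of(sent)}
    print("related Packet Too Big:    ", verdict(icmpv6_error(2, sent), state))
    print("unsolicited Packet Too Big:", verdict(icmpv6_error(2, b""), state))
    print("Echo Request:              ", verdict(icmpv6_error(128, b""), state))
```
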