HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

To enable proper operation of IPv6 networks, the default operation of HP-UX IPSec allows the

following ICMPv6 messages to pass in clear text:

• Router Solicitation

• Router Advertisement

• Neighbor Solicitation

• Neighbor Advertisement

• Redirect

• Destination Unreachable

• Packet Too Big

• Time Exceeded

• Parameter Problem

• Router Renumbering

HP recommends that you do not modify the default behavior; do not configure any policies to

discard or secure packets by explicitly specifying these type values in -src_icmpv6_type or

-dst_icmpv6_type arguments.

If you configure an host policy that specifies the protocol value ALL or ICMPV6 and do not specify

an ICMPv6 type (you do not specify -src_icmpv6_type or -dst_icmpv6_type), only the

following ICMPv6 messages affected by the policy:

• Echo Request

• Echo Reply

• Mobile Prefix Advertisement

• Mobile Prefix Solicitation

Syntax

If you specify ICMPV6 for the protocol argument in a host policy, you can specify ICMPv6

message type values for the packet filter using the -dst_icmpv6_type and -src_icmpv6_type

arguments. The syntax for these arguments in an ipsec_config add host command is as

follows:

-dst_icmpv6_type type_number[,type_number]...|ALL

-src_icmpv6_type type_number[,type_number]...|ALL

Where type_number is the integer ICMPv6 message type (0 - 255).

Example

ipsec_config add host no_bogus -protocol ICMPV6 -src_icmp_type 100

-action DISCARD

164 Product Specifications