Which three elements can you use to identify an IPv6 packet via its header, in order to filter future attacks?

The enterprise network WAN link has received several denial of service attacks from both IPv4 and IPv6 sources. Which three elements can you use to identify an IPv6 packet via its header, in order to filter future attacks? (Choose three)
A. Traffic Class
B. Source address
C. Flow Label
D. Hop Limit
E. Destination Address
F. Fragment Offset


5 thoughts on “Which three elements can you use to identify an IPv6 packet via its header, in order to filter future attacks?”

  1. If answering the question in the context of the setup (we are attempting to prevent DoS attacks from outside the enterprise), we would not want to filter on Hop Limit. The Flow Label has to do with sequencing of packets; so this is of no importance in the prevention of DoS attacks. The Traffic Class can be used by routers for QoS (providing higher priority to specific types of traffic). Fragment Offset is invalid (not filterable).
    I was momentarily inclined to say that the Source address, Destination address, and Traffic Class be used.
    That said, the question asks, not how is it best to filter to stop DoS attacks, but rather “which three elements can you use to identify an IPv6 packet via its header?” This may mean that we want to separate IPv6 from IPv4 via header fields unique to IPv6. In this case, Traffic Class, Flow Label, and Hop Limit are unique to IPv6 headers (not found in IPv4 headers) and therefore represent the correct responses to the question. (A C D).
    A. Traffic Class
    B. Source address
    C. Flow Label
    D. Hop Limit
    E. Destination Address
    F. Fragment Offset

    Answer: A C D

  2. The fields in the IPv6 header are:

    Version – 4 bits are used to indicate the version of IP and are set to 6.

    Traffic Class – Indicates the class or priority of the IPv6 packet. The size of this field is 8 bits. The Traffic Class field provides similar functionality to the IPv4 Type of Service field. In RFC 2460, the values of the Traffic Class field are not defined. However, an IPv6 implementation is required to provide a means for an application layer protocol to specify the value of the Traffic Class field for experimentation.

    Flow Label – Indicates that this packet belongs to a specific sequence of packets between a source and destination, requiring special handling by intermediate IPv6 routers. The size of this field is 20 bits. The Flow Label is used for non-default quality of service connections, such as those needed by real-time data (voice and video). For default router handling, the Flow Label is set to 0. There can be multiple flows between a source and destination, as distinguished by separate non-zero Flow Labels.

    Payload Length – Indicates the length of the IPv6 payload. The size of this field is 16 bits. The Payload Length field includes the extension headers and the upper layer PDU. With 16 bits, an IPv6 payload of up to 65,535 bytes can be indicated. For payload lengths greater than 65,535 bytes, the Payload Length field is set to 0 and the Jumbo Payload option is used in the Hop-by-Hop Options extension header.

    Next Header – Indicates either the first extension header (if present) or the protocol in the upper layer PDU (such as TCP, UDP, or ICMPv6). The size of this field is 8 bits. When indicating an upper layer protocol above the Internet layer, the same values used in the IPv4 Protocol field are used here.

    Hop Limit – Indicates the maximum number of links over which the IPv6 packet can travel before being discarded. The size of this field is 8 bits. The Hop Limit is similar to the IPv4 TTL field except that there is no historical relation to the amount of time (in seconds) that the packet is queued at the router. When the Hop Limit equals 0, an ICMPv6 Time Exceeded message is sent to the source address and the packet is discarded.

    Source Address – Stores the IPv6 address of the originating host. The size of this field is 128 bits.

    Destination Address – Stores the IPv6 address of the current destination host. The size of this field is 128 bits. In most cases the Destination Address is set to the final destination address. However, if a Routing extension header is present, the Destination Address might be set to the next router interface in the source route list.

    1. The comment by Phani above does nothing to explain why Traffic Class, Flow Label, and Hop Limit are shown as correct answers for this question; it is just an explanation of what the different fields in the IPv6 header are.
      I am no IPv6 expert, but in my experience the source IP address typically figures into identifying a packet, certainly more so than a hop limit.
      The article here (Basic IPv6 Security Considerations, http://www.infosectoday.com/Articles/Basic_IPv6_Security_Considerations.htm) seems to suggest the answer might be BCE (Flow Label, Source Address, Destination Address):
      “The usage of the 3-tuple of the Flow Label and the Source and Destination Address fields enables efficient IPv6 flow classification, where only IPv6 main header fields in fixed positions are used.”
      and
      “Denial-of-Service Attacks. Because the mapping of network traffic to flow-specific treatment is triggered by the IP addresses and Flow Label value of the IPv6 header, an intruder may be able to obtain better service by modifying the IPv6 header or by injecting packets with false addresses or labels. This can also give rise to a denial-of-service attack as the possibility exists for a large amount of malicious traffic to be sent with a high priority. A device would then prioritize the malicious traffic and this could potentially impact valid traffic on the network.”
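
The field layout listed in comment 2, and the Flow Label / Source Address / Destination Address 3-tuple quoted in the reply to it, as an added example (not part of the original thread or any commenter's post): a Python sketch that decodes the fixed 40-byte IPv6 header and tallies packets per 3-tuple. The function names and the sample packets are constructed for illustration and use the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import struct
from collections import Counter

def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header using the field widths listed above."""
    if len(packet) < 40:
        raise ValueError("truncated: fixed IPv6 header needs 40 bytes")
    # First 32-bit word: Version (4 bits) | Traffic Class (8) | Flow Label (20)
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = word >> 28
    if version != 6:
        raise ValueError(f"not IPv6: version field is {version}")
    return {
        "version": version,
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
    }

def flow_key(header: dict) -> tuple:
    """3-tuple classifier: Flow Label, Source Address, Destination Address."""
    return (header["flow_label"], header["src"], header["dst"])

def build_header(tc, flow, plen, nh, hops, src, dst) -> bytes:
    """Helper for constructed test input: pack a fixed IPv6 header."""
    word = (6 << 28) | (tc << 20) | flow
    return (struct.pack("!IHBB", word, plen, nh, hops)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def count_flows(packets) -> Counter:
    """Tally packets per 3-tuple; packets that fail to parse are counted apart."""
    counts = Counter()
    for pkt in packets:
        try:
            counts[flow_key(parse_ipv6_header(pkt))] += 1
        except ValueError:
            counts["unparsed"] += 1
    return counts

SAMPLE = [build_header(0xB8, 0x12345, 0, 17, 64, "2001:db8::1", "2001:db8::99")] * 3 + [
    build_header(0, 0, 0, 6, 255, "2001:db8::2", "2001:db8::99"),
    bytes([0x45]) + bytes(39),  # constructed: IPv4-style first byte (version nibble 4)
]
```

Calling `count_flows(SAMPLE)` groups the three identical packets under one key and counts the packet with version nibble 4 as unparsed, since only the Version field separates the two protocols at this offset.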
