azet / capirca

Fork: Multi-platform ACL generation system
https://code.google.com/p/capirca
Apache License 2.0

Cisco does not support IPv6 Protocol numbers #15

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Generate a policy that references IPv6 ICMP packets:
header {
    target:: cisco iACL-V6 inet6
}

term permit-icmp {
    comment:: "Permit all ICMP traffic"
    protocol:: icmp
    action:: accept
}

2. Attempt to load generated filter file into a router:
no ipv6 access-list iACL-V6
ipv6 access-list iACL-V6
remark $Id:$
remark $Date:$

remark permit-icmp
remark Permit all ICMP traffic
 permit 1 any  any

3. Apply ACL to interface:
interface g0/0
 ipv6 traffic-filter iACL-V6 in

What is the expected output? What do you see instead?
Expect generated ACL to allow all IPv6 ICMP packets when applied to an 
interface.  Line does not match ICMP packets, and the packets are denied.  

What version of the product are you using? On what operating system?
Tested on both IOS 12.2(33)SXI1 and IOS 15.1(3)T.

Please provide any additional information below.
It appears that Cisco IOS does not correctly handle Protocol #s in IPv6 
access-lists.  Manually creating a "permit icmp any any" rule works as 
expected.  I have not tested with other protocol numbers, but would expect the 
handling to be similar.  I cannot find any reference to this limitation in the 
documentation, or in the Bug tracker.

Is there a flag to force protocol names instead of numbers in the cisco ACL 
processor?

Original issue reported on code.google.com by brandon....@gmail.com on 24 Feb 2011 at 8:37

GoogleCodeExporter commented 9 years ago
Further testing shows I am incorrect -- IOS correctly recognizes protocols 6 
and 17, converting them to TCP and UDP:

LAB6500#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LAB6500(config)#ipv6 access-list testing
LAB6500(config-ipv6-acl)#permit 6 any any
LAB6500#show ipv6 access-list testing
IPv6 access list testing
    permit tcp any any sequence 10

So it appears just ICMP needs to not be converted, and left as a string.

Original comment by brandon....@gmail.com on 25 Feb 2011 at 4:37

GoogleCodeExporter commented 9 years ago
This seems like a bug in the Cisco IOS code rather than in capirca, as the 
cisco docs indicate a numeric protocol is acceptable.

I tested this and my routers seem to accept the ACL onto the interface, 
although I didn't test against live traffic to see if the actions work as 
expected.

I'll take a close look at this soon.

Original comment by watson@google.com on 13 Jul 2011 at 9:55

GoogleCodeExporter commented 9 years ago
Brandon: To filter ICMP messages in inet6 filters one must use icmpv6 in term 
definition:

term permit-icmp {
    comment:: "Permit all ICMP traffic"
    protocol:: icmpv6
    action:: accept
}

This will result in the following output:

permit 58 any  any

58 is a protocol number for icmpv6 which Cisco also properly recognizes (tested 
on C4900M, IOS version 12.2(54)SG).

This info is based on the latest SVN version of capirca. It is possible that 
icmpv6 handling for Cisco was indeed broken when this bug was opened.

Original comment by ma...@vadnjal.net on 7 Aug 2011 at 3:45

GoogleCodeExporter commented 9 years ago
ma...@vadnjal.net is correct.

Use protocol icmpv6 (protocol 58) instead of icmp (protocol 1) when working 
with IPv6 ICMP.

Original comment by watson on 18 Aug 2011 at 1:00
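The thread's conclusion is easy to get wrong silently: a term with `protocol:: icmp` in an `inet6` filter compiles without error, but the resulting `permit 1 any any` never matches ICMPv6, so the filter quietly fails to do what the term intends. The following is an added example, not code from capirca or from any of the commenters: a small lint that reads the header/term shape shown above and flags (and optionally rewrites) `icmp` terms in Cisco `inet6` policies. The parser is a deliberately simplified, hypothetical one that only understands `key:: value` lines inside `header`/`term` blocks, the address family is assumed to be the third token of the `target::` line (defaulting to `inet` when absent), and the policy text is constructed from the snippet in the issue.

```python
import re

# IANA IP protocol numbers for the names this thread discusses (constructed subset).
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58}

# Hypothetical, simplified parser for the policy shape shown in the thread
# (header/term blocks holding "key:: value" lines); it is not capirca's own grammar.
BLOCK_RE = re.compile(r"(header|term)\s*([\w.-]*)\s*\{([^}]*)\}", re.S)
KV_RE = re.compile(r"^[ \t]*([\w-]+)::[ \t]*(.*?)[ \t]*$", re.M)

# Constructed input: the policy from the issue report.
POLICY = '''header {
    target:: cisco iACL-V6 inet6
}

term permit-icmp {
    comment:: "Permit all ICMP traffic"
    protocol:: icmp
    action:: accept
}
'''


def parse_policy(text):
    """Return (targets, terms).

    targets: list of (platform, filter_name, address_family) from header target:: lines.
    terms:   list of {"name": ..., "protocols": [...]} from term blocks.
    Assumption: the address family is the third token of a target:: line and
    defaults to "inet" when absent (capirca's per-platform defaults may differ)."""
    targets, terms = [], []
    for kind, name, body in BLOCK_RE.findall(text):
        pairs = KV_RE.findall(body)
        if kind == "header":
            for key, value in pairs:
                if key != "target":
                    continue
                tokens = value.split()
                if len(tokens) < 2:
                    continue
                af = tokens[2] if len(tokens) > 2 else "inet"
                targets.append((tokens[0], tokens[1], af))
        else:
            protocols = []
            for key, value in pairs:
                if key == "protocol":
                    protocols.extend(value.split())
            terms.append({"name": name, "protocols": protocols})
    return targets, terms


def lint_inet6_icmp(text):
    """Return (term_name, protocol) pairs for each term that uses protocol icmp
    (IP protocol 1) while the header requests a Cisco inet6 filter. Such a term
    renders as 'permit 1 any any' in an IPv6 ACL and never matches ICMPv6."""
    targets, terms = parse_policy(text)
    if not any(p == "cisco" and af == "inet6" for p, _, af in targets):
        return []
    return [(t["name"], "icmp") for t in terms if "icmp" in t["protocols"]]


def rewrite_for_inet6(text):
    """Return the policy with protocol icmp replaced by icmpv6 inside term blocks,
    but only when lint_inet6_icmp finds something; otherwise the text is unchanged."""
    if not lint_inet6_icmp(text):
        return text

    def fix_block(match):
        kind, name, body = match.groups()
        if kind != "term":
            return match.group(0)
        fixed = re.sub(
            r"(^[ \t]*protocol::[ \t]*)(.*?)[ \t]*$",
            lambda m: m.group(1) + " ".join(
                "icmpv6" if p == "icmp" else p for p in m.group(2).split()),
            body, flags=re.M)
        return f"{kind} {name} {{{fixed}}}"

    return BLOCK_RE.sub(fix_block, text)


if __name__ == "__main__":
    for term, proto in lint_inet6_icmp(POLICY):
        print(f"term {term}: protocol {proto} ({PROTOCOL_NUMBERS[proto]}) in an "
              f"inet6 filter; use icmpv6 ({PROTOCOL_NUMBERS['icmpv6']})")
    print(rewrite_for_inet6(POLICY))
```

Running the lint as a pre-commit step on policy files catches the mismatch before an ACL that looks correct is pushed to a router; the rewrite is kept separate so a reviewer can decide whether a given `icmp` term was really meant for IPv6.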