brcinko
just joined
Topic Author
Posts: 3
Joined: Wed Jan 03, 2018 10:07 am

IPv6 Firewall - Router Header

Thu Sep 20, 2018 11:16 am

Hello guys from Mikrotik,

Have you ever considered the possibility of filtering Route Header Type 0?
Route Header Type 0 can be exploited for attack. It is a known vulnerability described in RFC5095.
https://www.ietf.org/rfc/rfc5095.txt

It would be if we have this implemented in Mikrotik RouterOS.

PS: Sorry if I used wrong section for this post.
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: IPv6 Firewall - Router Header

Thu Sep 20, 2018 4:21 pm

Moderators, is it implemented? viewtopic.php?t=73230
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPv6 Firewall - Router Header

Thu Sep 20, 2018 4:28 pm

As far as I know, it is dropped by the Linux kernel; you do not need to add specific firewall rules for that. Correct me if I am wrong.
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: IPv6 Firewall - Router Header

Thu Sep 20, 2018 4:37 pm

We have the Linux v3.3.5 kernel for now. This behavior was fixed in 2.6. I will try to test it, but I won't refuse some help :)
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: IPv6 Firewall - Router Header

Fri Sep 21, 2018 12:14 pm

> As far as I know, it is dropped by the Linux kernel; you do not need to add specific firewall rules for that. Correct me if I am wrong.

mrz, do we have something according to https://www.ietf.org/rfc/rfc2460 ?

particularly:

If, while processing a received packet, a node encounters a Routing
header with an unrecognized Routing Type value, the required behavior
of the node depends on the value of the Segments Left field, as
follows:

If Segments Left is zero, the node must ignore the Routing header
and proceed to process the next header in the packet, whose type
is identified by the Next Header field in the Routing header.

If Segments Left is non-zero, the node must discard the packet and
send an ICMP Parameter Problem, Code 0, message to the packet's
Source Address, pointing to the unrecognized Routing Type.

If, after processing a Routing header of a received packet, an
intermediate node determines that the packet is to be forwarded onto
a link whose link MTU is less than the size of the packet, the node
must discard the packet and send an ICMP Packet Too Big message to
the packet's Source Address.
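
The RFC 2460 rule quoted in the post above, written out as a decision function. This is an added example, not part of the thread and not RouterOS or Linux kernel code. It assumes a node that recognizes no routing types (RFC 5095 requires type 0 to be handled this way), walks only Hop-by-Hop, Destination Options, Fragment and Routing headers, and uses constructed sample packets with hypothetical helper names.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
# Assumption: this node implements no routing types, so every type,
# including deprecated type 0, is handled as "unrecognized".
RECOGNIZED_TYPES = frozenset()

def classify(packet: bytes):
    """Return (action, pointer) for the first Routing header in the chain.

    pointer is the offset of the Routing Type field from the start of the
    packet, i.e. the value for the ICMP Parameter Problem message.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("malformed", None)
    next_header, offset = packet[6], 40
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            return ("malformed", None)
        if next_header == ROUTING:
            routing_type, segments_left = packet[offset + 2], packet[offset + 3]
            if routing_type in RECOGNIZED_TYPES:
                return ("process", None)
            if segments_left == 0:
                return ("ignore", None)        # continue with the next header
            return ("discard", offset + 2)     # plus ICMP Parameter Problem, Code 0
        if next_header == FRAGMENT:
            # Only the first fragment (offset 0) carries the rest of the chain.
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                break
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8  # Hdr Ext Len, 8-octet units
        next_header, offset = packet[offset], offset + length
    return ("no-routing-header", None)

# Constructed sample input (documentation prefix 2001:db8::/32).
def routing_header(next_header, rtype, segments_left, addresses=()):
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return bytes([next_header, len(body) // 8, rtype, segments_left]) + bytes(4) + body

def ipv6_packet(first_next_header, payload=b""):
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_next_header, 64)
    src, dst = (ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::2"))
    return fixed + src + dst + payload

RH0 = ipv6_packet(ROUTING, routing_header(NO_NEXT, 0, 1, ["2001:db8::3"]))
```

`classify(RH0)` returns `("discard", 42)`: the Routing Type byte sits two octets into the header that starts at offset 40.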
