ICMP(v6) filtering?

Gert Doering gert at space.net
Fri Aug 3 09:42:04 CEST 2012


Hi,

On Fri, Aug 03, 2012 at 09:39:18AM +0200, Shane Kerr wrote:
> Is there any reason to filter ICMP6? Specifically the ones that I
> actually see when debugging, such as echo (ping) and destination
> unreachable (traceroute)?
> 
> Do people on this list filter such traffic?
> 
> It annoys me, but I may be missing something important.

We do not filter any ICMP (we do rate-limit ICMP to our routers, though,
to protect the control-plane).  I like ping and traceroute :-)

If a customer insists on filtering ICMP, I point them at RFC4890

4890 Recommendations for Filtering ICMPv6 Messages in Firewalls. E.  
     Davies, J. Mohacsi. May 2007. (Format: TXT=83479 bytes) (Status:
     INFORMATIONAL)

... which usually results in a reasonable compromise...

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
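
An added example, not part of the original message: a sketch that audits a first-match ICMPv6 filter for transit traffic against the message lists in RFC 4890 sections 4.3.1 (must not be dropped) and 4.3.2 (normally should not be dropped). The rule tuple format, the function names and the sample ruleset are constructed for illustration.

```python
# Added example: RFC 4890 transit-traffic audit. Rule format is hypothetical:
# (action, icmpv6_type, code), with None as a wildcard; first match wins.
MUST_NOT_DROP = {  # RFC 4890 section 4.3.1; code None = all codes
    (1, None): "Destination Unreachable",
    (2, None): "Packet Too Big",
    (3, 0): "Time Exceeded, code 0",
    (4, 1): "Parameter Problem, code 1",
    (4, 2): "Parameter Problem, code 2",
    (128, None): "Echo Request",
    (129, None): "Echo Response",
}
SHOULD_NOT_DROP = {  # RFC 4890 section 4.3.2
    (3, 1): "Time Exceeded, code 1",
    (4, 0): "Parameter Problem, code 0",
    (144, None): "Home Agent Address Discovery Request",
    (145, None): "Home Agent Address Discovery Reply",
    (146, None): "Mobile Prefix Solicitation",
    (147, None): "Mobile Prefix Advertisement",
}

def verdict(rules, default, icmp_type, code):
    """Return the action of the first rule matching (icmp_type, code)."""
    for action, r_type, r_code in rules:
        if r_type in (None, icmp_type) and r_code in (None, code):
            return action
    return default

def audit(rules, default="drop"):
    """List (level, type, name, number_of_dropped_codes) for each violation."""
    findings = []
    for level, table in (("MUST NOT drop", MUST_NOT_DROP),
                         ("SHOULD NOT drop", SHOULD_NOT_DROP)):
        for (icmp_type, code), name in table.items():
            codes = range(256) if code is None else [code]
            dropped = sum(verdict(rules, default, icmp_type, c) == "drop" for c in codes)
            if dropped:
                findings.append((level, icmp_type, name, dropped))
    return findings

# Constructed sample: "allow ping and unreachables, drop the rest".
SAMPLE_RULES = [("accept", 128, None), ("accept", 129, None),
                ("accept", 1, None), ("drop", None, None)]

if __name__ == "__main__":
    for level, icmp_type, name, dropped in audit(SAMPLE_RULES):
        print(f"{level}: type {icmp_type} ({name}), {dropped} code(s) dropped")
```

On the sample ruleset the audit flags Packet Too Big among the dropped types, which is the case that breaks path MTU discovery.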


More information about the ipv6-ops mailing list