ICMP(v6) filtering?

Benedikt Stockebrand me at benedikt-stockebrand.de
Fri Aug 3 14:39:16 CEST 2012


Hi Shane and list,

> Is there any reason to filter ICMP6?

yes, in some cases you may want to filter e.g. routing headers and
such.  More generally speaking, with new ICMP6 types possibly coming
up you may want to whitelist rather than blacklist individual ICMP6
types/codes.

> Specifically the ones that I actually see when debugging, such as
> echo (ping) and destination unreachable (traceroute)?

Ping is a matter of personal preference, or more specifically of whether
you would rather explain to an external security auditor why you leave
your network open to scanning (assuming he has the average sub-limited
knowledge of IPv6) or would rather have the necessary infrastructure at
hand to diagnose and fix a network problem.

It's really your call, or maybe your management's.

As far as the unreachables go, this is generally considered something
not to block because it leads to horrendous timeout behaviours.  Geoff
Huston had a couple of implementation-specific timeout values for
various OSes at the last RIPE meeting in Ljubljana---IIRC they went up
as far as three minutes.

> Do people on this list filter such traffic?

If I were an ISP I'd rather not filter them---doing so is likely to
cause trouble with customers doing things one doesn't expect.  But on
a leaf site I prefer to whitelist ICMP6s.  I allow

  1          Destination unreachable
  2          Packet too big
  3          Hop Limit exceeded
  4          Parameter Problem
135, 136     Neighbor Discovery

because they are in virtually all cases essential for normal
operation.  Additionally I allow

128, 129     Echo Request/Reply

because I want to be able to monitor and troubleshoot.  In
subnets where I use autoconfiguration I also allow

133, 134     Router Solicitation/Advertisement

and finally, in case I accidentally upgrade a switch to something
MLD-aware,

130-132, 143 Multicast Listener Discovery

Everything else is blocked.  This includes

137 Redirect

because in the network topology I'm currently running they can't occur
anyway, and

138 Router renumbering

because (a) I don't use it and (b) this one has rather serious
security implications.  Plus whatever routing headers and such that
don't even make it on my personal list of relevant ICMP6 types.


Finally, you can frequently limit a number of ICMP6 types to traffic
between link-local addresses, with hop limit of 255, and especially if
you're using Linux exclude them from being forwarded.

> It annoys me, but I may be missing something important.

Well, the most important thing is probably some new ICMP6 type being
defined and causing significant trouble on existing implementations.


Cheers,

    Benedikt

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.   http://www.benedikt-stockebrand.de/
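The whitelist above, written out as an ip6tables ruleset. This is an added example and not a script from the original post or its author; it assumes a Linux leaf site with ip6tables, uses the type numbers from the table above, and applies the hop-limit checks the message suggests for the link-local types. The chain names ICMP6_IN/ICMP6_FWD and the DRY_RUN switch are illustrative choices; DRY_RUN defaults to printing the commands so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): an ip6tables ICMPv6 whitelist
# for a leaf site, following the type list in the message above.
# Assumptions: Linux with ip6tables; DRY_RUN=1 (the default) only prints the
# commands, DRY_RUN=0 installs them. Chain names are arbitrary.
set -eu

IP6T="${IP6T:-ip6tables}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one ip6tables invocation, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IP6T $*"
    else
        "$IP6T" "$@"
    fi
}

# Accept a list of ICMPv6 types (numbers, as in the table above) in CHAIN,
# with optional extra match arguments such as a hop-limit or source check.
accept_types() {
    chain=$1; types=$2; shift 2
    for t in $types; do
        run -A "$chain" -p icmpv6 --icmpv6-type "$t" ${1+"$@"} -j ACCEPT
    done
}

apply_icmp6_whitelist() {
    # Dedicated chains so the ICMPv6 policy is easy to flush and re-read.
    for chain in ICMP6_IN ICMP6_FWD; do
        run -N "$chain" 2>/dev/null || true
        run -F "$chain"
    done
    run -A INPUT   -p icmpv6 -j ICMP6_IN
    run -A FORWARD -p icmpv6 -j ICMP6_FWD

    # Error messages (1-4): needed for PMTU discovery and sane timeouts,
    # so allow them both to this host and through it.
    accept_types ICMP6_IN  "1 2 3 4"
    accept_types ICMP6_FWD "1 2 3 4"

    # Echo request/reply for monitoring and troubleshooting.
    accept_types ICMP6_IN  "128 129"
    accept_types ICMP6_FWD "128 129"

    # Neighbor Discovery (135/136) and, on autoconfigured subnets, Router
    # Solicitation/Advertisement (133/134). RFC 4861 requires hop limit 255
    # on all of these, which also proves the packet did not cross a router;
    # a Router Advertisement must additionally come from a link-local source.
    # They are deliberately not added to ICMP6_FWD: never forward them.
    accept_types ICMP6_IN "135 136 133" -m hl --hl-eq 255
    accept_types ICMP6_IN "134"         -m hl --hl-eq 255 -s fe80::/10

    # Multicast Listener Discovery (130-132, 143), in case an MLD-snooping
    # switch appears. MLD is sent with hop limit 1 (RFC 2710/3810).
    accept_types ICMP6_IN "130 131 132 143" -m hl --hl-eq 1

    # Everything else, including Redirect (137) and Router Renumbering
    # (138), is dropped.
    run -A ICMP6_IN  -j DROP
    run -A ICMP6_FWD -j DROP
}

apply_icmp6_whitelist
```

Run it as-is to review the generated commands, then with DRY_RUN=0 as root to install them. Where the topology allows, the Neighbor Discovery and MLD rules can be tightened further with `-s fe80::/10`, as the message suggests; note that Neighbor Solicitations sent for duplicate address detection carry the unspecified source `::`, so that restriction must be applied with care.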


