me at benedikt-stockebrand.de
Fri Aug 3 14:39:16 CEST 2012
Hi Shane and list,
> Is there any reason to filter ICMP6?
yes, in some cases you may want to filter e.g. routing headers and
such. More generally speaking, with new ICMP6 types possibly coming
up you may want to whitelist rather than blacklist individual ICMP6
> Specifically the ones that I actually see when debugging, such as
> echo (ping) and destination unreachable (traceroute)?
Ping is a matter of personal preferences, or more specifically if you
rather want to explain an external security auditor why you leave your
network open to scanning (assuming he has the average sub-limited
knowledge of IPv6) or if you rather have the necessary infrastructure
at hand to diagnose and fix a network problem.
It's really your call, or maybe your management's.
As far as the unreachables go, this is generally considered something
not to block because it leads to horrendous timeout behaviours. Geoff
Huston had a couple of implementation-specific timeout values for
various OSes at the last RIPE meeting in Ljubljana---IIRC they went up
as far as three minutes.
> Do people on this list filter such traffic?
If I was an ISP I'd rather not filter them---doing so is likely to
cause trouble with customers doing things one doesn't expect. But on
a leaf site I prefer to whitelist ICMP6s. I allow
1 Destination unreachable
2 Packet too big
3 Hop Limit exceeded
4 Parameter Problem
135, 136 Neighbor Discovery
because they are in virtually all cases essential for normal
operation. Additionally I allow
128, 129 Echo Request/Reply
because I want to be able to monitor and troubleshoot, in
subnets where I use autoconfiguration I also allow
133, 134 Router Solicitation/Advertisement
and finally in case I accidentally upgrade a switch with something
130-132, 143 Multicast Listener Discovery
Everything else is blocked. This includes
because in the network topology I'm currently running they can't occur
138 Router renumbering
because (a) I don't use it and (b) this one has rather serious
security implications. Plus whatever routing headers and such that
don't even make it on my personal list of relevant ICMP6 types.
Finally, you can frequently limit a number of ICMP6 types to traffic
between link-local addresses, with hop limit of 255, and especially if
you're using Linux exclude them from being forwarded.
> It annoys me, but I may be missing something important.
Well, the most important thing is probably some new ICMP6 type being
defined and causing significant trouble on existing implementations.
Business Grade IPv6
Consulting, Training, Projects
Benedikt Stockebrand, Dipl.-Inform. http://www.benedikt-stockebrand.de/
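The whitelist described in the post, written out as an added example (this is not code from the mail or its author). It encodes the allowed types as data, renders them as an nftables chain, and simulates the chain so the policy can be checked before it is loaded. Assumptions beyond the mail: nftables syntax with a table and chain name of my choosing, the Hop Limit 255 check from RFC 4861 applied to the four Neighbor Discovery types, the link-local source restriction applied to Router Advertisements (RFC 4861 section 6.1.2) and MLD (RFC 2710/3810: link-local source, Hop Limit 1), and the policy switches `allow_echo`, `autoconf` and `mld` mirroring the three "additionally I allow" cases.

```python
"""ICMPv6 whitelist generator and policy simulator (added example, not from the mail)."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional, Tuple

LINK_LOCAL = IPv6Network("fe80::/10")

# ICMPv6 type numbers as listed in the post, with their names for readability.
ESSENTIAL = {1: "destination-unreachable", 2: "packet-too-big",
             3: "time-exceeded", 4: "parameter-problem"}
ECHO = {128: "echo-request", 129: "echo-reply"}
ND_HOST = {135: "neighbor-solicit", 136: "neighbor-advert"}
ND_ROUTER = {133: "router-solicit", 134: "router-advert"}
MLD = {130: "mld-query", 131: "mld-report", 132: "mld-done", 143: "mldv2-report"}


@dataclass(frozen=True)
class Rule:
    types: Tuple[int, ...]            # ICMPv6 type numbers this rule matches
    hoplimit: Optional[int] = None    # required Hop Limit, None means any
    link_local_src: bool = False      # require a source inside fe80::/10
    comment: str = ""


def build_rules(allow_echo=True, autoconf=True, mld=True):
    """Return the accept rules in evaluation order; everything else is dropped."""
    rules = [Rule(tuple(ESSENTIAL), comment="essential for normal operation")]
    if allow_echo:
        rules.append(Rule(tuple(ECHO), comment="monitoring and troubleshooting"))
    # RFC 4861 requires Hop Limit 255 on every Neighbor Discovery message,
    # which keeps anything that crossed a router from matching (assumption).
    rules.append(Rule(tuple(ND_HOST), hoplimit=255, comment="neighbor discovery"))
    if autoconf:
        rules.append(Rule((133,), hoplimit=255, comment="router solicitation"))
        # RFC 4861 6.1.2: a valid Router Advertisement has a link-local source.
        rules.append(Rule((134,), hoplimit=255, link_local_src=True,
                          comment="router advertisement"))
    if mld:
        # RFC 2710 / 3810: MLD is sent from a link-local source with Hop Limit 1.
        rules.append(Rule(tuple(MLD), hoplimit=1, link_local_src=True,
                          comment="multicast listener discovery"))
    return rules


def decide(rules, icmp_type, src, hoplimit):
    """Simulate the chain: the first matching rule accepts, otherwise drop.

    Type 138 (router renumbering) and any type not listed never match."""
    src_is_link_local = IPv6Address(src) in LINK_LOCAL
    for rule in rules:
        if icmp_type not in rule.types:
            continue
        if rule.hoplimit is not None and hoplimit != rule.hoplimit:
            continue
        if rule.link_local_src and not src_is_link_local:
            continue
        return "accept"
    return "drop"


def to_nft(rules, table="filter", chain="icmp6_in"):
    """Render the rules as a regular nftables chain (names are my choice).

    The chain has no hook: jump to it from the input chain with
    'meta l4proto icmpv6 jump icmp6_in'. Link-scoped ND and MLD traffic is
    matched here only, so the forward chain never passes it on."""
    lines = [f"table inet {table} {{", f"  chain {chain} {{"]
    for rule in rules:
        match = []
        if rule.link_local_src:
            match.append("ip6 saddr fe80::/10")
        if rule.hoplimit is not None:
            match.append(f"ip6 hoplimit {rule.hoplimit}")
        types = ", ".join(str(t) for t in rule.types)
        match.append(f"icmpv6 type {{ {types} }}")
        lines.append(f"    {' '.join(match)} accept comment \"{rule.comment}\"")
    lines.append('    drop comment "everything else, including 138 router renumbering"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nft(build_rules()))
```

Running the module prints the chain; the simulator is what makes the policy reviewable: an advertisement arriving from a global source, or a neighbor advertisement that has passed through a router (Hop Limit below 255), is dropped before the ruleset is ever loaded.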