ICMP(v6) filtering?

Philipp Kern phil at philkern.de
Fri Aug 3 14:48:28 CEST 2012


On Fri, Aug 03, 2012 at 12:39:16PM +0000, Benedikt Stockebrand wrote:
> > Specifically the ones that I actually see when debugging, such as
> > echo (ping) and destination unreachable (traceroute)?
> Ping is a matter of personal preference, or more specifically whether
> you would rather explain to an external security auditor why you leave
> your network open to scanning (assuming he has the average sub-limited
> knowledge of IPv6) or would rather have the necessary infrastructure
> at hand to diagnose and fix a network problem.

And you trade that for being unable to communicate with Teredo hosts.
Depending on what you do, there's potentially a lot of Teredo traffic[1].
That's why echo request/reply is in the "must not filter" list in
RFC4890.

But then I guess that Windows would actually prefer IPv4 communication
to IPv6 Teredo communication, so the legacy IP fallback might save you
in some cases.

Kind regards
Philipp Kern

[1] With BitTorrent running behind IPv4 NAT and native IPv6 it's likely
    that you receive most of the data from Teredo endpoints. At
    surprisingly good speeds.