ICMP(v6) filtering?

Merike Kaeo merike at doubleshotsecurity.com
Sat Aug 4 03:52:49 CEST 2012

On Aug 3, 2012, at 12:42 AM, Gert Doering wrote:

> Hi,
> On Fri, Aug 03, 2012 at 09:39:18AM +0200, Shane Kerr wrote:
>> Is there any reason to filter ICMP6? Specifically the ones that I
>> actually see when debugging, such as echo (ping) and destination
>> unreachable (traceroute)?
>> Do people on this list filter such traffic?
>> It annoys me, but I may be missing something important.
> We do not filter any ICMP (we do rate-limit ICMP to our routers, though,
> to protect the control-plane).  I like ping and traceroute :-)
> If a customer insists on filtering ICMP, I point them at RFC4890
> 4890 Recommendations for Filtering ICMPv6 Messages in Firewalls. E. Davies, J. Mohacsi. May 2007. (Format: TXT=83479 bytes) (Status:
> ... which usually results in a reasonable compromise...

ICMP filtering started with the smurf attack in the mid-90s.  It doesn't necessarily make sense for IPv6 IMHO.

Rate limiting is what I've seen most folks implement and what I usually recommend, since configuring explicit ICMPv6 filters for specific types inevitably ends up with some mistakes and operational issues.

- merike
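The two positions in the thread (no transit ICMPv6 filtering, rate-limiting only toward the router's control plane, and RFC 4890's list of messages that must not be dropped) as an added nftables example; this is not from the thread or from either poster's network. Only the ICMPv6 portion of an input policy is shown, and the rate values and the `policy drop` default are assumptions, so a real ruleset needs its other accept rules added.

```nftables
# Added example, not from the thread. Assumptions: Linux nftables on a router,
# rate numbers are illustrative.
table ip6 icmp6_policy {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif "lo" accept

        # The blanket filter the thread argues against, kept commented for contrast:
        # it breaks PMTUD, Neighbor Discovery and SLAAC.
        # meta l4proto icmpv6 drop

        # RFC 4890 section 4.3.1: error messages that must not be dropped.
        # No rate limit here, or PMTUD and traceroute fail under load.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Neighbor Discovery is link-local and mandatory. RFC 4861 requires
        # hop limit 255, so any other value did not originate on-link.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept

        # Multicast Listener Discovery: needed for IPv6 multicast membership
        # (MLD-snooping switches depend on the reports).
        icmpv6 type { mld-listener-query, mld-listener-report,
                      mld-listener-done, mld2-listener-report } accept

        # Diagnostics aimed at the router itself: keep ping working, but cap
        # it so an ICMPv6 flood cannot saturate the control plane.
        icmpv6 type { echo-request, echo-reply } limit rate 10/second burst 20 packets counter accept
        icmpv6 type { echo-request, echo-reply } counter drop

        # Any other ICMPv6 addressed to the router falls through to policy drop.
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Transit ICMPv6 is deliberately left unfiltered, per the advice above.
    }
}
```

Load with `nft -f` and watch the `counter` values on the echo rules to see how often the cap actually engages before tuning the rate.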

