ICMP(v6) filtering?

Doug Barton dougb at dougbarton.us
Mon Aug 6 05:00:05 CEST 2012


On 08/03/2012 05:39, Benedikt Stockebrand wrote:
> yes, in some cases you may want to filter e.g. routing headers and
> such. 

Do you have references to this issue?

> More generally speaking, with new ICMP6 types possibly coming
> up you may want to whitelist rather than blacklist individual ICMP6
> types/codes.

This is the opposite of what should be done, for 2 reasons. First, you
should only blacklist things you know you're having problems with.
Second, by taking the approach you suggest you miss out if the protocol
changes and you don't update your filters.

The whole concept of blanket ICMP restrictions in v4 was bad, doing it
for ICMPv6 is really bad.

-- 

    I am only one, but I am one.  I cannot do everything, but I can do
    something.  And I will not let what I cannot do interfere with what
    I can do.
			-- Edward Everett Hale, (1822 - 1909)

