ICMP(v6) filtering?

Philipp Kern phil at philkern.de
Tue Aug 7 22:08:19 CEST 2012


Hi,

On Sun, Aug 05, 2012 at 08:00:05PM -0700, you wrote:
> The whole concept of blanket ICMP restrictions in v4 was bad, doing it
> for ICMPv6 is really bad.

I would like to whitelist ICMPv6 to all hosts in our network, even if the
TCP/UDP ports are currently filtered statefully and need explicit whitelisting.
But is there a cunning plan to stop address sweeping attacks that cause a lot
of neighbor solicitations and cache entries? We already have this problem with
IPv4, given that we have quite a bit of unused (legacy) space. Is the only
level to solve that some kind of IDS/IPS? Or is there also a way to rate-limit
such traffic? (Possibly at the expense of some legitimate neighbor
solicitations.)

Kind regards
Philipp Kern