ICMP(v6) filtering?

Shade shade at shadez.info
Tue Aug 7 22:16:07 CEST 2012


Hi Philipp,

Without having checked this, weren't neighbour solicitations sent with TTL
1 to avoid specifically this problem?

Kind regards,

Dimitar Pavlov
On Aug 7, 2012 11:08 PM, "Philipp Kern" <phil at philkern.de> wrote:

> Hi,
>
> On Sun, Aug 05, 2012 at 08:00:05PM -0700 you wrote the following:
> > The whole concept of blanket ICMP restrictions in v4 was bad, doing it
> > for ICMPv6 is really bad.
>
> I would like to whitelist ICMPv6 to all hosts in our network, even if the
> TCP/UDP ports are currently filtered statefully and need explicit
> whitelisting.
> But is there a cunning plan to stop address sweeping attacks that cause a
> lot of neighbor solicitations and cache entries? We already have this
> problem with IPv4, given that we have quite a bit of unused (legacy) space.
> Is the only level to solve that some kind of IDS/IPS? Or is there also a
> way to rate-limit such traffic? (Possibly at the expense of some legitimate
> neighbor solicitations.)
>
> Kind regards
> Philipp Kern
>