Icmp access lists on dhcp-pd deployments

Seth Mos seth.mos at dds.nl
Thu May 31 07:56:18 CEST 2012


Hi,

As a pfSense developer I've already seen a few of our 2.1 development installs in the field on DHCP-PD connections. Be it DHCP6 on PPPoE or on Ethernet.

What I'm seeing is that ICMP6 (echo) is allowed to the internet but I can't actually ping the link-local address of the default gateway.

Is this something that could be worked into an RFC so that users can always verify that their default gateway works? It seems highly counterintuitive to block ICMP6 for a link that you know belongs to your client and own network.

Surely it must be something as simple as an erroneous ACL that does allow all traffic from the registered prefix, but not the fe80::/10 which could be on any interface.

I was wondering if many more people are seeing this behaviour.

On another note, I'm also seeing this on 6rd relays. For example, the Charter 6rd relay does not respond to ICMP6 and as such you don't know if it works. I mean, it can't really be their intention that we all ping6 ipv6.google.com to see if our connection works? That seems silly.

On IPv4 I have always been able to ping my default gateway on any ISP. Why block this now? Oh wait, maybe that's why PMTU doesn't work.

Cheers,

Seth

