Icmp access lists on dhcp-pd deployments

SM sm at resistor.net
Thu May 31 15:58:40 CEST 2012


Hi Seth,
At 22:56 30-05-2012, Seth Mos wrote:
>As a pfSense developer I've already seen a few of our 2.1 
>development installs in the field on DHCP-PD connections. Be it 
>DHCP6 on PPPoE or on Ethernet.
>
>What I'm seeing is that ICMP6 (echo) is allowed to the internet but 
>I can't actually ping the link-local address of the default gateway.
>
>Is this something that could be worked into an RFC so that users can 
>always verify that their default gateway works? It seems highly 
>counterintuitive to block ICMP6 for a link that you know belongs to 
>your client and own network.

RFC 4890 provides some recommendations about filtering ICMPv6 
messages in firewalls.  There is a discussion of ICMPv6 Echo in that 
document.  Does it address the above?

Regards,
-sm






More information about the ipv6-ops mailing list