ipv6 network fail (newbie alert)

Darren Pilgrim list_ipv6-ops at bluerosetech.com
Wed Mar 20 18:34:36 CET 2013


On 2013-03-20 00:48, Nick Edwards wrote:
> ok, so, it would be best to simply remove all icmp/icmp6 options,
> clear them all out, but then use :
> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
> blocking nothing else?

That's excessively liberal, IMO, as there are things you should block. 
Some types should only have specific types of source or destination 
addresses or have a certain hop limit.  Filtering on this basis prevents 
some forms of malicious use.  For example, RA and NDP packets can be 
limited to a hop limit of 255.  Multicast does its ICMPv6 using only 
link-local addresses.  If you aren't going to use router advertisements, 
you can avoid the rogue router issue entirely by dropping type 134. 
There are types which actually are a security problem and should be 
dropped unless you know you need them.

Really it comes down to reading RFC 4890 and doing your homework. 
Debate about the entrance bar to IPv6 adminship aside, if you can't be 
bothered, there are blogs which publish ip6tables rulesets built 
directly from the RFC.
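The filtering Darren describes (hop limit 255 on NDP, link-local sources for the multicast listener types, dropping type 134 on a host that does not use router advertisements, dropping the rest by default), written out as an ip6tables-restore fragment. This is an added example for this page, not a ruleset posted in the thread or taken from RFC 4890 verbatim; the chain name ICMPV6_IN, the accept_ra argument and the rate limits are this script's own choices, and the MLD source check assumes hosts have a link-local address before they send reports.

```shell
#!/bin/sh
# Added example for this page (not a ruleset posted in the thread): emit an
# ip6tables-restore fragment for inbound ICMPv6 built along the lines of
# RFC 4890 section 4.4. Review the output, then load it with
#   icmpv6_ruleset no | ip6tables-restore --noflush
# The chain name ICMPV6_IN and the accept_ra argument are this script's own.

# icmpv6_ruleset <accept_ra>   accept_ra is "yes" on hosts that use SLAAC/RAs
icmpv6_ruleset() {
    accept_ra="${1:-no}"
    printf '%s\n' '*filter'
    printf '%s\n' ':ICMPV6_IN - [0:0]'
    printf '%s\n' '-A INPUT -p icmpv6 -j ICMPV6_IN'

    # Error messages (1-4) are never dropped: Packet Too Big (2) is what
    # makes path MTU discovery work, and IPv6 routers do not fragment.
    for t in 1 2 3 4; do
        printf '%s\n' "-A ICMPV6_IN -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done

    # Echo. Nick's rule dropped echo-request outright; RFC 4890 says to
    # allow it, so this version accepts it with a rate limit instead.
    printf '%s\n' '-A ICMPV6_IN -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s --limit-burst 20 -j ACCEPT'
    printf '%s\n' '-A ICMPV6_IN -p icmpv6 --icmpv6-type 129 -j ACCEPT'

    # MLD (130-132, 143) is sent from a link-local address with hop limit 1;
    # a packet that fails either test did not come from the local link.
    # (Assumption: no host on the link sends MLD reports from :: before it
    # has a link-local address; add a second rule for ::/128 if one does.)
    for t in 130 131 132 143; do
        printf '%s\n' "-A ICMPV6_IN -p icmpv6 --icmpv6-type $t -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT"
    done

    # NDP (133-137). Senders set hop limit 255 and receivers must discard
    # anything else (RFC 4861), so a lower hop limit means the packet
    # crossed a router: spoofed or misrouted either way.
    printf '%s\n' '-A ICMPV6_IN -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT'
    # Router Advertisement (134): the rogue-router problem goes away on a
    # host that does not need RAs, so it is dropped unless asked for.
    if [ "$accept_ra" = yes ]; then
        printf '%s\n' '-A ICMPV6_IN -p icmpv6 --icmpv6-type 134 -s fe80::/10 -m hl --hl-eq 255 -j ACCEPT'
    else
        printf '%s\n' '-A ICMPV6_IN -p icmpv6 --icmpv6-type 134 -j DROP'
    fi
    # Neighbor Solicitation/Advertisement (135/136): DAD uses :: as the
    # source, so only the hop limit is checked here.
    for t in 135 136; do
        printf '%s\n' "-A ICMPV6_IN -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done

    # Redirect (137), Router Renumbering (138) and Node Information
    # Query/Response (139/140) are the "security problem unless you need
    # them" types; they fall through to the default drop below, which
    # also catches anything that failed the hop-limit or source checks.
    printf '%s\n' '-A ICMPV6_IN -m limit --limit 5/min -j LOG --log-prefix "icmpv6-drop: "'
    printf '%s\n' '-A ICMPV6_IN -j DROP'
    printf '%s\n' 'COMMIT'
}

icmpv6_ruleset "${1:-no}"
```

Run it as `sh icmpv6-rules.sh yes` on a host that relies on SLAAC, or with `no` (the default) on a statically configured host; the INPUT jump assumes an INPUT policy or later rule that already drops unsolicited traffic, and the `-m hl` / `-m limit` matches need the corresponding ip6tables extension modules, which every mainstream distribution ships.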

