ICMP(v6) filtering?
Merike Kaeo
merike at doubleshotsecurity.com
Sat Aug 4 03:52:49 CEST 2012
On Aug 3, 2012, at 12:42 AM, Gert Doering wrote:
> Hi,
>
> On Fri, Aug 03, 2012 at 09:39:18AM +0200, Shane Kerr wrote:
>> Is there any reason to filter ICMP6? Specifically the ones that I
>> actually see when debugging, such as echo (ping) and destination
>> unreachable (traceroute)?
>>
>> Do people on this list filter such traffic?
>>
>> It annoys me, but I may be missing something important.
>
> We do not filter any ICMP (we do rate-limit ICMP to our routers, though,
> to protect the control-plane). I like ping and traceroute :-)
>
> If a customer insists on filtering ICMP, I point them at RFC4890
>
> 4890 Recommendations for Filtering ICMPv6 Messages in Firewalls. E.
> Davies, J. Mohacsi. May 2007. (Format: TXT=83479 bytes) (Status:
> INFORMATIONAL)
>
> ... which usually results in a reasonable compromise...
ICMP filtering started with the smurf attack in the mid-90s. It doesn't necessarily make sense for IPv6 IMHO.
Rate limiting is what I've seen most folks implement and what I usually recommend since configuring explicit ICMPv6 filters
for specific types ends up inevitably with some mistakes and operational issues.
- merike
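As an added example (not from the thread, and not Gert's or Merike's configuration), a minimal nftables ruleset for a Linux router that follows the advice above: pass transit ICMPv6 through unfiltered, and rate-limit only what is addressed to the router itself, keeping the RFC 4890 "must not drop" types reachable. The table name and rate values are illustrative assumptions.

```nft
# Added example: control-plane protection for ICMPv6 on a Linux router.
# Assumptions: rate values are illustrative, tune them to the platform.
table inet icmp6_policy {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Transit ICMPv6 is not filtered: PMTUD, traceroute and ping keep working.
        # The counter only makes the traffic visible in 'nft list ruleset'.
        meta l4proto icmpv6 counter accept
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # RFC 4890 4.3.1: error messages the router itself needs (PMTUD, diagnostics).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Neighbor Discovery is link-local only; legitimate NDP always carries hop limit 255.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept
        # MLD is required on multicast-enabled links (routing protocols, NDP itself).
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
        # Ping to the router is allowed but capped so it cannot starve the CPU.
        icmpv6 type echo-request limit rate 50/second burst 100 packets accept
        icmpv6 type echo-request counter drop
        # Any other ICMPv6 addressed to the router shares one global cap.
        meta l4proto icmpv6 limit rate 20/second accept
        meta l4proto icmpv6 counter drop
    }
}
```

Load with `nft -f` and watch the drop counters: a rising counter on the echo-request drop rule shows the limit is doing work, while rising counters on the last rule show unexpected ICMPv6 types reaching the control plane.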