Icmp access lists on dhcp-pd deployments
Seth Mos
seth.mos at dds.nl
Thu May 31 16:29:39 CEST 2012
On 31-5-2012 15:58, SM wrote:
> Hi Seth,
> At 22:56 30-05-2012, Seth Mos wrote:
>> As a pfSense developer I've already seen a few of our 2.1 development
>> installs in the field on DHCP-PD connections. Be it DHCP6 on PPPoE or
>> on ethernet.
>>
>> What I'm seeing is that ICMP6 (echo) is allowed to the internet but I
>> can't actually ping the link-local address of the default gateway.
>>
>> Is this something that could be worked into a RFC so that users can
>> always verify that their default gateway works? It seems highly
>> counter intuitive to block ICMP6 for a link that you know belongs to
>> your client and own network.
>
> RFC 4890 provides some recommendations about filtering ICMPv6 messages
> in firewalls. There is a discussion of ICMPv6 Echo in that document.
> Does it address the above?
I think it does, but they mention echo and reply separate from the
router advertisements and solicits.
They do not explicitly cover the case of ICMP6 echo/reply on link-local
addressing, although section 4.4 "Recommendations for ICMPv6 Local
Configuration Traffic" says this:
"4.4.1. Traffic That Must Not Be Dropped
Error messages that are essential to the establishment and
maintenance of communications:
o Destination Unreachable (Type 1) - All codes
o Packet Too Big (Type 2)
o Time Exceeded (Type 3) - Code 0 only
o Parameter Problem (Type 4) - Codes 1 and 2 only
Connectivity checking messages:
o Echo Request (Type 128)
o Echo Response (Type 129)
As discussed in Section 4.3.1,"
I would think that covers link-local traffic, so that makes me wonder
why an ISP would find blocking this necessary.
Regards,
Seth
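As an added illustration (not part of the original thread, and not pfSense code), the following Python snippet parses an IPv6/ICMPv6 packet and applies the RFC 4890 section 4.4.1 "must not be dropped" list quoted above to link-local traffic, so a filter can be checked against the case Seth describes. The helper names build_packet, parse_icmpv6 and must_not_drop are hypothetical, the packets are constructed, and it assumes no IPv6 extension headers sit between the IPv6 header and the ICMPv6 header.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# RFC 4890 section 4.4.1 "Traffic That Must Not Be Dropped" for local
# configuration traffic: ICMPv6 type -> permitted codes (None = all codes).
MUST_NOT_DROP = {
    1: None,     # Destination Unreachable, all codes
    2: None,     # Packet Too Big
    3: {0},      # Time Exceeded, code 0 only
    4: {1, 2},   # Parameter Problem, codes 1 and 2 only
    128: None,   # Echo Request
    129: None,   # Echo Response
}


def parse_icmpv6(packet: bytes):
    """Return (src, dst, icmp_type, icmp_code), or None if not plain IPv6+ICMPv6.

    Assumption: no extension headers, so the ICMPv6 header starts at byte 40."""
    if len(packet) < 44:
        return None
    if packet[0] >> 4 != 6 or packet[6] != ICMPV6_NEXT_HEADER:
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return src, dst, packet[40], packet[41]


def must_not_drop(packet: bytes) -> bool:
    """True if this is on-link (link-local to link-local) ICMPv6 that a
    filter must pass according to the quoted section 4.4.1 list."""
    parsed = parse_icmpv6(packet)
    if parsed is None:
        return False
    src, dst, icmp_type, icmp_code = parsed
    if src not in LINK_LOCAL or dst not in LINK_LOCAL:
        return False            # section 4.4 is about local configuration traffic
    if icmp_type not in MUST_NOT_DROP:
        return False
    codes = MUST_NOT_DROP[icmp_type]
    return codes is None or icmp_code in codes


def build_packet(src: str, dst: str, icmp_type: int, icmp_code: int) -> bytes:
    """Constructed IPv6+ICMPv6 packet for testing; checksum is left as zero."""
    icmp = struct.pack("!BBH", icmp_type, icmp_code, 0)
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6_NEXT_HEADER, 255)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + icmp
```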