ipv6 network fail (newbie alert)

Darren Pilgrim list_ipv6-ops at bluerosetech.com
Wed Mar 20 18:34:36 CET 2013


On 2013-03-20 00:48, Nick Edwards wrote:
> ok, so, it would be best to simply remove all icmp/icmp6 options,
> clear them all out, but then use :
> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
> blocking nothing else?

That's excessively liberal, IMO, as there are things you should block. 
Some types should only have specific types of source or destination 
addresses or have a certain hop limit.  Filtering on this basis prevents 
some forms of malicious use.  For examples, RA and NDP packets can be 
limited to a hop limit of 255.  Multicast does it ICMPv6 using only 
link-local addresses.  If you aren't going to use router advertisements, 
you can avoid the rogue router issue entirely by dropping type 134. 
There are types which actually are a security problem and should be 
dropped unless you know you need them.

Really it comes down to reading RFC 4890 and doing your homework. 
Debate about the entrance bar to IPv6 adminship aside, if you can't be 
bothered, there are blogs which publish ip6tables rulesets built 
directly from the RFC.



More information about the ipv6-ops mailing list