G root servers unreachable via ICMP(v6)

William Herrin bill at herrin.us
Tue May 16 04:41:48 UTC 2023


On Mon, May 15, 2023 at 8:38 PM Willy Manga <mangawilly at gmail.com> wrote:
> Side question: even if it was by design, is it a good practice to
> completely restrict ICMP(v6)?

Answering only your side question: there's a difference between
completely restricting ICMPv6 and restricting echo-request.

Restricting echo-request is more or less harmless. You deny
troubleshooters insight into your system, but that's a wash because
you deny hackers the same thing. And if you're popular enough to be a
target for "am I connected to the Internet right now" probes and don't
want to be, restricting it is not the worst idea.

Restricting all ICMPv6 is disastrous. Similar to IPv4, machines
running IPv6 require ICMPv6 packet-too-big messages to successfully
implement path MTU discovery. Without them, many protocols do not work
reliably. This includes TCP.

Regards,
Bill Herrin

-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
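
Added example, not part of the original message: a small simulation of the point above, showing a sender doing path MTU discovery behind a firewall that drops only echo-request versus one that drops all ICMPv6. The policy names, function names and hop MTUs are assumptions made for illustration, and the firewall is a simplified model that looks only at the ICMPv6 type.

```python
import struct

PACKET_TOO_BIG = 2    # ICMPv6 type, RFC 4443
ECHO_REQUEST = 128    # ICMPv6 type, RFC 4443

def icmpv6(msg_type, word, code=0):
    """Pack the fixed 8-byte ICMPv6 header: type, code, checksum, 32-bit word.
    For Packet Too Big the word is the next-hop MTU. Checksum is left 0 here."""
    return struct.pack("!BBHI", msg_type, code, 0, word)

def firewall_allows(policy, msg):
    """Hypothetical policies: 'block-echo' drops only echo-request,
    'block-all' drops every ICMPv6 message."""
    msg_type = msg[0]
    if policy == "block-all":
        return False
    if policy == "block-echo":
        return msg_type != ECHO_REQUEST
    raise ValueError(f"unknown policy: {policy}")

def send(policy, size, link_mtus, max_tries=5):
    """Send a `size`-byte packet over hops with the given MTUs.
    IPv6 routers do not fragment: an oversized packet is dropped and a
    Packet Too Big is returned to the sender, whose firewall applies `policy`.
    Returns (delivered, path_mtu, attempts)."""
    pmtu = link_mtus[0]
    for attempt in range(1, max_tries + 1):
        pkt = min(size, pmtu)
        too_small = next((m for m in link_mtus if m < pkt), None)
        if too_small is None:
            return True, pmtu, attempt
        ptb = icmpv6(PACKET_TOO_BIG, too_small)
        if firewall_allows(policy, ptb):
            # Sender learns the smaller MTU and retries with smaller packets.
            pmtu = struct.unpack("!BBHI", ptb)[3]
        # Otherwise the PTB is lost and the same oversized packet is resent.
    return False, pmtu, max_tries

if __name__ == "__main__":
    path = [1500, 1400, 1280]   # constructed hop MTUs
    for policy in ("block-echo", "block-all"):
        print(policy, send(policy, 1500, path))
```

With "block-all", packets that already fit the smallest hop still get through, which is why the breakage shows up only on larger transfers.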

