IPv6 filtering

Owen DeLong owen at delong.com
Tue Jan 25 23:25:49 CST 2011


On Jan 25, 2011, at 9:03 PM, Franck Martin wrote:

> 
>    • ipv6 41 IPv6 # IPv6 
>    • ipv6-route 43 IPv6-Route # Routing Header for IPv6 
>    • ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6 
>    • ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6 
>    • ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6 
>    • ipv6-icmp 58 IPv6-ICMP icmpv6 icmp6 # ICMP for IPv6 
>    • ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6 
>    • ipv6-opts 60 IPv6-Opts # Destination Options for IPv6 
> 
> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4. 
> 
> But what about the others, should they be blocked, restricted? 
> 
> Does a ios "deny ipv6 any any" affect them?

DO NOT filter IPv6 ICMP like you filter IPv4.

If you do, you will break PMTU-Discovery, Neighbor Discovery,
and RA/SLAAC, all of which depend on ICMPv6.

Owen





More information about the NANOG mailing list