IPv6 filtering
Owen DeLong
owen at delong.com
Wed Jan 26 05:25:49 UTC 2011
On Jan 25, 2011, at 9:03 PM, Franck Martin wrote:
>
> • ipv6 41 IPv6 # IPv6
> • ipv6-route 43 IPv6-Route # Routing Header for IPv6
> • ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
> • ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6
> • ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6
> • ipv6-icmp 58 IPv6-ICMP icmpv6 icmp6 # ICMP for IPv6
> • ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6
> • ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
>
> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
>
> But what about the others, should they be blocked, restricted?
>
> Does an IOS "deny ipv6 any any" affect them?
DO NOT filter IPv6 ICMP like you filter IPv4.
If you do, you will break PMTU-Discovery, Neighbor Discovery,
and RA/SLAAC, all of which depend on ICMPv6.
Owen
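
Added example, not part of the original post: a small audit that runs a first-match ICMPv6 filter against the three functions named in the reply and reports which ones the filter would break. The rule format and policy names are hypothetical; the type numbers are the standard ICMPv6 ones (2 Packet Too Big, 133/134 Router Solicitation/Advertisement, 135/136 Neighbor Solicitation/Advertisement), and the model assumes the filter sits on the link where hosts do ND and SLAAC.

```python
# ICMPv6 message types each function from the reply depends on.
REQUIRED = {
    "PMTU-Discovery": {2},              # Packet Too Big
    "Neighbor Discovery": {135, 136},   # Neighbor Solicitation / Advertisement
    "RA/SLAAC": {133, 134},             # Router Solicitation / Advertisement
}

def first_match(rules, icmp_type):
    """Return the action of the first rule matching icmp_type (default deny).

    rules is a hypothetical format: a list of (action, types) pairs where
    types is a set of ICMPv6 type numbers or the string "any".
    """
    for action, types in rules:
        if types == "any" or icmp_type in types:
            return action
    return "deny"

def broken_functions(rules):
    """Map each required function to the ICMPv6 types the rule list drops."""
    result = {}
    for name, types in REQUIRED.items():
        dropped = sorted(t for t in types if first_match(rules, t) != "permit")
        if dropped:
            result[name] = dropped
    return result

# Constructed policies for illustration.
# "Filtered like IPv4": only echo request/reply (128/129) allowed.
IPV4_STYLE = [("permit", {128, 129}), ("deny", "any")]
# Same policy with the types from REQUIRED permitted ahead of the deny.
ICMPV6_AWARE = [("permit", {2, 133, 134, 135, 136}),
                ("permit", {128, 129}),
                ("deny", "any")]
# A permit placed after the catch-all deny never matches.
MISORDERED = [("deny", "any"), ("permit", {2, 133, 134, 135, 136})]

if __name__ == "__main__":
    for label, policy in [("ipv4-style", IPV4_STYLE),
                          ("icmpv6-aware", ICMPV6_AWARE),
                          ("misordered", MISORDERED)]:
        print(label, broken_functions(policy) or "nothing broken")
```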