IPv6 filtering

Paul Graydon paul at paulgraydon.co.uk
Tue Jan 25 23:42:03 CST 2011


I may be dense, networking isn't my primary field (sysadmin)... but isn't 
ICMP there for a good reason?  I.e. congestion control?  I've always 
argued vehemently with PCI-DSS and similar auditors that I will not 
filter /all/ ICMP traffic on the border.

Paul

On 1/25/2011 7:20 PM, Franck Martin wrote:
> Well, we filter ICMP due to exploits; if no exploits, then we can let the whole of ICMPv6 through. Or is there something terribly dangerous in ICMPv6 already?
>
> ----- Original Message -----
> From: "Roland Dobbins" <rdobbins at arbor.net>
> To: "nanog group" <nanog at nanog.org>
> Sent: Wednesday, 26 January, 2011 6:13:26 PM
> Subject: Re: IPv6 filtering
>
>
> On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
>
>> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
> Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.
>
> ------------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Most software today is very much like an Egyptian pyramid, with millions
> of bricks piled on top of each other, with no structural integrity, but
> just done by brute force and thousands of slaves.
>
> 			  -- Alan Kay