IPv6 filtering

Hank Nussbacher hank at efes.iucc.ac.il
Wed Jan 26 05:46:54 UTC 2011


At 18:20 26/01/2011 +1300, Franck Martin wrote:
>Well we filter icmp due to exploits, if no exploits, then we can let the 
>whole of icmpv6 through. Or is there something terribly dangerous in 
>icmpv6 already?

Ever since Cisco came out with "IPv6 Routing Header Vulnerability" in 2007
http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0fd.shtml

I have had the following enabled:

On the protected interface:
ipv6 traffic-filter filter-rh in

ipv6 access-list filter-rh
  deny ipv6 any any log routing
  permit ipv6 any any

and have stopped many pkts that way.  I still occasionally see hits in our 
log from all sorts of newbies who continue to try old bugs.

-Hank
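
Added example, not part of the original message: a Python sketch of what a match on the Routing extension header, as in the ACL above, keys on. It walks the IPv6 extension-header chain and reports each Routing header's type, which shows that denying every Routing header also drops Type 2 (used by Mobile IPv6) along with Type 0. The function names, the `rh0_only` option and the sample packets are constructed for illustration.

```python
import struct

# Extension headers walked here (RFC 8200 next-header values)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def routing_header_types(packet: bytes) -> list:
    """Return the Routing Type of each Routing header in a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, found = packet[6], 40, []
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, ext_len = packet[offset], packet[offset + 1]
        if next_header == ROUTING:
            found.append(packet[offset + 2])  # Routing Type field
        if next_header == FRAGMENT:
            # Fragment header is a fixed 8 bytes; a non-first fragment
            # carries no further headers that can be parsed.
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3:
                break
            offset += 8
        else:
            offset += (ext_len + 1) * 8
        next_header = following
    return found

def verdict(packet: bytes, rh0_only: bool = False) -> str:
    """Model 'deny any Routing header, permit the rest'; rh0_only is a
    hypothetical narrower policy that denies Type 0 only."""
    types = routing_header_types(packet)
    hit = 0 in types if rh0_only else bool(types)
    return "deny" if hit else "permit"

def ipv6(next_header: int, payload: bytes) -> bytes:
    # Constructed sample header: 2001:db8::1 -> 2001:db8::2, hop limit 64
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = src[:15] + b"\x02"
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def routing_header(rtype: int) -> bytes:
    # 24-byte Routing header with one address, followed by "no next header" (59)
    return bytes([59, 2, rtype, 1]) + bytes(4) + bytes.fromhex("20010db8" + "00" * 11 + "03")

# Constructed packets: no extension headers, RH0, RH2, and RH0 behind Destination Options
PLAIN = ipv6(59, b"")
RH0 = ipv6(ROUTING, routing_header(0))
RH2 = ipv6(ROUTING, routing_header(2))
DOPT_RH0 = ipv6(DEST_OPTS, bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0]) + routing_header(0))
```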




