IPv6 filtering

Hank Nussbacher hank at efes.iucc.ac.il
Tue Jan 25 23:46:54 CST 2011

At 18:20 26/01/2011 +1300, Franck Martin wrote:
>Well we filter icmp due to exploits, if no exploits, then we can let the 
>whole of icmpv6 through. Or is there something terribly dangerous in 
>icmpv6 already?

Ever since Cisco came out with "IPv6 Routing Header Vulnerability" in 2007, I have had the following enabled:

On the protected interface:
ipv6 traffic-filter filter-rh in

ipv6 access-list filter-rh
  deny ipv6 any any log routing
  permit ipv6 any any

and have stopped many pkts that way.  I still occasionally see hits in our 
log from all sorts of newbies who continue to try old bugs.
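
The following is an added example, not part of the original post: it shows the extension-header walk needed to tell whether a packet carries a Routing header (Next Header 43), which is what the ACL above matches on. The function names and sample packets are constructed for illustration.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}


def find_routing_header(packet: bytes):
    """Return (routing_type, segments_left) of the first Routing header, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == ROUTING:
            return packet[offset + 2], packet[offset + 3]
        if next_header == FRAGMENT:
            # Fixed 8 bytes; in a non-first fragment the rest of the chain is absent.
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3:
                return None
            size = 8
        elif next_header == AH:
            size = (length_field + 2) * 4   # AH length is in 4-byte units, minus 2
        else:
            size = (length_field + 1) * 8   # 8-byte units, not counting the first 8
        next_header, offset = following, offset + size
    return None


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet using documentation-prefix (2001:db8::/32) addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


# Constructed samples: a type 0 Routing header holding one address, and a padded Hop-by-Hop header.
RH0 = bytes([59, 2, 0, 1]) + bytes(4) + bytes.fromhex("20010db8000000000000000000000003")
HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])
ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])    # ICMPv6 echo request, checksum left zero

if __name__ == "__main__":
    for name, pkt in [("plain echo", build_ipv6(58, ECHO)),
                      ("RH0 first", build_ipv6(ROUTING, RH0)),
                      ("HBH then RH0", build_ipv6(HOP_BY_HOP, HBH + RH0))]:
        print(name, "->", find_routing_header(pkt))
```

A match on the upper-layer protocol alone would miss the third sample, where the Routing header sits behind a Hop-by-Hop header; the chain has to be walked.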

