IPv6 filtering

Mark D. Nagel mnagel at willingminds.com
Tue Jan 25 23:49:12 CST 2011


On 1/25/2011 9:25 PM, Owen DeLong wrote:
>
> DO NOT filter IPv6 ICMP like you filter IPv4.
>
> If you do, you will break PMTU-Discovery, Neighbor Discovery,
> and RA/SLAAC, all of which depend on ICMPv6.
>

This can bite you in unexpected ways, too.  For example, on a Cisco ASA,
if you add a system-level 'icmpv6 permit' line and if this does not
include ND, then you break ND responses to the ASA.  This is much unlike
ARP, which is unaffected by 'icmp permit' statements for IPv4.  And, the
default with no such lines is to permit all ICMP/ICMPv6 to the ASA. This
seems so obvious in retrospect, but at the time was a bit of a
head-scratcher.

Mark

-- 
Mark D. Nagel, CCIE #3177 <mnagel at willingminds.com>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 949-623-9854

*** Please send support requests to support at willingminds.com! *** 





More information about the NANOG mailing list