[ipv6hackers] IPv6 security (slides and training)

Fernando Gont fgont at si6networks.com
Sun Nov 13 09:33:44 CET 2011


On 11/09/2011 10:45 PM, Owen DeLong wrote:
>>> I had a very heated argument some time ago with one person that said
>>> that deploying IPv6 was an unacceptable proposition to him because
>>> some ICMP messages had to be let through filters. 
>>
>> This is pretty dumb, since the same thing applied to IPv4: some messages
>> -- notably "frag needed and df bit set" -- must not be filtered. It is
>> filtering such messages that e.g. has led to PMTUD black-holes.
> 
> In case you've been living under a rock, hardly anyone actually expects
> IPv4 PMTU-D to work. We've all long-since worked around broken ICMP
> filters in IPv4.

For the most part, what has worked around PMTUD blackholes is the fact
that Ethernet is so widely deployed, that in many cases the Path-MTU is
1500 bytes, and hence PMTUD is not really triggered. PMTUD has been
broken well before any implementations incorporated any sort of PMTUD
blackhole detection.

In any case, this is not the point I was trying to make. The point was
that if IPv6 is deemed insecure because it requires you to not filter
some ICMP, then IPv4 is as equally insecure, because it also requires
you to not filter some ICMP. (i.e., this is not really a "new" thing).

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
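The message types the thread is arguing about are concrete: IPv4 PMTUD (RFC 1191) depends on ICMP Destination Unreachable code 4 ("fragmentation needed and DF set"), and IPv6 PMTUD (RFC 8201) depends on ICMPv6 Packet Too Big (type 2). The following is an added example, not code from the list or from any poster: it parses constructed sample headers for both message kinds, pulls out the advertised next-hop MTU, and audits a firewall permit-list for the entries whose absence black-holes large packets. The header layouts follow RFC 1191 and RFC 4443; the sample bytes and the function names are assumptions made for this illustration.

```python
import struct
from typing import Optional

# Constructed sample ICMP headers (not captures). Checksums are left at zero
# because this example only inspects type, code and MTU fields.

# IPv4 ICMP Destination Unreachable, code 4 (frag needed and DF set):
# bytes 0-1 type/code, 2-3 checksum, 4-5 unused, 6-7 next-hop MTU (RFC 1191).
ICMPV4_FRAG_NEEDED_MSG = struct.pack("!BBHHH", 3, 4, 0, 0, 1280)

# ICMPv6 Packet Too Big, code 0: bytes 4-7 carry the MTU (RFC 4443).
ICMPV6_PACKET_TOO_BIG_MSG = struct.pack("!BBHI", 2, 0, 0, 1280)

# IPv4 Echo Request (type 8): a filter may drop it without affecting PMTUD.
ICMPV4_ECHO_REQUEST_MSG = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)

# The one (type, code) per IP version that PMTUD cannot function without.
PMTUD_REQUIRED = {4: [(3, 4)], 6: [(2, 0)]}


def parse_icmp(version: int, msg: bytes) -> dict:
    """Return type, code and, for PMTUD messages, the advertised MTU."""
    if version not in (4, 6):
        raise ValueError("version must be 4 or 6")
    if len(msg) < 8:
        raise ValueError("ICMP/ICMPv6 header is at least 8 bytes")
    icmp_type, code = msg[0], msg[1]
    mtu: Optional[int] = None
    if version == 4 and (icmp_type, code) == (3, 4):
        mtu = struct.unpack("!H", msg[6:8])[0]
    elif version == 6 and (icmp_type, code) == (2, 0):
        mtu = struct.unpack("!I", msg[4:8])[0]
    return {"version": version, "type": icmp_type, "code": code, "mtu": mtu}


def pmtud_critical(version: int, icmp_type: int, code: int) -> bool:
    """True if dropping this message would blind the sender to the path MTU."""
    return (icmp_type, code) in PMTUD_REQUIRED[version]


def blackhole_risk(version: int, permitted: set) -> list:
    """Return the PMTUD-critical (type, code) pairs a permit-list omits.

    An empty list means large packets will not be silently black-holed by
    this filter; anything else is the exact rule the filter is missing.
    """
    return [tc for tc in PMTUD_REQUIRED[version] if tc not in permitted]


def filter_verdict(version: int, msg: bytes, permitted: set) -> str:
    """Classify one message under a permit-list policy (empty set = drop all)."""
    hdr = parse_icmp(version, msg)
    if (hdr["type"], hdr["code"]) in permitted:
        return "permit"
    if pmtud_critical(version, hdr["type"], hdr["code"]):
        return "drop (breaks PMTUD)"
    return "drop"


if __name__ == "__main__":
    drop_all: set = set()
    for ver, sample in ((4, ICMPV4_FRAG_NEEDED_MSG), (6, ICMPV6_PACKET_TOO_BIG_MSG)):
        print(ver, parse_icmp(ver, sample), filter_verdict(ver, sample, drop_all))
    print("v6 permit-list missing:", blackhole_risk(6, {(1, 0), (3, 0)}))
```

The asymmetry the thread does not spell out is why the IPv6 case is less forgiving: IPv4 routers may fragment packets that lack the DF bit, so a host whose "frag needed" messages are filtered can still get through once it stops setting DF, whereas IPv6 routers never fragment in transit (RFC 8200), so a filtered Packet Too Big leaves the sender with no signal at all until a fallback such as packetization-layer PMTUD (RFC 4821) kicks in.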