[ipv6hackers] Operational ICMPv6 Filtering

Marksteiner, Stefan stefan.marksteiner at joanneum.at
Tue May 29 17:10:42 CEST 2012


Hi,

in [1] it's stated that most of the ICMPv6 Destination Unreachable messages are to be permitted through intermediate devices (i.e. firewalls; on p. 33). On the other hand, [2] describes an ICMPv6 blind connection reset attack based on "hard errors" (p. 12). I know that this is eventually a stack implementer's issue, as hosts should basically not accept "hard errors" in an established connection, but my question is: should operators rely on implementers or just block Destination Unreachable and the like and take the drawback of having their hosts wait for timeouts instead of getting errors?

Cheers,

Stefan

[1] http://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering-03
[2] http://tools.ietf.org/html/rfc5927
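The host-side mitigation Stefan refers to, written out as an added example (not code from the list or from either cited document): an ICMPv6 Destination Unreachable is only acted on if the TCP segment it embeds matches a known connection and lies inside that connection's send window, and "hard" codes abort the connection only while it is still in SYN-SENT. The set of hard-error codes is my reading of RFC 5927 and is an assumption to check against the RFC; the packet builder and connection records are constructed sample data.

```python
import struct
from dataclasses import dataclass

# Destination Unreachable codes RFC 5927 lists as ICMPv6 "hard errors" (assumption,
# verify against the RFC): 1 admin prohibited, 3 address unreachable, 4 port unreachable.
HARD_ERROR_CODES = {1, 3, 4}

@dataclass
class TcpConn:
    """Minimal TCB: ports, state and the send window (SND.UNA, SND.NXT)."""
    local_port: int
    remote_port: int
    state: str          # "SYN-SENT", "ESTABLISHED", ...
    snd_una: int
    snd_nxt: int

def build_dest_unreach(code, sport, dport, seq):
    """Constructed sample: ICMPv6 type 1 carrying the offending IPv6 header plus the
    first 8 bytes of the TCP segment (checksum left at 0, addresses zeroed)."""
    icmp_hdr = struct.pack("!BBHI", 1, code, 0, 0)                 # type, code, csum, unused
    ip6_hdr = struct.pack("!IHBB16s16s", 0x60000000, 20, 6, 64, bytes(16), bytes(16))
    tcp_hdr = struct.pack("!HHI", sport, dport, seq)               # sport, dport, seq
    return icmp_hdr + ip6_hdr + tcp_hdr

def parse_dest_unreach(pkt):
    """Return (code, sport, dport, seq) of the embedded TCP segment, or None."""
    if len(pkt) < 56 or pkt[0] != 1 or pkt[14] != 6:   # type 1, inner next header = TCP
        return None
    sport, dport, seq = struct.unpack("!HHI", pkt[48:56])
    return pkt[1], sport, dport, seq

def handle_dest_unreach(pkt, conns):
    """Apply the RFC 5927 host-side checks and report what the stack should do."""
    parsed = parse_dest_unreach(pkt)
    if parsed is None:
        return "ignore: not an ICMPv6 Destination Unreachable for a TCP segment"
    code, sport, dport, seq = parsed
    # The embedded segment was sent by this host, so its source port is our local port.
    conn = next((c for c in conns if (c.local_port, c.remote_port) == (sport, dport)), None)
    if conn is None:
        return "ignore: no matching connection"
    # Sequence check: seq must lie in [SND.UNA, SND.NXT), compared modulo 2^32.
    if (seq - conn.snd_una) & 0xFFFFFFFF >= (conn.snd_nxt - conn.snd_una) & 0xFFFFFFFF:
        return "ignore: embedded sequence number outside the send window"
    if code not in HARD_ERROR_CODES:
        return "soft error: keep connection, report to application"
    if conn.state == "SYN-SENT":
        return "hard error in SYN-SENT: abort connection"
    # Once the connection is synchronized, a hard error is demoted to a soft one.
    return "hard error on synchronized connection: treated as soft, keep connection"
```

With these checks in the stack, a forged Destination Unreachable that does not name a live connection with an in-window sequence number is dropped, which is the reason an operator can afford to let these messages through the firewall.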
