[ipv6hackers] Operational ICMPv6 Filtering
stefan.marksteiner at joanneum.at
Tue May 29 17:10:42 CEST 2012
In  it's stated that most of the ICMPv6 Destination Unreachable messages are to be permitted through intermediate devices (i.e. firewalls; on p. 33). On the other hand,  describes an ICMPv6 blind connection reset attack based on "hard errors" (p. 12). I know that this is eventually a stack implementer's issue, as hosts should basically not accept "hard errors" in an established connection, but my question is: should operators rely on implementers or just block Destination Unreachable and the like and take the drawback of having their hosts wait for timeouts instead of getting errors?
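The host-side behaviour the post refers to (not accepting "hard errors" on an established connection), shown as an added example that is not part of the original message. The addresses, ports, connection-table layout and function names are constructed for illustration; the in-flight sequence check is an extra assumption of this example, and the ICMPv6 checksum is assumed to have been verified by the caller.

```python
import ipaddress
import struct

ICMP6_DST_UNREACH = 1   # ICMPv6 type 1: Destination Unreachable
NEXT_HEADER_TCP = 6

def build_unreach(code, src, dst, sport, dport, seq):
    """Constructed sample: a Destination Unreachable quoting one of our TCP segments."""
    tcp = struct.pack("!HHI", sport, dport, seq)            # first 8 bytes of TCP
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), NEXT_HEADER_TCP, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!BBHI", ICMP6_DST_UNREACH, code, 0, 0) + ip6 + tcp

def in_flight(seq, snd_una, snd_nxt):
    """True if seq lies in [snd_una, snd_nxt), with 32-bit wraparound."""
    return (seq - snd_una) % 2**32 < (snd_nxt - snd_una) % 2**32

def handle_icmp6_error(msg, conns):
    """Return 'ignore', 'soft' (record it, keep retransmitting) or 'abort'."""
    if len(msg) < 8 + 40 + 8 or msg[0] != ICMP6_DST_UNREACH:
        return "ignore"
    ip6, tcp = msg[8:48], msg[48:56]
    # Assumes TCP directly follows the quoted IPv6 header (no extension headers).
    if ip6[0] >> 4 != 6 or ip6[6] != NEXT_HEADER_TCP:
        return "ignore"
    # The quoted packet is one we sent, so its source is our local endpoint.
    src = ipaddress.IPv6Address(ip6[8:24])
    dst = ipaddress.IPv6Address(ip6[24:40])
    sport, dport, seq = struct.unpack("!HHI", tcp)
    conn = conns.get((src, sport, dst, dport))
    if conn is None or not in_flight(seq, conn["snd_una"], conn["snd_nxt"]):
        return "ignore"   # a blind sender would have to guess an in-flight sequence number
    # Hard errors may end a connection attempt, but never an established connection.
    return "abort" if conn["state"] == "SYN_SENT" else "soft"

# Constructed connection table, keyed by (local addr, local port, remote addr, remote port).
LOCAL, REMOTE = "2001:db8::10", "2001:db8:ffff::80"
A = ipaddress.IPv6Address
CONNS = {
    (A(LOCAL), 49152, A(REMOTE), 443):
        {"state": "ESTABLISHED", "snd_una": 1000, "snd_nxt": 3000},
    (A(LOCAL), 49153, A(REMOTE), 443):
        {"state": "SYN_SENT", "snd_una": 4294967290, "snd_nxt": 4294967291},
}

if __name__ == "__main__":
    for port, seq in [(49152, 1500), (49152, 999999), (49153, 4294967290)]:
        print(port, seq, handle_icmp6_error(build_unreach(4, LOCAL, REMOTE, port, 443, seq), CONNS))
```

With this policy on the host, a forged Destination Unreachable that passes the firewall costs at most a recorded soft error on an established connection, while genuine errors during connection setup still avoid the timeout.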