[ipv6hackers] Operational ICMPv6 Filtering

Marc Heuse mh at mh-sec.de
Thu May 31 14:19:53 CEST 2012
Am 31.05.2012 14:11, schrieb Gert Doering:
> Hi,
> 
> On Thu, May 31, 2012 at 11:43:12AM +0100, daniel.bartram at bt.com wrote:
>> I take the viewpoint of allowing the following:
>>
>> Permit icmp any any packet-too-big
>> Permit icmp any any time-exceeded
>> Permit icmp any any echo-reply
>> Permit icmp any any echo request
>> Permit icmp any any destination-unreachable
>> Permit icmp any any time-exceeded
>>
>> And blocking everything else.
> 
> Congratulations for dropping neighbor discovery, and killing all your v6
> right away.

I am pretty sure these are transit rules, not local receives.
On several devices you configure transit and local rules in different
locations, e.g. Cisco ASA.
Otherwise more would be missing than NDP (less critical than NDP though ;-))

> I can only strongly recommend people to not invent something new on their
> own, but read this RFC first...
> 
> 4890 Recommendations for Filtering ICMPv6 Messages in Firewalls. E.  
>      Davies, J. Mohacsi. May 2007.

which is way too open. Written from a networker perspective, not a
security perspective.

Greets,
Marc

--
Marc Heuse
www.mh-sec.de

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
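A small checker for the point Gert and Marc are making, added here as an example that is not part of the thread: it maps the quoted permit keywords to ICMPv6 type numbers and reports which RFC 4890 "must not be dropped" types the list lacks, for transit versus local-receive scope. The keyword spellings and the per-scope type sets are my own reading of RFC 4890 sections 4.3 and 4.4, at the type level only (per-code distinctions are ignored).

```python
"""Compare an ICMPv6 permit list against RFC 4890 "must not be dropped" sets.
Assumed keyword spellings and type sets; type level only, codes ignored."""
import re

# Keyword -> ICMPv6 type number (assumed spellings, hyphenated form).
KEYWORD_TO_TYPE = {
    "destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "mld-query": 130, "mld-report": 131, "mld-done": 132,
    "router-solicitation": 133, "router-advertisement": 134,
    "neighbor-solicitation": 135, "neighbor-advertisement": 136,
    "redirect": 137, "mldv2-report": 143,
}
# RFC 4890 4.4.1: transit traffic a firewall must not drop.
REQUIRED_TRANSIT = {1, 2, 3, 4, 128, 129}
# RFC 4890 4.3.1: traffic to/from the box's own interfaces it must not drop:
# the above plus Neighbor Discovery (133-136) and MLD (130-132, 143).
REQUIRED_LOCAL = REQUIRED_TRANSIT | {130, 131, 132, 133, 134, 135, 136, 143}
_RULE = re.compile(r"^\s*permit\s+icmp\s+\S+\s+\S+\s+(.+?)\s*$", re.IGNORECASE)

def parse_permits(acl_text):
    """Set of ICMPv6 types permitted by 'permit icmp <src> <dst> <keyword>' lines."""
    types = set()
    for line in acl_text.splitlines():
        m = _RULE.match(line)
        if not m:
            continue  # blank lines and non-permit statements are ignored
        # 'echo request' and 'echo-request' both normalise to type 128
        keyword = m.group(1).lower().replace(" ", "-")
        if keyword not in KEYWORD_TO_TYPE:
            raise ValueError(f"unknown ICMPv6 keyword: {keyword!r}")
        types.add(KEYWORD_TO_TYPE[keyword])
    return types

def missing_types(acl_text, scope):
    """Sorted required types (scope 'transit' or 'local') the ACL would drop."""
    required = {"transit": REQUIRED_TRANSIT, "local": REQUIRED_LOCAL}[scope]
    return sorted(required - parse_permits(acl_text))

# The permit list quoted in the thread, used as the sample input.
QUOTED_ACL = """
Permit icmp any any packet-too-big
Permit icmp any any time-exceeded
Permit icmp any any echo-reply
Permit icmp any any echo request
Permit icmp any any destination-unreachable
Permit icmp any any time-exceeded
"""
if __name__ == "__main__":
    for scope in ("transit", "local"):
        print(scope, "drops required types:", missing_types(QUOTED_ACL, scope))
```

Run as a transit filter the quoted list only lacks Parameter Problem; applied to local receives it also drops all of Neighbor Discovery and MLD, which is the difference Marc points at.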