[ipv6hackers] Operational ICMPv6 Filtering

daniel.bartram at bt.com
Thu May 31 15:12:47 CEST 2012

>> Congratulations for dropping neighbor discovery, and killing all your v6 right away.

The following implicit rules exist at the end of each IPv6 ACL to allow ICMPv6 neighbour discovery.

Permit icmp any any nd-na
Permit icmp any any nd-ns
Deny ipv6 any any

At least on Cisco, anyway... I'm not aware, though, whether other vendors do this. So as far as I'm aware, my ACL wouldn't affect the operation of IPv6 at all... Of course, I could be wrong?


-----Original Message-----
From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Gert Doering
Sent: 31 May 2012 13:11
To: IPv6 Hackers Mailing List
Subject: Re: [ipv6hackers] Operational ICMPv6 Filtering


On Thu, May 31, 2012 at 11:43:12AM +0100, daniel.bartram at bt.com wrote:
> I take the viewpoint of allowing the following:
> Permit icmp any any packet-too-big
> Permit icmp any any time-exceeded
> Permit icmp any any echo-reply
> Permit icmp any any echo request
> Permit icmp any any destination-unreachable
> Permit icmp any any time-exceeded
> And blocking everything else.

Congratulations for dropping neighbor discovery, and killing all your v6 right away.

I can only strongly recommend people to not invent something new on their own, but read this RFC first...

RFC 4890, "Recommendations for Filtering ICMPv6 Messages in Firewalls", E. Davies, J. Mohacsi, May 2007.

Gert Doering
        -- NetMaster
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
Ipv6hackers mailing list
Ipv6hackers at lists.si6networks.com
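The disagreement above is easy to settle mechanically: model the ACL as an ordered first-match rule list, append the implicit entries, and see which ICMPv6 types RFC 4890 says must not be dropped still fall through to the final deny. The script below is an added example and is not code from either poster; the keyword-to-type map is a partial, assumed rendering of Cisco-style ICMPv6 keywords, the "echo request" line is written with the keyword echo-request, and the two RFC 4890 type sets are transcribed from sections 4.3.1 (error and connectivity-checking messages) and 4.3.3 (link-local ND, inverse ND, MLD, SEND and MRD messages) and should be verified against the RFC text before relying on them.

```python
"""Check an ICMPv6 ACL against RFC 4890's "must not be dropped" type lists.

Added example, not from the mailing-list post. The rule syntax is a
simplified model of Cisco-style IPv6 ACL lines (first matching rule wins).
"""
from __future__ import annotations

from dataclasses import dataclass

# Cisco-style ICMPv6 keywords -> IANA ICMPv6 type numbers.
# Assumed partial map; only the keywords needed for this illustration.
ICMPV6_TYPES = {
    "destination-unreachable": 1,
    "packet-too-big": 2,
    "time-exceeded": 3,
    "parameter-problem": 4,
    "echo-request": 128,
    "echo-reply": 129,
    "mld-query": 130,
    "mld-report": 131,
    "mld-reduction": 132,
    "router-solicitation": 133,
    "router-advertisement": 134,
    "nd-ns": 135,
    "nd-na": 136,
    "redirect": 137,
}

# RFC 4890 section 4.3.1 (transit traffic that must not be dropped):
# Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem,
# Echo Request, Echo Reply.  Verify against the RFC before relying on it.
RFC4890_MUST_NOT_DROP_TRANSIT = {1, 2, 3, 4, 128, 129}

# RFC 4890 section 4.3.3 (link-local traffic that must not be dropped):
# RS/RA/NS/NA, inverse ND, MLD v1/v2, SEND CPS/CPA, MRD.  Same caveat.
RFC4890_MUST_NOT_DROP_LINK_LOCAL = {
    133, 134, 135, 136,      # Neighbor Discovery
    141, 142,                # Inverse ND solicitation / advertisement
    130, 131, 132, 143,      # MLD query / report / done / v2 report
    148, 149,                # SEND certificate path solicitation / advertisement
    151, 152, 153,           # Multicast Router Discovery
}

# Implicit entries appended to every IPv6 ACL, as described in the post above.
CISCO_IMPLICIT = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]

# The ACL proposed in the thread ("echo request" written as the keyword).
THREAD_ACL = [
    "permit icmp any any packet-too-big",
    "permit icmp any any time-exceeded",
    "permit icmp any any echo-reply",
    "permit icmp any any echo-request",
    "permit icmp any any destination-unreachable",
]


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "icmp" or "ipv6"
    icmp_type: int | None  # None means any ICMPv6 type (or not an icmp rule)


def parse_rule(line: str) -> Rule:
    """Parse 'permit icmp any any <keyword|number>' or 'deny ipv6 any any'."""
    parts = line.lower().split()
    if len(parts) < 4 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised ACL line: {line!r}")
    icmp_type = None
    if parts[1] == "icmp" and len(parts) >= 5:
        tok = parts[4]
        icmp_type = int(tok) if tok.isdigit() else ICMPV6_TYPES[tok]
    return Rule(parts[0], parts[1], icmp_type)


def permitted_types(acl: list[str], implicit: list[str] = CISCO_IMPLICIT) -> set[int]:
    """Return the set of ICMPv6 types the ACL lets through (first match wins;
    anything matching nothing is dropped, like an implicit deny)."""
    rules = [parse_rule(line) for line in acl + implicit]
    allowed: set[int] = set()
    for t in range(256):
        for r in rules:
            if r.proto == "ipv6" or r.icmp_type in (None, t):
                if r.action == "permit":
                    allowed.add(t)
                break
    return allowed


def rfc4890_gaps(acl: list[str], implicit: list[str] = CISCO_IMPLICIT) -> dict[str, set[int]]:
    """Types RFC 4890 says must not be dropped that this ACL would drop."""
    allowed = permitted_types(acl, implicit)
    return {
        "transit": RFC4890_MUST_NOT_DROP_TRANSIT - allowed,
        "link_local": RFC4890_MUST_NOT_DROP_LINK_LOCAL - allowed,
    }


# An ACL that explicitly permits every required type by number, so the
# result no longer depends on a vendor's implicit entries.
RFC4890_ACL = [f"permit icmp any any {t}"
               for t in sorted(RFC4890_MUST_NOT_DROP_TRANSIT | RFC4890_MUST_NOT_DROP_LINK_LOCAL)]

if __name__ == "__main__":
    for name, acl, implicit in (
        ("thread ACL on Cisco (implicit nd-na/nd-ns)", THREAD_ACL, CISCO_IMPLICIT),
        ("thread ACL without implicit ND permits", THREAD_ACL, ["deny ipv6 any any"]),
        ("explicit RFC 4890 ACL", RFC4890_ACL, ["deny ipv6 any any"]),
    ):
        print(name, rfc4890_gaps(acl, implicit))
```

Run as-is, the model shows why both posters have a point: with the implicit entries, NS/NA (135/136) do survive, but Parameter Problem (4), RS/RA (133/134), MLD and the rest of section 4.3.3 are still dropped, which matters wherever the ACL sits between hosts and their router; without the implicit entries, NS/NA go too. Direction and placement of the ACL change which of these gaps actually bite, so treat the output as a checklist against the RFC, not as a statement of how any particular platform evaluates its ACLs.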
