[ipv6hackers] Operational ICMPv6 Filtering
daniel.bartram at bt.com
daniel.bartram at bt.com
Thu May 31 16:45:58 CEST 2012
>> Sometimes I wish the situation for network engineers was the same as for
doctors: follow the BCPs or be sued for malpractice...
:-D
-----Original Message-----
From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Simon Perreault
Sent: 31 May 2012 15:44
To: ipv6hackers at lists.si6networks.com
Subject: Re: [ipv6hackers] Operational ICMPv6 Filtering
On 2012-05-31 10:33, daniel.bartram at bt.com wrote:
> So this prompted me to do a bit of research into ICMPv6 Type 4, which
> I probably should have done earlier.
>
> RFC4443: If an IPv6 node processing a packet finds a problem with a
> field in the IPv6 header or extension headers such that it cannot
> complete processing the packet, it MUST discard the packet and SHOULD
> originate an ICMPv6 Parameter Problem message to the packet's source,
> indicating the type and location of the problem.
>
> Now interesting points here. The router must discard a problematic
> packet after realising it can't process it, fair enough. But it SHOULD
> originate an ICMPv6 type 4 message - it doesn't necessarily have to.
> So by RFC4890 stating it MUST not be dropped, is not entirely correct.
> In fact, I'd prefer it not to generate a message.
The reason it's a SHOULD is to account for ICMP error generation rate limiting. Not personal preference.
> Say a rouge user is sending randomly constructed ICMPv6 packets into a
> network, and they finally send one that a node returns a type 4
> packet. Now the rouge user knows they've found a packet structure the
> node cannot process so not only can they now flood this router with
> this type of packet (that it has to process to figure out it's not
> valid), it now also creates additional network bandwidth by constantly
> sending these type 4's back - almost like a self-inflicted DoS.
They don't need ICMP to find a header that the node doesn't know how to process. They can just go to IANA and pick one that doesn't exist.
> So must I still allow ICMPv6 type 4's through?
Yes, unless you can find better justification.
Sometimes I wish the situation for network engineers was the same as for
doctors: follow the BCPs or be sued for malpractice...
Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
_______________________________________________
Ipv6hackers mailing list
Ipv6hackers at lists.si6networks.com
http://lists.si6networks.com/listinfo/ipv6hackers
More information about the Ipv6hackers
mailing list