[ipv6hackers] Operational ICMPv6 Filtering

Romain Boissat rboissat at lv0.in
Thu May 31 17:11:36 CEST 2012


On Tue, May 29, 2012 at 05:10:42PM +0200, Marksteiner, Stefan wrote:
> Hi,
> in [1] it's stated that most of the ICMPv6 Destination Unreachable
> messages are to be permitted through intermediate devices (i.e.
> firewalls; on p. 33). On the other hand, [2] describes an ICMPv6 blind
> connection reset attack based on "hard errors" (p. 12).  I know that
> this is eventually a stack implementer's issue, as host should
> basically not accept "hard errors" in an established connection, but
> my question is: should operators rely on implementers or just block
> Destination Unreachable and the likes and take the drawback of having
> their hosts wait for timeouts instead of getting errors?

I use the [1] following set of ip6tables on my GNU/Linux routers
(personal appliances only), treating both input and transit ICMPv6
traffic. Translating every rule into another syntax may not be possible,

These rules have been used for a year now, on several appliances, with
success so far. Feel free to comment :)

When I was designing ICMPv6 filtering with ip6tables, I followed the
recommendations available on ipv6security.nl [2]

[1] https://n0.pe/p/7yh3k
[2] http://www.ipv6security.nl/?p=233

Romain Boissat
