[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPv6 filtering

Subject: IPv6 filtering
From: franck at genius.com (Franck Martin)
Date: Wed, 26 Jan 2011 18:20:00 +1300 (FJST)
In-reply-to: <[email protected]>

Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already?

----- Original Message -----
From: "Roland Dobbins" <rdobbins at arbor.net>
To: "nanog group" <nanog at nanog.org>
Sent: Wednesday, 26 January, 2011 6:13:26 PM
Subject: Re: IPv6 filtering

On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:

> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4. 

Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.

------------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

			  -- Alan Kay

Follow-Ups:
- IPv6 filtering
  - From: paul at paulgraydon.co.uk (Paul Graydon)

References:
- IPv6 filtering
  - From: rdobbins at arbor.net (Roland Dobbins)

Prev by Date: Using IPv6 with prefixes shorter than a /64 on a LAN
Next by Date: IPv6 filtering
Previous by thread: IPv6 filtering
Next by thread: IPv6 filtering
Index(es):
- Date
- Thread