IPv6 filtering
- Subject: IPv6 filtering
- From: paul at paulgraydon.co.uk (Paul Graydon)
- Date: Tue, 25 Jan 2011 19:42:03 -1000
- In-reply-to: <6024623.294.1296019199315.JavaMail.franck@franck-martins-macbook-pro.local>
- References: <6024623.294.1296019199315.JavaMail.franck@franck-martins-macbook-pro.local>
I may be dense, networking isn't my primary field (sysadmin)... but isn't
ICMP there for a good reason, i.e. congestion control? I've always
argued vehemently with PCI-DSS and similar auditors that I will not
filter /all/ ICMP traffic on the border.
Paul
On 1/25/2011 7:20 PM, Franck Martin wrote:
> Well, we filter ICMP due to exploits; if there are no exploits, then we can let the whole of ICMPv6 through. Or is there something terribly dangerous in ICMPv6 already?
>
> ----- Original Message -----
> From: "Roland Dobbins"<rdobbins at arbor.net>
> To: "nanog group"<nanog at nanog.org>
> Sent: Wednesday, 26 January, 2011 6:13:26 PM
> Subject: Re: IPv6 filtering
>
>
> On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
>
>> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
> Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.
>
> ------------------------------------------------------------------------
> Roland Dobbins<rdobbins at arbor.net> //<http://www.arbornetworks.com>
>
> Most software today is very much like an Egyptian pyramid, with millions
> of bricks piled on top of each other, with no structural integrity, but
> just done by brute force and thousands of slaves.
>
> -- Alan Kay
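The thread's practical point, Roland's "ICMPv6 is not like ICMP in IPv4" and Paul's refusal to drop all ICMP at the border, comes down to which ICMPv6 messages must be allowed to transit. The following is an added example, not code posted by anyone in the thread: a transit policy in Python that follows the categories of RFC 4890 section 4.3, compared against the blanket "drop all ICMPv6" rule auditors tend to ask for. The type and code numbers are from RFC 4443 and RFC 4861; the function names, the sample packets and the nftables rule syntax emitted at the end are my own assumptions (check the generated rules with `nft -c -f` before loading them).

```python
"""Selective ICMPv6 transit policy for an IPv6 border firewall, following the
categories in RFC 4890 section 4.3 (added example; not from the thread).

What it shows: a blanket "drop all ICMPv6" rule silently breaks path MTU
discovery, because IPv6 routers never fragment and the sender relies
entirely on a Packet Too Big (type 2) message getting back to it.
"""
from dataclasses import dataclass

# ICMPv6 type numbers (RFC 4443 errors/echo, RFC 4861 NDP, RFC 2710/3810 MLD)
DEST_UNREACHABLE, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
MLD_QUERY, MLD_REPORT, MLD_DONE, MLDV2_REPORT = 130, 131, 132, 143
ROUTER_SOLICIT, ROUTER_ADVERT = 133, 134
NEIGHBOR_SOLICIT, NEIGHBOR_ADVERT, REDIRECT = 135, 136, 137
ROUTER_RENUMBER, NODE_INFO_QUERY, NODE_INFO_REPLY = 138, 139, 140


@dataclass(frozen=True)
class Icmp6:
    """Only the header fields a transit filter looks at (assumed shape)."""
    type: int
    code: int = 0


def naive_policy(pkt: Icmp6) -> tuple:
    """The rule some auditors ask for: drop every ICMPv6 message at the border."""
    return "drop", "blanket ICMPv6 drop"


def rfc4890_transit_policy(pkt: Icmp6) -> tuple:
    """Verdict and reason for an ICMPv6 packet *forwarded through* the border.

    Link-local messages (NDP, MLD) are a separate question for the box
    itself; a router never forwards them, so for transit they are dropped.
    """
    t, c = pkt.type, pkt.code
    # 4.3.1 Must not be dropped: error reporting and echo.
    if t == PACKET_TOO_BIG:
        return "accept", "PMTUD depends on it; IPv6 routers never fragment"
    if t == DEST_UNREACHABLE:
        return "accept", "senders must learn of unreachable destinations"
    if t == TIME_EXCEEDED and c == 0:
        return "accept", "hop limit exceeded in transit (loops, traceroute)"
    if t == PARAM_PROBLEM and c in (1, 2):
        return "accept", "unrecognised next header / IPv6 option"
    if t in (ECHO_REQUEST, ECHO_REPLY):
        return "accept", "diagnostics; rate-limit rather than drop"
    # 4.3.2 Normally should not be dropped.
    if t == TIME_EXCEEDED and c == 1:
        return "accept", "fragment reassembly time exceeded"
    if t == PARAM_PROBLEM and c == 0:
        return "accept", "erroneous header field encountered"
    # 4.3.3 Link-local only (hop limit 255); a router would not forward these.
    if t in (MLD_QUERY, MLD_REPORT, MLD_DONE, MLDV2_REPORT) \
            or ROUTER_SOLICIT <= t <= REDIRECT:
        return "drop", "NDP/MLD are link-local; must not cross the border"
    # 4.3.5 Drop unless there is a specific case for it.
    if t in (ROUTER_RENUMBER, NODE_INFO_QUERY, NODE_INFO_REPLY):
        return "drop", "router renumbering / node information from outside"
    # Everything else (experimental, unallocated) is default deny.
    return "drop", "default deny"


def broken_by(policy) -> list:
    """Names of the must-transit messages (RFC 4890 4.3.1) that `policy` drops."""
    essential = {
        "packet-too-big": Icmp6(PACKET_TOO_BIG),
        "destination-unreachable": Icmp6(DEST_UNREACHABLE, 4),  # port unreachable
        "time-exceeded/0": Icmp6(TIME_EXCEEDED, 0),
        "parameter-problem/1": Icmp6(PARAM_PROBLEM, 1),
        "echo-request": Icmp6(ECHO_REQUEST),
    }
    return [name for name, pkt in essential.items() if policy(pkt)[0] == "drop"]


def nft_rules(policy) -> list:
    """Derive nftables forward-chain rules by enumerating the policy.

    Codes 0..7 cover every code defined for the accepted types. The
    `icmpv6 type ... icmpv6 code { ... } accept` syntax is assumed from
    nftables; verify with `nft -c -f` before loading.
    """
    rules = []
    for t in range(256):
        codes = [c for c in range(8) if policy(Icmp6(t, c))[0] == "accept"]
        if not codes:
            continue
        if len(codes) == 8:
            rules.append(f"icmpv6 type {t} accept")
        else:
            rules.append(f"icmpv6 type {t} icmpv6 code {{ {', '.join(map(str, codes))} }} accept")
    rules.append("meta l4proto icmpv6 drop")
    return rules


# Constructed sample traffic as seen at a border, for the demonstration.
SAMPLE = [Icmp6(PACKET_TOO_BIG), Icmp6(TIME_EXCEEDED, 0), Icmp6(NEIGHBOR_SOLICIT),
          Icmp6(ECHO_REQUEST), Icmp6(NODE_INFO_QUERY)]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, rfc4890_transit_policy(pkt))
    print("blanket drop breaks:", broken_by(naive_policy))
    print("\n".join(nft_rules(rfc4890_transit_policy)))
```

The policy deliberately accepts only the types a transit router has to pass and drops NDP outright: those messages carry hop limit 255 and are meaningless past the first router, so a border rule that lets them through buys nothing. Rate-limiting echo is the usual compromise with auditors who want ping blocked.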