[135496] in North American Network Operators' Group
Re: IPv6 filtering
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jan 26 00:29:30 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <32507261.286.1296018229100.JavaMail.franck@franck-martins-macbook-pro.local>
Date: Tue, 25 Jan 2011 21:25:49 -0800
To: Franck Martin <franck@genius.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 25, 2011, at 9:03 PM, Franck Martin wrote:
>=20
> =95 ipv6 41 IPv6 # IPv6=20
> =95 ipv6-route 43 IPv6-Route # Routing Header for IPv6=20
> =95 ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6=20
> =95 ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6=20
> =95 ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6=20
> =95 ipv6-icmp 58 IPv6-ICMP icmpv6 icmp6 # ICMP for IPv6=20
> =95 ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6=20
> =95 ipv6-opts 60 IPv6-Opts # Destination Options for IPv6=20
>=20
> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.=20
>=20
> But what about the others, should they be blocked, restricted?=20
>=20
> Does a ios "deny ipv6 any any" affect them?
DO NOT filter IPv6 ICMP like you filter IPv4.
If you do, you will break PMTU-Discovery, Neighbor Discovery,
and RA/SLAAC, all of which depend on ICMPv6.
Owen
