[135500] in North American Network Operators' Group


Re: IPv6 filtering

daemon@ATHENA.MIT.EDU (Paul Graydon)
Wed Jan 26 00:42:14 2011

Date: Tue, 25 Jan 2011 19:42:03 -1000
From: Paul Graydon <paul@paulgraydon.co.uk>
To: nanog@nanog.org
In-Reply-To: <6024623.294.1296019199315.JavaMail.franck@franck-martins-macbook-pro.local>
X-SA-Exim-Mail-From: paul@paulgraydon.co.uk
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I may be dense, networking isn't my primary field (sysadmin), but isn't 
ICMP there for a good reason?  I.e. congestion control?  I've always 
argued vehemently with PCI-DSS and similar auditors that I will not 
filter /all/ ICMP traffic on the border.

Paul

On 1/25/2011 7:20 PM, Franck Martin wrote:
> Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already?
>
> ----- Original Message -----
> From: "Roland Dobbins"<rdobbins@arbor.net>
> To: "nanog group"<nanog@nanog.org>
> Sent: Wednesday, 26 January, 2011 6:13:26 PM
> Subject: Re: IPv6 filtering
>
>
> On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
>
>> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
> Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.
>
> ------------------------------------------------------------------------
> Roland Dobbins<rdobbins@arbor.net>  //<http://www.arbornetworks.com>
>
> Most software today is very much like an Egyptian pyramid, with millions
> of bricks piled on top of each other, with no structural integrity, but
> just done by brute force and thousands of slaves.
>
> 			  -- Alan Kay
>

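As an added example that is not part of the thread: a small Python audit of the kind Paul's objection calls for. It parses a simplified ip6tables-style chain and reports which of the ICMPv6 types that RFC 4890 (section 4.3.1) says a transit filter must not drop would be blocked, type 2 (Packet Too Big, which Path MTU Discovery depends on and which Roland's PMTU-D remark is about) among them. The accepted rule syntax (every option takes one argument) and the sample rulesets are constructed assumptions, not anyone's production configuration.

```python
# Types that RFC 4890 (section 4.3.1) says a transit filter must not drop.
# Type 2 is the one PMTUD hinges on: IPv6 routers never fragment, so without
# Packet Too Big a host never learns that a smaller MTU exists on the path.
ESSENTIAL_TYPES = {
    1: "Destination Unreachable",
    2: "Packet Too Big (dropping it breaks Path MTU Discovery)",
    3: "Time Exceeded",
    4: "Parameter Problem",
    128: "Echo Request",
    129: "Echo Reply",
}

TERMINATING = ("ACCEPT", "DROP", "REJECT")  # LOG and friends do not end matching

def parse_chain(text, chain):
    """Return (default policy, rules) for one chain from iptables-save style lines."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) >= 3 and toks[0] == "-P" and toks[1] == chain:
            policy = toks[2]
        elif len(toks) >= 4 and toks[0] == "-A" and toks[1] == chain:
            # Assumption: each option takes exactly one argument, e.g. "-p ipv6-icmp"
            rules.append(dict(zip(toks[2::2], toks[3::2])))
    return policy, rules

def verdict(icmp_type, policy, rules):
    """First matching terminating rule wins, as in netfilter; else the chain policy."""
    for rule in rules:
        if rule.get("-p") not in (None, "ipv6-icmp", "icmpv6"):
            continue  # rule is for another protocol
        wanted = rule.get("--icmpv6-type")
        if wanted is not None and int(wanted) != icmp_type:
            continue
        if rule.get("-j") in TERMINATING:
            return rule["-j"]
    return policy

def audit(text, chain="FORWARD"):
    """Map each essential ICMPv6 type the chain would block to why that hurts."""
    policy, rules = parse_chain(text, chain)
    return {t: why for t, why in ESSENTIAL_TYPES.items()
            if verdict(t, policy, rules) != "ACCEPT"}

# Constructed sample rulesets: the "filter all ICMP" policy, and a selective one.
BLOCK_ALL = "-P FORWARD ACCEPT\n-A FORWARD -p ipv6-icmp -j DROP\n"
SELECTIVE = "-P FORWARD ACCEPT\n" + "".join(
    f"-A FORWARD -p ipv6-icmp --icmpv6-type {t} -j ACCEPT\n" for t in ESSENTIAL_TYPES
) + "-A FORWARD -p ipv6-icmp -j DROP\n"
```

Running `audit(BLOCK_ALL)` lists all six types, with the type 2 entry naming PMTUD; `audit(SELECTIVE)` returns an empty dict.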
