[135501] in North American Network Operators' Group
Re: IPv6 filtering
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Wed Jan 26 00:47:37 2011
Date: Wed, 26 Jan 2011 07:46:54 +0200
To: Franck Martin <franck@genius.com>,Roland Dobbins <rdobbins@arbor.net>
From: Hank Nussbacher <hank@efes.iucc.ac.il>
In-Reply-To: <6024623.294.1296019199315.JavaMail.franck@franck-martins-macbook-pro.local>
Cc: nanog group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
At 18:20 26/01/2011 +1300, Franck Martin wrote:
>Well we filter icmp due to exploits, if no exploits, then we can let the
>whole of icmpv6 through. Or is there something terribly dangerous in
>icmpv6 already?
Ever since Cisco came out with "IPv6 Routing Header Vulnerability" in 2007
http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0fd.shtml
I have had the following enabled:
On the protected interface:
  ipv6 traffic-filter filter-rh in

ipv6 access-list filter-rh
  ! drop any packet carrying an IPv6 Routing Header (any routing type) and log the hit
  deny ipv6 any any log routing
  permit ipv6 any any
and have stopped many pkts that way. I still occasionally see hits in our
log from all sorts of newbies who continue to try old bugs.
-Hank
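An added example, not part of Hank's post and not Cisco code: the Python below walks an IPv6 extension-header chain the way a stateless per-packet filter has to, and applies the `routing` match from the ACL above (any Routing Header, whatever its type) next to the narrower `routing-type 0` match that IOS IPv6 ACLs also accept, which only catches the RH0 that RFC 5095 deprecated and leaves Type 2 (Mobile IPv6) packets alone. Addresses come from the 2001:db8::/32 documentation prefix and every packet is constructed inline (ICMPv6 checksum left at zero); none of it is captured traffic.

```python
# Added example (not from the post or from Cisco): walk an IPv6 extension-header
# chain and apply the 'routing' match from the ACL above versus 'routing-type 0'.
# Addresses use the 2001:db8::/32 documentation prefix; packets are constructed.
import ipaddress
import struct

HOPOPTS, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60   # extension headers we walk
TCP, ICMPV6 = 6, 58                                   # upper-layer protocols used below
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}


def ipv6_header(next_header, payload_len, src, dst):
    """Fixed 40-byte IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def routing_header(next_header, routing_type, addrs):
    """Routing Header (RFC 2460 layout): Next Header, Hdr Ext Len in 8-octet units
    excluding the first 8, Routing Type, Segments Left, 4 reserved bytes, addresses."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBBI", next_header, len(body) // 8, routing_type, len(addrs), 0) + body


def dstopts_header(next_header):
    """Minimal Destination Options header: one PadN(4) option fills the 8-byte minimum."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"


def fragment_header(next_header, frag_offset, more, ident):
    """Fragment header: Next Header, reserved, 13-bit offset (8-octet units) | M flag, ID."""
    return struct.pack("!BBHI", next_header, 0, (frag_offset << 3) | int(more), ident)


def build_packet(src, dst, chain, upper_nh, upper=b""):
    """chain is a list of (header_type, builder) pairs in wire order; each builder
    receives the Next Header value that should follow it."""
    nh, ext = upper_nh, b""
    for header_type, make in reversed(chain):
        ext = make(nh) + ext
        nh = header_type
    return ipv6_header(nh, len(ext) + len(upper), src, dst) + ext + upper


def walk_chain(pkt):
    """Return (extension header types in order, routing types seen, upper-layer
    Next Header).  The upper-layer value is None for a non-first fragment: its
    remaining headers are in another packet and invisible to a per-packet filter."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, seen, routing_types = pkt[6], 40, [], []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        seen.append(nh)
        if nh == ROUTING:
            routing_types.append(pkt[off + 2])
        if nh == FRAGMENT:
            hdr_len = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return seen, routing_types, None
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hdr_len
    return seen, routing_types, nh


def acl_action(pkt, match):
    """Emulate 'deny ipv6 any any <match>' followed by 'permit ipv6 any any'.
    match is 'routing' (any Routing Header, as in the ACL above) or 'routing-type N'."""
    _, routing_types, _ = walk_chain(pkt)
    if match == "routing":
        hit = bool(routing_types)
    elif match.startswith("routing-type "):
        hit = int(match.split()[1]) in routing_types
    else:
        raise ValueError("unsupported match: %s" % match)
    return "deny" if hit else "permit"


# Constructed sample packets (ICMPv6 checksum left zero; it is not checked here).
SRC, DST, VIA = "2001:db8::1", "2001:db8::2", "2001:db8::3"
ECHO = b"\x80\x00\x00\x00"                                   # ICMPv6 Echo Request header
PLAIN = build_packet(SRC, DST, [], ICMPV6, ECHO)
# RH0 listing the same hop three times: the ping-pong amplification pattern RFC 5095 deprecated
RH0 = build_packet(SRC, DST, [(ROUTING, lambda n: routing_header(n, 0, [VIA] * 3))], ICMPV6, ECHO)
RH2 = build_packet(SRC, DST, [(ROUTING, lambda n: routing_header(n, 2, [VIA]))], TCP)  # Mobile IPv6 style
BURIED = build_packet(SRC, DST, [(DSTOPTS, dstopts_header),
                                 (ROUTING, lambda n: routing_header(n, 0, [VIA]))], TCP)
LATER_FRAG = build_packet(SRC, DST, [(FRAGMENT, lambda n: fragment_header(n, 100, False, 0x1234))], TCP)

if __name__ == "__main__":
    for name, pkt in [("PLAIN", PLAIN), ("RH0", RH0), ("RH2", RH2),
                      ("BURIED", BURIED), ("LATER_FRAG", LATER_FRAG)]:
        seen, rtypes, _ = walk_chain(pkt)
        print("%-10s ext=%s routing_types=%s  routing:%s  routing-type 0:%s" % (
            name, seen, rtypes, acl_action(pkt, "routing"), acl_action(pkt, "routing-type 0")))
```

The walker finds a Routing Header no matter how many other extension headers precede it, which is what makes the `routing` keyword useful against the "bury it behind Destination Options" variant. The one thing no per-packet match can see is a Routing Header carried in a non-first fragment (the LATER_FRAG case): the chain ends at the Fragment header and the packet is permitted, so filtering at the border is a complement to, not a replacement for, hosts and routers that simply ignore RH0.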