[135557] in North American Network Operators' Group


Re: IPv6 filtering

daemon@ATHENA.MIT.EDU (Michael Loftis)
Wed Jan 26 15:25:22 2011

In-Reply-To: <4D3FB5D8.3060408@willingminds.com>
Date: Wed, 26 Jan 2011 13:24:27 -0700
From: Michael Loftis <mloftis@wgops.com>
To: "Mark D. Nagel" <mnagel@willingminds.com>
Cc: nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Jan 25, 2011 at 10:49 PM, Mark D. Nagel <mnagel@willingminds.com> wrote:

> This can bite you in unexpected ways, too.  For example, on a Cisco ASA,
> if you add a system-level 'icmpv6 permit' line and if this does not
> include ND, then you break ND responses to the ASA.  This is much unlike
> ARP, which is unaffected by 'icmp permit' statements for IPv4.  And, the
> default with no such lines is to permit all ICMP/ICMPv6 to the ASA. This
> seems so obvious in retrospect, but at the time was a bit of a
> head-scratcher.
>

ARP is a separate protocol supporting IPv4 ... For IPv6 ND is done
using ICMPv6 messages.  A bit confusing transitioning from IPv4/ARP
for sure.

> Mark
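
Added example, not part of the original message or of any vendor's code: a simplified Python model of the behaviour discussed in this thread, where an empty device-level ICMPv6 rule list permits everything and any explicit rule list implicitly denies whatever it does not name. The rule format, function names and sample policies are assumptions made for illustration and are not ASA syntax; the ND type numbers are those of RFC 4861.

```python
# Added example: simplified model of a device-level ICMPv6 permit list.
# Rule semantics (no rules = permit all; any rule = implicit deny for the
# rest) follow the behaviour described in the thread; this is not ASA syntax.

# Neighbor Discovery message types from RFC 4861.
ND_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
}
ECHO_REQUEST, ECHO_REPLY = 128, 129


def permitted(rules, icmp_type):
    """First-match evaluation. Each rule is (action, type or None for any)."""
    if not rules:
        return True  # default described in the thread: no lines, permit all
    for action, rule_type in rules:
        if rule_type is None or rule_type == icmp_type:
            return action == "permit"
    return False  # implicit deny once at least one rule exists


def broken_nd(rules):
    """Return the names of ND messages that the rule list would drop."""
    return [name for t, name in sorted(ND_TYPES.items())
            if not permitted(rules, t)]


def address_resolution_works(rules):
    """Address resolution uses Neighbor Solicitation and Advertisement."""
    return permitted(rules, 135) and permitted(rules, 136)


# Constructed policies for illustration.
NO_RULES = []
PING_ONLY = [("permit", ECHO_REQUEST), ("permit", ECHO_REPLY)]
PING_PLUS_ND = PING_ONLY + [("permit", t) for t in ND_TYPES]

if __name__ == "__main__":
    for label, rules in [("no rules", NO_RULES), ("ping only", PING_ONLY),
                         ("ping + ND", PING_PLUS_ND)]:
        print(f"{label:10} resolution_ok={address_resolution_works(rules)} "
              f"dropped_nd={broken_nd(rules)}")
```
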

