Educause Security Discussion mailing list archives
Re: IPv6 and DHCP and ICMP
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 23 May 2012 17:10:36 -0700
On 05/23/2012 14:22, John Ladwig wrote:
ICMPv4 should **never** have been “completely eliminated” from public network (interacting with local network), but there’s only a small set of messages that **need** to pass an Internet/local policy boundary. Limited, yes, but I’ve seen way too many blanket drop policies, so I’m a little touchy on the subject. There’s a slightly larger set of required ICMPv6 messages that must cross an Internet/local policy boundary to enable, for example, path-MTU discovery. Our current proposals, LAN and WAN testbed configurations follow RFC 4890 ICMPv6 recommendations for firewall transit “must not be dropped” and “normally should not be dropped” pretty closely, although we’re not currently testing mobile IPv6, and haven’t decided whether to support it in the near term.
+1 on RFC 4890--it's a really good resource both for firewalls and router ACLs. Keep in mind that blocking all ICMPv6 means blocking all IPv6. You simply won't have connectivity if you block ND, for example.
michael
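As an added example, not part of the thread and not a configuration from either poster: the RFC 4890 transit set for an Internet/local border, rendered as ip6tables rules, with the same table exposed as a decision function so the policy can be checked offline. Assumed: Linux ip6tables syntax, transit traffic on the FORWARD chain, and the firewall's own interfaces handling ND on INPUT.

```shell
#!/bin/sh
# Added example (not from the thread): RFC 4890 ICMPv6 policy for an Internet/local
# border firewall, rendered as ip6tables rules. The table below is the RFC 4890
# section 4.3.1 "must not be dropped" set plus the two section 4.3.2 error codes.
# Columns: type, code ("-" = any code), description.
RFC4890_TRANSIT_ALLOW="
1 - destination-unreachable, all codes
2 - packet-too-big (needed for path-MTU discovery)
3 0 time-exceeded, hop limit exceeded
3 1 time-exceeded, fragment reassembly (4.3.2)
4 0 parameter-problem, erroneous header field (4.3.2)
4 1 parameter-problem, unrecognized next header
4 2 parameter-problem, unrecognized IPv6 option
128 - echo-request
129 - echo-reply
"

# Link-local ND (RFC 4890 section 4.3.3): hop limit 255, never crosses a router,
# but the firewall's own interfaces, like every host, must accept it or IPv6 stops
# working, as the reply above notes. Redirect (137) is left to local policy.
ND_TYPES="133 134 135 136"

# Print the ruleset instead of applying it, so it can be reviewed and diffed first.
emit_ip6tables_rules() {
  while read -r type code desc; do
    [ -z "$type" ] && continue
    if [ "$code" = "-" ]; then sel="$type"; else sel="$type/$code"; fi
    printf 'ip6tables -A FORWARD -p icmpv6 --icmpv6-type %s -j ACCEPT  # %s\n' "$sel" "$desc"
  done <<EOF
$RFC4890_TRANSIT_ALLOW
EOF
  echo 'ip6tables -A FORWARD -p icmpv6 -j DROP  # everything else, e.g. node-info query 139/140'
  for t in $ND_TYPES; do
    printf 'ip6tables -A INPUT -p icmpv6 --icmpv6-type %s -m hl --hl-eq 255 -j ACCEPT\n' "$t"
  done
}

# Same table as a decision function: icmpv6_transit_policy TYPE CODE -> accept|drop.
# Lets the policy be checked against a packet's type/code without touching a firewall.
icmpv6_transit_policy() {
  if printf '%s\n' "$RFC4890_TRANSIT_ALLOW" | grep -Eq "^$1 (-|$2) "; then
    echo accept
  else
    echo drop
  fi
}

emit_ip6tables_rules
```

Types 133-136 are only accepted with hop limit 255 because RFC 4861 requires ND packets to carry that value, which rejects anything that has been forwarded.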