nanog mailing list archives
Re: IPv6 filtering
From: Hank Nussbacher <hank () efes iucc ac il>
Date: Wed, 26 Jan 2011 07:46:54 +0200
At 18:20 26/01/2011 +1300, Franck Martin wrote:
Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already?

Ever since Cisco came out with "IPv6 Routing Header Vulnerability" in 2007
http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0fd.shtml
I have had the following enabled:

On the protected interface:
 ipv6 traffic-filter filter-rh in

ipv6 access-list filter-rh
 deny ipv6 any any log routing
 permit ipv6 any any

and have stopped many pkts that way. I still occasionally see hits in our log from all sorts of newbies who continue to try old bugs.

-Hank
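
Added example, not part of the message above or of the Cisco advisory: a Python sketch of the decision the filter-rh ACL makes, walking the IPv6 extension-header chain and reporting the first Routing header (Next Header 43) with its type and Segments Left. The function names, the "malformed" verdict and the sample packets (built on the 2001:db8::/32 documentation prefix) are assumptions made for illustration.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers) for the headers walked here
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def find_routing_header(packet: bytes):
    """Return (routing_type, segments_left) for the first Routing header, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 fixed header")
    next_header, offset = packet[6], 40
    while next_header in EXT_HEADERS:  # simplification: stops at AH/ESP/upper layer
        if len(packet) < offset + 8:
            raise ValueError("truncated extension header")
        following, hdr_ext_len = packet[offset], packet[offset + 1]
        if next_header == ROUTING:
            return packet[offset + 2], packet[offset + 3]
        if next_header == FRAGMENT:
            # Fixed 8-byte header; a non-first fragment carries no later headers
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return None
            length = 8
        else:
            length = (hdr_ext_len + 1) * 8  # Hdr Ext Len excludes the first 8 bytes
        next_header, offset = following, offset + length
    return None

def acl_action(packet: bytes) -> str:
    """Same decision as filter-rh: deny and log on a Routing header, else permit."""
    try:
        rh = find_routing_header(packet)
    except ValueError:
        return "malformed"  # assumption: the ACL in the message has no such verdict
    return "permit" if rh is None else f"deny-log type={rh[0]} segleft={rh[1]}"

def _ipv6(next_header: int, payload: bytes) -> bytes:
    # Constructed sample packet: 40-byte fixed header followed by the payload
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed samples: type 0 Routing header with one address, then "No Next Header" (59)
_RH0 = bytes([59, 2, 0, 1]) + bytes(4) + bytes.fromhex("20010db8" + "00" * 11 + "03")
SAMPLE_PLAIN = _ipv6(58, bytes([128, 0, 0, 0, 0, 1, 0, 1]))     # ICMPv6 echo request
SAMPLE_RH0 = _ipv6(ROUTING, _RH0)                               # Routing header first
SAMPLE_HBH_RH0 = _ipv6(HOP_BY_HOP, bytes([43, 0, 1, 4, 0, 0, 0, 0]) + _RH0)  # behind hop-by-hop
```
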