Re: IPv6 filtering

[Paul Graydon <paul () paulgraydon co uk>]

I may be dense, networking isn't my primary field (sysadmin).. but isn't 
ICMP there for a good reason?  I.e. congestion control?  I've always 
argued vehemently with PCI-DSS and similar auditors that I will not 
filter /all/ ICMP traffic on the border.

Paul

On 1/25/2011 7:20 PM, Franck Martin wrote:
> Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something 
> terribly dangerous in icmpv6 already?
>
> ----- Original Message -----
> From: "Roland Dobbins"<rdobbins () arbor net>
> To: "nanog group"<nanog () nanog org>
> Sent: Wednesday, 26 January, 2011 6:13:26 PM
> Subject: Re: IPv6 filtering
>
>
> On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
>
> > Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
> Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it 
> is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not 
> well-understood in many quarters, heh.
>
> ------------------------------------------------------------------------
> Roland Dobbins<rdobbins () arbor net>  //<http://www.arbornetworks.com>
>
> Most software today is very much like an Egyptian pyramid, with millions
> of bricks piled on top of each other, with no structural integrity, but
> just done by brute force and thousands of slaves.
>
>                           -- Alan Kay