I may be dense, networking isn't my primary field (sysadmin).. but isn't ICMP there for a good reason? I.e. congestion control? I've always argued vehemently with PCI-DSS and similar auditors that I will not filter /all/ ICMP traffic on the border. Paul On 1/25/2011 7:20 PM, Franck Martin wrote:
Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already?
----- Original Message ----- From: "Roland Dobbins"<rdobbins@arbor.net> To: "nanog group"<nanog@nanog.org> Sent: Wednesday, 26 January, 2011 6:13:26 PM Subject: Re: IPv6 filtering
On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4. Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.
------------------------------------------------------------------------ Roland Dobbins<rdobbins@arbor.net> //<http://www.arbornetworks.com>
Most software today is very much like an Egyptian pyramid, with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.
-- Alan Kay