• ipv6 41 IPv6 # IPv6
• ipv6-route 43 IPv6-Route # Routing Header for IPv6
• ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
• ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6
• ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6
• ipv6-icmp 58 IPv6-ICMP icmpv6 icmp6 # ICMP for IPv6
• ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6
• ipv6-opts 60 IPv6-Opts # Destination Options for IPv6

Ok, filtering ipv6 and ipv6-icmp is understood, it is like ipv4. But what about the others, should they be blocked, restricted? Does an IOS "deny ipv6 any any" affect them?
On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.

Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.

------------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.

-- Alan Kay
Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already?

----- Original Message -----
From: "Roland Dobbins" <rdobbins@arbor.net>
To: "nanog group" <nanog@nanog.org>
Sent: Wednesday, 26 January, 2011 6:13:26 PM
Subject: Re: IPv6 filtering

> On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
>
>> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
>
> Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.
I may be dense, networking isn't my primary field (sysadmin)... but isn't ICMP there for a good reason? I.e. congestion control? I've always argued vehemently with PCI-DSS and similar auditors that I will not filter /all/ ICMP traffic on the border.

Paul

On 1/25/2011 7:20 PM, Franck Martin wrote:

> Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already?
>
> ----- Original Message -----
> From: "Roland Dobbins" <rdobbins@arbor.net>
> To: "nanog group" <nanog@nanog.org>
> Sent: Wednesday, 26 January, 2011 6:13:26 PM
> Subject: Re: IPv6 filtering
>
>> On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
>>
>>> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
>>
>> Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.
On 1/25/11 9:13 PM, Roland Dobbins wrote:
> On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
>
>> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
>
> Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.

Also, try to resist popular opinion in outright blocking of ICMP - it's not really that evil.

~Seth
On Jan 25, 2011, at 9:03 PM, Franck Martin wrote:
> • ipv6 41 IPv6 # IPv6
> • ipv6-route 43 IPv6-Route # Routing Header for IPv6
> • ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
> • ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6
> • ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6
> • ipv6-icmp 58 IPv6-ICMP icmpv6 icmp6 # ICMP for IPv6
> • ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6
> • ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
>
> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
> But what about the others, should they be blocked, restricted?
> Does an IOS "deny ipv6 any any" affect them?

DO NOT filter IPv6 ICMP like you filter IPv4. If you do, you will break PMTU-Discovery, Neighbor Discovery, and RA/SLAAC, all of which depend on ICMPv6.

Owen
On 1/25/2011 9:25 PM, Owen DeLong wrote:
> DO NOT filter IPv6 ICMP like you filter IPv4.
> If you do, you will break PMTU-Discovery, Neighbor Discovery, and RA/SLAAC, all of which depend on ICMPv6.

This can bite you in unexpected ways, too. For example, on a Cisco ASA, if you add a system-level 'icmpv6 permit' line and if this does not include ND, then you break ND responses to the ASA. This is much unlike ARP, which is unaffected by 'icmp permit' statements for IPv4. And, the default with no such lines is to permit all ICMP/ICMPv6 to the ASA. This seems so obvious in retrospect, but at the time was a bit of a head-scratcher.

Mark

--
Mark D. Nagel, CCIE #3177 <mnagel@willingminds.com>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 949-623-9854

*** Please send support requests to support@willingminds.com! ***
On Tue, Jan 25, 2011 at 10:49 PM, Mark D. Nagel <mnagel@willingminds.com> wrote:
> This can bite you in unexpected ways, too. For example, on a Cisco ASA, if you add a system-level 'icmpv6 permit' line and if this does not include ND, then you break ND responses to the ASA. This is much unlike ARP, which is unaffected by 'icmp permit' statements for IPv4. And, the default with no such lines is to permit all ICMP/ICMPv6 to the ASA. This seems so obvious in retrospect, but at the time was a bit of a head-scratcher.

ARP is a separate protocol supporting IPv4 ... For IPv6, ND is done using ICMPv6 messages. A bit confusing transitioning from IPv4/ARP for sure.

> Mark
On Wed, 26 Jan 2011, Franck Martin wrote:
> But what about the others, should they be blocked, restricted?

"Recommendations for Filtering ICMPv6 Messages in Firewalls" <http://www.ietf.org/rfc/rfc4890.txt>

--
Mikael Abrahamsson email: swmike@swm.pp.se
On Wed, 26 Jan 2011, Franck Martin wrote:
> • ipv6 41 IPv6 # IPv6
> • ipv6-route 43 IPv6-Route # Routing Header for IPv6
> • ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
> • ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6
> • ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6
> • ipv6-icmp 58 IPv6-ICMP icmpv6 icmp6 # ICMP for IPv6
> • ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6
> • ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
>
> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4.
> But what about the others, should they be blocked, restricted?
> Does an IOS "deny ipv6 any any" affect them?

Have a look at RFC 4890, Recommendations for Filtering ICMPv6 Messages in Firewalls.

Regards,
Janos Mohacsi
participants (9)
- Franck Martin
- Mark D. Nagel
- Michael Loftis
- Mikael Abrahamsson
- Mohacsi Janos
- Owen DeLong
- Paul Graydon
- Roland Dobbins
- Seth Mattinen