Sunday, May 13, 2007

RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls

All you fans of mindlessly blocking ICMP traffic are going to be in trouble if you try that strategy with IPv6. Luckily, RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls was published this month. This Informational RFC provides concrete guidance using these categories:

  • Traffic That Must Not Be Dropped

  • Traffic That Normally Should Not Be Dropped

  • Traffic That Will Be Dropped Anyway -- No Special Attention Needed

  • Traffic for Which a Policy Should Be Defined

  • Traffic That Should Be Dropped Unless a Good Case Can Be Made


This is a nice reference for those who wish to implement some degree of control over ICMPv6, which is an integral part of IPv6 and not something one can blindly block.
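To make the first category concrete, here is an added example (not from the original post or from the RFC) that audits a transit-firewall policy against the "Traffic That Must Not Be Dropped" list in RFC 4890 section 4.3.1. The rule format `(action, type, code)`, the function names and both sample policies are hypothetical and constructed for illustration.

```python
# Added example: audit a transit ICMPv6 policy against RFC 4890 section 4.3.1.
# The rule tuple format (action, type, code) is hypothetical, not a real
# firewall syntax; None in a rule means "match any".

# ICMPv6 type -> codes that a transit firewall must not drop (RFC 4890, 4.3.1).
MUST_NOT_DROP = {
    1: range(256),  # Destination Unreachable, all codes
    2: (0,),        # Packet Too Big
    3: (0,),        # Time Exceeded, code 0 only (hop limit exceeded in transit)
    4: (1, 2),      # Parameter Problem, codes 1 and 2 only
    128: (0,),      # Echo Request
    129: (0,),      # Echo Response
}

def decide(rules, default, icmp_type, code):
    """Return the action of the first matching rule, else the default."""
    for action, r_type, r_code in rules:
        if r_type in (None, icmp_type) and r_code in (None, code):
            return action
    return default

def audit(rules, default="drop"):
    """Return {type: [codes]} for must-not-drop messages the policy drops."""
    findings = {}
    for icmp_type, codes in MUST_NOT_DROP.items():
        dropped = [c for c in codes
                   if decide(rules, default, icmp_type, c) == "drop"]
        if dropped:
            findings[icmp_type] = dropped
    return findings

# Constructed sample policies.
BLANKET = [("drop", None, None)]      # the "mindless" block-everything rule
PARTIAL = [                           # looks careful, still has two gaps
    ("accept", 1, None),
    ("accept", 2, None),
    ("accept", 3, None),
    ("drop", 4, 2),                   # shadows the accept on the next line
    ("accept", 4, None),
    ("accept", 128, None),            # Echo Request allowed, no rule for 129
]

if __name__ == "__main__":
    for name, policy in (("blanket", BLANKET), ("partial", PARTIAL)):
        for t, codes in sorted(audit(policy).items()):
            print(f"{name}: type {t} dropped for {len(codes)} required code(s)")
```

The audit covers only the must-not-drop list for transit traffic; the RFC gives a separate, longer list for traffic addressed to the firewall itself.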

2 comments:

Anonymous said...

Do you run IPv6 in your labs at home, and have you created an "IPv6 tunnel" to the outside world? Just curious.

Richard Bejtlich said...

Querying the blog for IPv6 reveals IPv6 Only FreeBSD Scenario.