Well, some months ago I did the course, and that's what led to this discussion.
I missed that RFC 9288 recommends dropping packets with certain extension headers if it is known that the header is not used, which I mistakenly confused with ICMPv6.

On 10/5/24 22:03, Rinse Kloek wrote:

I recommend that you take part in the RIPE IPv6 Security training course at the RIPE Academy. One of the topics covered is ICMPv6 filtering (Unit 4). In this unit, you will learn about best practices for filtering and rate limiting certain IPv6 and/or ICMPv6 packets.

Rinse

On 5-10-2024 21:20, Marco Moock wrote:
On 05.10.2024 at 21:11:22, Sheikh Md Seum via ipv6-wg wrote:

While going through the deployment procedure I was not able to find
any BCP/BCOP regarding how to filter ICMPv6, what standards should be
followed.

Don't filter it at all at the ISP level for your customers.

The neighbor discovery packets can't be abused from other links because
they will be discarded when they don't have a TTL of 255.
Make sure you reject RAs from the customers on your PPP links.

Although, inside a link (e.g. on an office network), filtering for
certain packets like RA is needed to avoid certain intended or
accidental stuff.

Other stuff like the destination unreachable must not be blocked at all.

ICMPv6 isn't a security risk itself.



-- 
Regards
Sheikh Md Seum
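
The filtering advice in the quoted reply, written out as a packet classifier. This is an added example, not code from the thread or from RIPE: the function names, the `customer_facing` flag and the sample packets are assumptions, the "TTL" in the thread is the IPv6 Hop Limit field, and extension-header chains are not walked.

```python
import struct

# ICMPv6 type numbers (RFC 4443, RFC 4861)
DEST_UNREACH = 1
ROUTER_ADVERT = 134
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ICMPV6 = 58  # IPv6 Next Header value for ICMPv6


def build_packet(hop_limit, icmp_type):
    """Constructed sample: 40-byte IPv6 header plus an 8-byte ICMPv6 body."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")  # constructed link-local source
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")  # all-nodes multicast
    header = struct.pack("!IHBB", 6 << 28, 8, ICMPV6, hop_limit) + src + dst
    return header + struct.pack("!BBHI", icmp_type, 0, 0, 0)  # checksum left at 0


def verdict(packet, customer_facing=False):
    """Return (action, reason) for one raw IPv6 packet.

    customer_facing (hypothetical flag) marks a PPP link towards a customer.
    """
    if len(packet) < 44 or packet[0] >> 4 != 6:
        return ("drop", "not a parsable IPv6 packet")
    next_header, hop_limit = packet[6], packet[7]
    if next_header != ICMPV6:
        # Assumption: ICMPv6 behind extension headers is out of scope here.
        return ("skip", "ICMPv6 does not directly follow the IPv6 header")
    icmp_type = packet[40]
    if icmp_type in ND_TYPES:
        # A routed packet has had its Hop Limit decremented, so an ND
        # message that did not originate on this link cannot carry 255.
        if hop_limit != 255:
            return ("drop", ND_TYPES[icmp_type] + " with hop limit != 255")
        if icmp_type == ROUTER_ADVERT and customer_facing:
            return ("drop", "RA received from a customer link")
    # Everything else, including destination unreachable, is not filtered.
    return ("accept", "ICMPv6 passed unfiltered")


if __name__ == "__main__":
    for hl, t, cust in [(255, 135, False), (64, 135, False),
                        (255, 134, True), (57, DEST_UNREACH, True)]:
        print(hl, t, cust, verdict(build_packet(hl, t), cust))
```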