Moin,
It advises blocking ICMP Type 137 (Redirect) and Type 138 (Route Renumbering). The other types should not be blocked; however, some prefer to rate limit Echo requests/replies (Type 128 and 129). You may want to rate limit these types of requests to your infrastructure nodes or handle them in the control plane on your nodes.
This is a somewhat good point; there is a somewhat annoying corner-case bug between OpenBSD and Linux that can lead to a bit of a packet storm in even more corner-case-y middle box interactions. The problem is that sending packet-too-big is not rate-limited on Linux; on OpenBSD, there is no rate-limiting of retransmissions. For IPv6 there then is the problem that OpenBSD will retransmit for a packet-too-big signaling the _same_ MTU it already sent a packet for. This means that the OpenBSD box will shell out 'whatever it can' in terms of retransmits, until the connection times out.

I hit this so far in two cases:

- A middle box that slipped in a fragmentation header for 0 fragments into packets, pushing the framesize by 8b, leading to constant packet-too-big messages for 1476b; over the Internet, ~50-100mbit sustained for 30-40m outbound from the OpenBSD system.
- A weird setup where I use iBGP as an IGP with asymmetric routing over an asymmetric MTU path, where the mismatch between overlay and underlay path led to the system ignoring the pkt-too-big messages. That one gave 1gbit (link saturation) sustained.

The problem here is that you imho do not really want to catch this on your core, as that likely can break more than not. But it might be good to watch for repeated pkt-too-big messages between consistent src/dest tuples in one's monitoring, especially if you happen to have a lot of clients.

With best regards,
Tobias

--
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tobias@fiebig.nl
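One way to implement the monitoring check suggested above (repeated packet-too-big messages between the same src/dst pair), as an added example that is not part of the thread: it parses constructed tcpdump-style ICMPv6 lines and flags tuples that repeat a packet-too-big with the same MTU within a short window, which is the retransmit loop described in the mail rather than normal PMTUD. The log format, addresses, window and threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of `tcpdump -n icmp6` output (not a real capture).
SAMPLE_LOG = """\
10:00:00.000000 IP6 2001:db8:1::1 > 2001:db8:2::5: ICMP6, packet too big, mtu 1476, length 1240
10:00:00.200000 IP6 2001:db8:1::1 > 2001:db8:2::5: ICMP6, packet too big, mtu 1476, length 1240
10:00:00.400000 IP6 2001:db8:1::1 > 2001:db8:2::5: ICMP6, packet too big, mtu 1476, length 1240
10:00:00.600000 IP6 2001:db8:1::1 > 2001:db8:2::5: ICMP6, packet too big, mtu 1476, length 1240
10:00:01.000000 IP6 2001:db8:1::1 > 2001:db8:2::5: ICMP6, packet too big, mtu 1476, length 1240
10:00:05.000000 IP6 2001:db8:9::1 > 2001:db8:2::7: ICMP6, packet too big, mtu 1280, length 1240
10:00:08.000000 IP6 2001:db8:1::1 > 2001:db8:2::5: ICMP6, echo request, id 1, seq 1, length 64
"""

PTB_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"ICMP6, packet too big, mtu (?P<mtu>\d+)"
)

def parse_ptb(lines):
    """Yield (timestamp, src, dst, mtu) for each packet-too-big line; other ICMPv6 lines are skipped."""
    for line in lines:
        m = PTB_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            yield ts, m["src"], m["dst"], int(m["mtu"])

def find_ptb_storms(lines, threshold=4, window=timedelta(seconds=10)):
    """Return {(src, dst, mtu): total count} for tuples that repeat the *same* MTU
    at least `threshold` times inside `window`. Healthy PMTUD signals a given MTU
    once per path change; the same value repeated back-to-back is the loop above."""
    events = defaultdict(list)
    for ts, src, dst, mtu in parse_ptb(lines):
        events[(src, dst, mtu)].append(ts)
    storms = {}
    for key, stamps in events.items():
        stamps.sort()
        # Sliding window over timestamps: flag the tuple as soon as one window holds `threshold` hits.
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                storms[key] = len(stamps)
                break
    return storms
```

Feeding real `tcpdump -n icmp6` output through `find_ptb_storms` on a monitoring host is enough to surface the consistent src/dst pairs without touching the forwarding path.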