Hi,

On Sun, Oct 06, 2024 at 11:28:26AM +0200, Michiel Klaver via ipv6-wg wrote:
-----Original message-----
On 05.10.2024 at 21:11:22, Sheikh Md Seum via ipv6-wg wrote:
While going through the deployment procedure I was not able to find any BCP/BCOP regarding how to filter ICMPv6, what standards should be followed.
Don't filter it at all at the ISP level for your customers.
+1
The neighbor discovery packets can't be abused from other links because they will be discarded when they don't have TTL of 255. Make sure you reject RAs from the customers on your PPP links.
Although, inside a link (e.g. on an office network), filtering for certain packages like RA is needed to avoid certain intended or accidental stuff.
Other stuff like the destination unreachable must not be blocked at all.
ICMPv6 isn't a security risk itself.
Well, (in contrast to IPv4, unfortunately) it is. Else RFC 6105, RFC 6980 et al. wouldn't exist.

Some guidance on filtering ICMPv6 in specific situations here:

https://labs.ripe.net/author/enno_rey/local-packet-filtering-with-ipv6/
https://theinternetprotocolblog.wordpress.com/2020/11/28/ipv6-security-best-...

cheers

Enno

-- Regards, Marco
Send unsolicited bulk mail to 1728155482muell@cartoonies.org
-- Enno Rey Cell: +49 173 6745902 Twitter: @Enno_Insinuator IPv6 Blog: https://theinternetprotocolblog.wordpress.com
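The checks named in this thread, written out as an added example that is not part of the original messages: Neighbor Discovery must arrive with Hop Limit 255 (RFC 4861), RAs are rejected on customer-facing ports (the RA Guard idea of RFC 6105), fragmented ND is dropped (RFC 6980), and error messages such as Destination Unreachable always pass. The names `classify`, `build` and `from_customer_port` are hypothetical, the packets are constructed samples, and only the Fragment extension header is parsed.

```python
import struct

ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect (RFC 4861)
RA = 134
NH_FRAGMENT, NH_ICMPV6 = 44, 58        # IPv6 Next Header values

def classify(packet: bytes, from_customer_port: bool) -> str:
    """Return 'permit' or 'drop:<reason>' for one raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop:not-ipv6"
    next_header, hop_limit = packet[6], packet[7]
    offset, fragmented = 40, False
    if next_header == NH_FRAGMENT:
        if len(packet) < 48:
            return "drop:truncated"
        next_header = packet[40]
        if struct.unpack("!H", packet[42:44])[0] >> 3:
            return "permit"            # non-first fragment: no ICMPv6 header to inspect
        offset, fragmented = 48, True
    if next_header != NH_ICMPV6:
        return "permit"                # not ICMPv6, outside this example's scope
    if len(packet) <= offset:
        return "drop:truncated"
    icmp_type = packet[offset]
    if icmp_type in ND_TYPES:
        if fragmented:
            return "drop:nd-fragmented"      # RFC 6980
        if hop_limit != 255:
            return "drop:nd-hop-limit"       # came from off-link, RFC 4861
        if icmp_type == RA and from_customer_port:
            return "drop:ra-from-customer"   # RA Guard behaviour, RFC 6105
    return "permit"                    # errors (types 1-4), echo, etc. are not filtered

def build(icmp_type: int, hop_limit: int, fragment: bool = False) -> bytes:
    """Constructed sample: IPv6 header [+ Fragment header] + minimal ICMPv6 header."""
    icmp = bytes([icmp_type, 0, 0, 0]) + bytes(4)
    ext = bytes([NH_ICMPV6, 0, 0, 1]) + bytes(4) if fragment else b""  # offset 0, M=1
    payload = ext + icmp
    nh = NH_FRAGMENT if fragment else NH_ICMPV6
    src = bytes.fromhex("fe80") + bytes(13) + b"\x01"   # fe80::1
    dst = bytes.fromhex("fe80") + bytes(13) + b"\x02"   # fe80::2
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, hop_limit) + src + dst + payload

if __name__ == "__main__":
    for t, hl, frag, cust in [(134, 255, False, True), (135, 64, False, False), (1, 64, False, True)]:
        print(t, hl, frag, cust, classify(build(t, hl, frag), cust))
```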