Hi,

I recently installed a probe at home, and now my router spits out loads of 'denied icmpv6'-messages. After going through the logs for the last two days, I have ~1900 entries of denies towards the probe -- all of them more or less like this (with different source);

###
Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/4), 8 packets
###

I've got an ACL applied ingress on the link to my ISP, and the relevant part is shown below;

###
ipv6 access-list ipv6-inbound
 sequence 2000 permit icmp any any echo-reply
 sequence 2005 permit icmp any any echo-request
 sequence 2010 permit icmp any any packet-too-big
 sequence 2015 permit icmp any any time-exceeded
 sequence 2020 permit icmp any any destination-unreachable
 sequence 2025 permit icmp any any parameter-problem
 sequence 2100 deny icmp any any log-input
###

This ACL conforms to RFC4890[1] (except the Mobile IPv6 part).

Of the 1900 entries, all of them are ICMPv6 type 1. ~300 of them have the code bit[2] set to 1, and ~1600 of them are set to 4. These are the top sources;

###
367 2001:500:2::C
313 2001:500:2D::D
289 2A01:4F8:130:24A4::13:76
289 2001:500:3::42
196 2A01:4F8:121:30A4::78:15
161 2001:DC3::35
100 2001:7FE::53
 67 2001:7FD::1
 60 2001:500:2F::F
###

All of these are DNS root servers (except those starting with 2A01:4F8, which are some Atlas-thingies).

It seems to me that the Atlas-probe sends quite some amount of ICMPv6-packets to the root DNS-servers (and even Atlas' own boxes), that are being returned with errors. Why does the probe do this, and does it actually rely on these replies?

[1] <http://www.ietf.org/rfc/rfc4890.txt>
[2] <http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xml#icmpv6-parameters-codes-2>

-- 
Joachim
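
The tally described in the post (denied ICMPv6 log entries per source and per type/code) can be reproduced with a short script. This is an added example, not part of the original post: the sample log lines are constructed, and 2001:db8::10 is a placeholder for the probe address.

```python
import ipaddress
import re
from collections import Counter

# ICMPv6 type 1 (Destination Unreachable) code names, per the IANA registry.
UNREACH_CODES = {
    0: "no route to destination", 1: "administratively prohibited",
    2: "beyond scope of source address", 3: "address unreachable",
    4: "port unreachable", 5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}
LOG_RE = re.compile(
    r"%IPV6_ACL-6-ACCESSLOGDP: list (?P<acl>\S+)/(?P<seq>\d+) "
    r"(?P<action>denied|permitted) icmpv6 (?P<src>\S+) \((?P<ifc>[^)]*)\) -> "
    r"(?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<pkts>\d+) packets?"
)
# Constructed sample lines; 2001:db8::10 stands in for the probe address.
SAMPLE = """\
Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102) -> 2001:db8::10 (1/4), 8 packets
Jun 22 2014 22:31:05.101 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2001:500:2::C (Po1.102) -> 2001:db8::10 (1/4), 3 packets
Jun 22 2014 22:36:05.412 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2001:500:2::c (Po1.102) -> 2001:db8::10 (1/1), 1 packet
Jun 22 2014 22:40:17.009 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2001:500:2D::D (Po1.102) -> 2001:db8::10 (1/1), 2 packets
"""

def summarize(text):
    """Return (log entries per source, packets per source, entries per type/code)."""
    entries, packets, kinds = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"] != "denied":
            continue
        # Normalise the address so upper- and lower-case spellings aggregate.
        src = ipaddress.IPv6Address(m["src"]).compressed
        entries[src] += 1
        packets[src] += int(m["pkts"])
        kinds[(int(m["type"]), int(m["code"]))] += 1
    return entries, packets, kinds

def describe(icmp_type, code):
    """Human-readable name for a type/code pair (only type 1 is expanded)."""
    if icmp_type == 1:
        return "destination unreachable: " + UNREACH_CODES.get(code, f"code {code}")
    return f"type {icmp_type} code {code}"

if __name__ == "__main__":
    entries, packets, kinds = summarize(SAMPLE)
    for src, n in entries.most_common():
        print(f"{n:4d} entries {packets[src]:5d} packets  {src}")
    for (t, c), n in kinds.most_common():
        print(f"{n:4d} entries  {describe(t, c)}")
```

Each log entry aggregates several packets, so the per-source packet count can differ noticeably from the per-source entry count.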