On 2014/06/23 23:01, Joachim Tingvold wrote:
> Hi,
>
> I recently installed a probe at home, and now my router spits out loads of 'denied icmpv6' messages.
>
> After going through the logs for the last two days, I have ~1900 entries of denies towards the probe -- all of them more or less like this (with different sources):
>
> ###
> Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/4), 8 packets
> ###
>
> I've got an ACL applied ingress on the link to my ISP, and the relevant part is shown below:
>
> ###
> ipv6 access-list ipv6-inbound
>  sequence 2000 permit icmp any any echo-reply
>  sequence 2005 permit icmp any any echo-request
>  sequence 2010 permit icmp any any packet-too-big
>  sequence 2015 permit icmp any any time-exceeded
>  sequence 2020 permit icmp any any destination-unreachable
>  sequence 2025 permit icmp any any parameter-problem
>  sequence 2100 deny icmp any any log-input
> ###
>
> This ACL conforms to RFC4890[1] (except the Mobile IPv6 part).
>
> Of the 1900 entries, all of them are ICMPv6 type 1. ~300 of them have the code bit[2] set to 1, and ~1600 of them are set to 4.
Type 1, code 4 is port unreachable. That is triggered by UDP traceroute. It would be better not to filter those packets.

Type 1, code 1 means administratively prohibited. It is best to allow that one as well. Or in general, any destination unreachable ICMP.

Though I don't understand why 'sequence 2020 permit icmp any any destination-unreachable' does accept those packets.

Philip
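The tally Joachim did by hand, and the expectation behind Philip's question, as an added example that is not part of the thread: a small Python script that parses %IPV6_ACL-6-ACCESSLOGDP lines, sums packets per ICMPv6 type/code, and runs each logged packet through a first-match model of the ipv6-inbound ACL. The model is an assumption: every ICMP message keyword is taken to match its RFC 4443 type number with any code (so 'destination-unreachable' covers 1/1 and 1/4), which is what the post expects and what the router evidently did not do. The script does not explain the router's behaviour; it only makes the mismatch between the logged verdict and the expected one visible. The log sample is constructed: the first line is the one quoted in the post, the other two use 2001:db8::/32 documentation addresses.

```python
"""Tally ICMPv6 denies from Cisco IPV6_ACL log lines and compare the router's
logged verdict with a first-match model of the ipv6-inbound ACL.
The ACL model (keyword == ICMPv6 type, any code) is an assumption."""
import re
from collections import Counter

# ICMPv6 type numbers (RFC 4443) for the message keywords used in the ACL.
ICMPV6_TYPES = {
    "destination-unreachable": 1,
    "packet-too-big": 2,
    "time-exceeded": 3,
    "parameter-problem": 4,
    "echo-request": 128,
    "echo-reply": 129,
}

# Destination-unreachable codes (RFC 4443 section 3.1), for the tally output.
UNREACHABLE_CODES = {
    0: "no route to destination",
    1: "communication administratively prohibited",
    3: "address unreachable",
    4: "port unreachable",
}

# Model of the posted ACL: (sequence, action, ICMPv6 type or None for any).
# Assumption: a message keyword matches every code of its type.
ACL = [
    (2000, "permit", ICMPV6_TYPES["echo-reply"]),
    (2005, "permit", ICMPV6_TYPES["echo-request"]),
    (2010, "permit", ICMPV6_TYPES["packet-too-big"]),
    (2015, "permit", ICMPV6_TYPES["time-exceeded"]),
    (2020, "permit", ICMPV6_TYPES["destination-unreachable"]),
    (2025, "permit", ICMPV6_TYPES["parameter-problem"]),
    (2100, "deny", None),
]

# Shape of the %IPV6_ACL-6-ACCESSLOGDP message as it appears in the post.
LOG_RE = re.compile(
    r"%IPV6_ACL-6-ACCESSLOGDP: list (?P<acl>[^/\s]+)/(?P<seq>\d+) "
    r"(?P<action>permitted|denied) icmpv6 (?P<src>[0-9A-Fa-f:]+) "
    r"\((?P<ifc>[^)]+)\) -> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample: line 1 is the one quoted in the post, lines 2-3 are made up.
SAMPLE_LOG = """\
Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/4), 8 packets
Jun 22 2014 22:31:05.112 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2001:DB8:1::A (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/1), 1 packet
Jun 22 2014 22:32:40.501 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2001:DB8:2::B (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/4), 3 packets
"""


def parse_log(text):
    """One dict per ACL log line; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("seq", "type", "code", "count"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def tally(entries):
    """Packets per (type, code), summed over all log entries."""
    counts = Counter()
    for e in entries:
        counts[(e["type"], e["code"])] += e["count"]
    return counts


def describe(counts):
    """Human-readable tally, most-hit (type, code) first."""
    lines = []
    for (t, c), n in counts.most_common():
        name = UNREACHABLE_CODES.get(c, "unknown code") if t == 1 else "type %d" % t
        lines.append("type %d code %d (%s): %d packets" % (t, c, name, n))
    return lines


def evaluate(acl, icmp_type):
    """First-match evaluation; an IOS ACL ends in an implicit deny."""
    for seq, action, t in acl:
        if t is None or t == icmp_type:
            return seq, action
    return None, "deny"


def audit(entries, acl=ACL):
    """Compare the router's logged (sequence, verdict) with the model's for each entry."""
    findings = []
    for e in entries:
        seq, action = evaluate(acl, e["type"])
        findings.append({
            "src": e["src"], "type": e["type"], "code": e["code"],
            "router": (e["seq"], e["action"]),
            "model": (seq, action),
            "mismatch": (seq, action) != (e["seq"], e["action"]),
        })
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for line in describe(tally(entries)):
        print(line)
    for f in audit(entries):
        note = "  <-- model expects sequence %s" % f["model"][0] if f["mismatch"] else ""
        print("%s %d/%d router=%s%s" % (f["src"], f["type"], f["code"], f["router"], note))
```

Run it against the real log (`show logging` output piped into `parse_log`) to get the same type/code breakdown Joachim reports; any entry flagged as a mismatch is one where, under the assumed keyword semantics, sequence 2020 should have permitted the packet before it ever reached the logging deny.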