RFC 4890: Recommendations for Filtering ICMPv6 Mess...
RFC-Ref

destination



... router on the local link for the destination address or pointing out that a destination is actually on the local link ...
... link for the destination address or pointing out that a destination is actually on the local link even if it is not obvious from the IP address ...
... addresses in ICMPv6 packets as well as the specific source and destination addresses. Compared with the corresponding IPv4 protocol ...


... ICMPv6 messages are sent using various kinds of source and destination address types and scopes. The source address is usually a unicast address ...
... RFC3590]. The destination address can be either a well-known multicast address, ...
... address resolution messages are solely for local communications [RFC2461], whereas the Destination Unreachable messages are any-to-end in nature. Generally, end-to-end ...
... ICMPv6 messages used in local communications may contravene the usual rules requiring compatible scopes for source and destination addresses. ...


... almost any location in the wider Internet, and these messages may occur as a result of the first message sent to a destination. Establishing security associations with all possible sources of ...
... ways, including simply sending excessive numbers of ICMPv6 packets to destinations in the site and sending error messages that disrupt established communications by causing sessions ...


... (link-local, global unicast, etc.) of source and destination addresses. In some cases, it may be desirable to filter on the Code field of ICMPv6 error messages ...
... ICMPv6 error messages. If the embedded packet has a source address that does not match the destination of the error message, the packet can be dropped. This provides a partial defense ...
... attacks on TCP that use spoofed ICMPv6 error messages, but the checks can also be carried out at the destination. For further information on these attacks see [ICMP-ATTACKS ...
... ICMP-ATTACKS]. In general, the scopes of source and destination addresses of ICMPv6 messages should be matched, and packets with mismatched addresses ...
... communications on the local link will be sent with link-local addresses for at least one of their source and destination. Routers conforming to the IPv6 ...
... to drop out-of-specification packets of these types. If they have non-link-local source and destination addresses, allowing them to traverse the firewall/router ...
... firewall/router, they would be rejected because of the checks performed at the destination. Again, firewall administrators ...
... maintenance of communications: o Destination Unreachable (Type 1) - All codes o Packet Too Big (Type 2) ...
... link. During normal operations, these messages will have destination addresses, mostly link local but in some cases global unicast ...
... a multicast site scope or site local destination being forwarded across a site boundary provided these are correctly configured. Since site local addresses ...
... maintenance of communications: o Destination Unreachable (Type 1) - All codes o Packet Too Big (Type 2) ...
... As discussed in Section 4.3.1, dropping connectivity checking messages will prevent the firewall being the destination of a Teredo tunnel and it is not considered necessary to disable connectivity ...


... A.1. Destination Unreachable Error Message ...
... Destination Unreachable (Type 1) error messages [RFC4443] are sent ...
... congestion. Destination Unreachable messages are useful for debugging, but are also important to speed up cycling through possible addresses, as ...
... part of the process of establishing or maintaining communications. It is a common practice in IPv4 to refrain from generating ICMP Destination Unreachable messages in an attempt to hide the networking topology and/or service ...
... RFC3041]. If policy allows the generation of ICMPv6 Destination Unreachable messages, it is important that nodes provide the correct reason code, one of: no route ...
... nodes provide the correct reason code, one of: no route to destination, administratively prohibited, beyond scope of source address, address ...
... source address failed ingress/egress policy, or reject route to destination. ...
... node. o Code 1 messages are generated at the destination node and sent end-to-end ...
... Code 0 messages can be needed as part of the establishment of communications if the path to a particular destination requires an unusually large number of hops. ...
... The great majority of Parameter Problem (Type 4) error messages will be generated by the destination node when processing destination ...
... be generated by the destination node when processing destination options and other extension headers, and hence are sent end-to-end ...
... hop option is included or from any routing waypoint if there are faulty or unrecognized destination options associated with a Type 0 routing header. In these cases, the message will be sent any-to-end ...
... routing header. In these cases, the message will be sent any-to-end using unicast source and destination addresses. Parameter Problem Code 1 (Unrecognized Next Header ...
... IPv6 Option) messages may result if a node on the path (usually the destination) is unable to process a correctly formed extension header or option. If these messages are not returned to ...
... extension header or option. If these messages are not returned to the source, communication cannot be established, as the source would need to adapt its choice of options probably because the destination does not implement these capabilities. Hence, these messages need to be generated and allowed for effective IPv6 communications ...
... Code 2 messages, only, can be generated for packets with multicast destination addresses. It is possible that attackers ...
... end-to-end and would have a unicast address as destination and either a unicast or anycast address as source. They are mainly used in combination for ...
... Note that the address scopes of the source and destination addresses on Neighbor Solicitations and Neighbor ...
... Address Discovery Reply and ICMP Mobile Prefix Advertisement messages. It may be desirable to limit the destination addresses for the incoming messages to links that are known to support home agents ...


... echo replies which have a multicast address as a # destination ip6tables -A icmpv6-filter ...
... echo-reply -j DROP # DESTINATION UNREACHABLE ERROR MESSAGES # ====================================== ...
... STATE_ENABLED" -eq "1"] then # Allow incoming destination unreachable messages # only for existing sessions ...
... state ESTABLISHED,RELATED --icmpv6-type \ destination-unreachable -j ACCEPT done else ...
... done else # Allow incoming destination unreachable messages for inner_prefix in $INNER_PREFIXES ...
... prefix \ --icmpv6-type destination-unreachable -j ACCEPT done fi ...
... fi # Allow outgoing destination unreachable messages for inner_prefix in $INNER_PREFIXES ...
... prefix \ --icmpv6-type destination-unreachable -j ACCEPT done ...


