... sessions to remote nodes. This means that overly aggressive
filtering of ICMPv6 by firewalls may have a detrimental effect on the
...
... security policies.
In general, Internet Service Providers should not filter ICMPv6
messages transiting their sites so that all the necessary
communication elements ...
... elements are available to their customers to decide and
filter according to their policy.
Readers familiar with ICMPv6 can skip to the recommended filtering
rules in Section 4 and an example configuration script for Linux
Netfilter in Appendix B.
...
... context
rather than end-to-end, and filters need to be concerned with the
type of addresses in ICMPv6 ...
... network. This
means that firewall filters for ICMPv6 have to be more carefully
configured than was the case for ICMP ...
... IPv6 communications.
The filtering rules for the various message roles will generally be
different.
...
...
This memo recommends filtering configurations for firewalls designed
to minimize the security vulnerabilities ...
... ICMPv6-based attacks. The most common way
of doing this is to establish strict filtering policies in site
firewalls to limit the unauthenticated ICMPv6 messages ...
... Internet. This makes control of
ICMPv6 filtering a delicate balance between protecting the site by
dropping some of the ICMPv6 traffic ...
... SEND
affects only link-local messages and does not limit the filtering
that firewalls can apply, and its role ...
... encapsulated IP packets in ICMPv6
error messages. This problem can be alleviated by filtering ICMPv6
errors using a deep packet inspection mechanism to ensure that the
packet carried as a payload ...
... Filtering Recommendations ...
...
When designing firewall filtering rules for ICMPv6, the rules can be
divided into two classes ...
...
This section suggests some common considerations that should be borne
in mind when designing filtering rules and then categorizes the rules
for each class. The categories are:
...
... link-local, global unicast, etc.) of source and destination
addresses. In some cases, it may be desirable to filter on the Code
field of ICMPv6 error messages.
...
... port scanning in an IPv6 network are much
less severe, and it is not necessary to filter IPv6 Echo Request
...
... interfaces on the local link. No special action is
needed to filter messages with link-local addresses in a firewall/
...
... global unicast addresses. Should this happen, it will be
essential to explicitly filter these messages at site boundaries. If
a site has internal as well as boundary firewalls ...
... authenticated using IPsec, so it
is not essential to filter these messages even if they are not
allowed at the firewall/router ...
... to control their behavior with respect to Redirect messages so that
it should only be necessary to install specific filtering rules under
special circumstances, such as if Redirect messages are accepted on
...
... service on the node if it is not
wanted, in which case these messages will be ignored and no filtering
is necessary.
...
... Security Overview document,
which contained suggestions for ICMPv6 filter setups. This
information has been incorporated into this document. He has also
provided important comments. Some analysis of the classification of
...
... This appendix contains an example script to implement most of the
rules suggested in this document when using the Netfilter packet
filtering system for Linux [netfilter]. When used with IPv6, the
'ip6tables' command is used to configure packet filtering rules for
the Netfilter system. The script is targeted at a simple enterprise
site that may or may not support Mobile IPv6 ...
... firewalls that are routers.
export FILTER_LINK_LOCAL_ADDRS=0
# Configuration option: Change this to 0 if the site does not support
...
... Redirect messages both incoming and outgoing
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type redirect -j DROP
...
... queries (139) and replies (140)
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 139 -j DROP
...
