security
... hand, allowing indiscriminate passage of all ICMPv6 messages can be a
major security risk. This document recommends a set of rules that
seek to balance effective IPv6 communication against the needs of
site security.
In a few cases, the appropriate rules will depend on whether the
...
... where it is relevant. It also notes some situations where
alternative rules could be adopted according to the nature of the
work being carried out on the site and consequent security policies.
In general, Internet Service Providers should not filter ...
... Security Considerations ...
... filtering configurations for firewalls designed
to minimize the security vulnerabilities that can arise in using the
many different sub-protocols of ICMPv6 in support of IPv6
communication ...
... occur as a result of the first message sent to a destination.
Establishing security associations with all possible sources of
ICMPv6 messages is therefore impossible.
The inability to establish security associations to protect some
messages that are needed to establish and maintain communications
means that alternative means have to be used to reduce the
...
... SEND [RFC3971] has been specified as a means to improve the security
of local ICMPv6 communications. SEND sidesteps security association
bootstrapping problems that would result if IPsec was used. SEND ...
... that firewalls can apply, and its role in security is therefore not
discussed further in this document.
...
... Firewalls will normally be used to monitor ICMPv6 to control the
following security concerns:
...
...
A major security consideration is preventing attackers from probing
the site to determine the topology ...
... Redirect messages is worth the risk of
malicious use. Factors to consider include the physical security of
the link and the complexity of addressing ...
... wireless link, redirection would be a serious hazard due
to the lack of physical security. On the other hand, with a wired
link in a secure building with complex addressing ...
... checking in IPv6 networks because port scanning is less of a security
risk.
There are a number of other sets of messages that play a role ...
...
Redirect messages provide a significant security risk, and
administrators should take a case-by-case approach to whether
...
... Pekka Savola created the original IPv6 Security Overview document,
which contained suggestions for ICMPv6 filter ...
... router. Although they can be used to make communications more
efficient, they are not essential to the establishment of
communications and may be a security vulnerability, particularly if a
link is not physically secured. Conformant nodes ...
... processes. However, administrators may wish to disallow forwarding
of these incoming messages as a potential security risk. Unknown
outgoing Error messages should be dropped as the administrator ...
