mohacsi at niif
May 31, 2012, 8:08 AM
Re: Icmp access lists on dhcp-pd deployments
On Thu, 31 May 2012, Seth Mos wrote:
> Op 31-5-2012 15:58, SM schreef:
>> Hi Seth,
>> At 22:56 30-05-2012, Seth Mos wrote:
>>> As a pfSense developer I've already seen a few of our 2.1 development
>>> installs in the field on DHCP-PD connections. Be it DHCP6 on PPPoE or
>>> on ethernet.
>>> What I'm seeing is that ICMP6 (echo) is allowed to the internet but I
>>> can't actually ping the link-local address of the default gateway.
>>> Is this something that could be worked into a RFC so that users can
>>> always verify that their default gateway works? It seems highly
>>> counterintuitive to block ICMP6 for a link that you know belongs to
>>> your client and own network.
>> RFC 4890 provides some recommendations about filtering ICMPv6 messages
>> in firewalls. There is a discussion of ICMPv6 Echo in that document.
>> Does it address the above?
> I think it does, but they mention echo and reply separate from the router
> advertisements and solicits.
> They do not explicitly cover the case of ICMP6 echo/reply on link-local
> addressing, although section 4.4 "Recommendations for ICMPv6 Local
> Configuration Traffic" says this:
> "4.4.1. Traffic That Must Not Be Dropped
> Error messages that are essential to the establishment and
> maintenance of communications:
> o Destination Unreachable (Type 1) - All codes
> o Packet Too Big (Type 2)
> o Time Exceeded (Type 3) - Code 0 only
> o Parameter Problem (Type 4) - Codes 1 and 2 only
> Connectivity checking messages:
> o Echo Request (Type 128)
> o Echo Response (Type 129)
> As discussed in Section 4.3.1,"
> I would think that covers link-local traffic, so that makes me wonder why an
> ISP would find blocking this necessary.
Yes. You should ask the ISP.
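As an added illustration (not code from the thread or from RFC 4890 itself): a small Python check that encodes only the part of section 4.4.1 quoted above, the error and connectivity-checking messages, and applies it to constructed sample packets; the full section also lists other local traffic such as Neighbor Discovery, which this table deliberately omits.

```python
import ipaddress
import struct

# RFC 4890 section 4.4.1 entries quoted in the thread: type -> allowed codes (None = all codes).
MUST_NOT_DROP = {
    1: None,     # Destination Unreachable, all codes
    2: None,     # Packet Too Big
    3: {0},      # Time Exceeded, code 0 only
    4: {1, 2},   # Parameter Problem, codes 1 and 2 only
    128: None,   # Echo Request
    129: None,   # Echo Response
}
IPV6_HEADER_LEN = 40
NEXT_HEADER_ICMPV6 = 58

def must_not_drop(icmp_type: int, icmp_code: int) -> bool:
    """True if the quoted portion of RFC 4890 4.4.1 says this message must not be dropped."""
    codes = MUST_NOT_DROP.get(icmp_type, False)
    if codes is False:
        return False
    return codes is None or icmp_code in codes

def parse_icmpv6(packet: bytes):
    """Return (src, dst, type, code) from a raw IPv6 packet carrying ICMPv6 with no extension headers."""
    if len(packet) < IPV6_HEADER_LEN + 4:
        raise ValueError("packet too short")
    if packet[0] >> 4 != 6 or packet[6] != NEXT_HEADER_ICMPV6:
        raise ValueError("not a plain IPv6/ICMPv6 packet")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return src, dst, packet[40], packet[41]

def classify(packet: bytes) -> str:
    """Label a packet by address scope and by whether the quoted 4.4.1 list protects it."""
    src, dst, t, c = parse_icmpv6(packet)
    scope = "link-local" if src.is_link_local and dst.is_link_local else "global"
    verdict = "must-not-drop" if must_not_drop(t, c) else "not-in-4.4.1-list"
    return f"{scope} type={t} code={c}: {verdict}"

def build_packet(src: str, dst: str, icmp_type: int, icmp_code: int) -> bytes:
    """Constructed sample packet: minimal IPv6 header + 4-byte ICMPv6 header (checksum left zero)."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, 4, NEXT_HEADER_ICMPV6, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + bytes([icmp_type, icmp_code, 0, 0])

if __name__ == "__main__":
    # The case from the thread: echo request to a link-local default gateway.
    print(classify(build_packet("fe80::1", "fe80::2", 128, 0)))
    print(classify(build_packet("2001:db8::1", "2001:db8::2", 3, 1)))
```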