Mailing List Archive: nsp: ipv6

Icmp access lists on dhcp-pd deployments

Index | Next | Previous | View Threaded

seth.mos at dds

May 30, 2012, 10:56 PM

Post #1 of 9 (443 views)
Permalink

Icmp access lists on dhcp-pd deployments

Hi,

As a pfSense developer I've already seen a few of our 2.1 development installs in the field on DHCP-PD connections. Be it DHCP6 on PPPoE or on ethernet.

What I'm seeing is that ICMP6 (echo) is allowed to the internet but I can't actually ping the link-local address of the default gateway.

Is this something that could be worked into a RFC so that users can always verify that their default gateway works? It seems highly counter intuitive to block ICMP6 for a link that you know belongs to your client and own network.

Surely it must be something as simple as a erronous acl that does allow all traffic from the registered prefix, but not the fe80::/10 which could be on any interface.

I was wondering if many more people seeing this behaviour.

On another note, I'm also seeing this on 6rd relays. For example, the Charter 6rd relay does not respond to ICMP6 and as such you don't know if it works. I mean, it can't really be their intention that we all ping6 ipv6.google.com to see if our connection works? That seems silly.

On IPv4 I have always been able to ping my default gateway on any ISP. Why block this now. Oh wait, maybe that's why pmtu doesn't work.

Cheers,

Seth

lists at quux

May 31, 2012, 12:59 AM

Post #2 of 9 (428 views)
Permalink

Re: Icmp access lists on dhcp-pd deployments [In reply to]

Seth Mos <seth.mos [at] dds> writes:

> What I'm seeing is that ICMP6 (echo) is allowed to the internet but I
> can't actually ping the link-local address of the default gateway.

You did specify the outgoing interface? Or do you mean there is a filter
on the provider side?

Here (Linux as Host and a Fritzbox as default gateway):

----
jens [at] pc:~$ ip -6 route show | grep default
default via fe80::be05:43ff:fea8:85ea dev eth0 proto kernel metric
1024 expires 1695sec mtu 1280 hoplimit 255
jens [at] pc:~$ ping6 -I eth0 fe80::be05:43ff:fea8:85ea
PING fe80::be05:43ff:fea8:85ea(fe80::be05:43ff:fea8:85ea) from
fe80::3e4a:92ff:fe74:4a7a eth0: 56 data bytes
64 bytes from fe80::be05:43ff:fea8:85ea: icmp_seq=1 ttl=64 time=0.409 ms
----

Jens
--
-------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink [at] guug | ------------------- |
-------------------------------------------------------------------------

seth.mos at dds

May 31, 2012, 1:25 AM

Post #3 of 9 (431 views)
Permalink

Re: Icmp access lists on dhcp-pd deployments [In reply to]

Op 31-5-2012 9:59, Jens Link schreef:
> Seth Mos<seth.mos [at] dds> writes:
>
>> What I'm seeing is that ICMP6 (echo) is allowed to the internet but I
>> can't actually ping the link-local address of the default gateway.

Ah, sorry for the confusion, the gateway I am referring to is the *ISP*
gateway. Not on the lan.

Why would the ISP block link-local on the link to the customer on
purpose? That just invalidates all level 1 debugging to see if the
connection works. Ehn?

> You did specify the outgoing interface? Or do you mean there is a filter
> on the provider side?

There is a filter on the provider side. I sent a message earlier about
6to4 relays not replying to ICMP6 too.

It's not limited to 6to4 though, the 6rd Relay from Charter does not
respond to the gateway address either. But you can ping ipv6.google.com.
That's just broke.

> Here (Linux as Host and a Fritzbox as default gateway):

Yeah, so far, all the other CPE I ran into just replies to icmp on the
link-local.

Regards,

Seth

mohacsi at niif

May 31, 2012, 5:38 AM

Post #4 of 9 (420 views)
Permalink

Re: Icmp access lists on dhcp-pd deployments [In reply to]

On Thu, 31 May 2012, Seth Mos wrote:

> Op 31-5-2012 9:59, Jens Link schreef:
>> Seth Mos<seth.mos [at] dds> writes:
>>
>>> What I'm seeing is that ICMP6 (echo) is allowed to the internet but I
>>> can't actually ping the link-local address of the default gateway.
>
> Ah, sorry for the confusion, the gateway I am referring to is the *ISP*
> gateway. Not on the lan.
>
> Why would the ISP block link-local on the link to the customer on purpose?
> That just invalidates all level 1 debugging to see if the connection works.
> Ehn?

Probably they overreacted the security problems. In my environment:

root [at] OpenWr:~# ping6 -I eth1 FE80::220:10FF:FEAB:7D00
PING FE80::224:14FF:FEAB:7D00 (fe80::224:14ff:feab:7d00): 56 data bytes
64 bytes from fe80::220:10ff:feab:7d00: seq=0 ttl=64 time=18.728 ms
64 bytes from fe80::220:10ff:feab:7d00: seq=1 ttl=64 time=10.667 ms
64 bytes from fe80::220:10ff:feab:7d00: seq=2 ttl=64 time=10.912 ms
64 bytes from fe80::220:10ff:feab:7d00: seq=3 ttl=64 time=8.662 ms
64 bytes from fe80::220:10ff:feab:7d00: seq=4 ttl=64 time=10.183 ms
64 bytes from fe80::220:10ff:feab:7d00: seq=5 ttl=64 time=19.869 ms
^C
--- FE80::220:10FF:FEAB:7D00 ping statistics ---

Best Regards,
Janos Mohacsi

sm at resistor

May 31, 2012, 6:58 AM

Post #5 of 9 (418 views)
Permalink

Re: Icmp access lists on dhcp-pd deployments [In reply to]

Hi Seth,
At 22:56 30-05-2012, Seth Mos wrote:
>As a pfSense developer I've already seen a few of our 2.1
>development installs in the field on DHCP-PD connections. Be it
>DHCP6 on PPPoE or on ethernet.
>
>What I'm seeing is that ICMP6 (echo) is allowed to the internet but
>I can't actually ping the link-local address of the default gateway.
>
>Is this something that could be worked into a RFC so that users can
>always verify that their default gateway works? It seems highly
>counter intuitive to block ICMP6 for a link that you know belongs to
>your client and own network.

RFC 4890 provides some recommendations about filtering ICMPv6
messages in firewalls. There is a discussion of ICMPv6 Echo in that
document. Does it address the above?

Regards,
-sm

seth.mos at dds

May 31, 2012, 7:29 AM

Post #6 of 9 (414 views)
Permalink

Re: Icmp access lists on dhcp-pd deployments [In reply to]

Op 31-5-2012 15:58, SM schreef:
> Hi Seth,
> At 22:56 30-05-2012, Seth Mos wrote:
>> As a pfSense developer I've already seen a few of our 2.1 development
>> installs in the field on DHCP-PD connections. Be it DHCP6 on PPPoE or
>> on ethernet.
>>
>> What I'm seeing is that ICMP6 (echo) is allowed to the internet but I
>> can't actually ping the link-local address of the default gateway.
>>
>> Is this something that could be worked into a RFC so that users can
>> always verify that their default gateway works? It seems highly
>> counter intuitive to block ICMP6 for a link that you know belongs to
>> your client and own network.
>
> RFC 4890 provides some recommendations about filtering ICMPv6 messages
> in firewalls. There is a discussion of ICMPv6 Echo in that document.
> Does it address the above?

I think it does, but they mention echo and reply seperate from the
router advertisements and solicits.

They do not explicitly cover the case of ICMP6 echo/reply on link-local
addressing, although section 4.4 "Recommendations for ICMPv6 Local
Configuration Traffic" says this:

"4.4.1. Traffic That Must Not Be Dropped

Error messages that are essential to the establishment and
maintenance of communications:

o Destination Unreachable (Type 1) - All codes
o Packet Too Big (Type 2)
o Time Exceeded (Type 3) - Code 0 only
o Parameter Problem (Type 4) - Codes 1 and 2 only

Connectivity checking messages:

o Echo Request (Type 128)
o Echo Response (Type 129)

As discussed in Section 4.3.1,"

I would think that covers link-local traffic, so that makes me wonder
why a ISP would find blocking this neccesary.

Regards,

Seth

mohacsi at niif

May 31, 2012, 8:08 AM

Post #7 of 9 (413 views)
Permalink

Re: Icmp access lists on dhcp-pd deployments [In reply to]

On Thu, 31 May 2012, Seth Mos wrote:

> Op 31-5-2012 15:58, SM schreef:
>> Hi Seth,
>> At 22:56 30-05-2012, Seth Mos wrote:
>>> As a pfSense developer I've already seen a few of our 2.1 development
>>> installs in the field on DHCP-PD connections. Be it DHCP6 on PPPoE or
>>> on ethernet.
>>>
>>> What I'm seeing is that ICMP6 (echo) is allowed to the internet but I
>>> can't actually ping the link-local address of the default gateway.
>>>
>>> Is this something that could be worked into a RFC so that users can
>>> always verify that their default gateway works? It seems highly
>>> counter intuitive to block ICMP6 for a link that you know belongs to
>>> your client and own network.
>>
>> RFC 4890 provides some recommendations about filtering ICMPv6 messages
>> in firewalls. There is a discussion of ICMPv6 Echo in that document.
>> Does it address the above?
>
> I think it does, but they mention echo and reply seperate from the router
> advertisements and solicits.
>
> They do not explicitly cover the case of ICMP6 echo/reply on link-local
> addressing, although section 4.4 "Recommendations for ICMPv6 Local
> Configuration Traffic" says this:
>
> "4.4.1. Traffic That Must Not Be Dropped
>
> Error messages that are essential to the establishment and
> maintenance of communications:
>
> o Destination Unreachable (Type 1) - All codes
> o Packet Too Big (Type 2)
> o Time Exceeded (Type 3) - Code 0 only
> o Parameter Problem (Type 4) - Codes 1 and 2 only
>
> Connectivity checking messages:
>
> o Echo Request (Type 128)
> o Echo Response (Type 129)
>
> As discussed in Section 4.3.1,"
>
> I would think that covers link-local traffic, so that makes me wonder why a
> ISP would find blocking this neccesary.

Yes. You should ask the ISP.
Best Regards,
Janos Mohacsi

sm at resistor

May 31, 2012, 9:02 AM

Post #8 of 9 (423 views)
Permalink

Re: Icmp access lists on dhcp-pd deployments [In reply to]

At 07:29 31-05-2012, Seth Mos wrote:
>They do not explicitly cover the case of ICMP6 echo/reply on
>link-local addressing, although section 4.4 "Recommendations for
>ICMPv6 Local Configuration Traffic" says this:

[snip]

>I would think that covers link-local traffic, so that makes me
>wonder why a ISP would find blocking this neccesary.

From man(8) iptables:

"This target is used to overcome criminally braindead ISPs or servers
which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
packets."

Maybe the blocking is an oversight or some default ACL being
applied. It is, as you said, counter intuitive.

Regards,
-sm

mjl at luckie

May 31, 2012, 9:02 AM

Post #9 of 9 (417 views)
Permalink

Re: Icmp access lists on dhcp-pd deployments [In reply to]

> What I'm seeing is that ICMP6 (echo) is allowed to the internet but
> I can't actually ping the link-local address of the default gateway.

I have seen something similar, which maybe the root cause. Some
systems do not reply to a neighbour solicitation if it is directed to
a link-local address on the system.

http://www.ietf.org/mail-archive/web/ipv6/current/msg15927.html

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads