nanog mailing list archives
Re: IPv6 filtering
From: "Mark D. Nagel" <mnagel () willingminds com>
Date: Tue, 25 Jan 2011 21:49:12 -0800
On 1/25/2011 9:25 PM, Owen DeLong wrote:
> DO NOT filter IPv6 ICMP like you filter IPv4. If you do, you will break PMTU-Discovery, Neighbor Discovery, and RA/SLAAC, all of which depend on ICMPv6.
This can bite you in unexpected ways, too. For example, on a Cisco ASA, if you add a system-level 'icmpv6 permit' line and if this does not include ND, then you break ND responses to the ASA. This is much unlike ARP, which is unaffected by 'icmp permit' statements for IPv4. And, the default with no such lines is to permit all ICMP/ICMPv6 to the ASA. This seems so obvious in retrospect, but at the time was a bit of a head-scratcher.

Mark

--
Mark D. Nagel, CCIE #3177 <mnagel () willingminds com>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 949-623-9854
*** Please send support requests to support () willingminds com! ***
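The failure mode described in this message, as an added example that is not part of the original post or any vendor's code: a small checker that reports which ICMPv6-dependent functions a permit list would break. The rule format is hypothetical (not ASA syntax), and the "empty list permits all, otherwise unmatched types are denied" logic is an assumption modelled on the behaviour the post describes.

```python
# Added example: a simplified model, not Cisco ASA syntax or code.
# ICMPv6 type numbers are from RFC 4443 and RFC 4861.
REQUIRED = {
    "PMTU Discovery": {2},              # Packet Too Big
    "Neighbor Discovery": {135, 136},   # Neighbor Solicitation / Advertisement
    "RA/SLAAC": {133, 134},             # Router Solicitation / Advertisement
}


def permitted(rules, icmp_type):
    """Evaluate one ICMPv6 type against an ordered rule list.

    rules: list of (action, types); types is a set of ints, or None for "any".
    An empty list permits everything (the default the post describes).
    Otherwise the first match wins and unmatched types are denied.
    """
    if not rules:
        return True
    for action, types in rules:
        if types is None or icmp_type in types:
            return action == "permit"
    return False


def broken_functions(rules):
    """Return {function name: [blocked ICMPv6 types]} for a rule list."""
    report = {}
    for name, types in REQUIRED.items():
        blocked = sorted(t for t in types if not permitted(rules, t))
        if blocked:
            report[name] = blocked
    return report


# Constructed rule lists (hypothetical format).
NO_RULES = []
ECHO_ONLY = [("permit", {128, 129})]                 # echo request/reply only
ECHO_PLUS_ND = [("permit", {128, 129}), ("permit", {135, 136})]
FULL = ECHO_PLUS_ND + [("permit", {2, 133, 134})]

if __name__ == "__main__":
    for label, rules in [("no rules", NO_RULES), ("echo only", ECHO_ONLY),
                         ("echo + ND", ECHO_PLUS_ND), ("full", FULL)]:
        print(f"{label}: {broken_functions(rules) or 'nothing broken'}")
```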