nanog mailing list archives
Re: G root servers unreachable via ICMP(v6)
From: William Herrin <bill () herrin us>
Date: Mon, 15 May 2023 21:41:48 -0700
On Mon, May 15, 2023 at 8:38 PM Willy Manga <mangawilly () gmail com> wrote:
Side question: even if it was by design, is it a good practice to completely restrict ICMP(v6)?
Answering only your side question: there's a difference between completely restricting ICMPv6 and restricting echo-request. Restricting echo-request is more or less harmless. You deny troubleshooters insight into your system, but that's a wash because you deny hackers the same thing. And if you're popular enough to be a target for "am I connected to the Internet right now" probes and don't want to be, restricting it is not the worst idea. Restricting all ICMPv6 is disastrous. Similar to IPv4, machines running IPv6 require ICMPv6 packet-too-big messages to successfully implement path MTU discovery. Without them, many protocols do not work reliably. This includes TCP. Regards, Bill Herrin -- William Herrin bill () herrin us https://bill.herrin.us/
Current thread:
- G root servers unreachable via ICMP(v6) Willy Manga (May 15)
- Re: G root servers unreachable via ICMP(v6) William Herrin (May 15)
- Re: G root servers unreachable via ICMP(v6) Robert Kisteleki (May 16)
- Re: G root servers unreachable via ICMP(v6) Lukas Tribus (May 16)
- Re: G root servers unreachable via ICMP(v6) borg (May 16)
- Re: G root servers unreachable via ICMP(v6) Christopher Morrow (May 16)
- Re: G root servers unreachable via ICMP(v6) William Herrin (May 16)
- Re: G root servers unreachable via ICMP(v6) Christopher Morrow (May 16)
- Re: G root servers unreachable via ICMP(v6) William Herrin (May 16)
- Re: G root servers unreachable via ICMP(v6) Christopher Morrow (May 16)
- Re: G root servers unreachable via ICMP(v6) Christopher Morrow (May 16)
- Re: G root servers unreachable via ICMP(v6) Steve Sullivan (May 16)