Hi, On Sun, Oct 06, 2024 at 11:28:26AM +0200, Michiel Klaver via ipv6-wg wrote: > > http://shouldiblockicmp.com/ > > > -----Original message----- > Am 05.10.2024 um 21:11:22 Uhr schrieb Sheikh Md Seum via ipv6-wg: > > > While going through the deployment procedure I was not able to find > > any BCP/BCOP regarding how to filter ICMPv6, what standards should be > > followed. > > Don't filter it at all at the ISP level for your customers.
+1 > > The neighbor discovery packets can't be abused from other links because > they will be discarded when they don't have TTL of 255. > Make sure you reject RAs from the customers on your PPP links. > > Although, inside a link (e.g. on a office network), filtering for > certain packages like RA is needed to avoid certain intended or > accidental stuff. > > Other stuff like the destination unreachable must not be blocked at all. > > ICMPv6 isn't a security risk itself. Well, (in contrast to IPv4, unfortunately) it is. Else RFC 6105, RFC 6980 et al. wouldn't exist. Some guidance on filtering ICMPv6 in specific situations here: https://labs.ripe.net/author/enno_rey/local-packet-filtering-with-ipv6/ https://theinternetprotocolblog.wordpress.com/2020/11/28/ipv6-security-best-practices/ cheers Enno > > -- > Gruß > Marco > > Send unsolicited bulk mail to [email protected] > > ----- > To unsubscribe from this mailing list or change your subscription options, > please visit: https://mailman.ripe.net/mailman3/lists/ipv6-wg.ripe.net/ > As we have migrated to Mailman 3, you will need to create an account with the > email matching your subscription before you can change your settings. > More details at: https://www.ripe.net/membership/mail/mailman-3-migration/ -- Enno Rey Cell: +49 173 6745902 Twitter: @Enno_Insinuator IPv6 Blog: https://theinternetprotocolblog.wordpress.com ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/ipv6-wg.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
