This RIPE Security PDF is also a good starting point: https://www.ripe.net/media/documents/IPv6Security-Slides.pdf

It advises blocking ICMP Type 137 (Redirect) and Type 138 (Route Renumbering). The other types should not be blocked; however, some prefer to rate limit Echo requests/replies (Type 128 and 129). You may want to rate limit these types of requests to your infrastructure nodes or handle them in the control plane on your nodes.

Additionally, at the ISP level, you could implement some ingress ACLs such as:

 * Block everything to documentation address space (RFC3849):
   deny ipv6 any 2001:db8::/32 icmp-off

 * Block everything to benchmarking address space (RFC5180):
   deny ipv6 any 2001:2::/48 icmp-off

 * Block everything to Automatic Multicast Tunneling (RFC7450):
   deny ipv6 any 2001:3::/32 icmp-off

 * Block everything to deprecated ORCHID/ORCHIDv2 (RFC4843/RFC7343):
   deny ipv6 any 2001:10::/28 icmp-off
   deny ipv6 any 2001:20::/28 icmp-off

 * Block Router Advertisements (RAs):
   deny icmpv6 any any router-advertisement icmp-off

 * Allow everything else from locally connected internet customers to
   the IPv6 global unicast space (as a rudimentary/coarse
   anti-source-IP spoofing measure):
   permit ipv6 <YOUR IPv6 space> 2000::/3

I think there are some more you could block, but always be sure you know what's in your filters and change them according to your network requirements.

In addition, it's recommended to implement anti-spoofing protection at the ISP level. Only allow traffic from your customers originating from the IP space they were assigned via DHCPv6 or PPPoE.

Rinse
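Added example (my own, not any poster's ACLs): a small Python reference model of the customer-facing ingress policy listed above, plus the hop-limit-255 rule for Neighbor Discovery that comes up further down the thread, so the ordering of the rules and their interaction (bogon destinations, RA and Redirect drops, echo rate limiting, anti-spoofing, the final permit to 2000::/3) can be checked offline before they are typed into a real box. Everything in it is constructed: the customer prefix 2001:db8:1000::/36, the echo limit of 5 packets/s with a burst of 10, the sample packets, and the external destination 3fff:1::1 (from 3fff::/20, the RFC 9637 documentation block, which is inside 2000::/3 and not on the deny list above).

```python
"""Reference model of the customer-facing IPv6 ingress policy in this thread.

Added example, not the posters' ACLs. A packet is checked, in order, against:
  1. RFC 4861 hop-limit validation for Neighbor Discovery types 133-137
  2. the types to block: 137 Redirect, 138 Router Renumbering, and Router
     Advertisements (134) arriving from a customer port
  3. a per-source token bucket for Echo Request/Reply (128/129)
  4. destination bogons (documentation, benchmarking, AMT, ORCHID/ORCHIDv2)
  5. anti-spoofing: the source must lie in the prefix assigned to the customer
  6. the final "permit <customer space> 2000::/3"; everything else is denied
A deny is a silent drop: no ICMPv6 error goes back (the "icmp-off" above).
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

ICMPV6 = 58
ECHO_REQUEST, ECHO_REPLY = 128, 129
ROUTER_ADVERTISEMENT, REDIRECT, ROUTER_RENUMBERING = 134, 137, 138
ND_TYPES = range(133, 138)  # RS, RA, NS, NA, Redirect: hop limit must be 255 (RFC 4861)

# Destinations that should never be reachable through a production network.
BOGON_DST = [
    IPv6Network("2001:db8::/32"),  # documentation, RFC 3849
    IPv6Network("2001:2::/48"),    # benchmarking, RFC 5180
    IPv6Network("2001:3::/32"),    # Automatic Multicast Tunneling, RFC 7450
    IPv6Network("2001:10::/28"),   # ORCHID, RFC 4843 (deprecated)
    IPv6Network("2001:20::/28"),   # ORCHIDv2, RFC 7343
]
GLOBAL_UNICAST = IPv6Network("2000::/3")


@dataclass
class Packet:
    src: str
    dst: str
    next_header: int = ICMPV6
    icmp_type: int | None = None
    hop_limit: int = 64


@dataclass
class TokenBucket:
    rate: float   # tokens refilled per second
    burst: int    # bucket capacity
    last: float   # timestamp of the last refill
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class IngressPolicy:
    customer_space: list[IPv6Network]  # prefixes assigned via DHCPv6-PD / PPPoE
    echo_rate: float = 5.0             # assumed limits: 5 echo packets/s sustained,
    echo_burst: int = 10               # bursts of 10
    buckets: dict[str, TokenBucket] = field(default_factory=dict)

    def check(self, p: Packet, now: float) -> str:
        src, dst = IPv6Address(p.src), IPv6Address(p.dst)
        if p.next_header == ICMPV6:
            t = p.icmp_type
            if t in ND_TYPES and p.hop_limit != 255:
                return "deny: ND message without hop limit 255 (RFC 4861)"
            if t in (REDIRECT, ROUTER_RENUMBERING):
                return f"deny: ICMPv6 type {t} blocked at the edge"
            if t == ROUTER_ADVERTISEMENT:
                return "deny: customer must not send Router Advertisements"
            if t in ND_TYPES:  # RS, NS, NA: consumed by this router, never forwarded
                return "permit: neighbor discovery handled in the control plane"
            if t in (ECHO_REQUEST, ECHO_REPLY):
                if p.src not in self.buckets:
                    self.buckets[p.src] = TokenBucket(self.echo_rate, self.echo_burst, now)
                if not self.buckets[p.src].allow(now):
                    return "deny: echo rate limit exceeded for this source"
        for net in BOGON_DST:
            if dst in net:
                return f"deny: destination in {net} (bogon, icmp-off)"
        if not any(src in net for net in self.customer_space):
            return "deny: source outside assigned customer space (spoofed)"
        if dst in GLOBAL_UNICAST:
            return "permit"
        return "deny: implicit deny at end of ACL"


def demo() -> list[str]:
    """Run constructed sample packets through the policy and return the verdicts."""
    policy = IngressPolicy(customer_space=[IPv6Network("2001:db8:1000::/36")])
    cust = "2001:db8:1000::42"  # constructed customer address
    inet = "3fff:1::1"          # constructed external host, RFC 9637 documentation block
    t0 = 1000.0                 # fixed clock so the rate limiter is deterministic
    cases = [
        Packet(cust, inet, next_header=6),                      # TCP towards the internet
        Packet(cust, inet, icmp_type=1),                        # Destination Unreachable
        Packet(cust, inet, icmp_type=2),                        # Packet Too Big (PMTUD)
        Packet(cust, "2001:db8::1", next_header=6),             # into documentation space
        Packet(cust, inet, icmp_type=REDIRECT, hop_limit=255),  # Redirect
        Packet("fe80::1", "ff02::1", icmp_type=134, hop_limit=255),         # rogue RA
        Packet("fe80::1", "ff02::1:ff00:1", icmp_type=135, hop_limit=255),  # valid NS
        Packet("fe80::1", "ff02::1:ff00:1", icmp_type=135, hop_limit=64),   # forged NS
        Packet("2001:db8:ffff::1", inet, next_header=6),        # spoofed source
    ] + [Packet(cust, inet, icmp_type=ECHO_REQUEST)] * 12       # 12 pings in one instant
    return [policy.check(p, t0) for p in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note the rule order: the ND hop-limit check and the type 134/137/138 drops come before the bogon and anti-spoof checks, so a Router Advertisement from a customer's link-local address is rejected for what it is rather than for failing the source-prefix test, and Destination Unreachable and Packet Too Big fall straight through to the final permit, which is what keeps PMTUD working. Of the twelve echo requests sent in the same instant, ten pass and two are dropped by the bucket.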

On 6-10-2024 11:28, Michiel Klaver via ipv6-wg wrote:
http://shouldiblockicmp.com/


-----Original message-----
On 05.10.2024 at 21:11:22 Sheikh Md Seum via ipv6-wg wrote:

While going through the deployment procedure I was not able to find
any BCP/BCOP regarding how to filter ICMPv6, what standards should be
followed.

Don't filter it at all at the ISP level for your customers.

The neighbor discovery packets can't be abused from other links because
they will be discarded when they don't have TTL of 255.
Make sure you reject RAs from the customers on your PPP links.

Although, inside a link (e.g. on an office network), filtering for
certain packets like RA is needed to avoid certain intended or
accidental stuff.

Other stuff like the destination unreachable must not be blocked at all.

ICMPv6 isn't a security risk itself.

-----
To unsubscribe from this mailing list or change your subscription options, 
please visit: https://mailman.ripe.net/mailman3/lists/ipv6-wg.ripe.net/