1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
|
<pre>Network Working Group E. Davies
Request for Comments: 4890 Consultant
Category: Informational J. Mohacsi
NIIF/HUNGARNET
May 2007
<span class="h1">Recommendations for Filtering ICMPv6 Messages in Firewalls</span>
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
In networks supporting IPv6, the Internet Control Message Protocol
version 6 (ICMPv6) plays a fundamental role with a large number of
functions, and a correspondingly large number of message types and
options. ICMPv6 is essential to the functioning of IPv6, but there
are a number of security risks associated with uncontrolled
forwarding of ICMPv6 messages. Filtering strategies designed for the
corresponding protocol, ICMP, in IPv4 networks are not directly
applicable, because these strategies are intended to accommodate a
useful auxiliary protocol that may not be required for correct
functioning.
This document provides some recommendations for ICMPv6 firewall
filter configuration that will allow propagation of ICMPv6 messages
that are needed to maintain the functioning of the network but drop
messages that are potential security risks.
<span class="grey">Davies & Mohacsi Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2">2</a>. Classifying ICMPv6 Messages . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.1">2.1</a>. Error and Informational ICMPv6 Messages . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.2">2.2</a>. Addressing of ICMPv6 . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.3">2.3</a>. Network Topology and Address Scopes . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-2.4">2.4</a>. Role in Establishing and Maintaining Communication . . . . <a href="#page-7">7</a>
<a href="#section-3">3</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-3.1">3.1</a>. Denial-of-Service Attacks . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-3.2">3.2</a>. Probing . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-3.3">3.3</a>. Redirection Attacks . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-3.4">3.4</a>. Renumbering Attacks . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-3.5">3.5</a>. Problems Resulting from ICMPv6 Transparency . . . . . . . <a href="#page-10">10</a>
<a href="#section-4">4</a>. Filtering Recommendations . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-4.1">4.1</a>. Common Considerations . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
4.2. Interaction of Link-Local Messages with
Firewall/Routers and Firewall/Bridges . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-4.3">4.3</a>. Recommendations for ICMPv6 Transit Traffic . . . . . . . . <a href="#page-13">13</a>
<a href="#section-4.3.1">4.3.1</a>. Traffic That Must Not Be Dropped . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-4.3.2">4.3.2</a>. Traffic That Normally Should Not Be Dropped . . . . . <a href="#page-14">14</a>
4.3.3. Traffic That Will Be Dropped Anyway -- No Special
Attention Needed . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-4.3.4">4.3.4</a>. Traffic for Which a Policy Should Be Defined . . . . . <a href="#page-16">16</a>
4.3.5. Traffic That Should Be Dropped Unless a Good Case
Can Be Made . . . . . . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-4.4">4.4</a>. Recommendations for ICMPv6 Local Configuration Traffic . . <a href="#page-18">18</a>
<a href="#section-4.4.1">4.4.1</a>. Traffic That Must Not Be Dropped . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-4.4.2">4.4.2</a>. Traffic That Normally Should Not Be Dropped . . . . . <a href="#page-19">19</a>
4.4.3. Traffic That Will Be Dropped Anyway -- No Special
Attention Needed . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-4.4.4">4.4.4</a>. Traffic for Which a Policy Should Be Defined . . . . . <a href="#page-20">20</a>
4.4.5. Traffic That Should Be Dropped Unless a Good Case
Can Be Made . . . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-5">5</a>. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-6">6</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-6.1">6.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-6.2">6.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#appendix-A">Appendix A</a>. Notes on Individual ICMPv6 Messages . . . . . . . . . <a href="#page-24">24</a>
<a href="#appendix-A.1">A.1</a>. Destination Unreachable Error Message . . . . . . . . . . <a href="#page-24">24</a>
<a href="#appendix-A.2">A.2</a>. Packet Too Big Error Message . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#appendix-A.3">A.3</a>. Time Exceeded Error Message . . . . . . . . . . . . . . . <a href="#page-25">25</a>
<a href="#appendix-A.4">A.4</a>. Parameter Problem Error Message . . . . . . . . . . . . . <a href="#page-25">25</a>
<a href="#appendix-A.5">A.5</a>. ICMPv6 Echo Request and Echo Response . . . . . . . . . . <a href="#page-26">26</a>
A.6. Neighbor Solicitation and Neighbor Advertisement
Messages . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
<a href="#appendix-A.7">A.7</a>. Router Solicitation and Router Advertisement Messages . . <a href="#page-27">27</a>
<a href="#appendix-A.8">A.8</a>. Redirect Messages . . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<span class="grey">Davies & Mohacsi Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
<a href="#appendix-A.9">A.9</a>. SEND Certificate Path Messages . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#appendix-A.10">A.10</a>. Multicast Listener Discovery Messages . . . . . . . . . . <a href="#page-27">27</a>
<a href="#appendix-A.11">A.11</a>. Multicast Router Discovery Messages . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#appendix-A.12">A.12</a>. Router Renumbering Messages . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#appendix-A.13">A.13</a>. Node Information Query and Reply . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#appendix-A.14">A.14</a>. Mobile IPv6 Messages . . . . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#appendix-A.15">A.15</a>. Unused and Experimental Messages . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#appendix-B">Appendix B</a>. Example Script to Configure ICMPv6 Firewall Rules . . <a href="#page-30">30</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
When a network supports IPv6 [<a href="./rfc2460" title=""Internet Protocol, Version 6 (IPv6) Specification"">RFC2460</a>], the Internet Control Message
Protocol version 6 (ICMPv6) [<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>] plays a fundamental role
including being an essential component in establishing and
maintaining communications both at the interface level and for
sessions to remote nodes. This means that overly aggressive
filtering of ICMPv6 by firewalls may have a detrimental effect on the
establishment and maintenance of IPv6 communications. On the other
hand, allowing indiscriminate passage of all ICMPv6 messages can be a
major security risk. This document recommends a set of rules that
seek to balance effective IPv6 communication against the needs of
site security.
In a few cases, the appropriate rules will depend on whether the
firewall is protecting
o an individual host,
o an end site where all ICMPv6 messages originate or terminate
within the site, or
o a transit site such as an Internet Service Provider's site where
some ICMPv6 messages will be passing through.
The document suggests alternative rules appropriate to each situation
where it is relevant. It also notes some situations where
alternative rules could be adopted according to the nature of the
work being carried out on the site and consequent security policies.
In general, Internet Service Providers should not filter ICMPv6
messages transiting their sites so that all the necessary
communication elements are available to their customers to decide and
filter according to their policy.
Readers familiar with ICMPv6 can skip to the recommended filtering
rules in <a href="#section-4">Section 4</a> and an example configuration script for Linux
Netfilter in <a href="#appendix-B">Appendix B</a>.
<span class="grey">Davies & Mohacsi Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
ICMPv6 has a large number of functions defined in a number of sub-
protocols, and there are a correspondingly large number of messages
and options within these messages. The functions currently defined
fall into a number of categories:
Returning Error Messages
* Returning error messages to the source if a packet could not
be delivered. Four different error messages, each with a
number of sub-types, are specified in [<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>].
Connection Checking
* Simple monitoring of connectivity through echo requests and
responses used by the ping and traceroute utilities. The
Echo Request and Echo Response messages are specified in
[<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>].
Discovery Functions
* Finding neighbors (both routers and hosts) connected to the
same link and determining their IP and link layer addresses.
These messages are also used to check the uniqueness of any
addresses that an interface proposes to use (Duplicate
Address Detection - DAD). Four messages -- Neighbor
Solicitation (NS), Neighbor Advertisement (NA), Router
Solicitation (RS) and Router Advertisement (RA) -- are
specified in [<a href="./rfc2461" title=""Neighbor Discovery for IP Version 6 (IPv6)"">RFC2461</a>].
* Ensuring that neighbors remain reachable using the same IP
and link layer addresses after initial discovery (Neighbor
Unreachability Discovery - NUD) and notifying neighbors of
changes to link layer addresses. Uses NS and NA [<a href="./rfc2461" title=""Neighbor Discovery for IP Version 6 (IPv6)"">RFC2461</a>].
* Finding routers and determining how to obtain IP addresses
to join the subnets supported by the routers. Uses RS and
RA [<a href="./rfc2461" title=""Neighbor Discovery for IP Version 6 (IPv6)"">RFC2461</a>].
* If stateless autoconfiguration of hosts is enabled,
communicating prefixes and other configuration information
(including the link Maximum Transmission Unit (MTU) and
suggested hop limit default) from routers to hosts. Uses RS
and RA [<a href="./rfc2462" title=""IPv6 Stateless Address Autoconfiguration"">RFC2462</a>].
* When using SEcure Neighbor Discovery (SEND) to authenticate
a router attached to a link, the Certificate Path
Solicitation and Advertisement messages specified in
[<a href="./rfc3971" title=""SEcure Neighbor Discovery (SEND)"">RFC3971</a>] are used by hosts to retrieve the certificates
<span class="grey">Davies & Mohacsi Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
documenting the trust chain between a trust anchor and the
router from the router.
* Determining the MTU along a path. The Packet Too Big error
message is essential to this function [<a href="./rfc1981" title=""Path MTU Discovery for IP version 6"">RFC1981</a>].
* Providing a means to discover the IPv6 addresses associated
with the link layer address of an interface (the inverse of
Neighbor Discovery, where the link layer address is
discovered given an IPv6 address). Two messages, Inverse
Neighbor Discovery Solicitation and Advertisement messages,
are specified in [<a href="./rfc3122" title=""Extensions to IPv6 Neighbor Discovery for Inverse Discovery Specification"">RFC3122</a>].
* Communicating which multicast groups have listeners on a
link to the multicast capable routers connected to the link.
Uses messages Multicast Listener Query, Multicast Listener
Report (two versions), and Multicast Listener Done (protocol
version 1 only) as specified in Multicast Listener Discovery
MLDv1 [<a href="./rfc2710" title=""Multicast Listener Discovery (MLD) for IPv6"">RFC2710</a>] and MLDv2 [<a href="./rfc3810" title=""Multicast Listener Discovery Version 2 (MLDv2) for IPv6"">RFC3810</a>].
* Discovering multicast routers attached to the local link.
Uses messages Multicast Router Advertisement, Multicast
Router Solicitation, and Multicast Router Termination as
specified in Multicast Router Discovery [<a href="./rfc4286" title=""Multicast Router Discovery"">RFC4286</a>].
Reconfiguration Functions
* Redirecting packets to a more appropriate router on the
local link for the destination address or pointing out that
a destination is actually on the local link even if it is
not obvious from the IP address (where a link supports
multiple subnets). The Redirect message is specified in
[<a href="./rfc2461" title=""Neighbor Discovery for IP Version 6 (IPv6)"">RFC2461</a>].
* Supporting renumbering of networks by allowing the prefixes
advertised by routers to be altered. Uses NS, NA, RS and RA
together with the Router Renumbering message specified in
[<a href="./rfc2894" title=""Router Renumbering for IPv6"">RFC2894</a>].
Mobile IPv6 Support
* Providing support for some aspects of Mobile IPv6 especially
dealing with the IPv6 Mobile Home Agent functionality
provided in routers and needed to support a Mobile node
homed on the link. The Home Agent Address Discovery Request
and Reply and the Mobile Prefix Solicitation and
Advertisement messages are specified in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>].
<span class="grey">Davies & Mohacsi Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
Experimental Extensions
* An experimental extension to ICMPv6 specifies the ICMP Node
Information Query and Response messages that can be used to
retrieve some basic information about nodes [<a href="./rfc4620" title=""IPv6 Node Information Queries"">RFC4620</a>].
* The SEAmless IP MOBility (SEAMOBY) working group specified a
pair of experimental protocols that use an ICMPv6 message
specified in [<a href="./rfc4065" title=""Instructions for Seamoby and Experimental Mobility Protocol IANA Allocations"">RFC4065</a>] to help in locating an access router
and moving the attachment point of a mobile node from one
access router to another.
Many of these messages should only be used in a link-local context
rather than end-to-end, and filters need to be concerned with the
type of addresses in ICMPv6 packets as well as the specific source
and destination addresses.
Compared with the corresponding IPv4 protocol, ICMP, ICMPv6 cannot be
treated as an auxiliary function with packets that can be dropped in
most cases without damaging the functionality of the network. This
means that firewall filters for ICMPv6 have to be more carefully
configured than was the case for ICMP, where typically a small set of
blanket rules could be applied.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Classifying ICMPv6 Messages</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Error and Informational ICMPv6 Messages</span>
ICMPv6 messages contain an eight-bit Type field interpreted as an
integer between 0 and 255. Messages with Type values less than or
equal to 127 are Error messages. The remainder are Informational
messages. In general terms, Error messages with well-known
(standardized) Type values would normally be expected to be allowed
to be sent to or pass through firewalls, and may be essential to the
establishment and maintenance of communications (see <a href="#section-2.4">Section 2.4</a>)
whereas Informational messages will generally be the subject of
policy rules, and those passing through end site firewalls can, in
many but by no means all cases, be dropped without damaging IPv6
communications.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Addressing of ICMPv6</span>
ICMPv6 messages are sent using various kinds of source and
destination address types and scopes. The source address is usually
a unicast address, but during address autoconfiguration message
exchanges, the unspecified address (::) is also used as a source
address [<a href="./rfc2462" title=""IPv6 Stateless Address Autoconfiguration"">RFC2462</a>].
<span class="grey">Davies & Mohacsi Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
Multicast Listener Discovery (MLD) Report and Done messages are sent
with a link-local address as the IPv6 source address, if a valid
address is available on the interface. If a valid link-local address
is not available (e.g., one has not been configured), the message is
sent with the unspecified address (::) as the IPv6 source address.
Subsequently, the node will generate new MLD Report messages with
proper link-local source address once it has been configured
[<a href="./rfc3590" title=""Source Address Selection for the Multicast Listener Discovery (MLD) Protocol"">RFC3590</a>].
The destination address can be either a well-known multicast address,
a generated multicast address such as the solicited-node multicast
address, an anycast address, or a unicast address. While many ICMPv6
messages use multicast addresses most of the time, some also use
unicast addresses. For instance, the Router Advertisement messages
are sent to the all-nodes multicast address when unsolicited, but can
also be sent to a unicast address in response to a specific Router
Solicitation, although this is rarely seen in current
implementations.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Network Topology and Address Scopes</span>
ICMPv6 messages can be classified according to whether they are meant
for end-to-end communications or local communications within a link.
There are also messages that we can classify as 'any-to-end', which
can be sent from any point within a path back to the source;
typically, these are used to announce an error in processing the
original packet. For instance, the address resolution messages are
solely for local communications [<a href="./rfc2461" title=""Neighbor Discovery for IP Version 6 (IPv6)"">RFC2461</a>], whereas the Destination
Unreachable messages are any-to-end in nature. Generally, end-to-end
and any-to-end messages might be expected to pass through firewalls
depending on policies but local communications must not.
Local communications will use link-local addresses in many cases but
may also use global unicast addresses when configuring global
addresses, for example. Also, some ICMPv6 messages used in local
communications may contravene the usual rules requiring compatible
scopes for source and destination addresses.
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. Role in Establishing and Maintaining Communication</span>
Many ICMPv6 messages have a role in establishing or maintaining
communications to and from the firewall and such messages have to be
accepted by firewalls for local delivery. Generally, a firewall will
also be acting as a router so that all the messages that might be
used in configuring a router interface need to be accepted and
generated. These messages should not transit through a firewall that
is also acting as a router as they are normally intended for use
within a link.
<span class="grey">Davies & Mohacsi Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
On the other hand, most ICMPv6 error messages traveling end-to-end or
any-to-end are essential to the establishment and maintenance of
communications. These messages must be passed through firewalls and
might also be sent to and from firewalls to assist with establishment
and maintenance of communications. For example, the Packet Too Big
error message is needed to determine the MTU along a path both when a
communication session is established initially and later if the path
is rerouted during the session.
The remaining ICMPv6 messages that are not associated with
communication establishment or maintenance will normally be
legitimately attempting to pass through a firewall from inside to out
or vice versa, but in most cases decisions as to whether or not to
allow them to pass can be made on the basis of local policy without
interfering with IPv6 communications.
The filtering rules for the various message roles will generally be
different.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Security Considerations</span>
This memo recommends filtering configurations for firewalls designed
to minimize the security vulnerabilities that can arise in using the
many different sub-protocols of ICMPv6 in support of IPv6
communication.
A major concern is that it is generally not possible to use IPsec or
other means to authenticate the sender and validate the contents of
many ICMPv6 messages. To a large extent, this is because a site can
legitimately expect to receive certain error and other messages from
almost any location in the wider Internet, and these messages may
occur as a result of the first message sent to a destination.
Establishing security associations with all possible sources of
ICMPv6 messages is therefore impossible.
The inability to establish security associations to protect some
messages that are needed to establish and maintain communications
means that alternative means have to be used to reduce the
vulnerability of sites to ICMPv6-based attacks. The most common way
of doing this is to establish strict filtering policies in site
firewalls to limit the unauthenticated ICMPv6 messages that can pass
between the site and the wider Internet. This makes control of
ICMPv6 filtering a delicate balance between protecting the site by
dropping some of the ICMPv6 traffic passing through the firewall and
allowing enough of the traffic through to make sure that efficient
communication can be established.
<span class="grey">Davies & Mohacsi Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
SEND [<a href="./rfc3971" title=""SEcure Neighbor Discovery (SEND)"">RFC3971</a>] has been specified as a means to improve the security
of local ICMPv6 communications. SEND sidesteps security association
bootstrapping problems that would result if IPsec was used. SEND
affects only link-local messages and does not limit the filtering
that firewalls can apply, and its role in security is therefore not
discussed further in this document.
Firewalls will normally be used to monitor ICMPv6 to control the
following security concerns:
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Denial-of-Service Attacks</span>
ICMPv6 can be used to cause a denial of service (DoS) in a number of
ways, including simply sending excessive numbers of ICMPv6 packets to
destinations in the site and sending error messages that disrupt
established communications by causing sessions to be dropped. Also,
if spurious communication establishment or maintenance messages can
be infiltrated onto a link, it might be possible to invalidate
legitimate addresses or disable interfaces.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Probing</span>
A major security consideration is preventing attackers from probing
the site to determine the topology and identify hosts that might be
vulnerable to attack. Carefully crafted but, often, malformed
messages can be used to provoke ICMPv6 responses from hosts thereby
informing attackers of potential targets for future attacks.
However, the very large address space of IPv6 makes probing a less
effective weapon as compared with IPv4 provided that addresses are
not allocated in an easily guessable fashion. This subject is
explored in more depth in [<a href="#ref-SCAN-IMP" title=""IPv6 Implications for Network Scanning"">SCAN-IMP</a>].
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Redirection Attacks</span>
A redirection attack could be used by a malicious sender to perform
man-in-the-middle attacks or divert packets either to a malicious
monitor or to cause DoS by blackholing the packets. These attacks
would normally have to be carried out locally on a link using the
Redirect message. Administrators need to decide if the improvement
in efficiency from using Redirect messages is worth the risk of
malicious use. Factors to consider include the physical security of
the link and the complexity of addressing on the link. For example,
on an open wireless link, redirection would be a serious hazard due
to the lack of physical security. On the other hand, with a wired
link in a secure building with complex addressing and redundant
routers, the efficiency gains might well outweigh the small risk of a
rogue node being connected.
<span class="grey">Davies & Mohacsi Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Renumbering Attacks</span>
Spurious Renumbering messages can lead to the disruption of a site.
Although Renumbering messages are required to be authenticated with
IPsec, so that it is difficult to carry out such attacks in practice,
they should not be allowed through a site boundary firewall. On the
other hand, a site may employ multiple "layers" of firewalls. In
this case, Renumbering messages might be expected to be allowed to
transit interior firewalls but not pass across the outer boundary.
<span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a>. Problems Resulting from ICMPv6 Transparency</span>
Because some ICMPv6 error packets need to be passed through a
firewall in both directions, malicious users can potentially use
these messages to communicate between inside and outside, bypassing
administrative inspection. For example, it might be possible to
carry out a covert conversation through the payload of ICMPv6 error
messages or tunnel inappropriate encapsulated IP packets in ICMPv6
error messages. This problem can be alleviated by filtering ICMPv6
errors using a deep packet inspection mechanism to ensure that the
packet carried as a payload is associated with legitimate traffic to
or from the protected network.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Filtering Recommendations</span>
When designing firewall filtering rules for ICMPv6, the rules can be
divided into two classes:
o Rules for ICMPv6 traffic transiting the firewall, with some minor
variations for
* firewalls protecting end sites or individual hosts, and
* firewalls protecting transit sites
o Rules for ICMPv6 directed to interfaces on the firewall
Firewalls integrated with an individual host ("end host firewalls")
can be treated as end site firewalls, but the special considerations
discussed in <a href="#section-4.2">Section 4.2</a> may be relevant because the firewall is not
a router.
<span class="grey">Davies & Mohacsi Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
This section suggests some common considerations that should be borne
in mind when designing filtering rules and then categorizes the rules
for each class. The categories are:
o Messages that must not be dropped: usually because establishment
or maintenance of communications will be prevented or severely
impacted.
o Messages that should not be dropped: administrators need to have a
very good reason for dropping this category.
o Messages that may be dropped in firewall/routers, but these
messages may already be targeted to drop for other reasons (e.g.,
because they are using link-local addresses) or because the
protocol specification would cause the messages to be rejected if
they had passed through a router. Special considerations apply to
transit traffic if the firewall is not a router as discussed in
<a href="#section-4.2">Section 4.2</a>.
o Messages that administrators may or may not want to drop depending
on local policy.
o Messages that administrators should consider dropping (e.g., ICMP
node information name lookup queries).
More detailed analysis of each of the message types can be found in
<a href="#appendix-A">Appendix A</a>.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Common Considerations</span>
Depending on the classification of the message to be filtered (see
<a href="#section-2">Section 2</a>), ICMPv6 messages should be filtered based on the ICMPv6
type of the message and the type (unicast, multicast, etc.) and scope
(link-local, global unicast, etc.) of source and destination
addresses. In some cases, it may be desirable to filter on the Code
field of ICMPv6 error messages.
Messages that can be authenticated on delivery, probably because they
contain an IPsec AH header or ESP header with authentication, may be
subject to less strict policies than messages that cannot be
authenticated. In the remainder of this section, we are generally
considering what should be configured for unauthenticated messages.
In many cases, it is not realistic to expect more than a tiny
fraction of the messages to be authenticated.
Where messages are not essential to the establishment or maintenance
of communications, local policy can be used to determine whether a
message should be allowed or dropped.
<span class="grey">Davies & Mohacsi Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
Depending on the capabilities of the firewall being configured, it
may be possible for the firewall to maintain state about packets that
may result in error messages being returned or about ICMPv6 packets
(e.g., Echo Requests) that are expected to receive a specific
response. This state may allow the firewall to perform more precise
checks based on this state, and to apply limits on the number of
ICMPv6 packets accepted incoming or outgoing as a result of a packet
traveling in the opposite direction. The capabilities of firewalls
to perform such stateful packet inspection vary from model to model,
and it is not assumed that firewalls are uniformly capable in this
respect.
Firewalls that are able to perform deep packet inspection may be able
to check the header fields in the start of the errored packet that is
carried by ICMPv6 error messages. If the embedded packet has a
source address that does not match the destination of the error
message, the packet can be dropped. This provides a partial defense
against some possible attacks on TCP that use spoofed ICMPv6 error
messages, but the checks can also be carried out at the destination.
For further information on these attacks see [<a href="#ref-ICMP-ATTACKS" title=""ICMP attacks against TCP"">ICMP-ATTACKS</a>].
In general, the scopes of source and destination addresses of ICMPv6
messages should be matched, and packets with mismatched addresses
should be dropped if they attempt to transit a router. However, some
of the address configuration messages carried locally on a link may
legitimately have mismatched addresses. Node implementations must
accept these messages delivered locally on a link, and administrators
should be aware that they can exist.
ICMPv6 messages transiting firewalls inbound to a site may be treated
differently depending on whether they are addressed to a node on the
site or to some other node. For end sites, packets addressed to
nodes not on the site should be dropped, but would generally be
forwarded by firewalls on transit sites.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Interaction of Link-Local Messages with Firewall/Routers and</span>
<span class="h3"> Firewall/Bridges</span>
Firewalls can be implemented both as IP routers (firewall/routers)
and as link layer bridges (e.g., Ethernet bridges) that are
transparent to the IP layer although they will actually be inspecting
the IP packets as they pass through (firewall/bridges).
Many of the messages used for establishment and maintenance of
communications on the local link will be sent with link-local
addresses for at least one of their source and destination. Routers
conforming to the IPv6 standards will not forward these packets;
there is no need to configure additional rules to prevent these
<span class="grey">Davies & Mohacsi Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
packets traversing a firewall/router, although administrators may
wish to configure rules that would drop these packets for insurance
and as a means of monitoring for attacks. Also, the specifications
of ICMPv6 messages intended for use only on the local link specify
various measures that would allow receivers to detect if the message
had passed through a router, including:
o Requiring that the hop limit in the IPv6 header is set to 255 on
transmission. Receivers verify that the hop limit is still 255,
to ensure that the packet has not passed through a router.
o Checking that the source address is a link-local unicast address.
Accordingly, it is not essential to configure firewall/router rules
to drop out-of-specification packets of these types. If they have
non-link-local source and destination addresses, allowing them to
traverse the firewall/router, they would be rejected because of the
checks performed at the destination. Again, firewall administrators
may still wish to configure rules to log or drop such out-of-
specification packets.
For firewall/bridges, slightly different considerations apply. The
physical links on either side of the firewall/bridge are treated as a
single logical link for the purposes of IP. Hence, the link local
messages used for discovery functions on the link must be allowed to
transit the transparent bridge. Administrators should ensures that
routers and hosts attached to the link containing the firewall/bridge
are built to the correct specifications so that out-of-specification
packets are actually dropped as described in the earlier part of this
section.
An end host firewall can generally be thought of as a special case of
a firewall/bridge, but the only link-local messages that need to be
allowed through are those directed to the host's interface.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Recommendations for ICMPv6 Transit Traffic</span>
This section recommends rules that should be applied to ICMPv6
traffic attempting to transit a firewall.
<span class="grey">Davies & Mohacsi Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
<span class="h4"><a class="selflink" id="section-4.3.1" href="#section-4.3.1">4.3.1</a>. Traffic That Must Not Be Dropped</span>
Error messages that are essential to the establishment and
maintenance of communications:
o Destination Unreachable (Type 1) - All codes
o Packet Too Big (Type 2)
o Time Exceeded (Type 3) - Code 0 only
o Parameter Problem (Type 4) - Codes 1 and 2 only
<a href="#appendix-A.4">Appendix A.4</a> suggests some more specific checks that could be
performed on Parameter Problem messages if a firewall has the
necessary packet inspection capabilities.
Connectivity checking messages:
o Echo Request (Type 128)
o Echo Response (Type 129)
For Teredo tunneling [<a href="./rfc4380" title=""Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)"">RFC4380</a>] to IPv6 nodes on the site to be
possible, it is essential that the connectivity checking messages are
allowed through the firewall. It has been common practice in IPv4
networks to drop Echo Request messages in firewalls to minimize the
risk of scanning attacks on the protected network. As discussed in
<a href="#section-3.2">Section 3.2</a>, the risks from port scanning in an IPv6 network are much
less severe, and it is not necessary to filter IPv6 Echo Request
messages.
<span class="h4"><a class="selflink" id="section-4.3.2" href="#section-4.3.2">4.3.2</a>. Traffic That Normally Should Not Be Dropped</span>
Error messages other than those listed in <a href="#section-4.3.1">Section 4.3.1</a>:
o Time Exceeded (Type 3) - Code 1
o Parameter Problem (Type 4) - Code 0
Mobile IPv6 messages that are needed to assist mobility:
o Home Agent Address Discovery Request (Type 144)
o Home Agent Address Discovery Reply (Type 145)
o Mobile Prefix Solicitation (Type 146)
o Mobile Prefix Advertisement (Type 147)
Administrators may wish to apply more selective rules as described in
<a href="#appendix-A.14">Appendix A.14</a> depending on whether the site is catering for mobile
nodes that would normally be at home on the site and/or foreign
mobile nodes roaming onto the site.
<span class="grey">Davies & Mohacsi Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
<span class="h4"><a class="selflink" id="section-4.3.3" href="#section-4.3.3">4.3.3</a>. Traffic That Will Be Dropped Anyway -- No Special Attention</span>
<span class="h4"> Needed</span>
The messages listed in this section are all involved with local
management of nodes connected to the logical link on which they were
initially transmitted. All these messages should never be propagated
beyond the link on which they were initially transmitted. If the
firewall is a firewall/bridge rather than a firewall/router, these
messages should be allowed to transit the firewall as they would be
intended for establishing communications between the two physical
parts of the link that are bridged into a single logical link.
During normal operations, these messages will have destination
addresses, mostly link local but in some cases global unicast
addresses, of interfaces on the local link. No special action is
needed to filter messages with link-local addresses in a firewall/
router. As discussed in <a href="#section-4.1">Section 4.1</a>, these messages are specified so
that either the receiver is able to check that the message has not
passed through a router or it will be dropped at the first router it
encounters.
Administrators may also wish to consider providing rules in firewall/
routers to catch illegal packets sent with hop limit = 1 to avoid
ICMPv6 Time Exceeded messages being generated for these packets.
Address Configuration and Router Selection messages (must be received
with hop limit = 255):
o Router Solicitation (Type 133)
o Router Advertisement (Type 134)
o Neighbor Solicitation (Type 135)
o Neighbor Advertisement (Type 136)
o Redirect (Type 137)
o Inverse Neighbor Discovery Solicitation (Type 141)
o Inverse Neighbor Discovery Advertisement (Type 142)
Link-local multicast receiver notification messages (must have link-
local source address):
o Listener Query (Type 130)
o Listener Report (Type 131)
o Listener Done (Type 132)
o Listener Report v2 (Type 143)
<span class="grey">Davies & Mohacsi Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
SEND Certificate Path notification messages (must be received with
hop limit = 255):
o Certificate Path Solicitation (Type 148)
o Certificate Path Advertisement (Type 149)
Multicast Router Discovery messages (must have link-local source
address and hop limit = 1):
o Multicast Router Advertisement (Type 151)
o Multicast Router Solicitation (Type 152)
o Multicast Router Termination (Type 153)
<span class="h4"><a class="selflink" id="section-4.3.4" href="#section-4.3.4">4.3.4</a>. Traffic for Which a Policy Should Be Defined</span>
The message type that the experimental Seamoby protocols are using
will be expected to have to cross site boundaries in normal
operation. Transit sites must allow these messages to transit the
site. End site administrators should determine if they need to
support these experiments and otherwise messages of this type should
be dropped:
o Seamoby Experimental (Type 150)
Error messages not currently defined by IANA:
o Unallocated Error messages (Types 5-99 inclusive and 102-126
inclusive)
The base ICMPv6 specification suggests that error messages that are
not explicitly known to a node should be forwarded and passed to any
higher-level protocol that might be able to interpret them. There is
a small risk that such messages could be used to provide a covert
channel or form part of a DoS attack. Administrators of end sites
should be aware of this and determine whether they wish to allow
these messages through the firewall. Firewalls protecting transit
sites must allow all types of error messages to transit the site but
may adopt different policies for error messages addressed to nodes
within the site.
All informational messages with types not explicitly assigned by
IANA, currently:
o Unallocated Informational messages (Types 154-199 inclusive and
202-254 inclusive).
Note that the base ICMPv6 specification requires that received
informational messages with unknown types must be silently discarded.
Transit sites must allow these messages to transit the site. End
<span class="grey">Davies & Mohacsi Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
site administrators can either adopt a policy of allowing all these
messages through the firewall, relying on end hosts to drop
unrecognized messages, or drop all such messages at the firewall.
Different policies could be adopted for inbound and outbound
messages.
If administrators choose to implement policies that drop currently
unallocated error or informational messages, it is important to
review the set of messages affected in case new message types are
assigned by IANA.
<span class="h4"><a class="selflink" id="section-4.3.5" href="#section-4.3.5">4.3.5</a>. Traffic That Should Be Dropped Unless a Good Case Can Be Made</span>
Node Information enquiry messages should generally not be forwarded
across site boundaries. Some of these messages will be using non-
link-local unicast addresses so that they will not necessarily be
dropped by address scope limiting rules:
o Node Information Query (Type 139)
o Node Information Response (Type 140)
Router Renumbering messages should not be forwarded across site
boundaries. As originally specified, these messages may use a site
scope multicast address or a site local unicast address. They should
be caught by standard rules that are intended to stop any packet with
a multicast site scope or site local destination being forwarded
across a site boundary provided these are correctly configured.
Since site local addresses have now been deprecated, it seems likely
that changes may be made to allow the use of unique local addresses
or global unicast addresses. Should this happen, it will be
essential to explicitly filter these messages at site boundaries. If
a site has internal as well as boundary firewalls, individual
policies should be established for the internal firewalls depending
on whether or not the site wishes to use Router Renumbering:
o Router Renumbering (Type 138)
Messages with types in the experimental allocations:
o Types 100, 101, 200, and 201.
Messages using the extension type numbers until such time as ICMPv6
needs to use such extensions:
o Types 127 and 255.
<span class="grey">Davies & Mohacsi Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. Recommendations for ICMPv6 Local Configuration Traffic</span>
This section recommends filtering rules for ICMPv6 traffic addressed
to an interface on a firewall. For a small number of messages, the
desired behavior may differ between interfaces on the site or private
side of the firewall and the those on the public Internet side of the
firewall.
<span class="h4"><a class="selflink" id="section-4.4.1" href="#section-4.4.1">4.4.1</a>. Traffic That Must Not Be Dropped</span>
Error messages that are essential to the establishment and
maintenance of communications:
o Destination Unreachable (Type 1) - All codes
o Packet Too Big (Type 2)
o Time Exceeded (Type 3) - Code 0 only
o Parameter Problem (Type 4) - Codes 1 and 2 only
Connectivity checking messages:
o Echo Request (Type 128)
o Echo Response (Type 129)
As discussed in <a href="#section-4.3.1">Section 4.3.1</a>, dropping connectivity checking
messages will prevent the firewall being the destination of a Teredo
tunnel and it is not considered necessary to disable connectivity
checking in IPv6 networks because port scanning is less of a security
risk.
There are a number of other sets of messages that play a role in
configuring the node and maintaining unicast and multicast
communications through the interfaces of a node. These messages must
not be dropped if the node is to successfully participate in an IPv6
network. The exception to this is the Redirect message for which an
explicit policy decision should be taken (see <a href="#section-4.4.4">Section 4.4.4</a>).
Address Configuration and Router Selection messages:
o Router Solicitation (Type 133)
o Router Advertisement (Type 134)
o Neighbor Solicitation (Type 135)
o Neighbor Advertisement (Type 136)
o Inverse Neighbor Discovery Solicitation (Type 141)
o Inverse Neighbor Discovery Advertisement (Type 142)
<span class="grey">Davies & Mohacsi Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
Link-Local Multicast Receiver Notification messages:
o Listener Query (Type 130)
o Listener Report (Type 131)
o Listener Done (Type 132)
o Listener Report v2 (Type 143)
SEND Certificate Path Notification messages:
o Certificate Path Solicitation (Type 148)
o Certificate Path Advertisement (Type 149)
Multicast Router Discovery messages:
o Multicast Router Advertisement (Type 151)
o Multicast Router Solicitation (Type 152)
o Multicast Router Termination (Type 153)
<span class="h4"><a class="selflink" id="section-4.4.2" href="#section-4.4.2">4.4.2</a>. Traffic That Normally Should Not Be Dropped</span>
Error messages other than those listed in <a href="#section-4.4.1">Section 4.4.1</a>:
o Time Exceeded (Type 3) - Code 1
o Parameter Problem (Type 4) - Code 0
<span class="h4"><a class="selflink" id="section-4.4.3" href="#section-4.4.3">4.4.3</a>. Traffic That Will Be Dropped Anyway -- No Special Attention</span>
<span class="h4"> Needed</span>
Router Renumbering messages must be authenticated using IPsec, so it
is not essential to filter these messages even if they are not
allowed at the firewall/router:
o Router Renumbering (Type 138)
Mobile IPv6 messages that are needed to assist mobility:
o Home Agent Address Discovery Request (Type 144)
o Home Agent Address Discovery Reply (Type 145)
o Mobile Prefix Solicitation (Type 146)
o Mobile Prefix Advertisement (Type 147)
It may be desirable to drop these messages, especially on public
interfaces, if the firewall is not also providing mobile home agent
services, but they will be ignored otherwise.
<span class="grey">Davies & Mohacsi Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
The message used by the experimental Seamoby protocols may be dropped
but will be ignored if the service is not implemented:
o Seamoby Experimental (Type 150)
<span class="h4"><a class="selflink" id="section-4.4.4" href="#section-4.4.4">4.4.4</a>. Traffic for Which a Policy Should Be Defined</span>
Redirect messages provide a significant security risk, and
administrators should take a case-by-case approach to whether
firewalls, routers in general, and other nodes should accept these
messages:
o Redirect (Type 137)
Conformant nodes must provide configuration controls that allow nodes
to control their behavior with respect to Redirect messages so that
it should only be necessary to install specific filtering rules under
special circumstances, such as if Redirect messages are accepted on
private interfaces but not public ones.
If a node implements the experimental Node Information service, the
administrator needs to make an explicit decision as to whether the
node should respond to or accept Node Information messages on each
interface:
o Node Information Query (Type 139)
o Node Information Response (Type 140)
It may be possible to disable the service on the node if it is not
wanted, in which case these messages will be ignored and no filtering
is necessary.
Error messages not currently defined by IANA:
o Unallocated Error messages (Types 5-99 inclusive and 102-126
inclusive)
The base ICMPv6 specification suggests that error messages that are
not explicitly known to a node should be forwarded and passed to any
higher-level protocol that might be able to interpret them. There is
a small risk that such messages could be used to provide a covert
channel or form part of a DoS attack. Administrators should be aware
of this and determine whether they wish to allow these messages to be
sent to the firewall.
<span class="grey">Davies & Mohacsi Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
<span class="h4"><a class="selflink" id="section-4.4.5" href="#section-4.4.5">4.4.5</a>. Traffic That Should Be Dropped Unless a Good Case Can Be Made</span>
Messages with types in the experimental allocations:
o Types 100, 101, 200, and 201.
Messages using the extension type numbers until such time as ICMPv6
needs to use such extensions:
o Types 127 and 255.
All informational messages with types not explicitly assigned by
IANA, currently:
o Types 154-199 inclusive and 202-254 inclusive.
Note that the base ICMPv6 specification requires that received
informational messages with unknown types must be silently discarded.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Acknowledgements</span>
Pekka Savola created the original IPv6 Security Overview document,
which contained suggestions for ICMPv6 filter setups. This
information has been incorporated into this document. He has also
provided important comments. Some analysis of the classification of
ICMPv6 messages and the term 'any-to-end' were used by Jari Arkko in
a document relating to ICMPv6 and IKE.
The Netfilter configuration script in <a href="#appendix-B">Appendix B</a> was contributed by
Suresh Krishnan.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. References</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Normative References</span>
[<a id="ref-RFC1981">RFC1981</a>] McCann, J., Deering, S., and J. Mogul, "Path MTU
Discovery for IP version 6", <a href="./rfc1981">RFC 1981</a>, August 1996.
[<a id="ref-RFC2460">RFC2460</a>] Deering, S. and R. Hinden, "Internet Protocol,
Version 6 (IPv6) Specification", <a href="./rfc2460">RFC 2460</a>,
December 1998.
[<a id="ref-RFC2461">RFC2461</a>] Narten, T., Nordmark, E., and W. Simpson, "Neighbor
Discovery for IP Version 6 (IPv6)", <a href="./rfc2461">RFC 2461</a>,
December 1998.
[<a id="ref-RFC2462">RFC2462</a>] Thomson, S. and T. Narten, "IPv6 Stateless Address
Autoconfiguration", <a href="./rfc2462">RFC 2462</a>, December 1998.
<span class="grey">Davies & Mohacsi Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
[<a id="ref-RFC2710">RFC2710</a>] Deering, S., Fenner, W., and B. Haberman, "Multicast
Listener Discovery (MLD) for IPv6", <a href="./rfc2710">RFC 2710</a>,
October 1999.
[<a id="ref-RFC2894">RFC2894</a>] Crawford, M., "Router Renumbering for IPv6",
<a href="./rfc2894">RFC 2894</a>, August 2000.
[<a id="ref-RFC3122">RFC3122</a>] Conta, A., "Extensions to IPv6 Neighbor Discovery for
Inverse Discovery Specification", <a href="./rfc3122">RFC 3122</a>,
June 2001.
[<a id="ref-RFC3590">RFC3590</a>] Haberman, B., "Source Address Selection for the
Multicast Listener Discovery (MLD) Protocol",
<a href="./rfc3590">RFC 3590</a>, September 2003.
[<a id="ref-RFC3775">RFC3775</a>] Johnson, D., Perkins, C., and J. Arkko, "Mobility
Support in IPv6", <a href="./rfc3775">RFC 3775</a>, June 2004.
[<a id="ref-RFC3810">RFC3810</a>] Vida, R. and L. Costa, "Multicast Listener Discovery
Version 2 (MLDv2) for IPv6", <a href="./rfc3810">RFC 3810</a>, June 2004.
[<a id="ref-RFC3971">RFC3971</a>] Arkko, J., Kempf, J., Zill, B., and P. Nikander,
"SEcure Neighbor Discovery (SEND)", <a href="./rfc3971">RFC 3971</a>,
March 2005.
[<a id="ref-RFC4065">RFC4065</a>] Kempf, J., "Instructions for Seamoby and Experimental
Mobility Protocol IANA Allocations", <a href="./rfc4065">RFC 4065</a>,
July 2005.
[<a id="ref-RFC4286">RFC4286</a>] Haberman, B. and J. Martin, "Multicast Router
Discovery", <a href="./rfc4286">RFC 4286</a>, December 2005.
[<a id="ref-RFC4443">RFC4443</a>] Conta, A., Deering, S., and M. Gupta, "Internet
Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", <a href="./rfc4443">RFC 4443</a>,
March 2006.
[<a id="ref-RFC4620">RFC4620</a>] Crawford, M. and B. Haberman, "IPv6 Node Information
Queries", <a href="./rfc4620">RFC 4620</a>, August 2006.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Informative References</span>
[<a id="ref-ICMP-ATTACKS">ICMP-ATTACKS</a>] Gont, F., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22ICMP+attacks+against+TCP%22'>"ICMP attacks against TCP"</a>, Work
in Progress, October 2006.
[<a id="ref-RFC3041">RFC3041</a>] Narten, T. and R. Draves, "Privacy Extensions for
Stateless Address Autoconfiguration in IPv6",
<a href="./rfc3041">RFC 3041</a>, January 2001.
<span class="grey">Davies & Mohacsi Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
[<a id="ref-RFC4380">RFC4380</a>] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
Network Address Translations (NATs)", <a href="./rfc4380">RFC 4380</a>,
February 2006.
[<a id="ref-SCAN-IMP">SCAN-IMP</a>] Chown, T., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22IPv6+Implications+for+Network+Scanning%22'>"IPv6 Implications for Network Scanning"</a>,
Work in Progress, March 2007.
[<a id="ref-netfilter">netfilter</a>] netfilter.org, "The netfilter.org project",
Firewalling, NAT and Packet Mangling for Linux ,
2006, <<a href="http://www.netfilter.org/">http://www.netfilter.org/</a>>.
<span class="grey">Davies & Mohacsi Informational [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Notes on Individual ICMPv6 Messages</span>
<span class="h3"><a class="selflink" id="appendix-A.1" href="#appendix-A.1">A.1</a>. Destination Unreachable Error Message</span>
Destination Unreachable (Type 1) error messages [<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>] are sent
any-to-end between unicast addresses. The message can be generated
from any node that a packet traverses when the node is unable to
forward the packet for any reason except congestion.
Destination Unreachable messages are useful for debugging, but are
also important to speed up cycling through possible addresses, as
they can avoid the need to wait through timeouts and hence can be
part of the process of establishing or maintaining communications.
It is a common practice in IPv4 to refrain from generating ICMP
Destination Unreachable messages in an attempt to hide the networking
topology and/or service structure. The same idea could be applied to
IPv6, but this can slow down connection if a host has multiple
addresses, some of which are deprecated, as they may be when using
privacy addresses [<a href="./rfc3041" title=""Privacy Extensions for Stateless Address Autoconfiguration in IPv6"">RFC3041</a>]. If policy allows the generation of
ICMPv6 Destination Unreachable messages, it is important that nodes
provide the correct reason code, one of: no route to destination,
administratively prohibited, beyond scope of source address, address
unreachable, port unreachable, source address failed ingress/egress
policy, or reject route to destination.
<span class="h3"><a class="selflink" id="appendix-A.2" href="#appendix-A.2">A.2</a>. Packet Too Big Error Message</span>
Packet Too Big (Type 2) error messages [<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>] are sent any-to-end
between unicast addresses. The message can be generated from any
node that a packet traverses on the path when the node is unable to
forward the packet because the packet is too large for the MTU of the
next link. This message is vital to the correct functioning of Path
MTU Discovery and hence is part of the establishment and maintenance
of communications. Since routers are not allowed to fragment
packets, informing sources of the need to fragment large packets is
more important than for IPv4. If these messages are not generated
when appropriate, hosts will continue to send packets that are too
large or may assume that the route is congested. Effectively, parts
of the Internet will become inaccessible.
If a network chooses to generate packets that are no larger than the
Guaranteed Minimum MTU (1280 octets) and the site's links to the
wider Internet have corresponding MTUs, Packet Too Big messages
should not be expected at the firewall and could be dropped if they
arrive.
<span class="grey">Davies & Mohacsi Informational [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
<span class="h3"><a class="selflink" id="appendix-A.3" href="#appendix-A.3">A.3</a>. Time Exceeded Error Message</span>
Time Exceeded (Type 3) error messages [<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>] can occur in two
contexts:
o Code 0 are generated at any node on the path being taken by the
packet and sent, any-to-end between unicast addresses, if the Hop
Limit value is decremented to zero at that node.
o Code 1 messages are generated at the destination node and sent
end-to-end between unicast addresses if all the segments of a
fragmented message are not received within the reassembly time
limit.
Code 0 messages can be needed as part of the establishment of
communications if the path to a particular destination requires an
unusually large number of hops.
Code 1 messages will generally only result from congestion in the
network, and it is less essential to propagate these messages.
<span class="h3"><a class="selflink" id="appendix-A.4" href="#appendix-A.4">A.4</a>. Parameter Problem Error Message</span>
The great majority of Parameter Problem (Type 4) error messages will
be generated by the destination node when processing destination
options and other extension headers, and hence are sent end-to-end
between unicast addresses. Exceptionally, these messages might be
generated by any node on the path if a faulty or unrecognized hop-by-
hop option is included or from any routing waypoint if there are
faulty or unrecognized destination options associated with a Type 0
routing header. In these cases, the message will be sent any-to-end
using unicast source and destination addresses.
Parameter Problem Code 1 (Unrecognized Next Header) and Code 2
(Unrecognized IPv6 Option) messages may result if a node on the path
(usually the destination) is unable to process a correctly formed
extension header or option. If these messages are not returned to
the source, communication cannot be established, as the source would
need to adapt its choice of options probably because the destination
does not implement these capabilities. Hence, these messages need to
be generated and allowed for effective IPv6 communications.
Code 0 (Erroneous Header) messages indicate a malformed extension
header generally as a result of incorrectly generated packets.
Hence, these messages are useful for debugging purposes, but it is
unlikely that a node generating such packets could establish
communications without human intervention to correct the problem.
<span class="grey">Davies & Mohacsi Informational [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
Code 2 messages, only, can be generated for packets with multicast
destination addresses.
It is possible that attackers may seek to probe or scan a network by
deliberately generating packets with unknown extension headers or
options or with faulty headers. If nodes generate Parameter Problem
error messages in all cases and these outgoing messages are allowed
through firewalls, the attacker may be able to identify active
addresses that can be probed further or learn about the network
topology. The vulnerability could be mitigated whilst helping to
establish communications if the firewall was able to examine such
error messages in depth and was configured to only allow Parameter
Problem messages for headers that had been standardized but were not
supported in the protected network. If the network administrator
believes that all nodes in the network support all legitimate
extension headers, then it would be reasonable to drop all outgoing
Parameter Problem messages. Note that this is not a major
vulnerability in a well-designed IPv6 network because of the
difficulties of performing scanning attacks (see <a href="#section-3.2">Section 3.2</a>).
<span class="h3"><a class="selflink" id="appendix-A.5" href="#appendix-A.5">A.5</a>. ICMPv6 Echo Request and Echo Response</span>
Echo Request (Type 128) uses unicast addresses as source addresses,
but may be sent to any legal IPv6 address, including multicast and
anycast addresses [<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>]. Echo Requests travel end-to-end.
Similarly, Echo Responses (Type 129) travel end-to-end and would have
a unicast address as destination and either a unicast or anycast
address as source. They are mainly used in combination for
monitoring and debugging connectivity. Their only role in
establishing communication is that they are required when verifying
connectivity through Teredo tunnels [<a href="./rfc4380" title=""Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)"">RFC4380</a>]: Teredo tunneling to
IPv6 nodes on the site will not be possible if these messages are
blocked. It is not thought that there is a significant risk from
scanning attacks on a well-designed IPv6 network (see <a href="#section-3.2">Section 3.2</a>),
and so connectivity checks should be allowed by default.
<span class="h3"><a class="selflink" id="appendix-A.6" href="#appendix-A.6">A.6</a>. Neighbor Solicitation and Neighbor Advertisement Messages</span>
ICMPv6 Neighbor Solicitation and Neighbor Advertisement (Type 135 and
136) messages are essential to the establishment and maintenance of
communications on the local link. Firewalls need to generate and
accept these messages to allow them to establish and maintain
interfaces onto their connected links.
<span class="grey">Davies & Mohacsi Informational [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
Note that the address scopes of the source and destination addresses
on Neighbor Solicitations and Neighbor Advertisements may not match.
The exact functions that these messages will be carrying out depends
on the mechanism being used to configure IPv6 addresses on the link
(Stateless, Stateful, or Static configuration).
<span class="h3"><a class="selflink" id="appendix-A.7" href="#appendix-A.7">A.7</a>. Router Solicitation and Router Advertisement Messages</span>
ICMPv6 Router Solicitation and Router Advertisement (Type 133 and
134) messages are essential to the establishment and maintenance of
communications on the local link. Firewalls need to generate (since
the firewall will generally be behaving as a router) and accept these
messages to allow them to establish and maintain interfaces onto
their connected links.
<span class="h3"><a class="selflink" id="appendix-A.8" href="#appendix-A.8">A.8</a>. Redirect Messages</span>
ICMPv6 Redirect Messages (Type 137) are used on the local link to
indicate that nodes are actually link-local and communications need
not go via a router, or to indicate a more appropriate first-hop
router. Although they can be used to make communications more
efficient, they are not essential to the establishment of
communications and may be a security vulnerability, particularly if a
link is not physically secured. Conformant nodes are required to
provide configuration controls that suppress the generation of
Redirect messages and allow them to be ignored on reception. Using
Redirect messages on, for example, a wireless link without link level
encryption/authentication is particularly hazardous because the link
is open to eavesdropping and packet injection.
<span class="h3"><a class="selflink" id="appendix-A.9" href="#appendix-A.9">A.9</a>. SEND Certificate Path Messages</span>
SEND [<a href="./rfc3971" title=""SEcure Neighbor Discovery (SEND)"">RFC3971</a>] uses two messages (Certificate Path Solicitation and
Advertisement - Types 148 and 149) sent from nodes to supposed
routers on the same local link to obtain a certificate path that will
allow the node to authenticate the router's claim to provide routing
services for certain prefixes. If a link connected to a firewall/
router is using SEND, the firewall must be able to exchange these
messages with nodes on the link that will use its routing services.
<span class="h3"><a class="selflink" id="appendix-A.10" href="#appendix-A.10">A.10</a>. Multicast Listener Discovery Messages</span>
Multicast Listener Discovery (MLD) version 1 [<a href="./rfc2710" title=""Multicast Listener Discovery (MLD) for IPv6"">RFC2710</a>] (Listener
Query, Listener Report, and Listener Done - Types 130, 131, and 132)
and version 2 [<a href="./rfc3810" title=""Multicast Listener Discovery Version 2 (MLDv2) for IPv6"">RFC3810</a>] (Listener Query and Listener Report version 2
- Types 130 and 143) messages are sent on the local link to
communicate between multicast-capable routers and nodes that wish to
join or leave specific multicast groups. Firewalls need to be able
<span class="grey">Davies & Mohacsi Informational [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
to generate Listener messages in order to establish communications
and may generate all the messages if they also provide multicast
routing services.
<span class="h3"><a class="selflink" id="appendix-A.11" href="#appendix-A.11">A.11</a>. Multicast Router Discovery Messages</span>
Multicast Router Discovery [<a href="./rfc4286" title=""Multicast Router Discovery"">RFC4286</a>] (Router Advertisement, Router
Solicitation, and Router Termination - Types 151, 152, and 153)
messages are sent by nodes on the local link to discover multicast-
capable routers on the link, and by multicast-capable routers to
notify other nodes of their existence or change of state. Firewalls
that also act as multicast routers need to process these messages on
their interfaces.
<span class="h3"><a class="selflink" id="appendix-A.12" href="#appendix-A.12">A.12</a>. Router Renumbering Messages</span>
ICMPv6 Router Renumbering (Type 138) command messages can be received
and results messages sent by routers to change the prefixes that they
advertise as part of Stateless Address Configuration [<a href="./rfc2461" title=""Neighbor Discovery for IP Version 6 (IPv6)"">RFC2461</a>],
[<a href="./rfc2462" title=""IPv6 Stateless Address Autoconfiguration"">RFC2462</a>]. These messages are sent end-to-end to either the all-
routers multicast address (site or local scope) or specific unicast
addresses from a unicast address.
Router Renumbering messages are required to be protected by IPsec
authentication since they could be readily misused by attackers to
disrupt or divert site communications. Renumbering messages should
generally be confined to sites for this reason.
<span class="h3"><a class="selflink" id="appendix-A.13" href="#appendix-A.13">A.13</a>. Node Information Query and Reply</span>
ICMPv6 Node Information Query and Reply (Type 139 and 140) messages
defined in [<a href="./rfc4620" title=""IPv6 Node Information Queries"">RFC4620</a>] are sent end-to-end between unicast addresses,
and they can also be sent to link-local multicast addresses. They
can, in theory, be sent from any node to any other, but it would
generally not be desirable for nodes outside the local site to be
able to send queries to nodes within the site. Also, these messages
are not required to be authenticated.
<span class="h3"><a class="selflink" id="appendix-A.14" href="#appendix-A.14">A.14</a>. Mobile IPv6 Messages</span>
Mobile IPv6 [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] defines four ICMPv6 messages that are used to
support mobile operations: Home Agent Address Discovery Request, Home
Agent Address Discovery Reply, Mobile Prefix Solicitation, and ICMP
Mobile Prefix Advertisement (Type 144, 145, 146, and 147) messages.
These messages are sent end-to-end between unicast addresses of a
mobile node and its home agent. They must be expected to be sent
from outside a site and must traverse site-boundary firewalls to
reach the home agent in order for Mobile IPv6 to function. The two
<span class="grey">Davies & Mohacsi Informational [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
Mobile prefix messages should be protected by the use of IPsec
authentication.
o If the site provides home agents for mobile nodes, the firewall
must allow incoming Home Agent Address Discovery Request and
Mobile Prefix Solicitation messages, and outgoing Home Agent
Address Discovery Reply and ICMP Mobile Prefix Advertisement
messages. It may be desirable to limit the destination addresses
for the incoming messages to links that are known to support home
agents.
o If the site is prepared to host roaming mobile nodes, the firewall
must allow outgoing Home Agent Address Discovery Request and
Mobile Prefix Solicitation messages, and incoming Home Agent
Address Discovery Reply and ICMP Mobile Prefix Advertisement
messages.
o Administrators may find it desirable to prevent static nodes that
are normally resident on the site from behaving as mobile nodes by
dropping Mobile IPv6 messages from these nodes.
<span class="h3"><a class="selflink" id="appendix-A.15" href="#appendix-A.15">A.15</a>. Unused and Experimental Messages</span>
A large number of ICMPv6 Type values are currently unused. These
values have not had a specific function registered with IANA. This
section describes how to treat messages that attempt to use these
Type values in a way of which the network administrator (and hence
the firewall) is not aware.
[<a id="ref-RFC4443">RFC4443</a>] defines a number of experimental Type values for ICMPv6
Error and Informational messages, which could be used in site-
specific ways. These messages should be dropped by transit networks
and at site edges. They should also not be propagated within sites
unless the network administrator is explicitly made aware of usage.
The codes reserved for future extension of the ICMPv6 Type space
should currently be dropped as this functionality is as yet
undefined.
Any ICMPv6 Informational messages of which the firewall is not aware
should be allowed to transit through the firewall but should not be
accepted for local delivery on any of its interfaces.
Unknown ICMPv6 Error messages should be allowed to pass through
transit networks. At end site boundaries any incoming ICMPv6 Error
messages of which the firewall is not aware may be allowed through
the firewall in line with the specification in [<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>], which
requests delivery of unknown error messages to higher-layer protocol
<span class="grey">Davies & Mohacsi Informational [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
processes. However, administrators may wish to disallow forwarding
of these incoming messages as a potential security risk. Unknown
outgoing Error messages should be dropped as the administrator should
be aware of all messages that could be generated on the site.
Also, the SEAMOBY working group has had an ICMPv6 message (Type 150)
allocated for experimental use in two protocols. This message is
sent end-to-end and may need to pass through firewalls on sites that
are supporting the experimental protocols.
<span class="h2"><a class="selflink" id="appendix-B" href="#appendix-B">Appendix B</a>. Example Script to Configure ICMPv6 Firewall Rules</span>
This appendix contains an example script to implement most of the
rules suggested in this document when using the Netfilter packet
filtering system for Linux [<a href="#ref-netfilter" title=""The netfilter.org project"">netfilter</a>]. When used with IPv6, the
'ip6tables' command is used to configure packet filtering rules for
the Netfilter system. The script is targeted at a simple enterprise
site that may or may not support Mobile IPv6.
#!/bin/bash
# Set of prefixes on the trusted ("inner") side of the firewall
export INNER_PREFIXES="2001:DB8:85::/60"
# Set of hosts providing services so that they can be made pingable
export PINGABLE_HOSTS="2001:DB8:85::/64"
# Configuration option: Change this to 1 if errors allowed only for
# existing sessions
export STATE_ENABLED=0
# Configuration option: Change this to 1 if messages to/from link
# local addresses should be filtered.
# Do not use this if the firewall is a bridge.
# Optional for firewalls that are routers.
export FILTER_LINK_LOCAL_ADDRS=0
# Configuration option: Change this to 0 if the site does not support
# Mobile IPv6 Home Agents - see <a href="#appendix-A.14">Appendix A.14</a>
export HOME_AGENTS_PRESENT=1
# Configuration option: Change this to 0 if the site does not support
# Mobile IPv6 mobile nodes being present on the site -
# see <a href="#appendix-A.14">Appendix A.14</a>
export MOBILE_NODES_PRESENT=1
ip6tables -N icmpv6-filter
ip6tables -A FORWARD -p icmpv6 -j icmpv6-filter
# Match scope of src and dest else deny
# This capability is not provided for in base ip6tables functionality
# An extension (agr) exists which may support it.
#@TODO@
<span class="grey">Davies & Mohacsi Informational [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
# ECHO REQUESTS AND RESPONSES
# ===========================
# Allow outbound echo requests from prefixes which belong to the site
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type echo-request -j ACCEPT
done
# Allow inbound echo requests towards only predetermined hosts
for pingable_host in $PINGABLE_HOSTS
do
ip6tables -A icmpv6-filter -p icmpv6 -d $pingable_host \
--icmpv6-type echo-request -j ACCEPT
done
if [ "$STATE_ENABLED" -eq "1" ]
then
# Allow incoming and outgoing echo reply messages
# only for existing sessions
ip6tables -A icmpv6-filter -m state -p icmpv6 \
--state ESTABLISHED,RELATED --icmpv6-type \
echo-reply -j ACCEPT
else
# Allow both incoming and outgoing echo replies
for pingable_host in $PINGABLE_HOSTS
do
# Outgoing echo replies from pingable hosts
ip6tables -A icmpv6-filter -p icmpv6 -s $pingable_host \
--icmpv6-type echo-reply -j ACCEPT
done
# Incoming echo replies to prefixes which belong to the site
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
--icmpv6-type echo-reply -j ACCEPT
done
fi
# Deny icmps to/from link local addresses
# If the firewall is a router:
# These rules should be redundant as routers should not forward
# link local addresses but to be sure...
# DO NOT ENABLE these rules if the firewall is a bridge
if [ "$FILTER_LINK_LOCAL_ADDRS" -eq "1" ]
then
ip6tables -A icmpv6-filter -p icmpv6 -d fe80::/10 -j DROP
<span class="grey">Davies & Mohacsi Informational [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
ip6tables -A icmpv6-filter -p icmpv6 -s fe80::/10 -j DROP
fi
# Drop echo replies which have a multicast address as a
# destination
ip6tables -A icmpv6-filter -p icmpv6 -d ff00::/8 \
--icmpv6-type echo-reply -j DROP
# DESTINATION UNREACHABLE ERROR MESSAGES
# ======================================
if [ "$STATE_ENABLED" -eq "1" ]
then
# Allow incoming destination unreachable messages
# only for existing sessions
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -m state -p icmpv6 \
-d $inner_prefix \
--state ESTABLISHED,RELATED --icmpv6-type \
destination-unreachable -j ACCEPT
done
else
# Allow incoming destination unreachable messages
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
--icmpv6-type destination-unreachable -j ACCEPT
done
fi
# Allow outgoing destination unreachable messages
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type destination-unreachable -j ACCEPT
done
# PACKET TOO BIG ERROR MESSAGES
# =============================
if [ "$STATE_ENABLED" -eq "1" ]
then
# Allow incoming Packet Too Big messages
# only for existing sessions
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -m state -p icmpv6 \
<span class="grey">Davies & Mohacsi Informational [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
-d $inner_prefix \
--state ESTABLISHED,RELATED \
--icmpv6-type packet-too-big \
-j ACCEPT
done
else
# Allow incoming Packet Too Big messages
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
--icmpv6-type packet-too-big -j ACCEPT
done
fi
# Allow outgoing Packet Too Big messages
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type packet-too-big -j ACCEPT
done
# TIME EXCEEDED ERROR MESSAGES
# ============================
if [ "$STATE_ENABLED" -eq "1" ]
then
# Allow incoming time exceeded code 0 messages
# only for existing sessions
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -m state -p icmpv6 \
-d $inner_prefix \
--state ESTABLISHED,RELATED --icmpv6-type packet-too-big \
-j ACCEPT
done
else
# Allow incoming time exceeded code 0 messages
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
--icmpv6-type ttl-zero-during-transit -j ACCEPT
done
fi
#@POLICY@
# Allow incoming time exceeded code 1 messages
for inner_prefix in $INNER_PREFIXES
do
<span class="grey">Davies & Mohacsi Informational [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
--icmpv6-type ttl-zero-during-reassembly -j ACCEPT
done
# Allow outgoing time exceeded code 0 messages
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type ttl-zero-during-transit -j ACCEPT
done
#@POLICY@
# Allow outgoing time exceeded code 1 messages
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type ttl-zero-during-reassembly -j ACCEPT
done
# PARAMETER PROBLEM ERROR MESSAGES
# ================================
if [ "$STATE_ENABLED" -eq "1" ]
then
# Allow incoming parameter problem code 1 and 2 messages
# for an existing session
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -m state -p icmpv6 \
-d $inner_prefix \
--state ESTABLISHED,RELATED --icmpv6-type \
unknown-header-type \
-j ACCEPT
ip6tables -A icmpv6-filter -m state -p icmpv6 \
-d $inner_prefix \
--state ESTABLISHED,RELATED \
--icmpv6-type unknown-option \
-j ACCEPT
done
fi
# Allow outgoing parameter problem code 1 and code 2 messages
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type unknown-header-type -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
<span class="grey">Davies & Mohacsi Informational [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
--icmpv6-type unknown-option -j ACCEPT
done
#@POLICY@
# Allow incoming and outgoing parameter
# problem code 0 messages
for inner_prefix in $INNER_PREFIXES
do
ip6tables -A icmpv6-filter -p icmpv6 \
--icmpv6-type bad-header \
-j ACCEPT
done
# NEIGHBOR DISCOVERY MESSAGES
# ===========================
# Drop NS/NA messages both incoming and outgoing
ip6tables -A icmpv6-filter -p icmpv6 \
--icmpv6-type neighbor-solicitation -j DROP
ip6tables -A icmpv6-filter -p icmpv6 \
--icmpv6-type neighbor-advertisement -j DROP
# Drop RS/RA messages both incoming and outgoing
ip6tables -A icmpv6-filter -p icmpv6 \
--icmpv6-type router-solicitation -j DROP
ip6tables -A icmpv6-filter -p icmpv6 \
--icmpv6-type router-advertisement -j DROP
# Drop Redirect messages both incoming and outgoing
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type redirect -j DROP
# MLD MESSAGES
# ============
# Drop incoming and outgoing
# Multicast Listener queries (MLDv1 and MLDv2)
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 130 -j DROP
# Drop incoming and outgoing Multicast Listener reports (MLDv1)
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 131 -j DROP
# Drop incoming and outgoing Multicast Listener Done messages (MLDv1)
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 132 -j DROP
# Drop incoming and outgoing Multicast Listener reports (MLDv2)
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 143 -j DROP
# ROUTER RENUMBERING MESSAGES
<span class="grey">Davies & Mohacsi Informational [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
# ===========================
# Drop router renumbering messages
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 138 -j DROP
# NODE INFORMATION QUERIES
# ========================
# Drop node information queries (139) and replies (140)
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 139 -j DROP
ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 140 -j DROP
# MOBILE IPv6 MESSAGES
# ====================
# If there are mobile ipv6 home agents present on the
# trusted side allow
if [ "$HOME_AGENTS_PRESENT" -eq "1" ]
then
for inner_prefix in $INNER_PREFIXES
do
#incoming Home Agent address discovery request
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
--icmpv6-type 144 -j ACCEPT
#outgoing Home Agent address discovery reply
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type 145 -j ACCEPT
#incoming Mobile prefix solicitation
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
--icmpv6-type 146 -j ACCEPT
#outgoing Mobile prefix advertisement
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type 147 -j ACCEPT
done
fi
# If there are roaming mobile nodes present on the
# trusted side allow
if [ "$MOBILE_NODES_PRESENT" -eq "1" ]
then
for inner_prefix in $INNER_PREFIXES
do
#outgoing Home Agent address discovery request
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type 144 -j ACCEPT
#incoming Home Agent address discovery reply
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
<span class="grey">Davies & Mohacsi Informational [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
--icmpv6-type 145 -j ACCEPT
#outgoing Mobile prefix solicitation
ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
--icmpv6-type 146 -j ACCEPT
#incoming Mobile prefix advertisement
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
--icmpv6-type 147 -j ACCEPT
done
fi
# DROP EVERYTHING ELSE
# ====================
ip6tables -A icmpv6-filter -p icmpv6 -j DROP
Example Netfilter Configuration Script for ICMPv6 Filtering
Authors' Addresses
Elwyn B. Davies
Consultant
Soham, Cambs
UK
Phone: +44 7889 488 335
EMail: elwynd@dial.pipex.com
Janos Mohacsi
NIIF/HUNGARNET
Victor Hugo u. 18-22
Budapest, H-1132
Hungary
Phone: +36 1 4503070
EMail: mohacsi@niif.hu
<span class="grey">Davies & Mohacsi Informational [Page 37]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-38" ></span>
<span class="grey"><a href="./rfc4890">RFC 4890</a> ICMPv6 Filtering Recommendations May 2007</span>
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Davies & Mohacsi Informational [Page 38]
</pre>
|
