At 18:20 26/01/2011 +1300, Franck Martin wrote:
> Well we filter icmp due to exploits, if no exploits, then we can let the
> whole of icmpv6 through. Or is there something terribly dangerous in
> icmpv6 already?

Ever since Cisco came out with "IPv6 Routing Header Vulnerability" in 2007
http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0fd.shtml
I have had the following enabled:

On the protected interface:
 ipv6 traffic-filter filter-rh in

ipv6 access-list filter-rh
 deny ipv6 any any log routing
 permit ipv6 any any

and have stopped many pkts that way. I still occasionally see hits in our
log from all sorts of newbies who continue to try old bugs.
-Hank
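
What the `routing` match in the filter above keys on, shown as an added example (not part of the original message and not Cisco's code): a Python walk of the IPv6 extension-header chain that reports the Routing Type, with `acl_action` as a simplified model of the posted ACL. The function names are hypothetical and the sample packets are constructed.

```python
import struct

# Extension headers that may precede a Routing header (IANA protocol numbers).
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60

def routing_header_type(packet: bytes):
    """Return the Routing Type of the first Routing header, or None if there is none."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == ROUTING:
            return packet[offset + 2]          # Routing Type field
        if next_header == FRAGMENT:
            # Only the first fragment carries the rest of the header chain.
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return None
            length = 8
        elif next_header == AH:
            length = (packet[offset + 1] + 2) * 4
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + length
    return None

def acl_action(packet: bytes) -> str:
    """Model of the posted ACL: deny anything with a Routing header, permit the rest."""
    return "deny" if routing_header_type(packet) is not None else "permit"

# --- Constructed sample packets (documentation prefix 2001:db8::/32) ---
ADDR = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1

def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + ADDR + ADDR + payload

def rh(rtype: int) -> bytes:
    # Next Header=ICMPv6, Hdr Ext Len=2, Routing Type, Segments Left=1, reserved, one address
    return bytes([58, 2, rtype, 1, 0, 0, 0, 0]) + ADDR

ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])              # ICMPv6 echo request, checksum left zero
HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])           # Hop-by-Hop with one PadN option
SAMPLES = {"plain echo": ipv6(58, ECHO),
           "hbh + type 0": ipv6(HOP_BY_HOP, HBH + rh(0) + ECHO),
           "type 2": ipv6(ROUTING, rh(2) + ECHO)}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} type={routing_header_type(pkt)} -> {acl_action(pkt)}")
```

In this model a type 2 header (the Mobile IPv6 one) is denied as well, since the filter matches on the presence of a Routing header rather than on its type.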