RE: [EXTERNAL]:Re: IPv6 filtering at network edge?

2021-03-17 Thread ERCIN TORUN
: NANOG On Behalf Of Saku Ytti Sent: Tuesday, March 16, 2021 6:16 PM To: Pete Ashdown Cc: nanog@nanog.org Subject: [EXTERNAL]:Re: IPv6 filtering at network edge? Hey, > I'm tightening up some network-edge filters, and in the process of > testing filtering with IPv6, I found that ther

Re: IPv6 filtering at network edge?

2021-03-16 Thread Mark Tinka
On 3/16/21 17:15, Saku Ytti wrote: > Dunno, ff02::1 would be very necessary (i.e. ND), ff02:: I have no idea. > But you should do yourself a favor, before you drop ICMP packets, allow ND: Not that you should see it over an exchange point, but LDPv6 runs over ff02::2. In case that's your style, b

Re: IPv6 filtering at network edge?

2021-03-16 Thread Saku Ytti
Hey, > I'm tightening up some network-edge filters, and in the process of > testing filtering with IPv6, I found that there is a lot of ICMP > link-local (fe80::) to ff02:: activity at an IX. Is any of this > necessary? I am wary of over-filtering that cuts down functionality and Dunno, ff02::1

IPv6 filtering at network edge?

2021-03-16 Thread Pete Ashdown
I'm tightening up some network-edge filters, and in the process of testing filtering with IPv6, I found that there is a lot of ICMP link-local (fe80::) to ff02:: activity at an IX.  Is any of this necessary?  I am wary of over-filtering that cuts down functionality and doesn't increase security

Re: IPv6 filtering

2011-01-26 Thread Michael Loftis
On Tue, Jan 25, 2011 at 10:49 PM, Mark D. Nagel wrote: > This can bite you in unexpected ways, too.  For example, on a Cisco ASA, > if you add a system-level 'icmpv6 permit' line and if this does not > include ND, then you break ND responses to the ASA.  This is much unlike > ARP, which is unaffe

Re: IPv6 filtering

2011-01-25 Thread Mohacsi Janos
On Wed, 26 Jan 2011, Franck Martin wrote: • ipv6 41 IPv6 # IPv6 • ipv6-route 43 IPv6-Route # Routing Header for IPv6 • ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6 • ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6 • ipv6-auth 51 IPv6-Auth # Authentication Header for

Re: IPv6 filtering

2011-01-25 Thread Mikael Abrahamsson
On Wed, 26 Jan 2011, Franck Martin wrote: But what about the others, should they be blocked, restricted? "Recommendations for Filtering ICMPv6 Messages in Firewalls" -- Mikael Abrahamsson email: swm...@swm.pp.se

Re: IPv6 filtering

2011-01-25 Thread Mark D. Nagel
On 1/25/2011 9:25 PM, Owen DeLong wrote: > > DO NOT filter IPv6 ICMP like you filter IPv4. > > If you do, you will break PMTU-Discovery, Neighbor Discovery, > and RA/SLAAC, all of which depend on ICMPv6. > This can bite you in unexpected ways, too. For example, on a Cisco ASA, if you add a system

Re: IPv6 filtering

2011-01-25 Thread Hank Nussbacher
At 18:20 26/01/2011 +1300, Franck Martin wrote: Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already? Ever since Cisco came out with "IPv6 Routing Header Vu

Re: IPv6 filtering

2011-01-25 Thread Paul Graydon
, Franck Martin wrote: Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already? - Original Message - From: "Roland Dobbins" To: "nanog group" Sent: Wednesday, 26 January

Re: IPv6 filtering

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 9:03 PM, Franck Martin wrote: > >• ipv6 41 IPv6 # IPv6 >• ipv6-route 43 IPv6-Route # Routing Header for IPv6 >• ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6 >• ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6 >• ipv6-auth 51 IPv6-Auth # Authe

Re: IPv6 filtering

2011-01-25 Thread Seth Mattinen
On 1/25/11 9:13 PM, Roland Dobbins wrote: > > On Jan 26, 2011, at 12:03 PM, Franck Martin wrote: > >> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4. > > Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be > filtered, what to filter, and where to filter it is

Re: IPv6 filtering

2011-01-25 Thread Franck Martin
Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already? - Original Message - From: "Roland Dobbins" To: "nanog group" Sent: Wednesday, 26 January, 2011 6:13:26

Re: IPv6 filtering

2011-01-25 Thread Roland Dobbins
On Jan 26, 2011, at 12:03 PM, Franck Martin wrote: > Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4. Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given

IPv6 filtering

2011-01-25 Thread Franck Martin
• ipv6 41 IPv6 # IPv6 • ipv6-route 43 IPv6-Route # Routing Header for IPv6 • ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6 • ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6 • ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6 • ipv6-icmp 58 IPv6-ICMP icm

IPv6 filtering practices (Was: IPv6, multihoming, and customer allocations)

2010-03-16 Thread Jeroen Massar
Rick Ernst wrote: [..] > I haven't seen anything on the general feel for prefix filtering. I've seen > discussions from /48 down to /54. Any feel for what the "standard" (widely > deployed) IPv6 prefix filter size will be? There have been a lot of discussions on this before. (See also http://lis

Re: IPv6 filtering (was Re: IPv6 internet broken, cogent/telia/hurricane not peering)

2009-10-13 Thread Seth Mattinen
Matthew Petach wrote: > > As I understand it, (and Cisco's documentation seems to support this, > http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/M1.html#wpxref54198 > as an example), if you put a /128 in an ACL, you cannot specify any L4 port > information f

Re: IPv6 filtering (was Re: IPv6 internet broken, cogent/telia/hurricane not peering)

2009-10-13 Thread Matthew Petach
On Mon, Oct 12, 2009 at 2:44 PM, Seth Mattinen wrote: > Marco Hogewoning wrote: > > > > As this thread has drifted off topic any way, would it for instance be a > > good idea to simply not accept mail from hosts that clearly use > > autoconfig ie reject all smtp from EUI-64 addresses. Of course n

Re: IPv6 filtering (was Re: IPv6 internet broken, cogent/telia/hurricane not peering)

2009-10-12 Thread Seth Mattinen
Marco Hogewoning wrote: > > As this thread has drifted off topic any way, would it for instance be a > good idea to simply not accept mail from hosts that clearly use > autoconfig ie reject all smtp from EUI-64 addresses. Of course not a > wise idea for your own outbound relays which should handle

Re: IPv6 filtering (was Re: IPv6 internet broken, cogent/telia/hurricane not peering)

2009-10-12 Thread Jeroen Massar
Marco Hogewoning wrote: > > On Oct 12, 2009, at 9:40 PM, Jeroen Massar wrote: > >> Marco Hogewoning wrote: >> [..] >>> As this thread has drifted off topic any way, would it for instance be a >>> good idea to simply not accept mail from hosts that clearly use >>> autoconfig ie reject all smtp fro

Re: IPv6 filtering (was Re: IPv6 internet broken, cogent/telia/hurricane not peering)

2009-10-12 Thread Marco Hogewoning
On Oct 12, 2009, at 9:40 PM, Jeroen Massar wrote: Marco Hogewoning wrote: [..] As this thread has drifted off topic any way, would it for instance be a good idea to simply not accept mail from hosts that clearly use autoconfig ie reject all smtp from EUI-64 addresses Can you please *NOT* s

Re: IPv6 filtering (was Re: IPv6 internet broken, cogent/telia/hurricane not peering)

2009-10-12 Thread Jeroen Massar
Marco Hogewoning wrote: [..] > As this thread has drifted off topic any way, would it for instance be a > good idea to simply not accept mail from hosts that clearly use > autoconfig ie reject all smtp from EUI-64 addresses Can you please *NOT* suggest people *STUPID* ideas like filtering on arbit

IPv6 filtering (was Re: IPv6 internet broken, cogent/telia/hurricane not peering)

2009-10-12 Thread Marco Hogewoning
On Oct 12, 2009, at 9:14 PM, Jack Bates wrote: Dan White wrote: Reputation lists will just be on the /64, /56 and /48 boundaries, rather than IPv4 /32. And then people will scream because someone setup a layout that hands out /128 addresses within a /64 pool. There is that chance yes