With IPv6 traffic is mainly regulated through ICMP6, whereas in IPv4 it was a mess of different protocols. Therefor it should be carefully configured and secured, to garantee a smooth functioning network environment.
The recommendations for ICMPv6 firewall filtering are based on RFC 4890. These recommendations allow propagation of ICMPv6 messages needed to maintain functionality of the network but drop messages posing potential security risks. Many ICMPv6 messages should only be used in a link-local context, rather than end-to-end, and filters need to be concerned with the types of addresses in ICMPv6 packets as well as the specific source address, destination addresses, and ICMPv6 Type. RFC 4890 classifies ICMPv6 messages according to whether they are designed for end-to-end communications (traffic to transit a firewall) or local communications within a link (local traffic addressed to an interface on a firewall). All experimental and undefined ICMPv6 messages should be dropped. ACLs should permit only those ICMPv6 messages that are required, based on specific local needs and policies; all others should be dropped.
|
|
Must Not Drop
|
Should Not Drop
|
|
Message (Type)
|
Transit
|
Local
|
Transit
|
Local
|
|
Maintenande of Communication: Allow non-local when associated with allowed connections
|
|
Destination Unreachable (1) – All codes
|
X
|
X
|
|
|
|
Packet Too Big (2)
|
X
|
X
|
|
|
|
Time Exceeded (3) – Code 0 only
|
X
|
X
|
|
|
|
Parameter Problem (4) – Codes 1 and 2 only
|
X
|
X
|
|
|
|
Connectivity Checking: Allow/disallow non-localvbased on topology/information concealment policy
|
|
Echo Request (128)
|
X
|
X
|
|
|
|
Echo Response (129)
|
X
|
X
|
|
|
|
Address Configuration and Router Selection: Allow in link-local only
|
|
Router Solicitation (133)
|
|
X
|
|
|
|
Router Advertisement (134)
|
|
X
|
|
|
|
Neighbor Solicitation (135)
|
|
X
|
|
|
|
Neighbor Advertisement (136)
|
|
X
|
|
|
|
Inverse Neighbor Discovery Solicitation (141)
|
|
X
|
|
|
|
Inverse Neighbor Discovery Advertisement (142)
|
|
X
|
|
|
|
Link-local Multicast Receiver
Notification: Allow in link-local only
|
|
Listener Query (130)
|
|
X
|
|
|
|
Listener Report (131)
|
|
X
|
|
|
|
Listener Done (132)
|
|
X
|
|
|
|
Listener Report v2 (143)
|
|
X
|
|
|
|
SEND Certification Path Notification: Allow in link-local traffic only
|
|
Certification Path Solicitation (148)
|
|
X
|
|
|
|
Certification Path Advertisement (149)
|
|
X
|
|
|
|
Multicast Router
Discovery: Allow in link-local traffic only
|
|
Multicast Router Advertisement (151)
|
|
X
|
|
|
|
Multicast Router Solicitation (152)
|
|
X
|
|
|
|
Multicast Router Termination (153)
|
|
X
|
|
|
|
Error
Messages: Allow non-local when associated with allowed connections
|
|
Time Exceeded (3) – Code 1
|
|
|
X
|
X
|
|
Parameter Problem (4) – Code 0
|
|
|
X
|
x
|
|
Mobile IPv6: Allow non-local for predefined endpoints
|
|
Home Agent Address Discovery Request (144)
|
|
|
x
|
|
|
Home Agent Address Discovery Reply (145)
|
|
|
X
|
|
|
Mobile Prefix Solicitation (146)
|
|
|
x
|
|
|
Mobile Prefix Advertisement (147)
|
|
|
X
|
|
Source – Guidelines for the Secure Deployment of IPv6 (NIST)
Loading ...
