Difference between revisions of "RFC4890"

Latest revision as of 18:46, 5 October 2020

Network Working Group E. Davies Request for Comments: 4890 Consultant Category: Informational J. Mohacsi

                                                      NIIF/HUNGARNET
                                                            May 2007

   Recommendations for Filtering ICMPv6 Messages in Firewalls

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The IETF Trust (2007).

Abstract

In networks supporting IPv6, the Internet Control Message Protocol version 6 (ICMPv6) plays a fundamental role with a large number of functions, and a correspondingly large number of message types and options. ICMPv6 is essential to the functioning of IPv6, but there are a number of security risks associated with uncontrolled forwarding of ICMPv6 messages. Filtering strategies designed for the corresponding protocol, ICMP, in IPv4 networks are not directly applicable, because these strategies are intended to accommodate a useful auxiliary protocol that may not be required for correct functioning.

This document provides some recommendations for ICMPv6 firewall filter configuration that will allow propagation of ICMPv6 messages that are needed to maintain the functioning of the network but drop messages that are potential security risks.

 4.2.  Interaction of Link-Local Messages with

   4.3.3.  Traffic That Will Be Dropped Anyway -- No Special

   4.3.5.  Traffic That Should Be Dropped Unless a Good Case

 4.4.  Recommendations for ICMPv6 Local Configuration Traffic . . 18

   4.4.3.  Traffic That Will Be Dropped Anyway -- No Special

   4.4.5.  Traffic That Should Be Dropped Unless a Good Case

 A.6.  Neighbor Solicitation and Neighbor Advertisement

 A.7.  Router Solicitation and Router Advertisement Messages  . . 27

Appendix B. Example Script to Configure ICMPv6 Firewall Rules . . 30

Introduction

When a network supports IPv6 RFC2460, the Internet Control Message Protocol version 6 (ICMPv6) RFC4443 plays a fundamental role including being an essential component in establishing and maintaining communications both at the interface level and for sessions to remote nodes. This means that overly aggressive filtering of ICMPv6 by firewalls may have a detrimental effect on the establishment and maintenance of IPv6 communications. On the other hand, allowing indiscriminate passage of all ICMPv6 messages can be a major security risk. This document recommends a set of rules that seek to balance effective IPv6 communication against the needs of site security.

In a few cases, the appropriate rules will depend on whether the firewall is protecting

o an individual host,

o an end site where all ICMPv6 messages originate or terminate

  within the site, or

o a transit site such as an Internet Service Provider's site where

  some ICMPv6 messages will be passing through.

The document suggests alternative rules appropriate to each situation where it is relevant. It also notes some situations where alternative rules could be adopted according to the nature of the work being carried out on the site and consequent security policies. In general, Internet Service Providers should not filter ICMPv6 messages transiting their sites so that all the necessary communication elements are available to their customers to decide and filter according to their policy.

Readers familiar with ICMPv6 can skip to the recommended filtering rules in Section 4 and an example configuration script for Linux Netfilter in Appendix B.

ICMPv6 has a large number of functions defined in a number of sub- protocols, and there are a correspondingly large number of messages and options within these messages. The functions currently defined fall into a number of categories:

Returning Error Messages

     *  Returning error messages to the source if a packet could not
        be delivered.  Four different error messages, each with a
        number of sub-types, are specified in RFC4443.

Connection Checking

     *  Simple monitoring of connectivity through echo requests and
        responses used by the ping and traceroute utilities.  The
        Echo Request and Echo Response messages are specified in
        RFC4443.

Discovery Functions

     *  Finding neighbors (both routers and hosts) connected to the
        same link and determining their IP and link layer addresses.
        These messages are also used to check the uniqueness of any
        addresses that an interface proposes to use (Duplicate
        Address Detection - DAD).  Four messages -- Neighbor
        Solicitation (NS), Neighbor Advertisement (NA), Router
        Solicitation (RS) and Router Advertisement (RA) -- are
        specified in RFC2461.

     *  Ensuring that neighbors remain reachable using the same IP
        and link layer addresses after initial discovery (Neighbor
        Unreachability Discovery - NUD) and notifying neighbors of
        changes to link layer addresses.  Uses NS and NA RFC2461.

     *  Finding routers and determining how to obtain IP addresses
        to join the subnets supported by the routers.  Uses RS and
        RA RFC2461.

     *  If stateless autoconfiguration of hosts is enabled,
        communicating prefixes and other configuration information
        (including the link Maximum Transmission Unit (MTU) and
        suggested hop limit default) from routers to hosts.  Uses RS
        and RA RFC2462.

     *  When using SEcure Neighbor Discovery (SEND) to authenticate
        a router attached to a link, the Certificate Path
        Solicitation and Advertisement messages specified in
        RFC3971 are used by hosts to retrieve the certificates

        documenting the trust chain between a trust anchor and the
        router from the router.

     *  Determining the MTU along a path.  The Packet Too Big error
        message is essential to this function RFC1981.

     *  Providing a means to discover the IPv6 addresses associated
        with the link layer address of an interface (the inverse of
        Neighbor Discovery, where the link layer address is

        discovered given an IPv6 address).  Two messages, Inverse
        Neighbor Discovery Solicitation and Advertisement messages,
        are specified in RFC3122.

     *  Communicating which multicast groups have listeners on a
        link to the multicast capable routers connected to the link.
        Uses messages Multicast Listener Query, Multicast Listener
        Report (two versions), and Multicast Listener Done (protocol
        version 1 only) as specified in Multicast Listener Discovery
        MLDv1 RFC2710 and MLDv2 RFC3810.

     *  Discovering multicast routers attached to the local link.
        Uses messages Multicast Router Advertisement, Multicast
        Router Solicitation, and Multicast Router Termination as
        specified in Multicast Router Discovery RFC4286.

Reconfiguration Functions

     *  Redirecting packets to a more appropriate router on the
        local link for the destination address or pointing out that
        a destination is actually on the local link even if it is
        not obvious from the IP address (where a link supports
        multiple subnets).  The Redirect message is specified in
        RFC2461.

     *  Supporting renumbering of networks by allowing the prefixes
        advertised by routers to be altered.  Uses NS, NA, RS and RA
        together with the Router Renumbering message specified in
        RFC2894.

Mobile IPv6 Support

     *  Providing support for some aspects of Mobile IPv6 especially
        dealing with the IPv6 Mobile Home Agent functionality
        provided in routers and needed to support a Mobile node
        homed on the link.  The Home Agent Address Discovery Request
        and Reply and the Mobile Prefix Solicitation and
        Advertisement messages are specified in RFC3775.

Experimental Extensions

     *  An experimental extension to ICMPv6 specifies the ICMP Node
        Information Query and Response messages that can be used to
        retrieve some basic information about nodes RFC4620.

     *  The SEAmless IP MOBility (SEAMOBY) working group specified a
        pair of experimental protocols that use an ICMPv6 message
        specified in RFC4065 to help in locating an access router
        and moving the attachment point of a mobile node from one
        access router to another.

Many of these messages should only be used in a link-local context rather than end-to-end, and filters need to be concerned with the type of addresses in ICMPv6 packets as well as the specific source and destination addresses.

Compared with the corresponding IPv4 protocol, ICMP, ICMPv6 cannot be treated as an auxiliary function with packets that can be dropped in most cases without damaging the functionality of the network. This means that firewall filters for ICMPv6 have to be more carefully configured than was the case for ICMP, where typically a small set of blanket rules could be applied.

Classifying ICMPv6 Messages

Error and Informational ICMPv6 Messages

ICMPv6 messages contain an eight-bit Type field interpreted as an integer between 0 and 255. Messages with Type values less than or equal to 127 are Error messages. The remainder are Informational messages. In general terms, Error messages with well-known (standardized) Type values would normally be expected to be allowed to be sent to or pass through firewalls, and may be essential to the establishment and maintenance of communications (see Section 2.4) whereas Informational messages will generally be the subject of policy rules, and those passing through end site firewalls can, in many but by no means all cases, be dropped without damaging IPv6 communications.

Addressing of ICMPv6

ICMPv6 messages are sent using various kinds of source and destination address types and scopes. The source address is usually a unicast address, but during address autoconfiguration message exchanges, the unspecified address (::) is also used as a source address RFC2462.

Multicast Listener Discovery (MLD) Report and Done messages are sent with a link-local address as the IPv6 source address, if a valid address is available on the interface. If a valid link-local address is not available (e.g., one has not been configured), the message is sent with the unspecified address (::) as the IPv6 source address. Subsequently, the node will generate new MLD Report messages with proper link-local source address once it has been configured RFC3590.

The destination address can be either a well-known multicast address, a generated multicast address such as the solicited-node multicast address, an anycast address, or a unicast address. While many ICMPv6 messages use multicast addresses most of the time, some also use unicast addresses. For instance, the Router Advertisement messages are sent to the all-nodes multicast address when unsolicited, but can also be sent to a unicast address in response to a specific Router Solicitation, although this is rarely seen in current implementations.

Network Topology and Address Scopes

ICMPv6 messages can be classified according to whether they are meant for end-to-end communications or local communications within a link. There are also messages that we can classify as 'any-to-end', which can be sent from any point within a path back to the source; typically, these are used to announce an error in processing the original packet. For instance, the address resolution messages are solely for local communications RFC2461, whereas the Destination Unreachable messages are any-to-end in nature. Generally, end-to-end and any-to-end messages might be expected to pass through firewalls depending on policies but local communications must not.

Local communications will use link-local addresses in many cases but may also use global unicast addresses when configuring global addresses, for example. Also, some ICMPv6 messages used in local communications may contravene the usual rules requiring compatible scopes for source and destination addresses.

Role in Establishing and Maintaining Communication

Many ICMPv6 messages have a role in establishing or maintaining communications to and from the firewall and such messages have to be accepted by firewalls for local delivery. Generally, a firewall will also be acting as a router so that all the messages that might be used in configuring a router interface need to be accepted and generated. These messages should not transit through a firewall that is also acting as a router as they are normally intended for use within a link.

On the other hand, most ICMPv6 error messages traveling end-to-end or any-to-end are essential to the establishment and maintenance of communications. These messages must be passed through firewalls and might also be sent to and from firewalls to assist with establishment and maintenance of communications. For example, the Packet Too Big error message is needed to determine the MTU along a path both when a communication session is established initially and later if the path is rerouted during the session.

The remaining ICMPv6 messages that are not associated with communication establishment or maintenance will normally be legitimately attempting to pass through a firewall from inside to out or vice versa, but in most cases decisions as to whether or not to allow them to pass can be made on the basis of local policy without interfering with IPv6 communications.

The filtering rules for the various message roles will generally be different.

Security Considerations

This memo recommends filtering configurations for firewalls designed to minimize the security vulnerabilities that can arise in using the many different sub-protocols of ICMPv6 in support of IPv6 communication.

A major concern is that it is generally not possible to use IPsec or other means to authenticate the sender and validate the contents of many ICMPv6 messages. To a large extent, this is because a site can legitimately expect to receive certain error and other messages from almost any location in the wider Internet, and these messages may occur as a result of the first message sent to a destination. Establishing security associations with all possible sources of ICMPv6 messages is therefore impossible.

The inability to establish security associations to protect some messages that are needed to establish and maintain communications means that alternative means have to be used to reduce the vulnerability of sites to ICMPv6-based attacks. The most common way of doing this is to establish strict filtering policies in site firewalls to limit the unauthenticated ICMPv6 messages that can pass between the site and the wider Internet. This makes control of ICMPv6 filtering a delicate balance between protecting the site by dropping some of the ICMPv6 traffic passing through the firewall and allowing enough of the traffic through to make sure that efficient communication can be established.

SEND RFC3971 has been specified as a means to improve the security of local ICMPv6 communications. SEND sidesteps security association bootstrapping problems that would result if IPsec was used. SEND affects only link-local messages and does not limit the filtering that firewalls can apply, and its role in security is therefore not discussed further in this document.

Firewalls will normally be used to monitor ICMPv6 to control the following security concerns:

Denial-of-Service Attacks

ICMPv6 can be used to cause a denial of service (DoS) in a number of ways, including simply sending excessive numbers of ICMPv6 packets to destinations in the site and sending error messages that disrupt established communications by causing sessions to be dropped. Also, if spurious communication establishment or maintenance messages can be infiltrated onto a link, it might be possible to invalidate legitimate addresses or disable interfaces.

Probing

A major security consideration is preventing attackers from probing the site to determine the topology and identify hosts that might be vulnerable to attack. Carefully crafted but, often, malformed messages can be used to provoke ICMPv6 responses from hosts thereby informing attackers of potential targets for future attacks. However, the very large address space of IPv6 makes probing a less effective weapon as compared with IPv4 provided that addresses are not allocated in an easily guessable fashion. This subject is explored in more depth in [SCAN-IMP].

Redirection Attacks

A redirection attack could be used by a malicious sender to perform man-in-the-middle attacks or divert packets either to a malicious monitor or to cause DoS by blackholing the packets. These attacks would normally have to be carried out locally on a link using the Redirect message. Administrators need to decide if the improvement in efficiency from using Redirect messages is worth the risk of malicious use. Factors to consider include the physical security of the link and the complexity of addressing on the link. For example, on an open wireless link, redirection would be a serious hazard due to the lack of physical security. On the other hand, with a wired link in a secure building with complex addressing and redundant routers, the efficiency gains might well outweigh the small risk of a rogue node being connected.

Renumbering Attacks

Spurious Renumbering messages can lead to the disruption of a site. Although Renumbering messages are required to be authenticated with IPsec, so that it is difficult to carry out such attacks in practice, they should not be allowed through a site boundary firewall. On the other hand, a site may employ multiple "layers" of firewalls. In this case, Renumbering messages might be expected to be allowed to transit interior firewalls but not pass across the outer boundary.

Problems Resulting from ICMPv6 Transparency

Because some ICMPv6 error packets need to be passed through a firewall in both directions, malicious users can potentially use these messages to communicate between inside and outside, bypassing administrative inspection. For example, it might be possible to carry out a covert conversation through the payload of ICMPv6 error messages or tunnel inappropriate encapsulated IP packets in ICMPv6 error messages. This problem can be alleviated by filtering ICMPv6 errors using a deep packet inspection mechanism to ensure that the packet carried as a payload is associated with legitimate traffic to or from the protected network.

Filtering Recommendations

When designing firewall filtering rules for ICMPv6, the rules can be divided into two classes:

o Rules for ICMPv6 traffic transiting the firewall, with some minor

  variations for

  *  firewalls protecting end sites or individual hosts, and

  *  firewalls protecting transit sites

o Rules for ICMPv6 directed to interfaces on the firewall

Firewalls integrated with an individual host ("end host firewalls") can be treated as end site firewalls, but the special considerations discussed in Section 4.2 may be relevant because the firewall is not a router.

This section suggests some common considerations that should be borne in mind when designing filtering rules and then categorizes the rules for each class. The categories are:

o Messages that must not be dropped: usually because establishment

  or maintenance of communications will be prevented or severely
  impacted.

o Messages that should not be dropped: administrators need to have a

  very good reason for dropping this category.

o Messages that may be dropped in firewall/routers, but these

  messages may already be targeted to drop for other reasons (e.g.,
  because they are using link-local addresses) or because the
  protocol specification would cause the messages to be rejected if
  they had passed through a router.  Special considerations apply to
  transit traffic if the firewall is not a router as discussed in
  Section 4.2.

o Messages that administrators may or may not want to drop depending

  on local policy.

o Messages that administrators should consider dropping (e.g., ICMP

  node information name lookup queries).

More detailed analysis of each of the message types can be found in Appendix A.

Common Considerations

Depending on the classification of the message to be filtered (see Section 2), ICMPv6 messages should be filtered based on the ICMPv6 type of the message and the type (unicast, multicast, etc.) and scope (link-local, global unicast, etc.) of source and destination addresses. In some cases, it may be desirable to filter on the Code field of ICMPv6 error messages.

Messages that can be authenticated on delivery, probably because they contain an IPsec AH header or ESP header with authentication, may be subject to less strict policies than messages that cannot be authenticated. In the remainder of this section, we are generally considering what should be configured for unauthenticated messages. In many cases, it is not realistic to expect more than a tiny fraction of the messages to be authenticated.

Where messages are not essential to the establishment or maintenance of communications, local policy can be used to determine whether a message should be allowed or dropped.

Depending on the capabilities of the firewall being configured, it may be possible for the firewall to maintain state about packets that may result in error messages being returned or about ICMPv6 packets (e.g., Echo Requests) that are expected to receive a specific response. This state may allow the firewall to perform more precise checks based on this state, and to apply limits on the number of ICMPv6 packets accepted incoming or outgoing as a result of a packet traveling in the opposite direction. The capabilities of firewalls to perform such stateful packet inspection vary from model to model, and it is not assumed that firewalls are uniformly capable in this respect.

Firewalls that are able to perform deep packet inspection may be able to check the header fields in the start of the errored packet that is carried by ICMPv6 error messages. If the embedded packet has a source address that does not match the destination of the error message, the packet can be dropped. This provides a partial defense against some possible attacks on TCP that use spoofed ICMPv6 error messages, but the checks can also be carried out at the destination. For further information on these attacks see [ICMP-ATTACKS].

In general, the scopes of source and destination addresses of ICMPv6 messages should be matched, and packets with mismatched addresses should be dropped if they attempt to transit a router. However, some of the address configuration messages carried locally on a link may legitimately have mismatched addresses. Node implementations must accept these messages delivered locally on a link, and administrators should be aware that they can exist.

ICMPv6 messages transiting firewalls inbound to a site may be treated differently depending on whether they are addressed to a node on the site or to some other node. For end sites, packets addressed to nodes not on the site should be dropped, but would generally be forwarded by firewalls on transit sites.

Interaction of Link-Local Messages with Firewall/Routers and

  Firewall/Bridges

Firewalls can be implemented both as IP routers (firewall/routers) and as link layer bridges (e.g., Ethernet bridges) that are transparent to the IP layer although they will actually be inspecting the IP packets as they pass through (firewall/bridges).

Many of the messages used for establishment and maintenance of communications on the local link will be sent with link-local addresses for at least one of their source and destination. Routers conforming to the IPv6 standards will not forward these packets; there is no need to configure additional rules to prevent these

packets traversing a firewall/router, although administrators may wish to configure rules that would drop these packets for insurance and as a means of monitoring for attacks. Also, the specifications of ICMPv6 messages intended for use only on the local link specify various measures that would allow receivers to detect if the message had passed through a router, including:

o Requiring that the hop limit in the IPv6 header is set to 255 on

  transmission.  Receivers verify that the hop limit is still 255,
  to ensure that the packet has not passed through a router.

o Checking that the source address is a link-local unicast address.

Accordingly, it is not essential to configure firewall/router rules to drop out-of-specification packets of these types. If they have non-link-local source and destination addresses, allowing them to traverse the firewall/router, they would be rejected because of the checks performed at the destination. Again, firewall administrators may still wish to configure rules to log or drop such out-of- specification packets.

For firewall/bridges, slightly different considerations apply. The physical links on either side of the firewall/bridge are treated as a single logical link for the purposes of IP. Hence, the link local messages used for discovery functions on the link must be allowed to transit the transparent bridge. Administrators should ensures that routers and hosts attached to the link containing the firewall/bridge are built to the correct specifications so that out-of-specification packets are actually dropped as described in the earlier part of this section.

An end host firewall can generally be thought of as a special case of a firewall/bridge, but the only link-local messages that need to be allowed through are those directed to the host's interface.

Recommendations for ICMPv6 Transit Traffic

This section recommends rules that should be applied to ICMPv6 traffic attempting to transit a firewall.

Traffic That Must Not Be Dropped

Error messages that are essential to the establishment and maintenance of communications:

o Destination Unreachable (Type 1) - All codes o Packet Too Big (Type 2) o Time Exceeded (Type 3) - Code 0 only o Parameter Problem (Type 4) - Codes 1 and 2 only

Appendix A.4 suggests some more specific checks that could be performed on Parameter Problem messages if a firewall has the necessary packet inspection capabilities.

Connectivity checking messages:

o Echo Request (Type 128) o Echo Response (Type 129)

For Teredo tunneling RFC4380 to IPv6 nodes on the site to be possible, it is essential that the connectivity checking messages are allowed through the firewall. It has been common practice in IPv4 networks to drop Echo Request messages in firewalls to minimize the risk of scanning attacks on the protected network. As discussed in Section 3.2, the risks from port scanning in an IPv6 network are much less severe, and it is not necessary to filter IPv6 Echo Request messages.

Traffic That Normally Should Not Be Dropped

Error messages other than those listed in Section 4.3.1:

o Time Exceeded (Type 3) - Code 1 o Parameter Problem (Type 4) - Code 0

Mobile IPv6 messages that are needed to assist mobility:

o Home Agent Address Discovery Request (Type 144) o Home Agent Address Discovery Reply (Type 145) o Mobile Prefix Solicitation (Type 146) o Mobile Prefix Advertisement (Type 147)

Administrators may wish to apply more selective rules as described in Appendix A.14 depending on whether the site is catering for mobile nodes that would normally be at home on the site and/or foreign mobile nodes roaming onto the site.

Traffic That Will Be Dropped Anyway -- No Special Attention

    Needed

The messages listed in this section are all involved with local management of nodes connected to the logical link on which they were initially transmitted. All these messages should never be propagated beyond the link on which they were initially transmitted. If the firewall is a firewall/bridge rather than a firewall/router, these messages should be allowed to transit the firewall as they would be intended for establishing communications between the two physical parts of the link that are bridged into a single logical link.

During normal operations, these messages will have destination addresses, mostly link local but in some cases global unicast addresses, of interfaces on the local link. No special action is needed to filter messages with link-local addresses in a firewall/ router. As discussed in Section 4.1, these messages are specified so that either the receiver is able to check that the message has not passed through a router or it will be dropped at the first router it encounters.

Administrators may also wish to consider providing rules in firewall/ routers to catch illegal packets sent with hop limit = 1 to avoid ICMPv6 Time Exceeded messages being generated for these packets.

Address Configuration and Router Selection messages (must be received with hop limit = 255):

o Router Solicitation (Type 133) o Router Advertisement (Type 134) o Neighbor Solicitation (Type 135) o Neighbor Advertisement (Type 136) o Redirect (Type 137) o Inverse Neighbor Discovery Solicitation (Type 141) o Inverse Neighbor Discovery Advertisement (Type 142)

Link-local multicast receiver notification messages (must have link- local source address):

o Listener Query (Type 130) o Listener Report (Type 131) o Listener Done (Type 132) o Listener Report v2 (Type 143)

SEND Certificate Path notification messages (must be received with hop limit = 255):

o Certificate Path Solicitation (Type 148) o Certificate Path Advertisement (Type 149)

Multicast Router Discovery messages (must have link-local source address and hop limit = 1):

o Multicast Router Advertisement (Type 151) o Multicast Router Solicitation (Type 152) o Multicast Router Termination (Type 153)

Traffic for Which a Policy Should Be Defined

The message type that the experimental Seamoby protocols are using will be expected to have to cross site boundaries in normal operation. Transit sites must allow these messages to transit the site. End site administrators should determine if they need to support these experiments and otherwise messages of this type should be dropped:

o Seamoby Experimental (Type 150)

Error messages not currently defined by IANA: o Unallocated Error messages (Types 5-99 inclusive and 102-126

  inclusive)

The base ICMPv6 specification suggests that error messages that are not explicitly known to a node should be forwarded and passed to any higher-level protocol that might be able to interpret them. There is a small risk that such messages could be used to provide a covert channel or form part of a DoS attack. Administrators of end sites should be aware of this and determine whether they wish to allow these messages through the firewall. Firewalls protecting transit sites must allow all types of error messages to transit the site but may adopt different policies for error messages addressed to nodes within the site.

All informational messages with types not explicitly assigned by IANA, currently:

o Unallocated Informational messages (Types 154-199 inclusive and

  202-254 inclusive).

Note that the base ICMPv6 specification requires that received informational messages with unknown types must be silently discarded. Transit sites must allow these messages to transit the site. End

site administrators can either adopt a policy of allowing all these messages through the firewall, relying on end hosts to drop unrecognized messages, or drop all such messages at the firewall. Different policies could be adopted for inbound and outbound messages.

If administrators choose to implement policies that drop currently unallocated error or informational messages, it is important to review the set of messages affected in case new message types are assigned by IANA.

Traffic That Should Be Dropped Unless a Good Case Can Be Made

Node Information enquiry messages should generally not be forwarded across site boundaries. Some of these messages will be using non- link-local unicast addresses so that they will not necessarily be dropped by address scope limiting rules:

o Node Information Query (Type 139) o Node Information Response (Type 140)

Router Renumbering messages should not be forwarded across site boundaries. As originally specified, these messages may use a site scope multicast address or a site local unicast address. They should be caught by standard rules that are intended to stop any packet with a multicast site scope or site local destination being forwarded across a site boundary provided these are correctly configured. Since site local addresses have now been deprecated, it seems likely that changes may be made to allow the use of unique local addresses or global unicast addresses. Should this happen, it will be essential to explicitly filter these messages at site boundaries. If a site has internal as well as boundary firewalls, individual policies should be established for the internal firewalls depending on whether or not the site wishes to use Router Renumbering:

o Router Renumbering (Type 138)

Messages with types in the experimental allocations:

o Types 100, 101, 200, and 201.

Messages using the extension type numbers until such time as ICMPv6 needs to use such extensions:

o Types 127 and 255.

Recommendations for ICMPv6 Local Configuration Traffic

This section recommends filtering rules for ICMPv6 traffic addressed to an interface on a firewall. For a small number of messages, the desired behavior may differ between interfaces on the site or private side of the firewall and the those on the public Internet side of the firewall.

Traffic That Must Not Be Dropped

Error messages that are essential to the establishment and maintenance of communications:

o Destination Unreachable (Type 1) - All codes o Packet Too Big (Type 2) o Time Exceeded (Type 3) - Code 0 only o Parameter Problem (Type 4) - Codes 1 and 2 only

Connectivity checking messages:

o Echo Request (Type 128) o Echo Response (Type 129)

As discussed in Section 4.3.1, dropping connectivity checking messages will prevent the firewall being the destination of a Teredo tunnel and it is not considered necessary to disable connectivity checking in IPv6 networks because port scanning is less of a security risk.

There are a number of other sets of messages that play a role in configuring the node and maintaining unicast and multicast communications through the interfaces of a node. These messages must not be dropped if the node is to successfully participate in an IPv6 network. The exception to this is the Redirect message for which an explicit policy decision should be taken (see Section 4.4.4).

Address Configuration and Router Selection messages:

o Router Solicitation (Type 133) o Router Advertisement (Type 134) o Neighbor Solicitation (Type 135) o Neighbor Advertisement (Type 136) o Inverse Neighbor Discovery Solicitation (Type 141) o Inverse Neighbor Discovery Advertisement (Type 142)

Link-Local Multicast Receiver Notification messages:

o Listener Query (Type 130) o Listener Report (Type 131) o Listener Done (Type 132) o Listener Report v2 (Type 143)

SEND Certificate Path Notification messages:

o Certificate Path Solicitation (Type 148) o Certificate Path Advertisement (Type 149)

Multicast Router Discovery messages:

o Multicast Router Advertisement (Type 151) o Multicast Router Solicitation (Type 152) o Multicast Router Termination (Type 153)

Traffic That Normally Should Not Be Dropped

Error messages other than those listed in Section 4.4.1:

o Time Exceeded (Type 3) - Code 1 o Parameter Problem (Type 4) - Code 0

Traffic That Will Be Dropped Anyway -- No Special Attention

    Needed

Router Renumbering messages must be authenticated using IPsec, so it is not essential to filter these messages even if they are not allowed at the firewall/router:

o Router Renumbering (Type 138)

Mobile IPv6 messages that are needed to assist mobility:

o Home Agent Address Discovery Request (Type 144) o Home Agent Address Discovery Reply (Type 145) o Mobile Prefix Solicitation (Type 146) o Mobile Prefix Advertisement (Type 147)

It may be desirable to drop these messages, especially on public interfaces, if the firewall is not also providing mobile home agent services, but they will be ignored otherwise.

The message used by the experimental Seamoby protocols may be dropped but will be ignored if the service is not implemented:

o Seamoby Experimental (Type 150)

Traffic for Which a Policy Should Be Defined

Redirect messages provide a significant security risk, and administrators should take a case-by-case approach to whether firewalls, routers in general, and other nodes should accept these messages:

o Redirect (Type 137)

Conformant nodes must provide configuration controls that allow nodes to control their behavior with respect to Redirect messages so that it should only be necessary to install specific filtering rules under special circumstances, such as if Redirect messages are accepted on private interfaces but not public ones.

If a node implements the experimental Node Information service, the administrator needs to make an explicit decision as to whether the node should respond to or accept Node Information messages on each interface:

o Node Information Query (Type 139) o Node Information Response (Type 140)

It may be possible to disable the service on the node if it is not wanted, in which case these messages will be ignored and no filtering is necessary.

Error messages not currently defined by IANA:

o Unallocated Error messages (Types 5-99 inclusive and 102-126

  inclusive)

The base ICMPv6 specification suggests that error messages that are not explicitly known to a node should be forwarded and passed to any higher-level protocol that might be able to interpret them. There is a small risk that such messages could be used to provide a covert channel or form part of a DoS attack. Administrators should be aware of this and determine whether they wish to allow these messages to be sent to the firewall.

Traffic That Should Be Dropped Unless a Good Case Can Be Made

Messages with types in the experimental allocations:

o Types 100, 101, 200, and 201.

Messages using the extension type numbers until such time as ICMPv6 needs to use such extensions:

o Types 127 and 255.

All informational messages with types not explicitly assigned by IANA, currently:

o Types 154-199 inclusive and 202-254 inclusive.

Note that the base ICMPv6 specification requires that received informational messages with unknown types must be silently discarded.

Acknowledgements

Pekka Savola created the original IPv6 Security Overview document, which contained suggestions for ICMPv6 filter setups. This information has been incorporated into this document. He has also provided important comments. Some analysis of the classification of ICMPv6 messages and the term 'any-to-end' were used by Jari Arkko in a document relating to ICMPv6 and IKE.

The Netfilter configuration script in Appendix B was contributed by Suresh Krishnan.

References

Normative References

RFC1981 McCann, J., Deering, S., and J. Mogul, "Path MTU

               Discovery for IP version 6", RFC 1981, August 1996.

RFC2460 Deering, S. and R. Hinden, "Internet Protocol,

               Version 6 (IPv6) Specification", RFC 2460,
               December 1998.

RFC2461 Narten, T., Nordmark, E., and W. Simpson, "Neighbor

               Discovery for IP Version 6 (IPv6)", RFC 2461,
               December 1998.

RFC2462 Thomson, S. and T. Narten, "IPv6 Stateless Address

               Autoconfiguration", RFC 2462, December 1998.

RFC2710 Deering, S., Fenner, W., and B. Haberman, "Multicast

               Listener Discovery (MLD) for IPv6", RFC 2710,
               October 1999.

RFC2894 Crawford, M., "Router Renumbering for IPv6",

               RFC 2894, August 2000.

RFC3122 Conta, A., "Extensions to IPv6 Neighbor Discovery for

               Inverse Discovery Specification", RFC 3122,
               June 2001.

RFC3590 Haberman, B., "Source Address Selection for the

               Multicast Listener Discovery (MLD) Protocol",
               RFC 3590, September 2003.

RFC3775 Johnson, D., Perkins, C., and J. Arkko, "Mobility

               Support in IPv6", RFC 3775, June 2004.

RFC3810 Vida, R. and L. Costa, "Multicast Listener Discovery

               Version 2 (MLDv2) for IPv6", RFC 3810, June 2004.

RFC3971 Arkko, J., Kempf, J., Zill, B., and P. Nikander,

               "SEcure Neighbor Discovery (SEND)", RFC 3971,
               March 2005.

RFC4065 Kempf, J., "Instructions for Seamoby and Experimental

               Mobility Protocol IANA Allocations", RFC 4065,
               July 2005.

RFC4286 Haberman, B. and J. Martin, "Multicast Router

               Discovery", RFC 4286, December 2005.

RFC4443 Conta, A., Deering, S., and M. Gupta, "Internet

               Control Message Protocol (ICMPv6) for the Internet
               Protocol Version 6 (IPv6) Specification", RFC 4443,
               March 2006.

RFC4620 Crawford, M. and B. Haberman, "IPv6 Node Information

               Queries", RFC 4620, August 2006.

Informative References

[ICMP-ATTACKS] Gont, F., "ICMP attacks against TCP", Work

               in Progress, October 2006.

RFC3041 Narten, T. and R. Draves, "Privacy Extensions for

               Stateless Address Autoconfiguration in IPv6",
               RFC 3041, January 2001.

RFC4380 Huitema, C., "Teredo: Tunneling IPv6 over UDP through

               Network Address Translations (NATs)", RFC 4380,
               February 2006.

[SCAN-IMP] Chown, T., "IPv6 Implications for Network Scanning",

               Work in Progress, March 2007.

[netfilter] netfilter.org, "The netfilter.org project",

               Firewalling, NAT and Packet Mangling for Linux ,
               2006, <http://www.netfilter.org/>.

Appendix A. Notes on Individual ICMPv6 Messages

A.1. Destination Unreachable Error Message

Destination Unreachable (Type 1) error messages RFC4443 are sent any-to-end between unicast addresses. The message can be generated from any node that a packet traverses when the node is unable to forward the packet for any reason except congestion.

Destination Unreachable messages are useful for debugging, but are also important to speed up cycling through possible addresses, as they can avoid the need to wait through timeouts and hence can be part of the process of establishing or maintaining communications. It is a common practice in IPv4 to refrain from generating ICMP Destination Unreachable messages in an attempt to hide the networking topology and/or service structure. The same idea could be applied to IPv6, but this can slow down connection if a host has multiple addresses, some of which are deprecated, as they may be when using privacy addresses RFC3041. If policy allows the generation of ICMPv6 Destination Unreachable messages, it is important that nodes provide the correct reason code, one of: no route to destination, administratively prohibited, beyond scope of source address, address unreachable, port unreachable, source address failed ingress/egress policy, or reject route to destination.

A.2. Packet Too Big Error Message

Packet Too Big (Type 2) error messages RFC4443 are sent any-to-end between unicast addresses. The message can be generated from any node that a packet traverses on the path when the node is unable to forward the packet because the packet is too large for the MTU of the next link. This message is vital to the correct functioning of Path MTU Discovery and hence is part of the establishment and maintenance of communications. Since routers are not allowed to fragment packets, informing sources of the need to fragment large packets is more important than for IPv4. If these messages are not generated when appropriate, hosts will continue to send packets that are too large or may assume that the route is congested. Effectively, parts of the Internet will become inaccessible.

If a network chooses to generate packets that are no larger than the Guaranteed Minimum MTU (1280 octets) and the site's links to the wider Internet have corresponding MTUs, Packet Too Big messages should not be expected at the firewall and could be dropped if they arrive.

A.3. Time Exceeded Error Message

Time Exceeded (Type 3) error messages RFC4443 can occur in two contexts:

o Code 0 are generated at any node on the path being taken by the

  packet and sent, any-to-end between unicast addresses, if the Hop
  Limit value is decremented to zero at that node.

o Code 1 messages are generated at the destination node and sent

  end-to-end between unicast addresses if all the segments of a
  fragmented message are not received within the reassembly time
  limit.

Code 0 messages can be needed as part of the establishment of communications if the path to a particular destination requires an unusually large number of hops.

Code 1 messages will generally only result from congestion in the network, and it is less essential to propagate these messages.

A.4. Parameter Problem Error Message

The great majority of Parameter Problem (Type 4) error messages will be generated by the destination node when processing destination options and other extension headers, and hence are sent end-to-end between unicast addresses. Exceptionally, these messages might be generated by any node on the path if a faulty or unrecognized hop-by- hop option is included or from any routing waypoint if there are faulty or unrecognized destination options associated with a Type 0 routing header. In these cases, the message will be sent any-to-end using unicast source and destination addresses.

Parameter Problem Code 1 (Unrecognized Next Header) and Code 2 (Unrecognized IPv6 Option) messages may result if a node on the path (usually the destination) is unable to process a correctly formed extension header or option. If these messages are not returned to the source, communication cannot be established, as the source would need to adapt its choice of options probably because the destination does not implement these capabilities. Hence, these messages need to be generated and allowed for effective IPv6 communications.

Code 0 (Erroneous Header) messages indicate a malformed extension header generally as a result of incorrectly generated packets. Hence, these messages are useful for debugging purposes, but it is unlikely that a node generating such packets could establish communications without human intervention to correct the problem.

Code 2 messages, only, can be generated for packets with multicast destination addresses.

It is possible that attackers may seek to probe or scan a network by deliberately generating packets with unknown extension headers or options or with faulty headers. If nodes generate Parameter Problem error messages in all cases and these outgoing messages are allowed through firewalls, the attacker may be able to identify active addresses that can be probed further or learn about the network topology. The vulnerability could be mitigated whilst helping to establish communications if the firewall was able to examine such error messages in depth and was configured to only allow Parameter Problem messages for headers that had been standardized but were not supported in the protected network. If the network administrator believes that all nodes in the network support all legitimate extension headers, then it would be reasonable to drop all outgoing Parameter Problem messages. Note that this is not a major vulnerability in a well-designed IPv6 network because of the difficulties of performing scanning attacks (see Section 3.2).

A.5. ICMPv6 Echo Request and Echo Response

Echo Request (Type 128) uses unicast addresses as source addresses, but may be sent to any legal IPv6 address, including multicast and anycast addresses RFC4443. Echo Requests travel end-to-end. Similarly, Echo Responses (Type 129) travel end-to-end and would have a unicast address as destination and either a unicast or anycast address as source. They are mainly used in combination for monitoring and debugging connectivity. Their only role in establishing communication is that they are required when verifying connectivity through Teredo tunnels RFC4380: Teredo tunneling to IPv6 nodes on the site will not be possible if these messages are blocked. It is not thought that there is a significant risk from scanning attacks on a well-designed IPv6 network (see Section 3.2), and so connectivity checks should be allowed by default.

A.6. Neighbor Solicitation and Neighbor Advertisement Messages

ICMPv6 Neighbor Solicitation and Neighbor Advertisement (Type 135 and 136) messages are essential to the establishment and maintenance of communications on the local link. Firewalls need to generate and accept these messages to allow them to establish and maintain interfaces onto their connected links.

Note that the address scopes of the source and destination addresses on Neighbor Solicitations and Neighbor Advertisements may not match. The exact functions that these messages will be carrying out depends on the mechanism being used to configure IPv6 addresses on the link (Stateless, Stateful, or Static configuration).

A.7. Router Solicitation and Router Advertisement Messages

ICMPv6 Router Solicitation and Router Advertisement (Type 133 and 134) messages are essential to the establishment and maintenance of communications on the local link. Firewalls need to generate (since the firewall will generally be behaving as a router) and accept these messages to allow them to establish and maintain interfaces onto their connected links.

A.8. Redirect Messages

ICMPv6 Redirect Messages (Type 137) are used on the local link to indicate that nodes are actually link-local and communications need not go via a router, or to indicate a more appropriate first-hop router. Although they can be used to make communications more efficient, they are not essential to the establishment of communications and may be a security vulnerability, particularly if a link is not physically secured. Conformant nodes are required to provide configuration controls that suppress the generation of Redirect messages and allow them to be ignored on reception. Using Redirect messages on, for example, a wireless link without link level encryption/authentication is particularly hazardous because the link is open to eavesdropping and packet injection.

A.9. SEND Certificate Path Messages

SEND RFC3971 uses two messages (Certificate Path Solicitation and Advertisement - Types 148 and 149) sent from nodes to supposed routers on the same local link to obtain a certificate path that will allow the node to authenticate the router's claim to provide routing services for certain prefixes. If a link connected to a firewall/ router is using SEND, the firewall must be able to exchange these messages with nodes on the link that will use its routing services.

A.10. Multicast Listener Discovery Messages

Multicast Listener Discovery (MLD) version 1 RFC2710 (Listener Query, Listener Report, and Listener Done - Types 130, 131, and 132) and version 2 RFC3810 (Listener Query and Listener Report version 2 - Types 130 and 143) messages are sent on the local link to communicate between multicast-capable routers and nodes that wish to join or leave specific multicast groups. Firewalls need to be able

to generate Listener messages in order to establish communications and may generate all the messages if they also provide multicast routing services.

A.11. Multicast Router Discovery Messages

Multicast Router Discovery RFC4286 (Router Advertisement, Router Solicitation, and Router Termination - Types 151, 152, and 153) messages are sent by nodes on the local link to discover multicast- capable routers on the link, and by multicast-capable routers to notify other nodes of their existence or change of state. Firewalls that also act as multicast routers need to process these messages on their interfaces.

A.12. Router Renumbering Messages

ICMPv6 Router Renumbering (Type 138) command messages can be received and results messages sent by routers to change the prefixes that they advertise as part of Stateless Address Configuration RFC2461, RFC2462. These messages are sent end-to-end to either the all- routers multicast address (site or local scope) or specific unicast addresses from a unicast address.

Router Renumbering messages are required to be protected by IPsec authentication since they could be readily misused by attackers to disrupt or divert site communications. Renumbering messages should generally be confined to sites for this reason.

A.13. Node Information Query and Reply

ICMPv6 Node Information Query and Reply (Type 139 and 140) messages defined in RFC4620 are sent end-to-end between unicast addresses, and they can also be sent to link-local multicast addresses. They can, in theory, be sent from any node to any other, but it would generally not be desirable for nodes outside the local site to be able to send queries to nodes within the site. Also, these messages are not required to be authenticated.

A.14. Mobile IPv6 Messages

Mobile IPv6 RFC3775 defines four ICMPv6 messages that are used to support mobile operations: Home Agent Address Discovery Request, Home Agent Address Discovery Reply, Mobile Prefix Solicitation, and ICMP Mobile Prefix Advertisement (Type 144, 145, 146, and 147) messages. These messages are sent end-to-end between unicast addresses of a mobile node and its home agent. They must be expected to be sent from outside a site and must traverse site-boundary firewalls to reach the home agent in order for Mobile IPv6 to function. The two

Mobile prefix messages should be protected by the use of IPsec authentication.

o If the site provides home agents for mobile nodes, the firewall

  must allow incoming Home Agent Address Discovery Request and
  Mobile Prefix Solicitation messages, and outgoing Home Agent
  Address Discovery Reply and ICMP Mobile Prefix Advertisement
  messages.  It may be desirable to limit the destination addresses
  for the incoming messages to links that are known to support home
  agents.

o If the site is prepared to host roaming mobile nodes, the firewall

  must allow outgoing Home Agent Address Discovery Request and
  Mobile Prefix Solicitation messages, and incoming Home Agent
  Address Discovery Reply and ICMP Mobile Prefix Advertisement
  messages.

o Administrators may find it desirable to prevent static nodes that

  are normally resident on the site from behaving as mobile nodes by
  dropping Mobile IPv6 messages from these nodes.

A.15. Unused and Experimental Messages

A large number of ICMPv6 Type values are currently unused. These values have not had a specific function registered with IANA. This section describes how to treat messages that attempt to use these Type values in a way of which the network administrator (and hence the firewall) is not aware.

RFC4443 defines a number of experimental Type values for ICMPv6 Error and Informational messages, which could be used in site- specific ways. These messages should be dropped by transit networks and at site edges. They should also not be propagated within sites unless the network administrator is explicitly made aware of usage.

The codes reserved for future extension of the ICMPv6 Type space should currently be dropped as this functionality is as yet undefined.

Any ICMPv6 Informational messages of which the firewall is not aware should be allowed to transit through the firewall but should not be accepted for local delivery on any of its interfaces.

Unknown ICMPv6 Error messages should be allowed to pass through transit networks. At end site boundaries any incoming ICMPv6 Error messages of which the firewall is not aware may be allowed through the firewall in line with the specification in RFC4443, which requests delivery of unknown error messages to higher-layer protocol

processes. However, administrators may wish to disallow forwarding of these incoming messages as a potential security risk. Unknown outgoing Error messages should be dropped as the administrator should be aware of all messages that could be generated on the site.

Also, the SEAMOBY working group has had an ICMPv6 message (Type 150) allocated for experimental use in two protocols. This message is sent end-to-end and may need to pass through firewalls on sites that are supporting the experimental protocols.

Appendix B. Example Script to Configure ICMPv6 Firewall Rules

This appendix contains an example script to implement most of the rules suggested in this document when using the Netfilter packet filtering system for Linux [netfilter]. When used with IPv6, the 'ip6tables' command is used to configure packet filtering rules for the Netfilter system. The script is targeted at a simple enterprise site that may or may not support Mobile IPv6.

!/bin/bash
Set of prefixes on the trusted ("inner") side of the firewall

export INNER_PREFIXES="2001:DB8:85::/60"

Set of hosts providing services so that they can be made pingable

export PINGABLE_HOSTS="2001:DB8:85::/64"

Configuration option: Change this to 1 if errors allowed only for
existing sessions

export STATE_ENABLED=0

Configuration option: Change this to 1 if messages to/from link
local addresses should be filtered.
Do not use this if the firewall is a bridge.
Optional for firewalls that are routers.

export FILTER_LINK_LOCAL_ADDRS=0

Configuration option: Change this to 0 if the site does not support
Mobile IPv6 Home Agents - see Appendix A.14

export HOME_AGENTS_PRESENT=1

Configuration option: Change this to 0 if the site does not support
Mobile IPv6 mobile nodes being present on the site -
see Appendix A.14

export MOBILE_NODES_PRESENT=1

ip6tables -N icmpv6-filter ip6tables -A FORWARD -p icmpv6 -j icmpv6-filter

Match scope of src and dest else deny
This capability is not provided for in base ip6tables functionality
An extension (agr) exists which may support it.
@TODO@

ECHO REQUESTS AND RESPONSES
===========================

Allow outbound echo requests from prefixes which belong to the site

for inner_prefix in $INNER_PREFIXES do

 ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
       --icmpv6-type echo-request -j ACCEPT

done

Allow inbound echo requests towards only predetermined hosts

for pingable_host in $PINGABLE_HOSTS do

 ip6tables -A icmpv6-filter -p icmpv6 -d $pingable_host \
       --icmpv6-type echo-request -j ACCEPT

done

if [ "$STATE_ENABLED" -eq "1" ] then

 # Allow incoming and outgoing echo reply messages
 # only for existing sessions
 ip6tables -A icmpv6-filter -m state -p icmpv6 \
       --state ESTABLISHED,RELATED --icmpv6-type \
     echo-reply -j ACCEPT

else

 # Allow both incoming and outgoing echo replies
 for pingable_host in $PINGABLE_HOSTS
 do
   # Outgoing echo replies from pingable hosts
   ip6tables -A icmpv6-filter -p icmpv6 -s $pingable_host \
       --icmpv6-type echo-reply -j ACCEPT
 done
 # Incoming echo replies to prefixes which belong to the site
 for inner_prefix in $INNER_PREFIXES
 do
   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
       --icmpv6-type echo-reply -j ACCEPT
 done

fi

Deny icmps to/from link local addresses
If the firewall is a router:
These rules should be redundant as routers should not forward
link local addresses but to be sure...
DO NOT ENABLE these rules if the firewall is a bridge

if [ "$FILTER_LINK_LOCAL_ADDRS" -eq "1" ] then

 ip6tables -A icmpv6-filter -p icmpv6 -d fe80::/10 -j DROP

 ip6tables -A icmpv6-filter -p icmpv6 -s fe80::/10 -j DROP

fi

Drop echo replies which have a multicast address as a
destination

ip6tables -A icmpv6-filter -p icmpv6 -d ff00::/8 \

       --icmpv6-type echo-reply -j DROP

DESTINATION UNREACHABLE ERROR MESSAGES
======================================

if [ "$STATE_ENABLED" -eq "1" ] then

 # Allow incoming destination unreachable messages
 # only for existing sessions
 for inner_prefix in $INNER_PREFIXES
 do
   ip6tables -A icmpv6-filter -m state -p icmpv6 \
        -d $inner_prefix \
        --state ESTABLISHED,RELATED --icmpv6-type \
        destination-unreachable -j ACCEPT
 done

else

 # Allow incoming destination unreachable messages
 for inner_prefix in $INNER_PREFIXES
 do
   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
        --icmpv6-type destination-unreachable -j ACCEPT
 done

fi

Allow outgoing destination unreachable messages

for inner_prefix in $INNER_PREFIXES do

 ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
        --icmpv6-type destination-unreachable -j ACCEPT

done

PACKET TOO BIG ERROR MESSAGES
=============================

if [ "$STATE_ENABLED" -eq "1" ] then

 # Allow incoming Packet Too Big messages
 # only for existing sessions
 for inner_prefix in $INNER_PREFIXES
 do
   ip6tables -A icmpv6-filter -m state -p icmpv6 \

        -d $inner_prefix \
        --state ESTABLISHED,RELATED \
        --icmpv6-type packet-too-big \
        -j ACCEPT
 done

else

 # Allow incoming Packet Too Big messages
 for inner_prefix in $INNER_PREFIXES
 do
   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
        --icmpv6-type packet-too-big -j ACCEPT
 done

fi

Allow outgoing Packet Too Big messages

for inner_prefix in $INNER_PREFIXES do

 ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
        --icmpv6-type packet-too-big -j ACCEPT

done

TIME EXCEEDED ERROR MESSAGES
============================

if [ "$STATE_ENABLED" -eq "1" ] then

 # Allow incoming time exceeded code 0 messages
 # only for existing sessions
 for inner_prefix in $INNER_PREFIXES
 do
   ip6tables -A icmpv6-filter -m state -p icmpv6 \
        -d $inner_prefix \
        --state ESTABLISHED,RELATED --icmpv6-type packet-too-big \
        -j ACCEPT
 done

else

 # Allow incoming time exceeded code 0 messages
 for inner_prefix in $INNER_PREFIXES
 do
   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
        --icmpv6-type ttl-zero-during-transit -j ACCEPT
 done

fi

@POLICY@
Allow incoming time exceeded code 1 messages

for inner_prefix in $INNER_PREFIXES do

ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \

        --icmpv6-type ttl-zero-during-reassembly -j ACCEPT

done

Allow outgoing time exceeded code 0 messages

for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \

        --icmpv6-type ttl-zero-during-transit -j ACCEPT

done

@POLICY@
Allow outgoing time exceeded code 1 messages

for inner_prefix in $INNER_PREFIXES do ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \

        --icmpv6-type ttl-zero-during-reassembly -j ACCEPT

done

PARAMETER PROBLEM ERROR MESSAGES
================================

if [ "$STATE_ENABLED" -eq "1" ] then

 # Allow incoming parameter problem code 1 and 2 messages
 # for an existing session
 for inner_prefix in $INNER_PREFIXES
 do
   ip6tables -A icmpv6-filter -m state -p icmpv6 \
        -d $inner_prefix \
        --state ESTABLISHED,RELATED --icmpv6-type \
        unknown-header-type \
        -j ACCEPT
   ip6tables -A icmpv6-filter -m state -p icmpv6 \
        -d $inner_prefix \
        --state ESTABLISHED,RELATED \
        --icmpv6-type unknown-option \
        -j ACCEPT
 done

fi

Allow outgoing parameter problem code 1 and code 2 messages

for inner_prefix in $INNER_PREFIXES do

 ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
        --icmpv6-type unknown-header-type -j ACCEPT
 ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \

        --icmpv6-type unknown-option -j ACCEPT

done

@POLICY@
Allow incoming and outgoing parameter
problem code 0 messages

for inner_prefix in $INNER_PREFIXES do

 ip6tables -A icmpv6-filter -p icmpv6 \
        --icmpv6-type bad-header \
        -j ACCEPT

done

NEIGHBOR DISCOVERY MESSAGES
===========================

Drop NS/NA messages both incoming and outgoing

ip6tables -A icmpv6-filter -p icmpv6 \

        --icmpv6-type neighbor-solicitation -j DROP

ip6tables -A icmpv6-filter -p icmpv6 \

        --icmpv6-type neighbor-advertisement -j DROP

Drop RS/RA messages both incoming and outgoing

ip6tables -A icmpv6-filter -p icmpv6 \

        --icmpv6-type router-solicitation -j DROP

ip6tables -A icmpv6-filter -p icmpv6 \

        --icmpv6-type router-advertisement -j DROP

Drop Redirect messages both incoming and outgoing

ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type redirect -j DROP

MLD MESSAGES
============

Drop incoming and outgoing
Multicast Listener queries (MLDv1 and MLDv2)

ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 130 -j DROP

Drop incoming and outgoing Multicast Listener reports (MLDv1)

ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 131 -j DROP

Drop incoming and outgoing Multicast Listener Done messages (MLDv1)

ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 132 -j DROP

Drop incoming and outgoing Multicast Listener reports (MLDv2)

ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 143 -j DROP

ROUTER RENUMBERING MESSAGES

===========================

Drop router renumbering messages

ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 138 -j DROP

NODE INFORMATION QUERIES
========================

Drop node information queries (139) and replies (140)

ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 139 -j DROP ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 140 -j DROP

MOBILE IPv6 MESSAGES
====================

If there are mobile ipv6 home agents present on the
trusted side allow

if [ "$HOME_AGENTS_PRESENT" -eq "1" ] then

 for inner_prefix in $INNER_PREFIXES
 do
   #incoming Home Agent address discovery request
   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
        --icmpv6-type 144 -j ACCEPT
   #outgoing Home Agent address discovery reply
   ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
        --icmpv6-type 145 -j ACCEPT
   #incoming Mobile prefix solicitation
   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
        --icmpv6-type 146 -j ACCEPT
   #outgoing Mobile prefix advertisement
   ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
        --icmpv6-type 147 -j ACCEPT
 done

fi

If there are roaming mobile nodes present on the
trusted side allow

if [ "$MOBILE_NODES_PRESENT" -eq "1" ] then

 for inner_prefix in $INNER_PREFIXES
 do
   #outgoing Home Agent address discovery request
   ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
        --icmpv6-type 144 -j ACCEPT
   #incoming Home Agent address discovery reply
   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \

        --icmpv6-type 145 -j ACCEPT
   #outgoing Mobile prefix solicitation
   ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
        --icmpv6-type 146 -j ACCEPT
   #incoming Mobile prefix advertisement
   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
        --icmpv6-type 147 -j ACCEPT
 done

fi

DROP EVERYTHING ELSE
====================

ip6tables -A icmpv6-filter -p icmpv6 -j DROP

    Example Netfilter Configuration Script for ICMPv6 Filtering

Authors' Addresses

Elwyn B. Davies Consultant Soham, Cambs UK

Phone: +44 7889 488 335 EMail: [email protected]

Janos Mohacsi NIIF/HUNGARNET Victor Hugo u. 18-22 Budapest, H-1132 Hungary

Phone: +36 1 4503070 EMail: [email protected]

Full Copyright Statement

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at [email protected].

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.

@@ Line 1: / Line 1: @@
+Network Working Group                                          E. Davies
+Request for Comments: 4890                                    Consultant
+Category: Informational                                      J. Mohacsi
+                                                      NIIF/HUNGARNET
+                                                            May 2007
+    Recommendations for Filtering ICMPv6 Messages in Firewalls
+'''Status of This Memo'''
-Network Working Group                                          E. DaviesRequest for Comments: 4890                                    ConsultantCategory: Informational                                      J. Mohacsi                                                      NIIF/HUNGARNET                                                            May 2007
-    Recommendations for Filtering ICMPv6 Messages in Firewalls
-Status of This Memo
 This memo provides information for the Internet community.  It does
@@ Line 14: / Line 13: @@
 memo is unlimited.
-Copyright Notice
+'''Copyright Notice'''
 Copyright (C) The IETF Trust (2007).
-Abstract
+'''Abstract'''
 In networks supporting IPv6, the Internet Control Message Protocol
@@ Line 36: / Line 35: @@
 messages that are potential security risks.
+.2.  Interaction of Link-Local Messages with
+.3.3.  Traffic That Will Be Dropped Anyway -- No Special
+.3.5.  Traffic That Should Be Dropped Unless a Good Case
+.4.  Recommendations for ICMPv6 Local Configuration Traffic . . 18
+.4.3.  Traffic That Will Be Dropped Anyway -- No Special
+.4.5.  Traffic That Should Be Dropped Unless a Good Case
+  A.6.  Neighbor Solicitation and Neighbor Advertisement
+  A.7.  Router Solicitation and Router Advertisement Messages  . . 27
+Appendix B.  Example Script to Configure ICMPv6 Firewall Rules . . 30
 == Introduction ==
-When a network supports IPv6 [RFC2460], the Internet Control Message
+When a network supports IPv6 [[RFC2460]], the Internet Control Message
-Protocol version 6 (ICMPv6) [RFC4443] plays a fundamental role
+Protocol version 6 (ICMPv6) [[RFC4443]] plays a fundamental role
 including being an essential component in establishing and
 maintaining communications both at the interface level and for
@@ Line 89: / Line 90: @@
 rules in Section 4 and an example configuration script for Linux
 Netfilter in Appendix B.
 ICMPv6 has a large number of functions defined in a number of sub-
@@ Line 105: / Line 100: @@
        *  Returning error messages to the source if a packet could not
          be delivered.  Four different error messages, each with a
-         number of sub-types, are specified in [RFC4443].
+         number of sub-types, are specified in [[RFC4443]].
 Connection Checking
@@ Line 112: / Line 107: @@
          responses used by the ping and traceroute utilities.  The
          Echo Request and Echo Response messages are specified in
-         [RFC4443].
+         [[RFC4443]].
 Discovery Functions
@@ Line 123: / Line 118: @@
          Solicitation (NS), Neighbor Advertisement (NA), Router
          Solicitation (RS) and Router Advertisement (RA) -- are
-         specified in [RFC2461].
+         specified in [[RFC2461]].
        *  Ensuring that neighbors remain reachable using the same IP
          and link layer addresses after initial discovery (Neighbor
          Unreachability Discovery - NUD) and notifying neighbors of
-         changes to link layer addresses.  Uses NS and NA [RFC2461].
+         changes to link layer addresses.  Uses NS and NA [[RFC2461]].
        *  Finding routers and determining how to obtain IP addresses
          to join the subnets supported by the routers.  Uses RS and
-         RA [RFC2461].
+         RA [[RFC2461]].
        *  If stateless autoconfiguration of hosts is enabled,
@@ Line 138: / Line 133: @@
          (including the link Maximum Transmission Unit (MTU) and
          suggested hop limit default) from routers to hosts.  Uses RS
-         and RA [RFC2462].
+         and RA [[RFC2462]].
        *  When using SEcure Neighbor Discovery (SEND) to authenticate
          a router attached to a link, the Certificate Path
          Solicitation and Advertisement messages specified in
-         [RFC3971] are used by hosts to retrieve the certificates
+         [[RFC3971]] are used by hosts to retrieve the certificates
          documenting the trust chain between a trust anchor and the
@@ Line 153: / Line 144: @@
        *  Determining the MTU along a path.  The Packet Too Big error
-         message is essential to this function [RFC1981].
+         message is essential to this function [[RFC1981]].
        *  Providing a means to discover the IPv6 addresses associated
@@ Line 161: / Line 152: @@
          discovered given an IPv6 address).  Two messages, Inverse
          Neighbor Discovery Solicitation and Advertisement messages,
-         are specified in [RFC3122].
+         are specified in [[RFC3122]].
        *  Communicating which multicast groups have listeners on a
@@ Line 168: / Line 159: @@
          Report (two versions), and Multicast Listener Done (protocol
          version 1 only) as specified in Multicast Listener Discovery
-         MLDv1 [RFC2710] and MLDv2 [RFC3810].
+         MLDv1 [[RFC2710]] and MLDv2 [[RFC3810]].
        *  Discovering multicast routers attached to the local link.
          Uses messages Multicast Router Advertisement, Multicast
          Router Solicitation, and Multicast Router Termination as
-         specified in Multicast Router Discovery [RFC4286].
+         specified in Multicast Router Discovery [[RFC4286]].
 Reconfiguration Functions
@@ Line 182: / Line 173: @@
          not obvious from the IP address (where a link supports
          multiple subnets).  The Redirect message is specified in
-         [RFC2461].
+         [[RFC2461]].
        *  Supporting renumbering of networks by allowing the prefixes
          advertised by routers to be altered.  Uses NS, NA, RS and RA
          together with the Router Renumbering message specified in
-         [RFC2894].
+         [[RFC2894]].
 Mobile IPv6 Support
@@ Line 196: / Line 187: @@
          homed on the link.  The Home Agent Address Discovery Request
          and Reply and the Mobile Prefix Solicitation and
-         Advertisement messages are specified in [RFC3775].
+         Advertisement messages are specified in [[RFC3775]].
 Experimental Extensions
@@ Line 206: / Line 193: @@
        *  An experimental extension to ICMPv6 specifies the ICMP Node
          Information Query and Response messages that can be used to
-         retrieve some basic information about nodes [RFC4620].
+         retrieve some basic information about nodes [[RFC4620]].
        *  The SEAmless IP MOBility (SEAMOBY) working group specified a
          pair of experimental protocols that use an ICMPv6 message
-         specified in [RFC4065] to help in locating an access router
+         specified in [[RFC4065]] to help in locating an access router
          and moving the attachment point of a mobile node from one
          access router to another.
@@ Line 248: / Line 235: @@
 a unicast address, but during address autoconfiguration message
 exchanges, the unspecified address (::) is also used as a source
-address [RFC2462].
+address [[RFC2462]].
 Multicast Listener Discovery (MLD) Report and Done messages are sent
@@ Line 262: / Line 244: @@
 Subsequently, the node will generate new MLD Report messages with
 proper link-local source address once it has been configured
-[RFC3590].
+[[RFC3590]].
 The destination address can be either a well-known multicast address,
@@ Line 282: / Line 264: @@
 typically, these are used to announce an error in processing the
 original packet.  For instance, the address resolution messages are
-solely for local communications [RFC2461], whereas the Destination
+solely for local communications [[RFC2461]], whereas the Destination
 Unreachable messages are any-to-end in nature.  Generally, end-to-end
 and any-to-end messages might be expected to pass through firewalls
@@ Line 303: / Line 285: @@
 is also acting as a router as they are normally intended for use
 within a link.
 On the other hand, most ICMPv6 error messages traveling end-to-end or
@@ Line 355: / Line 333: @@
 communication can be established.
+SEND [[RFC3971]] has been specified as a means to improve the security
-SEND [RFC3971] has been specified as a means to improve the security
 of local ICMPv6 communications.  SEND sidesteps security association
 bootstrapping problems that would result if IPsec was used.  SEND
@@ Line 408: / Line 380: @@
 routers, the efficiency gains might well outweigh the small risk of a
 rogue node being connected.
 === Renumbering Attacks ===
@@ Line 455: / Line 422: @@
 discussed in Section 4.2 may be relevant because the firewall is not
 a router.
 This section suggests some common considerations that should be borne
@@ Line 515: / Line 471: @@
 of communications, local policy can be used to determine whether a
 message should be allowed or dropped.
 Depending on the capabilities of the firewall being configured, it
@@ Line 568: / Line 520: @@
 conforming to the IPv6 standards will not forward these packets;
 there is no need to configure additional rules to prevent these
 packets traversing a firewall/router, although administrators may
@@ Line 612: / Line 560: @@
 This section recommends rules that should be applied to ICMPv6
 traffic attempting to transit a firewall.
 ==== Traffic That Must Not Be Dropped ====
@@ Line 645: / Line 580: @@
 o  Echo Response (Type 129)
-For Teredo tunneling [RFC4380] to IPv6 nodes on the site to be
+For Teredo tunneling [[RFC4380]] to IPv6 nodes on the site to be
 possible, it is essential that the connectivity checking messages are
 allowed through the firewall.  It has been common practice in IPv4
@@ Line 672: / Line 607: @@
 nodes that would normally be at home on the site and/or foreign
 mobile nodes roaming onto the site.
 ==== Traffic That Will Be Dropped Anyway -- No Special Attention ====
@@ Line 722: / Line 651: @@
 o  Listener Done (Type 132)
 o  Listener Report v2 (Type 143)
 SEND Certificate Path notification messages (must be received with
@@ Line 780: / Line 700: @@
 informational messages with unknown types must be silently discarded.
 Transit sites must allow these messages to transit the site.  End
 site administrators can either adopt a policy of allowing all these
@@ Line 830: / Line 746: @@
 o  Types 127 and 255.
 === Recommendations for ICMPv6 Local Configuration Traffic ===
@@ Line 882: / Line 791: @@
 o  Inverse Neighbor Discovery Solicitation (Type 141)
 o  Inverse Neighbor Discovery Advertisement (Type 142)
 Link-Local Multicast Receiver Notification messages:
@@ Line 935: / Line 836: @@
 interfaces, if the firewall is not also providing mobile home agent
 services, but they will be ignored otherwise.
 The message used by the experimental Seamoby protocols may be dropped
@@ Line 988: / Line 881: @@
 of this and determine whether they wish to allow these messages to be
 sent to the firewall.
 ==== Traffic That Should Be Dropped Unless a Good Case Can Be Made ====
@@ Line 1,032: / Line 917: @@
 === Normative References ===
-[RFC1981]      McCann, J., Deering, S., and J. Mogul, "Path MTU               Discovery for IP version 6", [[RFC1981|RFC 1981]], August 1996.
+[[RFC1981]]      McCann, J., Deering, S., and J. Mogul, "Path MTU
-[RFC2460]      Deering, S. and R. Hinden, "Internet Protocol,                Version 6 (IPv6) Specification", [[RFC2460|RFC 2460]],                December 1998.
+                Discovery for IP version 6", [[RFC1981|RFC 1981]], August 1996.
-[RFC2461]      Narten, T., Nordmark, E., and W. Simpson, "Neighbor                Discovery for IP Version 6 (IPv6)", [[RFC2461|RFC 2461]],                December 1998.
-[RFC2462]      Thomson, S. and T. Narten, "IPv6 Stateless Address                Autoconfiguration", [[RFC2462|RFC 2462]], December 1998.
+[[RFC2460]]      Deering, S. and R. Hinden, "Internet Protocol,
+                Version 6 (IPv6) Specification", [[RFC2460|RFC 2460]],
+                December 1998.
+[[RFC2461]]      Narten, T., Nordmark, E., and W. Simpson, "Neighbor
+                Discovery for IP Version 6 (IPv6)", [[RFC2461|RFC 2461]],
+                December 1998.
+[[RFC2462]]      Thomson, S. and T. Narten, "IPv6 Stateless Address
+                Autoconfiguration", [[RFC2462|RFC 2462]], December 1998.
-[RFC2710]      Deering, S., Fenner, W., and B. Haberman, "Multicast               Listener Discovery (MLD) for IPv6", [[RFC2710|RFC 2710]],               October 1999.
+[[RFC2710]]      Deering, S., Fenner, W., and B. Haberman, "Multicast
-[RFC2894]      Crawford, M., "Router Renumbering for IPv6",                [[RFC2894|RFC 2894]], August 2000.
+                Listener Discovery (MLD) for IPv6", [[RFC2710|RFC 2710]],
-[RFC3122]      Conta, A., "Extensions to IPv6 Neighbor Discovery for                Inverse Discovery Specification", [[RFC3122|RFC 3122]],                June 2001.
+                October 1999.
-[RFC3590]      Haberman, B., "Source Address Selection for the                Multicast Listener Discovery (MLD) Protocol",                [[RFC3590|RFC 3590]], September 2003.
-[RFC3775]      Johnson, D., Perkins, C., and J. Arkko, "Mobility                Support in IPv6", [[RFC3775|RFC 3775]], June 2004.
-[RFC3810]      Vida, R. and L. Costa, "Multicast Listener Discovery                Version 2 (MLDv2) for IPv6", [[RFC3810|RFC 3810]], June 2004.
-[RFC3971]      Arkko, J., Kempf, J., Zill, B., and P. Nikander,                "SEcure Neighbor Discovery (SEND)", [[RFC3971|RFC 3971]],                March 2005.
-[RFC4065]      Kempf, J., "Instructions for Seamoby and Experimental                Mobility Protocol IANA Allocations", [[RFC4065|RFC 4065]],                July 2005.
-[RFC4286]      Haberman, B. and J. Martin, "Multicast Router                Discovery", [[RFC4286|RFC 4286]], December 2005.
-[RFC4443]      Conta, A., Deering, S., and M. Gupta, "Internet                Control Message Protocol (ICMPv6) for the Internet                Protocol Version 6 (IPv6) Specification", [[RFC4443|RFC 4443]],                March 2006.
-[RFC4620]      Crawford, M. and B. Haberman, "IPv6 Node Information                Queries", [[RFC4620|RFC 4620]], August 2006.
-=== Informative References ===
-[ICMP-ATTACKS]  Gont, F., "ICMP attacks against TCP", Work                in Progress, October 2006.
+[[RFC2894]]      Crawford, M., "Router Renumbering for IPv6",
-[RFC3041]      Narten, T. and R. Draves, "Privacy Extensions for               Stateless Address Autoconfiguration in IPv6",               [[RFC3041|RFC 3041]], January 2001.
+                [[RFC2894|RFC 2894]], August 2000.
+[[RFC3122]]      Conta, A., "Extensions to IPv6 Neighbor Discovery for
+                Inverse Discovery Specification", [[RFC3122|RFC 3122]],
+                June 2001.
+[[RFC3590]]      Haberman, B., "Source Address Selection for the
+                Multicast Listener Discovery (MLD) Protocol",
+                [[RFC3590|RFC 3590]], September 2003.
+[[RFC3775]]      Johnson, D., Perkins, C., and J. Arkko, "Mobility
+                Support in IPv6", [[RFC3775|RFC 3775]], June 2004.
-[RFC4380]      Huitema, C., "Teredo: Tunneling IPv6 over UDP through                Network Address Translations (NATs)", [[RFC4380|RFC 4380]],               February 2006.
+[[RFC3810]]      Vida, R. and L. Costa, "Multicast Listener Discovery
-[SCAN-IMP]      Chown, T., "IPv6 Implications for Network Scanning",                Work in Progress, March 2007.
+                Version 2 (MLDv2) for IPv6", [[RFC3810|RFC 3810]], June 2004.
-[netfilter]    netfilter.org, "The netfilter.org project",                Firewalling, NAT and Packet Mangling for Linux ,                2006, <http://www.netfilter.org/>.
+[[RFC3971]]      Arkko, J., Kempf, J., Zill, B., and P. Nikander,
+                "SEcure Neighbor Discovery (SEND)", [[RFC3971|RFC 3971]],
+                March 2005.
+[[RFC4065]]      Kempf, J., "Instructions for Seamoby and Experimental
+                Mobility Protocol IANA Allocations", [[RFC4065|RFC 4065]],
+                July 2005.
+[[RFC4286]]      Haberman, B. and J. Martin, "Multicast Router
+                Discovery", [[RFC4286|RFC 4286]], December 2005.
+[[RFC4443]]      Conta, A., Deering, S., and M. Gupta, "Internet
+                Control Message Protocol (ICMPv6) for the Internet
+                Protocol Version 6 (IPv6) Specification", [[RFC4443|RFC 4443]],
+                March 2006.
+[[RFC4620]]      Crawford, M. and B. Haberman, "IPv6 Node Information
+                Queries", [[RFC4620|RFC 4620]], August 2006.
+=== Informative References ===
+[ICMP-ATTACKS]  Gont, F., "ICMP attacks against TCP", Work
+                in Progress, October 2006.
+[[RFC3041]]      Narten, T. and R. Draves, "Privacy Extensions for
+                Stateless Address Autoconfiguration in IPv6",
+                [[RFC3041|RFC 3041]], January 2001.
+[[RFC4380]]      Huitema, C., "Teredo: Tunneling IPv6 over UDP through
+                Network Address Translations (NATs)", [[RFC4380|RFC 4380]],
+                February 2006.
+[SCAN-IMP]      Chown, T., "IPv6 Implications for Network Scanning",
+                Work in Progress, March 2007.
+[netfilter]    netfilter.org, "The netfilter.org project",
+                Firewalling, NAT and Packet Mangling for Linux ,
+, <http://www.netfilter.org/>.
+Appendix A.  Notes on Individual ICMPv6 Messages
+A.1.  Destination Unreachable Error Message
+Destination Unreachable (Type 1) error messages [[RFC4443]] are sent
+any-to-end between unicast addresses.  The message can be generated
+from any node that a packet traverses when the node is unable to
+forward the packet for any reason except congestion.
+Destination Unreachable messages are useful for debugging, but are
+also important to speed up cycling through possible addresses, as
+they can avoid the need to wait through timeouts and hence can be
+part of the process of establishing or maintaining communications.
+It is a common practice in IPv4 to refrain from generating ICMP
+Destination Unreachable messages in an attempt to hide the networking
+topology and/or service structure.  The same idea could be applied to
+IPv6, but this can slow down connection if a host has multiple
+addresses, some of which are deprecated, as they may be when using
+privacy addresses [[RFC3041]].  If policy allows the generation of
+ICMPv6 Destination Unreachable messages, it is important that nodes
+provide the correct reason code, one of: no route to destination,
+administratively prohibited, beyond scope of source address, address
+unreachable, port unreachable, source address failed ingress/egress
+policy, or reject route to destination.
+A.2.  Packet Too Big Error Message
+Packet Too Big (Type 2) error messages [[RFC4443]] are sent any-to-end
+between unicast addresses.  The message can be generated from any
+node that a packet traverses on the path when the node is unable to
+forward the packet because the packet is too large for the MTU of the
+next link.  This message is vital to the correct functioning of Path
+MTU Discovery and hence is part of the establishment and maintenance
+of communications.  Since routers are not allowed to fragment
+packets, informing sources of the need to fragment large packets is
+more important than for IPv4.  If these messages are not generated
+when appropriate, hosts will continue to send packets that are too
+large or may assume that the route is congested.  Effectively, parts
+of the Internet will become inaccessible.
+If a network chooses to generate packets that are no larger than the
+Guaranteed Minimum MTU (1280 octets) and the site's links to the
+wider Internet have corresponding MTUs, Packet Too Big messages
+should not be expected at the firewall and could be dropped if they
+arrive.
+A.3.  Time Exceeded Error Message
+Time Exceeded (Type 3) error messages [[RFC4443]] can occur in two
+contexts:
+o  Code 0 are generated at any node on the path being taken by the
+  packet and sent, any-to-end between unicast addresses, if the Hop
+  Limit value is decremented to zero at that node.
+o  Code 1 messages are generated at the destination node and sent
+  end-to-end between unicast addresses if all the segments of a
+  fragmented message are not received within the reassembly time
+  limit.
+Code 0 messages can be needed as part of the establishment of
+communications if the path to a particular destination requires an
+unusually large number of hops.
+Code 1 messages will generally only result from congestion in the
+network, and it is less essential to propagate these messages.
+A.4.  Parameter Problem Error Message
+The great majority of Parameter Problem (Type 4) error messages will
+be generated by the destination node when processing destination
+options and other extension headers, and hence are sent end-to-end
+between unicast addresses.  Exceptionally, these messages might be
+generated by any node on the path if a faulty or unrecognized hop-by-
+hop option is included or from any routing waypoint if there are
+faulty or unrecognized destination options associated with a Type 0
+routing header.  In these cases, the message will be sent any-to-end
+using unicast source and destination addresses.
+Parameter Problem Code 1 (Unrecognized Next Header) and Code 2
+(Unrecognized IPv6 Option) messages may result if a node on the path
+(usually the destination) is unable to process a correctly formed
+extension header or option.  If these messages are not returned to
+the source, communication cannot be established, as the source would
+need to adapt its choice of options probably because the destination
+does not implement these capabilities.  Hence, these messages need to
+be generated and allowed for effective IPv6 communications.
+Code 0 (Erroneous Header) messages indicate a malformed extension
+header generally as a result of incorrectly generated packets.
+Hence, these messages are useful for debugging purposes, but it is
+unlikely that a node generating such packets could establish
+communications without human intervention to correct the problem.
+Code 2 messages, only, can be generated for packets with multicast
+destination addresses.
+It is possible that attackers may seek to probe or scan a network by
+deliberately generating packets with unknown extension headers or
+options or with faulty headers.  If nodes generate Parameter Problem
+error messages in all cases and these outgoing messages are allowed
+through firewalls, the attacker may be able to identify active
+addresses that can be probed further or learn about the network
+topology.  The vulnerability could be mitigated whilst helping to
+establish communications if the firewall was able to examine such
+error messages in depth and was configured to only allow Parameter
+Problem messages for headers that had been standardized but were not
+supported in the protected network.  If the network administrator
+believes that all nodes in the network support all legitimate
+extension headers, then it would be reasonable to drop all outgoing
+Parameter Problem messages.  Note that this is not a major
+vulnerability in a well-designed IPv6 network because of the
+difficulties of performing scanning attacks (see Section 3.2).
+A.5.  ICMPv6 Echo Request and Echo Response
+Echo Request (Type 128) uses unicast addresses as source addresses,
+but may be sent to any legal IPv6 address, including multicast and
+anycast addresses [[RFC4443]].  Echo Requests travel end-to-end.
+Similarly, Echo Responses (Type 129) travel end-to-end and would have
+a unicast address as destination and either a unicast or anycast
+address as source.  They are mainly used in combination for
+monitoring and debugging connectivity.  Their only role in
+establishing communication is that they are required when verifying
+connectivity through Teredo tunnels [[RFC4380]]: Teredo tunneling to
+IPv6 nodes on the site will not be possible if these messages are
+blocked.  It is not thought that there is a significant risk from
+scanning attacks on a well-designed IPv6 network (see Section 3.2),
+and so connectivity checks should be allowed by default.
+A.6.  Neighbor Solicitation and Neighbor Advertisement Messages
+ICMPv6 Neighbor Solicitation and Neighbor Advertisement (Type 135 and
+) messages are essential to the establishment and maintenance of
+communications on the local link.  Firewalls need to generate and
+accept these messages to allow them to establish and maintain
+interfaces onto their connected links.
+Note that the address scopes of the source and destination addresses
+on Neighbor Solicitations and Neighbor Advertisements may not match.
+The exact functions that these messages will be carrying out depends
+on the mechanism being used to configure IPv6 addresses on the link
+(Stateless, Stateful, or Static configuration).
+A.7.  Router Solicitation and Router Advertisement Messages
+ICMPv6 Router Solicitation and Router Advertisement (Type 133 and
+) messages are essential to the establishment and maintenance of
+communications on the local link.  Firewalls need to generate (since
+the firewall will generally be behaving as a router) and accept these
+messages to allow them to establish and maintain interfaces onto
+their connected links.
+A.8.  Redirect Messages
+ICMPv6 Redirect Messages (Type 137) are used on the local link to
+indicate that nodes are actually link-local and communications need
+not go via a router, or to indicate a more appropriate first-hop
+router.  Although they can be used to make communications more
+efficient, they are not essential to the establishment of
+communications and may be a security vulnerability, particularly if a
+link is not physically secured.  Conformant nodes are required to
+provide configuration controls that suppress the generation of
+Redirect messages and allow them to be ignored on reception.  Using
+Redirect messages on, for example, a wireless link without link level
+encryption/authentication is particularly hazardous because the link
+is open to eavesdropping and packet injection.
+A.9.  SEND Certificate Path Messages
+SEND [[RFC3971]] uses two messages (Certificate Path Solicitation and
+Advertisement - Types 148 and 149) sent from nodes to supposed
+routers on the same local link to obtain a certificate path that will
+allow the node to authenticate the router's claim to provide routing
+services for certain prefixes.  If a link connected to a firewall/
+router is using SEND, the firewall must be able to exchange these
+messages with nodes on the link that will use its routing services.
+A.10.  Multicast Listener Discovery Messages
+Multicast Listener Discovery (MLD) version 1 [[RFC2710]] (Listener
+Query, Listener Report, and Listener Done - Types 130, 131, and 132)
+and version 2 [[RFC3810]] (Listener Query and Listener Report version 2
+- Types 130 and 143) messages are sent on the local link to
+communicate between multicast-capable routers and nodes that wish to
+join or leave specific multicast groups.  Firewalls need to be able
+to generate Listener messages in order to establish communications
+and may generate all the messages if they also provide multicast
+routing services.
+A.11.  Multicast Router Discovery Messages
+Multicast Router Discovery [[RFC4286]] (Router Advertisement, Router
+Solicitation, and Router Termination - Types 151, 152, and 153)
+messages are sent by nodes on the local link to discover multicast-
+capable routers on the link, and by multicast-capable routers to
+notify other nodes of their existence or change of state.  Firewalls
+that also act as multicast routers need to process these messages on
+their interfaces.
+A.12.  Router Renumbering Messages
+ICMPv6 Router Renumbering (Type 138) command messages can be received
+and results messages sent by routers to change the prefixes that they
+advertise as part of Stateless Address Configuration [[RFC2461]],
+[[RFC2462]].  These messages are sent end-to-end to either the all-
+routers multicast address (site or local scope) or specific unicast
+addresses from a unicast address.
+Router Renumbering messages are required to be protected by IPsec
+authentication since they could be readily misused by attackers to
+disrupt or divert site communications.  Renumbering messages should
+generally be confined to sites for this reason.
-Appendix A.  Notes on Individual ICMPv6 Messages
+A.13.  Node Information Query and Reply
-A.1.  Destination Unreachable Error Message
-Destination Unreachable (Type 1) error messages [RFC4443] are sentany-to-end between unicast addresses.  The message can be generatedfrom any node that a packet traverses when the node is unable toforward the packet for any reason except congestion.
-Destination Unreachable messages are useful for debugging, but arealso important to speed up cycling through possible addresses, asthey can avoid the need to wait through timeouts and hence can bepart of the process of establishing or maintaining communications.It is a common practice in IPv4 to refrain from generating ICMPDestination Unreachable messages in an attempt to hide the networkingtopology and/or service structure.  The same idea could be applied toIPv6, but this can slow down connection if a host has multipleaddresses, some of which are deprecated, as they may be when usingprivacy addresses [RFC3041].  If policy allows the generation ofICMPv6 Destination Unreachable messages, it is important that nodesprovide the correct reason code, one of: no route to destination,administratively prohibited, beyond scope of source address, addressunreachable, port unreachable, source address failed ingress/egresspolicy, or reject route to destination.
-A.2.  Packet Too Big Error Message
-Packet Too Big (Type 2) error messages [RFC4443] are sent any-to-endbetween unicast addresses.  The message can be generated from anynode that a packet traverses on the path when the node is unable toforward the packet because the packet is too large for the MTU of thenext link.  This message is vital to the correct functioning of PathMTU Discovery and hence is part of the establishment and maintenanceof communications.  Since routers are not allowed to fragmentpackets, informing sources of the need to fragment large packets ismore important than for IPv4.  If these messages are not generatedwhen appropriate, hosts will continue to send packets that are toolarge or may assume that the route is congested.  Effectively, partsof the Internet will become inaccessible.
-If a network chooses to generate packets that are no larger than theGuaranteed Minimum MTU (1280 octets) and the site's links to thewider Internet have corresponding MTUs, Packet Too Big messagesshould not be expected at the firewall and could be dropped if theyarrive.
+ICMPv6 Node Information Query and Reply (Type 139 and 140) messages
+defined in [[RFC4620]] are sent end-to-end between unicast addresses,
+and they can also be sent to link-local multicast addresses.  They
+can, in theory, be sent from any node to any other, but it would
+generally not be desirable for nodes outside the local site to be
+able to send queries to nodes within the site.  Also, these messages
+are not required to be authenticated.
+A.14.  Mobile IPv6 Messages
+Mobile IPv6 [[RFC3775]] defines four ICMPv6 messages that are used to
+support mobile operations: Home Agent Address Discovery Request, Home
+Agent Address Discovery Reply, Mobile Prefix Solicitation, and ICMP
+Mobile Prefix Advertisement (Type 144, 145, 146, and 147) messages.
+These messages are sent end-to-end between unicast addresses of a
+mobile node and its home agent.  They must be expected to be sent
+from outside a site and must traverse site-boundary firewalls to
+reach the home agent in order for Mobile IPv6 to function.  The two
+Mobile prefix messages should be protected by the use of IPsec
+authentication.
+o  If the site provides home agents for mobile nodes, the firewall
+  must allow incoming Home Agent Address Discovery Request and
+  Mobile Prefix Solicitation messages, and outgoing Home Agent
+  Address Discovery Reply and ICMP Mobile Prefix Advertisement
+  messages.  It may be desirable to limit the destination addresses
+  for the incoming messages to links that are known to support home
+  agents.
+o  If the site is prepared to host roaming mobile nodes, the firewall
+  must allow outgoing Home Agent Address Discovery Request and
+  Mobile Prefix Solicitation messages, and incoming Home Agent
+  Address Discovery Reply and ICMP Mobile Prefix Advertisement
+  messages.
-A.3.  Time Exceeded Error Message
+o  Administrators may find it desirable to prevent static nodes that
-Time Exceeded (Type 3) error messages [RFC4443] can occur in twocontexts:
+  are normally resident on the site from behaving as mobile nodes by
-o  Code 0 are generated at any node on the path being taken by the  packet and sent, any-to-end between unicast addresses, if the Hop  Limit value is decremented to zero at that node.
+  dropping Mobile IPv6 messages from these nodes.
-o  Code 1 messages are generated at the destination node and sent  end-to-end between unicast addresses if all the segments of a  fragmented message are not received within the reassembly time  limit.
-Code 0 messages can be needed as part of the establishment ofcommunications if the path to a particular destination requires anunusually large number of hops.
-Code 1 messages will generally only result from congestion in thenetwork, and it is less essential to propagate these messages.
-A.4.  Parameter Problem Error Message
-The great majority of Parameter Problem (Type 4) error messages willbe generated by the destination node when processing destinationoptions and other extension headers, and hence are sent end-to-endbetween unicast addresses.  Exceptionally, these messages might begenerated by any node on the path if a faulty or unrecognized hop-by-hop option is included or from any routing waypoint if there arefaulty or unrecognized destination options associated with a Type 0routing header.  In these cases, the message will be sent any-to-endusing unicast source and destination addresses.
-Parameter Problem Code 1 (Unrecognized Next Header) and Code 2(Unrecognized IPv6 Option) messages may result if a node on the path(usually the destination) is unable to process a correctly formedextension header or option.  If these messages are not returned tothe source, communication cannot be established, as the source wouldneed to adapt its choice of options probably because the destinationdoes not implement these capabilities.  Hence, these messages need tobe generated and allowed for effective IPv6 communications.
-Code 0 (Erroneous Header) messages indicate a malformed extensionheader generally as a result of incorrectly generated packets.Hence, these messages are useful for debugging purposes, but it isunlikely that a node generating such packets could establishcommunications without human intervention to correct the problem.
+A.15.  Unused and Experimental Messages
+A large number of ICMPv6 Type values are currently unused.  These
+values have not had a specific function registered with IANA.  This
+section describes how to treat messages that attempt to use these
+Type values in a way of which the network administrator (and hence
+the firewall) is not aware.
+[[RFC4443]] defines a number of experimental Type values for ICMPv6
+Error and Informational messages, which could be used in site-
+specific ways.  These messages should be dropped by transit networks
+and at site edges.  They should also not be propagated within sites
+unless the network administrator is explicitly made aware of usage.
+The codes reserved for future extension of the ICMPv6 Type space
+should currently be dropped as this functionality is as yet
+undefined.
-Code 2 messages, only, can be generated for packets with multicastdestination addresses.
+Any ICMPv6 Informational messages of which the firewall is not aware
-It is possible that attackers may seek to probe or scan a network bydeliberately generating packets with unknown extension headers oroptions or with faulty headers.  If nodes generate Parameter Problemerror messages in all cases and these outgoing messages are allowedthrough firewalls, the attacker may be able to identify activeaddresses that can be probed further or learn about the networktopology.  The vulnerability could be mitigated whilst helping toestablish communications if the firewall was able to examine sucherror messages in depth and was configured to only allow ParameterProblem messages for headers that had been standardized but were notsupported in the protected network.  If the network administratorbelieves that all nodes in the network support all legitimateextension headers, then it would be reasonable to drop all outgoingParameter Problem messages.  Note that this is not a majorvulnerability in a well-designed IPv6 network because of thedifficulties of performing scanning attacks (see Section 3.2).
+should be allowed to transit through the firewall but should not be
-A.5.  ICMPv6 Echo Request and Echo Response
+accepted for local delivery on any of its interfaces.
-Echo Request (Type 128) uses unicast addresses as source addresses,but may be sent to any legal IPv6 address, including multicast andanycast addresses [RFC4443].  Echo Requests travel end-to-end.Similarly, Echo Responses (Type 129) travel end-to-end and would havea unicast address as destination and either a unicast or anycastaddress as source.  They are mainly used in combination formonitoring and debugging connectivity.  Their only role inestablishing communication is that they are required when verifyingconnectivity through Teredo tunnels [RFC4380]: Teredo tunneling toIPv6 nodes on the site will not be possible if these messages areblocked.  It is not thought that there is a significant risk fromscanning attacks on a well-designed IPv6 network (see Section 3.2),and so connectivity checks should be allowed by default.
-A.6.  Neighbor Solicitation and Neighbor Advertisement Messages
-ICMPv6 Neighbor Solicitation and Neighbor Advertisement (Type 135 and136) messages are essential to the establishment and maintenance ofcommunications on the local link.  Firewalls need to generate andaccept these messages to allow them to establish and maintaininterfaces onto their connected links.
+Unknown ICMPv6 Error messages should be allowed to pass through
+transit networks.  At end site boundaries any incoming ICMPv6 Error
+messages of which the firewall is not aware may be allowed through
+the firewall in line with the specification in [[RFC4443]], which
+requests delivery of unknown error messages to higher-layer protocol
+processes.  However, administrators may wish to disallow forwarding
+of these incoming messages as a potential security risk.  Unknown
+outgoing Error messages should be dropped as the administrator should
+be aware of all messages that could be generated on the site.
+Also, the SEAMOBY working group has had an ICMPv6 message (Type 150)
+allocated for experimental use in two protocols.  This message is
+sent end-to-end and may need to pass through firewalls on sites that
+are supporting the experimental protocols.
+Appendix B.  Example Script to Configure ICMPv6 Firewall Rules
+This appendix contains an example script to implement most of the
+rules suggested in this document when using the Netfilter packet
+filtering system for Linux [netfilter].  When used with IPv6, the
+'ip6tables' command is used to configure packet filtering rules for
+the Netfilter system.  The script is targeted at a simple enterprise
+site that may or may not support Mobile IPv6.
+#!/bin/bash
+# Set of prefixes on the trusted ("inner") side of the firewall
+export INNER_PREFIXES="2001:DB8:85::/60"
+# Set of hosts providing services so that they can be made pingable
+export PINGABLE_HOSTS="2001:DB8:85::/64"
+# Configuration option: Change this to 1 if errors allowed only for
+# existing sessions
+export STATE_ENABLED=0
+# Configuration option: Change this to 1 if messages to/from link
+# local addresses should be filtered.
+# Do not use this if the firewall is a bridge.
+# Optional for firewalls that are routers.
+export FILTER_LINK_LOCAL_ADDRS=0
+# Configuration option: Change this to 0 if the site does not support
+# Mobile IPv6 Home Agents - see Appendix A.14
+export HOME_AGENTS_PRESENT=1
+# Configuration option: Change this to 0 if the site does not support
+# Mobile IPv6 mobile nodes being present on the site -
+# see Appendix A.14
+export MOBILE_NODES_PRESENT=1
+ip6tables -N icmpv6-filter
+ip6tables -A FORWARD -p icmpv6 -j icmpv6-filter
+# Match scope of src and dest else deny
+# This capability is not provided for in base ip6tables functionality
+# An extension (agr) exists which may support it.
+#@TODO@
-Note that the address scopes of the source and destination addresseson Neighbor Solicitations and Neighbor Advertisements may not match.The exact functions that these messages will be carrying out dependson the mechanism being used to configure IPv6 addresses on the link(Stateless, Stateful, or Static configuration).
+# ECHO REQUESTS AND RESPONSES
-A.7.  Router Solicitation and Router Advertisement Messages
+# ===========================
-ICMPv6 Router Solicitation and Router Advertisement (Type 133 and134) messages are essential to the establishment and maintenance ofcommunications on the local link.  Firewalls need to generate (sincethe firewall will generally be behaving as a router) and accept thesemessages to allow them to establish and maintain interfaces ontotheir connected links.
-A.8.  Redirect Messages
-ICMPv6 Redirect Messages (Type 137) are used on the local link toindicate that nodes are actually link-local and communications neednot go via a router, or to indicate a more appropriate first-hoprouter.  Although they can be used to make communications moreefficient, they are not essential to the establishment ofcommunications and may be a security vulnerability, particularly if alink is not physically secured.  Conformant nodes are required toprovide configuration controls that suppress the generation ofRedirect messages and allow them to be ignored on reception.  UsingRedirect messages on, for example, a wireless link without link levelencryption/authentication is particularly hazardous because the linkis open to eavesdropping and packet injection.
-A.9.  SEND Certificate Path Messages
-SEND [RFC3971] uses two messages (Certificate Path Solicitation andAdvertisement - Types 148 and 149) sent from nodes to supposedrouters on the same local link to obtain a certificate path that willallow the node to authenticate the router's claim to provide routingservices for certain prefixes.  If a link connected to a firewall/router is using SEND, the firewall must be able to exchange thesemessages with nodes on the link that will use its routing services.
-A.10.  Multicast Listener Discovery Messages
-Multicast Listener Discovery (MLD) version 1 [RFC2710] (ListenerQuery, Listener Report, and Listener Done - Types 130, 131, and 132)and version 2 [RFC3810] (Listener Query and Listener Report version 2- Types 130 and 143) messages are sent on the local link tocommunicate between multicast-capable routers and nodes that wish tojoin or leave specific multicast groups.  Firewalls need to be able
+# Allow outbound echo requests from prefixes which belong to the site
+for inner_prefix in $INNER_PREFIXES
+do
+  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type echo-request -j ACCEPT
+done
+# Allow inbound echo requests towards only predetermined hosts
+for pingable_host in $PINGABLE_HOSTS
+do
+  ip6tables -A icmpv6-filter -p icmpv6 -d $pingable_host \
+        --icmpv6-type echo-request -j ACCEPT
+done
+if [ "$STATE_ENABLED" -eq "1" ]
+then
+  # Allow incoming and outgoing echo reply messages
+  # only for existing sessions
+  ip6tables -A icmpv6-filter -m state -p icmpv6 \
+        --state ESTABLISHED,RELATED --icmpv6-type \
+      echo-reply -j ACCEPT
+else
+  # Allow both incoming and outgoing echo replies
+  for pingable_host in $PINGABLE_HOSTS
+  do
+    # Outgoing echo replies from pingable hosts
+    ip6tables -A icmpv6-filter -p icmpv6 -s $pingable_host \
+        --icmpv6-type echo-reply -j ACCEPT
+  done
+  # Incoming echo replies to prefixes which belong to the site
+  for inner_prefix in $INNER_PREFIXES
+  do
+    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
+        --icmpv6-type echo-reply -j ACCEPT
+  done
+fi
-to generate Listener messages in order to establish communicationsand may generate all the messages if they also provide multicastrouting services.
+# Deny icmps to/from link local addresses
-A.11.  Multicast Router Discovery Messages
+# If the firewall is a router:
-Multicast Router Discovery [RFC4286] (Router Advertisement, RouterSolicitation, and Router Termination - Types 151, 152, and 153)messages are sent by nodes on the local link to discover multicast-capable routers on the link, and by multicast-capable routers tonotify other nodes of their existence or change of state.  Firewallsthat also act as multicast routers need to process these messages ontheir interfaces.
+#    These rules should be redundant as routers should not forward
-A.12.  Router Renumbering Messages
+#    link local addresses but to be sure...
-ICMPv6 Router Renumbering (Type 138) command messages can be receivedand results messages sent by routers to change the prefixes that theyadvertise as part of Stateless Address Configuration [RFC2461],[RFC2462].  These messages are sent end-to-end to either the all-routers multicast address (site or local scope) or specific unicastaddresses from a unicast address.
+# DO NOT ENABLE these rules if the firewall is a bridge
-Router Renumbering messages are required to be protected by IPsecauthentication since they could be readily misused by attackers todisrupt or divert site communications.  Renumbering messages shouldgenerally be confined to sites for this reason.
+if [ "$FILTER_LINK_LOCAL_ADDRS" -eq "1" ]
-A.13.  Node Information Query and Reply
+then
-ICMPv6 Node Information Query and Reply (Type 139 and 140) messagesdefined in [RFC4620] are sent end-to-end between unicast addresses,and they can also be sent to link-local multicast addresses.  Theycan, in theory, be sent from any node to any other, but it wouldgenerally not be desirable for nodes outside the local site to beable to send queries to nodes within the site.  Also, these messagesare not required to be authenticated.
+  ip6tables -A icmpv6-filter -p icmpv6 -d fe80::/10 -j DROP
-A.14.  Mobile IPv6 Messages
-Mobile IPv6 [RFC3775] defines four ICMPv6 messages that are used tosupport mobile operations: Home Agent Address Discovery Request, HomeAgent Address Discovery Reply, Mobile Prefix Solicitation, and ICMPMobile Prefix Advertisement (Type 144, 145, 146, and 147) messages.These messages are sent end-to-end between unicast addresses of amobile node and its home agent.  They must be expected to be sentfrom outside a site and must traverse site-boundary firewalls toreach the home agent in order for Mobile IPv6 to function.  The two
+  ip6tables -A icmpv6-filter -p icmpv6 -s fe80::/10 -j DROP
+fi
+# Drop echo replies which have a multicast address as a
+# destination
+ip6tables -A icmpv6-filter -p icmpv6 -d ff00::/8 \
+        --icmpv6-type echo-reply -j DROP
+# DESTINATION UNREACHABLE ERROR MESSAGES
+# ======================================
-Mobile prefix messages should be protected by the use of IPsecauthentication.
+if [ "$STATE_ENABLED" -eq "1" ]
-o  If the site provides home agents for mobile nodes, the firewall   must allow incoming Home Agent Address Discovery Request and  Mobile Prefix Solicitation messages, and outgoing Home Agent   Address Discovery Reply and ICMP Mobile Prefix Advertisement  messages.  It may be desirable to limit the destination addresses   for the incoming messages to links that are known to support home   agents.
+then
-o  If the site is prepared to host roaming mobile nodes, the firewall   must allow outgoing Home Agent Address Discovery Request and   Mobile Prefix Solicitation messages, and incoming Home Agent  Address Discovery Reply and ICMP Mobile Prefix Advertisement  messages.
+   # Allow incoming destination unreachable messages
-o  Administrators may find it desirable to prevent static nodes that   are normally resident on the site from behaving as mobile nodes by   dropping Mobile IPv6 messages from these nodes.
+   # only for existing sessions
-A.15.  Unused and Experimental Messages
+   for inner_prefix in $INNER_PREFIXES
-A large number of ICMPv6 Type values are currently unused.  Thesevalues have not had a specific function registered with IANA.  Thissection describes how to treat messages that attempt to use theseType values in a way of which the network administrator (and hencethe firewall) is not aware.
+   do
-[RFC4443] defines a number of experimental Type values for ICMPv6Error and Informational messages, which could be used in site-specific ways.  These messages should be dropped by transit networksand at site edges.  They should also not be propagated within sitesunless the network administrator is explicitly made aware of usage.
+    ip6tables -A icmpv6-filter -m state -p icmpv6 \
-The codes reserved for future extension of the ICMPv6 Type spaceshould currently be dropped as this functionality is as yetundefined.
+        -d $inner_prefix \
-Any ICMPv6 Informational messages of which the firewall is not awareshould be allowed to transit through the firewall but should not beaccepted for local delivery on any of its interfaces.
+        --state ESTABLISHED,RELATED --icmpv6-type \
-Unknown ICMPv6 Error messages should be allowed to pass throughtransit networks.  At end site boundaries any incoming ICMPv6 Errormessages of which the firewall is not aware may be allowed throughthe firewall in line with the specification in [RFC4443], whichrequests delivery of unknown error messages to higher-layer protocol
+        destination-unreachable -j ACCEPT
+   done
+else
+   # Allow incoming destination unreachable messages
+   for inner_prefix in $INNER_PREFIXES
+   do
+    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
+        --icmpv6-type destination-unreachable -j ACCEPT
+  done
+fi
+# Allow outgoing destination unreachable messages
+for inner_prefix in $INNER_PREFIXES
+do
+  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type destination-unreachable -j ACCEPT
+done
+# PACKET TOO BIG ERROR MESSAGES
+# =============================
+if [ "$STATE_ENABLED" -eq "1" ]
+then
+  # Allow incoming Packet Too Big messages
+  # only for existing sessions
+  for inner_prefix in $INNER_PREFIXES
+  do
+    ip6tables -A icmpv6-filter -m state -p icmpv6 \
-processes.  However, administrators may wish to disallow forwardingof these incoming messages as a potential security risk.  Unknownoutgoing Error messages should be dropped as the administrator shouldbe aware of all messages that could be generated on the site.
+        -d $inner_prefix \
-Also, the SEAMOBY working group has had an ICMPv6 message (Type 150)allocated for experimental use in two protocols.  This message issent end-to-end and may need to pass through firewalls on sites thatare supporting the experimental protocols.
+        --state ESTABLISHED,RELATED \
-Appendix B.  Example Script to Configure ICMPv6 Firewall Rules
+        --icmpv6-type packet-too-big \
-This appendix contains an example script to implement most of therules suggested in this document when using the Netfilter packetfiltering system for Linux [netfilter].  When used with IPv6, the'ip6tables' command is used to configure packet filtering rules forthe Netfilter system.  The script is targeted at a simple enterprisesite that may or may not support Mobile IPv6.
+        -j ACCEPT
-#!/bin/bash# Set of prefixes on the trusted ("inner") side of the firewallexport INNER_PREFIXES="2001:DB8:85::/60"# Set of hosts providing services so that they can be made pingableexport PINGABLE_HOSTS="2001:DB8:85::/64"# Configuration option: Change this to 1 if errors allowed only for# existing sessionsexport STATE_ENABLED=0# Configuration option: Change this to 1 if messages to/from link# local addresses should be filtered.# Do not use this if the firewall is a bridge.# Optional for firewalls that are routers.export FILTER_LINK_LOCAL_ADDRS=0# Configuration option: Change this to 0 if the site does not support# Mobile IPv6 Home Agents - see Appendix A.14export HOME_AGENTS_PRESENT=1# Configuration option: Change this to 0 if the site does not support# Mobile IPv6 mobile nodes being present on the site -# see Appendix A.14export MOBILE_NODES_PRESENT=1
+  done
-ip6tables -N icmpv6-filterip6tables -A FORWARD -p icmpv6 -j icmpv6-filter
+else
-# Match scope of src and dest else deny# This capability is not provided for in base ip6tables functionality# An extension (agr) exists which may support it.#@TODO@
+  # Allow incoming Packet Too Big messages
+  for inner_prefix in $INNER_PREFIXES
+  do
+    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
+        --icmpv6-type packet-too-big -j ACCEPT
+  done
+fi
+# Allow outgoing Packet Too Big messages
+for inner_prefix in $INNER_PREFIXES
+do
+  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type packet-too-big -j ACCEPT
+done
+# TIME EXCEEDED ERROR MESSAGES
+# ============================
+if [ "$STATE_ENABLED" -eq "1" ]
+then
+  # Allow incoming time exceeded code 0 messages
+  # only for existing sessions
+  for inner_prefix in $INNER_PREFIXES
+  do
+    ip6tables -A icmpv6-filter -m state -p icmpv6 \
+        -d $inner_prefix \
+        --state ESTABLISHED,RELATED --icmpv6-type packet-too-big \
+        -j ACCEPT
+  done
+else
+  # Allow incoming time exceeded code 0 messages
+  for inner_prefix in $INNER_PREFIXES
+  do
+    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
+        --icmpv6-type ttl-zero-during-transit -j ACCEPT
+  done
+fi
+#@POLICY@
+# Allow incoming time exceeded code 1 messages
+for inner_prefix in $INNER_PREFIXES
+do
-# ECHO REQUESTS AND RESPONSES# ===========================
+ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
-# Allow outbound echo requests from prefixes which belong to the sitefor inner_prefix in $INNER_PREFIXESdo  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \       --icmpv6-type echo-request -j ACCEPTdone
+        --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
-# Allow inbound echo requests towards only predetermined hostsfor pingable_host in $PINGABLE_HOSTSdo  ip6tables -A icmpv6-filter -p icmpv6 -d $pingable_host \        --icmpv6-type echo-request -j ACCEPTdone
+done
-if [ "$STATE_ENABLED" -eq "1" ]then  # Allow incoming and outgoing echo reply messages  # only for existing sessions  ip6tables -A icmpv6-filter -m state -p icmpv6 \        --state ESTABLISHED,RELATED --icmpv6-type \      echo-reply -j ACCEPTelse  # Allow both incoming and outgoing echo replies  for pingable_host in $PINGABLE_HOSTS  do    # Outgoing echo replies from pingable hosts    ip6tables -A icmpv6-filter -p icmpv6 -s $pingable_host \        --icmpv6-type echo-reply -j ACCEPT  done  # Incoming echo replies to prefixes which belong to the site  for inner_prefix in $INNER_PREFIXES  do    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \        --icmpv6-type echo-reply -j ACCEPT  donefi
-# Deny icmps to/from link local addresses# If the firewall is a router:#    These rules should be redundant as routers should not forward#    link local addresses but to be sure...# DO NOT ENABLE these rules if the firewall is a bridgeif [ "$FILTER_LINK_LOCAL_ADDRS" -eq "1" ]then  ip6tables -A icmpv6-filter -p icmpv6 -d fe80::/10 -j DROP
+# Allow outgoing time exceeded code 0 messages
+for inner_prefix in $INNER_PREFIXES
+do
+ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type ttl-zero-during-transit -j ACCEPT
+done
+#@POLICY@
+# Allow outgoing time exceeded code 1 messages
+for inner_prefix in $INNER_PREFIXES
+do
+ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
+done
+# PARAMETER PROBLEM ERROR MESSAGES
+# ================================
-  ip6tables -A icmpv6-filter -p icmpv6 -s fe80::/10 -j DROPfi
+if [ "$STATE_ENABLED" -eq "1" ]
-# Drop echo replies which have a multicast address as a# destinationip6tables -A icmpv6-filter -p icmpv6 -d ff00::/8 \        --icmpv6-type echo-reply -j DROP
+then
-# DESTINATION UNREACHABLE ERROR MESSAGES# ======================================
+  # Allow incoming parameter problem code 1 and 2 messages
-if [ "$STATE_ENABLED" -eq "1" ]then  # Allow incoming destination unreachable messages  # only for existing sessions  for inner_prefix in $INNER_PREFIXES  do   ip6tables -A icmpv6-filter -m state -p icmpv6 \         -d $inner_prefix \         --state ESTABLISHED,RELATED --icmpv6-type \         destination-unreachable -j ACCEPT  doneelse  # Allow incoming destination unreachable messages  for inner_prefix in $INNER_PREFIXES  do    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \         --icmpv6-type destination-unreachable -j ACCEPT  donefi
+  # for an existing session
-# Allow outgoing destination unreachable messagesfor inner_prefix in $INNER_PREFIXESdo  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \         --icmpv6-type destination-unreachable -j ACCEPTdone
+  for inner_prefix in $INNER_PREFIXES
-# PACKET TOO BIG ERROR MESSAGES# =============================
+  do
-if [ "$STATE_ENABLED" -eq "1" ]then  # Allow incoming Packet Too Big messages  # only for existing sessions  for inner_prefix in $INNER_PREFIXES  do    ip6tables -A icmpv6-filter -m state -p icmpv6 \
+    ip6tables -A icmpv6-filter -m state -p icmpv6 \
+        -d $inner_prefix \
+        --state ESTABLISHED,RELATED --icmpv6-type \
+        unknown-header-type \
+        -j ACCEPT
+    ip6tables -A icmpv6-filter -m state -p icmpv6 \
+        -d $inner_prefix \
+        --state ESTABLISHED,RELATED \
+        --icmpv6-type unknown-option \
+        -j ACCEPT
+  done
+fi
+# Allow outgoing parameter problem code 1 and code 2 messages
+for inner_prefix in $INNER_PREFIXES
+do
+  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type unknown-header-type -j ACCEPT
+  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type unknown-option -j ACCEPT
+done
+#@POLICY@
+# Allow incoming and outgoing parameter
+# problem code 0 messages
+for inner_prefix in $INNER_PREFIXES
+do
+  ip6tables -A icmpv6-filter -p icmpv6 \
+        --icmpv6-type bad-header \
+        -j ACCEPT
+done
-        -d $inner_prefix \        --state ESTABLISHED,RELATED \        --icmpv6-type packet-too-big \        -j ACCEPT  doneelse  # Allow incoming Packet Too Big messages  for inner_prefix in $INNER_PREFIXES  do    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \        --icmpv6-type packet-too-big -j ACCEPT  donefi
+# NEIGHBOR DISCOVERY MESSAGES
-# Allow outgoing Packet Too Big messagesfor inner_prefix in $INNER_PREFIXESdo  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \        --icmpv6-type packet-too-big -j ACCEPTdone
+# ===========================
-# TIME EXCEEDED ERROR MESSAGES# ============================
-if [ "$STATE_ENABLED" -eq "1" ]then  # Allow incoming time exceeded code 0 messages  # only for existing sessions  for inner_prefix in $INNER_PREFIXES  do    ip6tables -A icmpv6-filter -m state -p icmpv6 \        -d $inner_prefix \        --state ESTABLISHED,RELATED --icmpv6-type packet-too-big \        -j ACCEPT  doneelse  # Allow incoming time exceeded code 0 messages  for inner_prefix in $INNER_PREFIXES  do    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \        --icmpv6-type ttl-zero-during-transit -j ACCEPT  donefi
-#@POLICY@# Allow incoming time exceeded code 1 messagesfor inner_prefix in $INNER_PREFIXESdo
+# Drop NS/NA messages both incoming and outgoing
+ip6tables -A icmpv6-filter -p icmpv6 \
+        --icmpv6-type neighbor-solicitation -j DROP
+ip6tables -A icmpv6-filter -p icmpv6 \
+        --icmpv6-type neighbor-advertisement -j DROP
+# Drop RS/RA messages both incoming and outgoing
+ip6tables -A icmpv6-filter -p icmpv6 \
+        --icmpv6-type router-solicitation -j DROP
+ip6tables -A icmpv6-filter -p icmpv6 \
+        --icmpv6-type router-advertisement -j DROP
+# Drop Redirect messages both incoming and outgoing
+ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type redirect -j DROP
-ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \        --icmpv6-type ttl-zero-during-reassembly -j ACCEPTdone
+# MLD MESSAGES
-# Allow outgoing time exceeded code 0 messagesfor inner_prefix in $INNER_PREFIXESdoip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \        --icmpv6-type ttl-zero-during-transit -j ACCEPTdone
+# ============
-#@POLICY@# Allow outgoing time exceeded code 1 messagesfor inner_prefix in $INNER_PREFIXESdoip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \        --icmpv6-type ttl-zero-during-reassembly -j ACCEPTdone
-# PARAMETER PROBLEM ERROR MESSAGES# ================================
+# Drop incoming and outgoing
-if [ "$STATE_ENABLED" -eq "1" ]then  # Allow incoming parameter problem code 1 and 2 messages  # for an existing session  for inner_prefix in $INNER_PREFIXES  do    ip6tables -A icmpv6-filter -m state -p icmpv6 \        -d $inner_prefix \        --state ESTABLISHED,RELATED --icmpv6-type \        unknown-header-type \        -j ACCEPT    ip6tables -A icmpv6-filter -m state -p icmpv6 \        -d $inner_prefix \        --state ESTABLISHED,RELATED \        --icmpv6-type unknown-option \        -j ACCEPT  donefi
+# Multicast Listener queries (MLDv1 and MLDv2)
-# Allow outgoing parameter problem code 1 and code 2 messagesfor inner_prefix in $INNER_PREFIXESdo  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \        --icmpv6-type unknown-header-type -j ACCEPT  ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 130 -j DROP
+# Drop incoming and outgoing Multicast Listener reports (MLDv1)
+ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 131 -j DROP
+# Drop incoming and outgoing Multicast Listener Done messages (MLDv1)
+ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 132 -j DROP
+# Drop incoming and outgoing Multicast Listener reports (MLDv2)
+ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 143 -j DROP
-        --icmpv6-type unknown-option -j ACCEPTdone
-#@POLICY@# Allow incoming and outgoing parameter# problem code 0 messagesfor inner_prefix in $INNER_PREFIXESdo  ip6tables -A icmpv6-filter -p icmpv6 \        --icmpv6-type bad-header \        -j ACCEPTdone
-# NEIGHBOR DISCOVERY MESSAGES# ===========================
-# Drop NS/NA messages both incoming and outgoingip6tables -A icmpv6-filter -p icmpv6 \        --icmpv6-type neighbor-solicitation -j DROPip6tables -A icmpv6-filter -p icmpv6 \        --icmpv6-type neighbor-advertisement -j DROP
-# Drop RS/RA messages both incoming and outgoingip6tables -A icmpv6-filter -p icmpv6 \        --icmpv6-type router-solicitation -j DROPip6tables -A icmpv6-filter -p icmpv6 \        --icmpv6-type router-advertisement -j DROP
-# Drop Redirect messages both incoming and outgoingip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type redirect -j DROP
-# MLD MESSAGES# ============
-# Drop incoming and outgoing# Multicast Listener queries (MLDv1 and MLDv2)ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 130 -j DROP
-# Drop incoming and outgoing Multicast Listener reports (MLDv1)ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 131 -j DROP
-# Drop incoming and outgoing Multicast Listener Done messages (MLDv1)ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 132 -j DROP
-# Drop incoming and outgoing Multicast Listener reports (MLDv2)ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 143 -j DROP
 # ROUTER RENUMBERING MESSAGES
+# ===========================
+# Drop router renumbering messages
+ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 138 -j DROP
+# NODE INFORMATION QUERIES
+# ========================
+# Drop node information queries (139) and replies (140)
+ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 139 -j DROP
+ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 140 -j DROP
-# ===========================
+# MOBILE IPv6 MESSAGES
-# Drop router renumbering messagesip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 138 -j DROP
+# ====================
-# NODE INFORMATION QUERIES# ========================
-# Drop node information queries (139) and replies (140)ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 139 -j DROPip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type 140 -j DROP
-# MOBILE IPv6 MESSAGES# ====================
+# If there are mobile ipv6 home agents present on the
-# If there are mobile ipv6 home agents present on the# trusted side allowif [ "$HOME_AGENTS_PRESENT" -eq "1" ]then  for inner_prefix in $INNER_PREFIXES  do   #incoming Home Agent address discovery request   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \         --icmpv6-type 144 -j ACCEPT   #outgoing Home Agent address discovery reply   ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \         --icmpv6-type 145 -j ACCEPT   #incoming Mobile prefix solicitation   ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \         --icmpv6-type 146 -j ACCEPT   #outgoing Mobile prefix advertisement   ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \         --icmpv6-type 147 -j ACCEPT  donefi
+# trusted side allow
-# If there are roaming mobile nodes present on the# trusted side allowif [ "$MOBILE_NODES_PRESENT" -eq "1" ]then  for inner_prefix in $INNER_PREFIXES  do    #outgoing Home Agent address discovery request    ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \        --icmpv6-type 144 -j ACCEPT    #incoming Home Agent address discovery reply    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
+if [ "$HOME_AGENTS_PRESENT" -eq "1" ]
+then
+  for inner_prefix in $INNER_PREFIXES
+  do
+    #incoming Home Agent address discovery request
+    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
+        --icmpv6-type 144 -j ACCEPT
+    #outgoing Home Agent address discovery reply
+    ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type 145 -j ACCEPT
+    #incoming Mobile prefix solicitation
+    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
+        --icmpv6-type 146 -j ACCEPT
+    #outgoing Mobile prefix advertisement
+    ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type 147 -j ACCEPT
+  done
+fi
+# If there are roaming mobile nodes present on the
+# trusted side allow
+if [ "$MOBILE_NODES_PRESENT" -eq "1" ]
+then
+  for inner_prefix in $INNER_PREFIXES
+  do
+    #outgoing Home Agent address discovery request
+    ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type 144 -j ACCEPT
+    #incoming Home Agent address discovery reply
+    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
+        --icmpv6-type 145 -j ACCEPT
+    #outgoing Mobile prefix solicitation
+    ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \
+        --icmpv6-type 146 -j ACCEPT
+    #incoming Mobile prefix advertisement
+    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
+        --icmpv6-type 147 -j ACCEPT
+  done
+fi
+# DROP EVERYTHING ELSE
+# ====================
-        --icmpv6-type 145 -j ACCEPT    #outgoing Mobile prefix solicitation    ip6tables -A icmpv6-filter -p icmpv6 -s $inner_prefix \        --icmpv6-type 146 -j ACCEPT    #incoming Mobile prefix advertisement    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \        --icmpv6-type 147 -j ACCEPT  donefi
-# DROP EVERYTHING ELSE# ====================
 ip6tables -A icmpv6-filter -p icmpv6 -j DROP
      Example Netfilter Configuration Script for ICMPv6 Filtering
 Authors' Addresses
@@ Line 1,282: / Line 1,642: @@
 Phone: +44 7889 488 335
 EMail: [email protected]
 Janos Mohacsi
@@ Line 1,292: / Line 1,651: @@
 Phone: +36 1 4503070
 EMail: [email protected]
 Full Copyright Statement
@@ Line 1,353: / Line 1,696: @@
 Funding for the RFC Editor function is currently provided by the
 Internet Society.
 [[Category:Informational]]

Anonymous

Search

Difference between revisions of "RFC4890"

Latest revision as of 18:46, 5 October 2020

Contents

Introduction

Classifying ICMPv6 Messages

Error and Informational ICMPv6 Messages

Addressing of ICMPv6

Network Topology and Address Scopes

Role in Establishing and Maintaining Communication

Security Considerations

Denial-of-Service Attacks

Probing

Redirection Attacks

Renumbering Attacks

Problems Resulting from ICMPv6 Transparency

Filtering Recommendations

Common Considerations

Interaction of Link-Local Messages with Firewall/Routers and

Recommendations for ICMPv6 Transit Traffic

Traffic That Must Not Be Dropped

Traffic That Normally Should Not Be Dropped

Traffic That Will Be Dropped Anyway -- No Special Attention

Traffic for Which a Policy Should Be Defined

Traffic That Should Be Dropped Unless a Good Case Can Be Made

Recommendations for ICMPv6 Local Configuration Traffic

Traffic That Must Not Be Dropped

Traffic That Normally Should Not Be Dropped

Traffic That Will Be Dropped Anyway -- No Special Attention

Traffic for Which a Policy Should Be Defined

Traffic That Should Be Dropped Unless a Good Case Can Be Made

Acknowledgements

References

Normative References

Informative References

Navigation

Wiki tools

Page tools

Categories