中文网站
  Advanced Search
Read the latest Blogs from IT professionals in the field. Read and write community created documents. Need IT help? Ask our staff. Connect with your peers. Check our Tech Shop for posters, books and software tools. Home
HomeNetworking TechnologiesNetworking TCP/IPAn IPv6 Deployment Guide Chapter 9: Security issues in an IPv6 based networking environment

9.2.2 ICMP Filtering(2)

ICMPv6 parameter problem (Type 4):

• You should consider enabling incoming ICMPv6 parameter problem messages as answers to outgoing IPv6 packets for debugging purpose.
• You must generate correct ICMPv6 parameter problem messages since they are essential for proper operation of Internet.

ICMPv6 Neighbour Solicitation and Neighbour Advertisement (Type 135 and 136):

• You must enable incoming and outgoing ICMPv6 Neighbour Solicitation, Neighbour Advertisement packets, with proper link-local addresses or multicast addresses for the Neighbour Discovery function to operate properly.

ICMPv6 Router Solicitation and Router Advertisement (Type 133 and 134):

• If the Stateless Address Autoconfiguration function is used, you must enable outgoing ICMPv6 Router Advertisement packets, with proper link-local addresses and multicast addresses (All node multicast addresses should be ff02::1).
• If the Stateless Address Autoconfiguration function is used, you must enable incoming ICMPv6 Router Solicitation packets, with proper link-local addresses and multicast addresses (All router multicast addresses should be ff02::2).

ICMPv6 redirect (Type 137)

• You may disallow ICMPv6 router redirect messages passing, if you have only one exit router. However, router redundancy might be implemented by router redirect. It is important to know that redirect has link-local meaning only.

ICMPv6 MLD listener query, listener report and listener done (Type 130, 131 and 132):

• You should enable incoming and outgoing ICMPv6 MLD messages, with proper link-local addresses or multicast addresses if you want to use IPv6 multicast on a bigger scope than linklocal. This is required if the "internet-router-firewall-protected network" architecture is used. In this case your firewall should act as an MLD router.

ICMPv6 renumbering (Type 138)

• You may disallow ICMPv6 router renumbering messages passing, since router renumbering is not widely adopted.

ICMPv6 node information query and reply (Type 139 and 140)

• You may disallow ICMPv6 node information query and reply processing, since node information query/reply is not widely adopted.

We summarise the ICMPv6 recommendations in Table 9-3.

Note: Each IPv6 specific ICMP feature is in bold, each required ICMP feature is in italics.
‹ 9.2.2 ICMP Filtering(1)up9.3 Securing Autoconfiguration ›