[ntp:questions] IPv6 and ip6tables

Alexandre Y. Harano harano at nic.br
Tue Mar 12 17:54:30 UTC 2013


Hello there.

In IPv4 firewalls, people usually blocks ICMPv4 messages. In IPv6,
ICMPv6 covers funcionalities provided by ICMP, ARP and RARP. So, there
must be some caution about which ICMPv6 messages to be blocked.

There are a few documents about how to manage ICMPv6 messages.

[1] RFC4890 - Recommendations for Filtering ICMPv6 Messages in
Firewalls: http://tools.ietf.org/html/rfc4890

[2] NIST - Guidelines for the Secure Deployment of IPv6:
http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
(Subsection 3.5.6 and Table 3-7)

Remaining any doubts, don't hesitate to ask them!

On 2013-03-12 13:50, Rob wrote:
> Xavier Robin <geckolimo at gmail.com> wrote:
>> I don't know if it is related with my provider's network architecture (I have a VPS server hosted by gandi.net) or if it is the common behaviour of NTP over IPv6. I should note I've already had ICMPv6-related issues in the past: I had to turn on router-solicitation and router-advertisement to get a global ipv6 address at all. What should be enabled is still a bit arcane to me.
> 
> When you don't understand ICMP(v6) you should not block it in your
> firewall, as this will cause the weirdest of problems.
> 
> _______________________________________________
> questions mailing list
> questions at lists.ntp.org
> http://lists.ntp.org/listinfo/questions
> 


-- 
Alexandre Yukio Harano
Projects Analyst
harano at nic.br
+55 11 5509-3537 ext 4041

NIC.br - http://nic.br
CEPTRO.br - http://ceptro.br

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ntp.org/pipermail/questions/attachments/20130312/96e481b6/attachment.sig>


More information about the questions mailing list