
So, we recently got our /48 prefix from our LIR, and started small-scale deploying it in a lab.

What struck me as odd is that sites like http://ipv6-test.com/ insist that you allow incoming ICMP Echo requests. I understand why you should allow ICMPv6 outgoing, but incoming? Even if it's just a ping?

So, my question is: Aside from possible DDoS attacks utilizing ICMP, are there any drawbacks in allowing incoming ICMP echo requests?

I read RFC4890 ( https://www.ietf.org/rfc/rfc4890.txt ) but couldn't find a definite answer there.

A.5. ICMPv6 Echo Request and Echo Response

suggests that

It is not thought that there is a significant risk from scanning attacks on a well-designed IPv6 network (see Section 3.2), and so connectivity checks should be allowed by default.

Is this point still valid, given the RFC is almost 10 years old? Also, the RFC does not differentiate between outgoing and incoming directions.

I always felt the recommendation for v4 was to block ICMP at the gateway, but then again, v6 heavily relies on ICMP.

So, any suggestions?

lightxx
  • Don't block ICMP for IPv6, you will break it – user9517 Jun 14 '16 at 09:28
  • I was looking for arguments, not "don't do it". Specifically, arguments for/against incoming ICMPv6 packets. – lightxx Jun 14 '16 at 09:29
  • "You will break it" seems like a pretty definitive argument to me... though a proper source would have been helpful. – Dan Jun 14 '16 at 13:10
  • The OP quotes RFC 4890. The answer is leave it open, and if you don't, as mentioned, you'll break it. This should be closed as he clearly wants an opinion, not facts. – Jim B Jun 14 '16 at 23:27
  • When you can get a significant fraction of 2^64 devices onto a single physical network segment, then that advice will no longer hold. Until then, it's pretty sound. – Michael Hampton Jul 01 '16 at 01:13

1 Answer


This first bit is not a direct answer to your question. I just include it here for others that don't realise the importance of ICMPv6.

IPv6 really needs certain ICMP message types to get through. The most important ones are Packet-Too-Big and Parameter-Problem. If you block those then you will get connectivity issues.

Also: the IPv6 equivalent of ARP is neighbour discovery, which uses ICMP packets as well. Stateless autoconfiguration is part of neighbour discovery, so it also needs ICMP.

In IPv4 there is a misunderstanding that all incoming ICMP should be blocked, and you can get away with that. With IPv6 you really need to allow at least some ICMP. Take a look at https://www.rfc-editor.org/rfc/rfc4890, it contains some really good advice on how to filter ICMP without breaking the protocol.

The answer to your question

Blocking incoming ICMP echo requests is fine. I personally don't do it because allowing them makes debugging a lot easier, but if you don't want to allow them in you don't have to. The main risk you run if you allow them in is that if someone finds a stable (non-temporary/privacy) address for e.g. your laptop then they can keep pinging it to see when it's switched on. That might be considered a privacy risk. They'll have to find such an address first though, because for outgoing connections it will use its temporary privacy addresses.

Sander Steffann
  • I don't think I have seen Parameter-Problem used in any normal communication, so I am curious what you think will break if it is blocked. – kasperd Jan 24 '18 at 23:01
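The answer above draws a line between ICMPv6 types a host must accept (Packet-Too-Big, Parameter-Problem and the other error messages, plus neighbour discovery) and echo requests, which are a policy choice. The following is an added example, not code from the answer or from this site: a small static audit that reads the text printed by `ip6tables -S INPUT`, evaluates each ICMPv6 type against the chain with first-match semantics, and reports which essential types would be dropped and what happens to echo requests. The type list is an assumption (a subset of RFC 4890's "must not be dropped" types, the ones the answer names), the two sample chains are constructed, not captured from a real host, and the `ip6tables -S` syntax is the only input format handled.

```python
"""Static audit of an ip6tables INPUT chain for ICMPv6 types that IPv6 needs.

Reads the text printed by `ip6tables -S INPUT` and evaluates, per ICMPv6 type,
which terminating rule a packet from the wire would hit first.
"""
import re

# Subset of the ICMPv6 types RFC 4890 says must not be dropped (assumption:
# the error messages PMTUD depends on plus core Neighbor Discovery, i.e. the
# types the answer names; extend from RFC 4890 sections 4.3.1 and 4.4.1).
ESSENTIAL_TYPES = {
    1: "Destination Unreachable",
    2: "Packet Too Big",
    3: "Time Exceeded",
    4: "Parameter Problem",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}
ECHO_REQUEST = 128  # optional: allowed by default in RFC 4890, blocking is a policy choice

POLICY_RE = re.compile(r"^-P INPUT (?P<policy>\S+)")
RULE_RE = re.compile(r"^-A INPUT(?P<opts>.*?) -j (?P<target>\S+)\s*$")
TYPE_RE = re.compile(r"--icmpv6-type (?P<t>\d+)")
# Options we can evaluate without packet context. A rule with any other option
# (-i lo, -s ..., conntrack state, ...) only applies to some packets, so it is
# skipped: the audit asks what happens to a fresh ICMPv6 packet from the wire.
EVALUABLE_OPTS_RE = re.compile(
    r"^(?: -p ipv6-icmp| -m icmp6| --icmpv6-type \d+(?:/\d+)?)*$"
)
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_chain(text):
    """Return (policy, rules); each rule is (icmpv6_type_or_None, target)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        pm = POLICY_RE.match(line)
        if pm:
            policy = pm.group("policy")
            continue
        rm = RULE_RE.match(line)
        if not rm or not EVALUABLE_OPTS_RE.match(rm.group("opts")):
            continue  # not an INPUT rule, or conditional on packet context
        if rm.group("target") not in TERMINATING:
            continue  # LOG/RETURN and jumps to user chains are not followed (limitation)
        tm = TYPE_RE.search(rm.group("opts"))
        rules.append((int(tm.group("t")) if tm else None, rm.group("target")))
    return policy, rules


def verdict(policy, rules, icmp_type):
    """First matching terminating rule wins, as in iptables; else the chain policy."""
    for rule_type, target in rules:
        if rule_type is None or rule_type == icmp_type:
            return target
    return policy


def audit(text):
    """Return ({type: 'name (verdict)'} for essential types not accepted, echo verdict)."""
    policy, rules = parse_chain(text)
    blocked = {}
    for t, name in ESSENTIAL_TYPES.items():
        v = verdict(policy, rules, t)
        if v != "ACCEPT":
            blocked[t] = f"{name} ({v})"
    return blocked, verdict(policy, rules, ECHO_REQUEST)


# Constructed sample chains (not captured from a real host).
IPV4_HABIT = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
"""

RFC4890_STYLE = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j DROP
-A INPUT -p ipv6-icmp -j DROP
"""

if __name__ == "__main__":
    for label, chain in (("IPv4 habit", IPV4_HABIT), ("RFC 4890 style", RFC4890_STYLE)):
        blocked, echo = audit(chain)
        print(f"{label}: echo request -> {echo}; essential types blocked: {blocked or 'none'}")
```

Run it against `ip6tables -S INPUT` output piped into `audit()`. The first sample is the "block all ICMP" habit carried over from IPv4: every essential type lands on the catch-all drop. The second accepts the essential types explicitly, drops echo requests as a deliberate choice, and still drops everything else. Because conditional rules are skipped, a chain that relies on `--ctstate RELATED` to admit error messages is reported as blocking them; that is intentional here, since router advertisements and neighbour solicitations are never related to an existing connection and must be admitted on their own.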