Network Working Group                                          E. Davies
Request for Comments: 4890                                    Consultant
Category: Informational                                       J. Mohacsi
                                                          NIIF/HUNGARNET
                                                                May 2007

       Recommendations for Filtering ICMPv6 Messages in Firewalls

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   In networks supporting IPv6, the Internet Control Message Protocol
   version 6 (ICMPv6) plays a fundamental role with a large number of
   functions, and a correspondingly large number of message types and
   options.  ICMPv6 is essential to the functioning of IPv6, but there
   are a number of security risks associated with uncontrolled
   forwarding of ICMPv6 messages.  Filtering strategies designed for the
   corresponding protocol, ICMP, in IPv4 networks are not directly
   applicable: those strategies treat ICMP as a useful but auxiliary
   protocol that a network can function without, so they can afford to
   block it broadly, whereas IPv6 depends on ICMPv6 for functions such
   as Neighbor Discovery and Path MTU Discovery.

   This document provides some recommendations for ICMPv6 firewall
   filter configuration that will allow propagation of ICMPv6 messages
   that are needed to maintain the functioning of the network but drop
   messages that are potential security risks.
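   The abstract states the goal: forward the ICMPv6 messages the network
   needs and drop the ones that are a risk.  The Python filter below is an
   added example, not code from RFC 4890 or its authors.  It parses a raw
   IPv6 packet carrying ICMPv6, verifies the RFC 4443 checksum over the
   pseudo-header, refuses link-local-scope Neighbor Discovery and MLD
   messages (which a firewall/router must never forward and which, for
   Neighbor Discovery, must carry hop limit 255), checks that an error
   message's embedded invoking packet points back at the error's
   destination, and only then applies a type/code table summarising the
   transit recommendations of Section 4.3.  The addresses, verdict names,
   sample packets and helper names are the example's own; the type/code
   table is this editor's summary of Sections 4.3.1 to 4.3.5 and should be
   verified against the RFC text before it is deployed.

```python
import ipaddress
import struct

ICMPV6 = 58
ACCEPT, DROP, POLICY = "accept", "drop", "policy"   # example's own verdict names

# Summary of RFC 4890 section 4.3 transit recommendations, keyed by ICMPv6 type.
# Value = set of allowed codes, None = every code.  Verify against the RFC before use.
MUST_ALLOW = {1: None, 2: None, 3: {0}, 4: {1, 2}, 128: None, 129: None}  # 4.3.1
SHOULD_ALLOW = {3: {1}, 4: {0}}                                            # 4.3.2
LINK_LOCAL_ONLY = {130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143,
                   148, 149, 151, 152, 153}                                # 4.3.3
ND_TYPES = {133, 134, 135, 136, 137}          # RFC 4861: must arrive with hop limit 255
SITE_POLICY = {144, 145, 146, 147, 150}                                    # 4.3.4
# Anything not matched above (138, 139, 140, unallocated, experimental and the
# extension types 127/255) falls under 4.3.5: drop unless a good case is made.


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 s2.3: one's-complement sum over the IPv6 pseudo-header plus the message.
    Returns 0 when the checksum field inside `icmp` is already correct."""
    data = (src.packed + dst.packed + struct.pack("!I", len(icmp))
            + b"\0\0\0" + bytes([ICMPV6]) + icmp)
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_header(src, dst, next_header, payload_len, hop_limit):
    """Fixed 40-byte IPv6 header (version 6, zero traffic class and flow label)."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def build_packet(src, dst, icmp_type, code, body, hop_limit=64):
    """Constructed test input: one ICMPv6 message inside IPv6, checksum filled in."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    icmp = struct.pack("!BBH", icmp_type, code, 0) + body
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(s, d, icmp)) + icmp[4:]
    return ipv6_header(src, dst, ICMPV6, len(icmp), hop_limit) + icmp


def transit_verdict(packet):
    """Decide whether a site firewall should forward this packet; returns (verdict, reason)."""
    if len(packet) < 40:
        return DROP, "truncated IPv6 header"
    _, plen, nh, hop = struct.unpack("!IHBB", packet[:8])
    src, dst = ipaddress.IPv6Address(packet[8:24]), ipaddress.IPv6Address(packet[24:40])
    if nh != ICMPV6:
        return POLICY, "not a bare ICMPv6 packet (extension headers not parsed here)"
    icmp = packet[40:40 + plen]
    if len(icmp) != plen or plen < 8:
        return DROP, "ICMPv6 message truncated or shorter than 8 bytes"
    if icmpv6_checksum(src, dst, icmp) != 0:
        return DROP, "bad ICMPv6 checksum"
    if src.is_link_local or src.is_multicast:
        return DROP, "link-local or multicast source address never transits"
    t, c = icmp[0], icmp[1]
    if t in LINK_LOCAL_ONLY:                       # 4.3.3: a router never forwards these
        if t in ND_TYPES and hop != 255:
            return DROP, "ND message with hop limit != 255: forged or already routed"
        return DROP, "link-local scope ND/MLD message must not cross the firewall"
    if t < 128:                                    # RFC 4443: types below 128 are errors
        if dst.is_multicast:
            return DROP, "error message addressed to a multicast destination"
        if len(icmp) < 48:                         # 4 hdr + 4 param + 40-byte inner IPv6 header
            return DROP, "error message lacks the invoking packet's IPv6 header"
        if ipaddress.IPv6Address(icmp[16:32]) != dst:   # 4.1 sanity check on embedded packet
            return DROP, "embedded packet's source does not match the error's destination"
    if t in MUST_ALLOW and (MUST_ALLOW[t] is None or c in MUST_ALLOW[t]):
        return ACCEPT, "RFC 4890 4.3.1: must not be dropped"
    if t in SHOULD_ALLOW and c in SHOULD_ALLOW[t]:
        return ACCEPT, "RFC 4890 4.3.2: normally should not be dropped"
    if t in SITE_POLICY:
        return POLICY, "RFC 4890 4.3.4: site policy decides"
    return DROP, "RFC 4890 4.3.5: drop unless a good case can be made"


def demo():
    """Constructed sample packets (documentation prefix 2001:db8::/32); returns name -> verdict."""
    rtr, host, peer = "2001:db8:1::1", "2001:db8:2::10", "2001:db8:3::1"
    invoking = ipv6_header(host, peer, 6, 1400, 63)          # the TCP packet that was too big
    forged = ipv6_header("2001:db8:9::9", peer, 6, 1400, 63)  # inner source not ours
    samples = {
        "packet_too_big": build_packet(rtr, host, 2, 0, struct.pack("!I", 1280) + invoking),
        "ptb_wrong_inner_src": build_packet(rtr, host, 2, 0, struct.pack("!I", 1280) + forged),
        "time_exceeded_reassembly": build_packet(peer, host, 3, 1, b"\0" * 4 + invoking),
        "error_to_multicast": build_packet(rtr, "ff02::1", 1, 0, b"\0" * 4 + invoking),
        "echo_request": build_packet(peer, host, 128, 0, struct.pack("!HH", 1, 1) + b"ping"),
        "neighbor_solicit_hop255": build_packet("2001:db8:1::7", host, 135, 0, b"\0" * 20, 255),
        "neighbor_solicit_hop64": build_packet("2001:db8:1::7", host, 135, 0, b"\0" * 20),
        "mobile_prefix_solicit": build_packet(peer, host, 146, 0, b"\0" * 4),
        "node_info_query": build_packet(peer, host, 139, 0, b"\0" * 12),
    }
    echo = samples["echo_request"]
    samples["echo_bad_checksum"] = echo[:-1] + bytes([echo[-1] ^ 0x01])   # flip one payload bit
    return {name: transit_verdict(pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

   The order of the checks matters: integrity (length, checksum) and
   scope (link-local source, ND hop limit) are decided before the
   type/code table is consulted, so a forged Packet Too Big or a Neighbor
   Solicitation that has somehow been routed is dropped without ever
   reaching the "must not be dropped" rule for its type.  A stateful
   firewall would additionally match the embedded invoking packet against
   its flow table, which this stateless example does not attempt.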

Davies & Mohacsi             Informational                      [Page 1]
RFC 4890            ICMPv6 Filtering Recommendations            May 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Classifying ICMPv6 Messages  . . . . . . . . . . . . . . . . .  6
     2.1.  Error and Informational ICMPv6 Messages  . . . . . . . . .  6
     2.2.  Addressing of ICMPv6 . . . . . . . . . . . . . . . . . . .  6
     2.3.  Network Topology and Address Scopes  . . . . . . . . . . .  7
     2.4.  Role in Establishing and Maintaining Communication . . . .  7
   3.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
     3.1.  Denial-of-Service Attacks  . . . . . . . . . . . . . . . .  9
     3.2.  Probing . . . . . . . . . . . . . . . . . . . . . . . . . . 9
     3.3.  Redirection Attacks . . . . . . . . . . . . . . . . . . . . 9
     3.4.  Renumbering Attacks  . . . . . . . . . . . . . . . . . . . 10
     3.5.  Problems Resulting from ICMPv6 Transparency  . . . . . . . 10
   4.  Filtering Recommendations  . . . . . . . . . . . . . . . . . . 10
     4.1.  Common Considerations  . . . . . . . . . . . . . . . . . . 11
     4.2.  Interaction of Link-Local Messages with
           Firewall/Routers and Firewall/Bridges  . . . . . . . . . . 12
     4.3.  Recommendations for ICMPv6 Transit Traffic . . . . . . . . 13
       4.3.1.  Traffic That Must Not Be Dropped . . . . . . . . . . . 14
       4.3.2.  Traffic That Normally Should Not Be Dropped  . . . . . 14
       4.3.3.  Traffic That Will Be Dropped Anyway -- No Special
               Attention Needed . . . . . . . . . . . . . . . . . . . 15
       4.3.4.  Traffic for Which a Policy Should Be Defined . . . . . 16
       4.3.5.  Traffic That Should Be Dropped Unless a Good Case
               Can Be Made  . . . . . . . . . . . . . . . . . . . . . 17
     4.4.  Recommendations for ICMPv6 Local Configuration Traffic . . 18
       4.4.1.  Traffic That Must Not Be Dropped . . . . . . . . . . . 18
       4.4.2.  Traffic That Normally Should Not Be Dropped  . . . . . 19
       4.4.3.  Traffic That Will Be Dropped Anyway -- No Special
               Attention Needed . . . . . . . . . . . . . . . . . . . 19
       4.4.4.  Traffic for Which a Policy Should Be Defined . . . . . 20
       4.4.5.  Traffic That Should Be Dropped Unless a Good Case
               Can Be Made  . . . . . . . . . . . . . . . . . . . . . 21
   5.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
     6.1.  Normative References . . . . . . . . . . . . . . . . . . . 21
     6.2.  Informative References . . . . . . . . . . . . . . . . . . 22
   Appendix A.  Notes on Individual ICMPv6 Messages . . . . . . . . . 24
     A.1.  Destination Unreachable Error Message  . . . . . . . . . . 24
     A.2.  Packet Too Big Error Message . . . . . . . . . . . . . . . 24
     A.3.  Time Exceeded Error Message  . . . . . . . . . . . . . . . 25
     A.4.  Parameter Problem Error Message  . . . . . . . . . . . . . 25
     A.5.  ICMPv6 Echo Request and Echo Response  . . . . . . . . . . 26
     A.6.  Neighbor Solicitation and Neighbor Advertisement
           Messages . . . . . . . . . . . . . . . . . . . . . . . . . 26

[include full document text]