[atlas] IPv6 ICMP - denied packets
Philip Homburg
philip.homburg at ripe.net
Mon Jun 23 23:19:53 CEST 2014
On 2014/06/23 23:01 , Joachim Tingvold wrote:
> Hi,
>
> I recently installed a probe at home, and now my router spits out
> loads of 'denied icmpv6'-messages.
>
> After going through the logs for the last two days, I have ~1900
> entries of denies towards the probe -- all of them more or less
> like this (with different source);
>
> ###
> Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/4), 8 packets
> ###
>
> I've got an ACL applied ingress on the link to my ISP, and the
> relevant part is shown below;
>
> ###
> ipv6 access-list ipv6-inbound
>  sequence 2000 permit icmp any any echo-reply
>  sequence 2005 permit icmp any any echo-request
>  sequence 2010 permit icmp any any packet-too-big
>  sequence 2015 permit icmp any any time-exceeded
>  sequence 2020 permit icmp any any destination-unreachable
>  sequence 2025 permit icmp any any parameter-problem
>  sequence 2100 deny icmp any any log-input
> ###
>
> This ACL conforms to RFC4890[1] (except the Mobile IPv6 part).
>
> Of the 1900 entries, all of them are ICMPv6 type 1. ~300 of them
> have the code bit[2] set to 1, and ~1600 of them are set to 4.

Type 1, code 4 is port unreachable. That is triggered by UDP
traceroute. It would be better not to filter those packets.

Type 1, code 1 means administratively prohibited. It is best to allow
that one as well. Or in general, any destination unreachable ICMP.

Though I don't understand why 'sequence 2020 permit icmp any any
destination-unreachable' does accept those packets.

Philip
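The triage described in this thread, breaking the denied ICMPv6 entries down by type and code, can be scripted. The following is an added example, not part of the original message: it assumes the `(1/4)` field in the quoted log line is type/code and that every entry follows the layout of that one line; `tally_denied` and `describe` are hypothetical helper names, and all sample lines except the first are constructed.

```python
import re
from collections import Counter

# ICMPv6 Destination Unreachable (type 1) code names, per RFC 4443.
DEST_UNREACH_CODES = {
    0: "no route to destination",
    1: "communication administratively prohibited",
    2: "beyond scope of source address",
    3: "address unreachable",
    4: "port unreachable",
    5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}

# Assumed layout, inferred from the single log line quoted in the message:
# list <acl>/<seq> denied icmpv6 <src> (<ifc>) -> <dst> (<type>/<code>), <n> packets
LOG_RE = re.compile(
    r"%IPV6_ACL-6-ACCESSLOGDP: list (?P<acl>\S+)/(?P<seq>\d+) denied icmpv6 "
    r"(?P<src>\S+) \((?P<ifc>[^)]*)\) -> (?P<dst>\S+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def tally_denied(lines):
    """Sum denied packets per (type, code); lines in another format are skipped."""
    totals = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            totals[(int(m["type"]), int(m["code"]))] += int(m["count"])
    return totals

def describe(icmp_type, code):
    """Human-readable name for a type/code pair (only type 1 is expanded)."""
    if icmp_type == 1:
        return "destination unreachable: " + DEST_UNREACH_CODES.get(code, "unknown code")
    return f"type {icmp_type}, code {code}"

# First line is the one quoted in the message (unwrapped); the rest are constructed.
SAMPLE = [
    "Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 "
    "denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/4), 8 packets",
    "Jun 22 2014 22:31:02.101 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 "
    "denied icmpv6 2001:DB8:1::1 (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/1), 1 packet",
    "Jun 22 2014 22:35:40.009 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 "
    "denied icmpv6 2001:DB8:2::7 (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/4), 3 packets",
    "Jun 22 2014 22:36:00.000 CEST: %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for (t, c), n in sorted(tally_denied(SAMPLE).items()):
        print(f"{n:6d} packets  ({t}/{c})  {describe(t, c)}")
```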