DONT BLOCK ICMP (Maybe rate limit !)
Since setting IP IPV6 networks icmp has become more important
Most IPV6 test sites Test ICMP connectivity.
I have found this one to be very important
IPv6 - (Type2, Code0) Packet Too Big (IPv6)
This is essential for MTU path discovery
IPv6 Routers do not Fragment packets like IPv4 did, they just send back Packet too big and the sender need to adjust. these messages need to get back to sender!
Also IPv4 used ARP for Layer 2 to Layer 3 mappings.
But IPv6 Uses ICMP for
Router Solicitation (RS) (Type133, Code0)
Router Advertisement (RA) (Type134, Code0)
Neighbor Solicitation (NS) (Type135, Code0)
Neighbor Advertisement (NA) (Type136, Code0)
Redirect (Type137, Code0)
These should be permitted in the network but not outside
I have found a great source of information here
No comments:
Post a Comment