Recommendations for Filtering ICMPv6 Messages in Firewalls
RFC 4890
Document Type RFC - Informational (May 2007; Errata)
Last updated 2018-12-20
Replaces draft-ietf-v6ops-icmpv6-filtering-bcp
Stream IETF
Formats plain text pdf html bibtex
Reviews
SECDIR Early Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4890 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD David Kessens
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                          E. Davies
Request for Comments: 4890                                    Consultant
Category: Informational                                       J. Mohacsi
                                                          NIIF/HUNGARNET
                                                                May 2007

       Recommendations for Filtering ICMPv6 Messages in Firewalls

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   In networks supporting IPv6, the Internet Control Message Protocol
   version 6 (ICMPv6) plays a fundamental role with a large number of
   functions, and a correspondingly large number of message types and
   options.  ICMPv6 is essential to the functioning of IPv6, but there
   are a number of security risks associated with uncontrolled
   forwarding of ICMPv6 messages.  Filtering strategies designed for the
   corresponding protocol, ICMP, in IPv4 networks are not directly
   applicable, because these strategies are intended to accommodate a
   useful auxiliary protocol that may not be required for correct
   functioning.

   This document provides some recommendations for ICMPv6 firewall
   filter configuration that will allow propagation of ICMPv6 messages
   that are needed to maintain the functioning of the network but drop
   messages that are potential security risks.

Davies & Mohacsi             Informational                      [Page 1]
RFC 4890            ICMPv6 Filtering Recommendations            May 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Classifying ICMPv6 Messages  . . . . . . . . . . . . . . . . .  6
     2.1.  Error and Informational ICMPv6 Messages  . . . . . . . . .  6
     2.2.  Addressing of ICMPv6 . . . . . . . . . . . . . . . . . . .  6
     2.3.  Network Topology and Address Scopes  . . . . . . . . . . .  7
     2.4.  Role in Establishing and Maintaining Communication . . . .  7
   3.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
     3.1.  Denial-of-Service Attacks  . . . . . . . . . . . . . . . .  9
     3.2.  Probing . . . . . . . . . . . . . . . . . . . . . . . . . . 9
     3.3.  Redirection Attacks . . . . . . . . . . . . . . . . . . . . 9
     3.4.  Renumbering Attacks  . . . . . . . . . . . . . . . . . . . 10
     3.5.  Problems Resulting from ICMPv6 Transparency  . . . . . . . 10
   4.  Filtering Recommendations  . . . . . . . . . . . . . . . . . . 10
     4.1.  Common Considerations  . . . . . . . . . . . . . . . . . . 11
     4.2.  Interaction of Link-Local Messages with
           Firewall/Routers and Firewall/Bridges  . . . . . . . . . . 12
     4.3.  Recommendations for ICMPv6 Transit Traffic . . . . . . . . 13
       4.3.1.  Traffic That Must Not Be Dropped . . . . . . . . . . . 14
       4.3.2.  Traffic That Normally Should Not Be Dropped  . . . . . 14
       4.3.3.  Traffic That Will Be Dropped Anyway -- No Special
               Attention Needed . . . . . . . . . . . . . . . . . . . 15
       4.3.4.  Traffic for Which a Policy Should Be Defined . . . . . 16
       4.3.5.  Traffic That Should Be Dropped Unless a Good Case
               Can Be Made  . . . . . . . . . . . . . . . . . . . . . 17
     4.4.  Recommendations for ICMPv6 Local Configuration Traffic . . 18
       4.4.1.  Traffic That Must Not Be Dropped . . . . . . . . . . . 18
       4.4.2.  Traffic That Normally Should Not Be Dropped  . . . . . 19
       4.4.3.  Traffic That Will Be Dropped Anyway -- No Special
               Attention Needed . . . . . . . . . . . . . . . . . . . 19
       4.4.4.  Traffic for Which a Policy Should Be Defined . . . . . 20
       4.4.5.  Traffic That Should Be Dropped Unless a Good Case
               Can Be Made  . . . . . . . . . . . . . . . . . . . . . 21
   5.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
     6.1.  Normative References . . . . . . . . . . . . . . . . . . . 21
     6.2.  Informative References . . . . . . . . . . . . . . . . . . 22
   Appendix A.  Notes on Individual ICMPv6 Messages . . . . . . . . . 24
     A.1.  Destination Unreachable Error Message  . . . . . . . . . . 24
     A.2.  Packet Too Big Error Message . . . . . . . . . . . . . . . 24
     A.3.  Time Exceeded Error Message  . . . . . . . . . . . . . . . 25
     A.4.  Parameter Problem Error Message  . . . . . . . . . . . . . 25
     A.5.  ICMPv6 Echo Request and Echo Response  . . . . . . . . . . 26
     A.6.  Neighbor Solicitation and Neighbor Advertisement
           Messages . . . . . . . . . . . . . . . . . . . . . . . . . 26
     A.7.  Router Solicitation and Router Advertisement Messages  . . 27
     A.8.  Redirect Messages  . . . . . . . . . . . . . . . . . . . . 27
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools