This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] IPv6 ICMP - denied packets
- Previous message (by thread): [atlas] IPv6 ICMP - denied packets
- Next message (by thread): [atlas] IPv6 ICMP - denied packets
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Philip Homburg
philip.homburg at ripe.net
Mon Jun 23 23:19:53 CEST 2014
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014/06/23 23:01 , Joachim Tingvold wrote: > Hi, > > I recently installed a probe at home, and now my router spits out > loads of 'denied icmpv6'-messages. > > After going through the logs for the last two days, I have ~1900 > entries of denies towards the probe -- all of them more or less > like this (with different source); > > ### Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list > ipv6-inbound/2100 denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102) > -> {PROBE-IPV6-ADDRESS} (1/4), 8 packets ### > > I've got an ACL applied ingress on the link to my ISP, and the > relevant part is shown below; > > ### ipv6 access-list ipv6-inbound sequence 2000 permit icmp any any > echo-reply sequence 2005 permit icmp any any echo-request sequence > 2010 permit icmp any any packet-too-big sequence 2015 permit icmp > any any time-exceeded sequence 2020 permit icmp any any > destination-unreachable sequence 2025 permit icmp any any > parameter-problem sequence 2100 deny icmp any any log-input ### > > This ACL conforms to RFC4890[1] (except the Mobile IPv6 part). > > Of the 1900 entries, all of them are ICMPv6 type 1. ~300 of them > have the code bit[2] set to 1, and ~1600 of them are set to 4. Type 1, code 4 is port unreachable. That is triggered by UDP traceroute. It would be better not to filter those packets. Type 1, code 1 means administratively prohibited. It is best to allow that one as well. Or in general, any destination unreachable ICMP. Though I don't understand why 'sequence 2020 permit icmp any any destination-unreachable' does accept those packets. Philip -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlOomfkACgkQ23LKRM64egJu+QCfVdUc8qMYufSw+IvThUYfzPyn nwYAoIK0MmsAYptBL8DUgqCB4bb1brC0 =5Cqj -----END PGP SIGNATURE-----
- Previous message (by thread): [atlas] IPv6 ICMP - denied packets
- Next message (by thread): [atlas] IPv6 ICMP - denied packets
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]