[atlas] IPv6 ICMP - denied packets

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2014/06/23 23:01 , Joachim Tingvold wrote:
> Hi,
> 
> I recently installed a probe at home, and now my router spits out
> loads of 'denied icmpv6'-messages.
> 
> After going through the logs for the last two days, I have ~1900
> entries of denies towards the probe -- all of them more or less
> like this (with different source);
> 
> ### Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list
> ipv6-inbound/2100 denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102)
> -> {PROBE-IPV6-ADDRESS} (1/4), 8 packets ###
> 
> I've got an ACL applied ingress on the link to my ISP, and the
> relevant part is shown below;
> 
> ### ipv6 access-list ipv6-inbound sequence 2000 permit icmp any any
> echo-reply sequence 2005 permit icmp any any echo-request sequence
> 2010 permit icmp any any packet-too-big sequence 2015 permit icmp
> any any time-exceeded sequence 2020 permit icmp any any
> destination-unreachable sequence 2025 permit icmp any any
> parameter-problem sequence 2100 deny icmp any any log-input ###
> 
> This ACL conforms to RFC4890[1] (except the Mobile IPv6 part).
> 
> Of the 1900 entries, all of them are ICMPv6 type 1. ~300 of them
> have the code bit[2] set to 1, and ~1600 of them are set to 4.

Type 1, code 4 is port unreachable. That is triggered by UDP
traceroute. It would be better not to filter those packets.

Type 1, code 1 means administratively prohibited. It is best to allow
that one as well. Or in general, any destination unreachable ICMP.

Though I don't understand why 'sequence 2020 permit icmp any any
destination-unreachable' does accept those packets.

Philip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlOomfkACgkQ23LKRM64egJu+QCfVdUc8qMYufSw+IvThUYfzPyn
nwYAoIK0MmsAYptBL8DUgqCB4bb1brC0
=5Cqj
-----END PGP SIGNATURE-----