Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: evantkh on February 04, 2015, 05:45:42 AM

Title: Is blocking incoming IPv6 ping a good idea?
Post by: evantkh on February 04, 2015, 05:45:42 AM
For security. Will it cause protocols to malfunction? Other ICMP error signals are not filtered.
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: cholzhauer on February 04, 2015, 05:46:21 AM
Yes, it's a bad idea.

No, you shouldn't block it.
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: evantkh on February 04, 2015, 05:48:17 AM
Quote from: cholzhauer on February 04, 2015, 05:46:21 AM
Yes, it's a bad idea.

No, you shouldn't block it.

What will go wrong?
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: cholzhauer on February 04, 2015, 05:51:49 AM
http://blogs.cisco.com/security/icmp-and-security-in-ipv6

http://security.stackexchange.com/questions/22711/is-it-a-bad-idea-for-a-firewall-to-block-icmp

http://en.wikipedia.org/wiki/Path_MTU_Discovery

You get the idea
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: evantkh on February 04, 2015, 05:56:44 AM
Quote from: cholzhauer on February 04, 2015, 05:51:49 AM
http://blogs.cisco.com/security/icmp-and-security-in-ipv6

http://security.stackexchange.com/questions/22711/is-it-a-bad-idea-for-a-firewall-to-block-icmp

http://en.wikipedia.org/wiki/Path_MTU_Discovery

You get the idea

I am only blocking incoming echo request...
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: broquea on February 04, 2015, 05:56:57 AM
Blocking ICMP does nothing for security. Nothing. Someone could still flood-ping your host and cause issues even with it filtered at your side, because your upstream isn't filtering/rate-limiting it.

Rate limit ICMP if anything. Still doesn't fix an attack vector if the upstream isn't doing the same for you.

Someone gets more data about you from you connecting to their services, than them knowing that your host responds to a ping.

Unless you are doing this on something that can process millions or close to a billion pps, your side loses every time.
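The rate-limit approach recommended above, written out as an ip6tables policy. This is an added example, not code from the thread or from Hurricane Electric: it keeps the ICMPv6 types that IPv6 itself depends on (Packet Too Big for path MTU discovery, Time Exceeded, Destination Unreachable, Parameter Problem, and the neighbor discovery messages, following the recommendations in RFC 4890) and answers echo requests under a rate cap instead of dropping them. The script only prints the rules so they can be reviewed; the `apply` argument, the `ECHO_RATE`/`ECHO_BURST` variables and the helper names are assumptions for this example. It targets the INPUT chain of a host; a router would mirror the same types on FORWARD.

```shell
#!/bin/sh
# Added example (not from the thread): an ICMPv6 policy that keeps the
# message types IPv6 depends on and rate-limits echo requests rather than
# dropping them. Nothing is applied unless run as:  sh icmpv6-policy.sh apply
# (as root). Without "apply" the rules are only printed for review.

# Error messages that must pass for PMTUD, error reporting and traceroute
# to keep working (RFC 4890). Names are ip6tables --icmpv6-type values.
ESSENTIAL_TYPES="destination-unreachable packet-too-big time-exceeded parameter-problem"
# Neighbor discovery; without these the host cannot learn its router or neighbors.
NDP_TYPES="router-solicitation router-advertisement neighbour-solicitation neighbour-advertisement"

# Print the rule set instead of executing it (chain INPUT, assumed for a host).
icmpv6_rules() {
    for t in $ESSENTIAL_TYPES; do
        echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # NDP messages are link-local and sent with hop limit 255 (RFC 4861);
    # requiring 255 rejects anything that was forwarded from another link.
    for t in $NDP_TYPES; do
        echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Echo: keep answering pings, but cap the rate so a flood costs little.
    # ECHO_RATE / ECHO_BURST are assumed tunables for this example.
    echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit ${ECHO_RATE:-10/second} --limit-burst ${ECHO_BURST:-20} -j ACCEPT"
    echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP"
    echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT"
}

# Number of ACCEPT rules for a given ICMPv6 type; 0 means the policy never
# admits it (e.g. redirect, which is not in either list above).
accepts_type() {
    icmpv6_rules | grep -c -- "--icmpv6-type $1 .*-j ACCEPT"
}

case "$1" in
    apply) icmpv6_rules | sh -e ;;   # execute the printed rules in order
    *)     icmpv6_rules ;;           # default: review only
esac
```

Order matters: the type-specific ACCEPT rules must precede any catch-all ICMPv6 DROP in the chain, and the limited echo-request ACCEPT must come before its DROP, otherwise the limit never sees a packet.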
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: cholzhauer on February 04, 2015, 05:57:14 AM
Quote
I am only blocking incoming echo request...

You never mentioned that.

Quote
At the same time, I see a lot of IPv6 sites not pingable.

Doesn't mean it's right.
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: evantkh on February 04, 2015, 05:59:42 AM
Quote from: broquea on February 04, 2015, 05:56:57 AM
Blocking ICMP does nothing for security. Nothing.
Rate limit ICMP if anything.
Someone gets more data about you from you connecting to their services, than them knowing that your host responds to a ping.

The incoming ICMP rate is also limited by default on my router.
Do you mean that just blocking incoming echo requests does not cause a problem unless someone tests whether an endpoint is reachable using ping?

I want to at least hide the IPs used by the machines so that they can only be discovered after doing a port scan.
At the same time, most of the incoming traffic is blocked unless I explicitly allow it, like forwarding incoming port 80 to an IP.
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: evantkh on February 04, 2015, 06:00:30 AM
Quote from: cholzhauer on February 04, 2015, 05:57:14 AM
Quote
I am only blocking incoming echo request...

You never mentioned that.

Quote
At the same time, I see a lot of IPv6 sites not pingable.

Doesn't mean it's right.

I have said that other ICMP error signals are not filtered, including Time Exceeded etc.
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: broquea on February 04, 2015, 06:23:06 AM
Quote
I want to at least hide the IPs used by the machines so that they can only be discovered after doing a port scan.

And when that port scan of that one /64 finishes in the year 2525, I'm certain that host will have long since stopped responding. Again, this doesn't hide anything. The moment you connect to or through any service, your host is known. Promoting the idea that blocking ICMP is security, is false.
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: evantkh on February 04, 2015, 07:30:58 AM
Quote from: broquea on February 04, 2015, 06:23:06 AM
Quote
I want to at least hide the IPs used by the machines so that they can only be discovered after doing a port scan.

And when that port scan of that one /64 finishes in the year 2525, I'm certain that host will have long since stopped responding. Again, this doesn't hide anything. The moment you connect to or through any service, your host is known. Promoting the idea that blocking ICMP is security, is false.

Then why do ISPs block echo requests in IPv4 networks?

In fact, I am blocking echo requests on the router rather than on the server/computer to prevent inbound ICMP traceroute.
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: broquea on February 04, 2015, 09:35:00 AM
Quote
Then why do ISPs block echo requests in IPv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: evantkh on February 04, 2015, 04:43:01 PM
Quote from: broquea on February 04, 2015, 09:35:00 AM
Quote
Then why do ISPs block echo requests in IPv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

How do I block outgoing hop limit exceeded messages with ip6tables, to prevent traceroute?
Title: Re: Is blocking incoming IPv6 ping a good idea?
Post by: passport123 on February 05, 2015, 08:58:59 AM
Quote from: broquea on February 04, 2015, 09:35:00 AM
Quote
Then why do ISPs block echo requests in IPv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

At one point, many years ago (late 1990s?), Windows suffered from the "ping of death" exploit. At that time, IPv4 pings were widely blocked, and I suspect many have just not unblocked them.