Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: Is blocking incoming IPv6 ping a good idea?  (Read 7249 times)

evantkh

  • Full Member
  • Posts: 122
Is blocking incoming IPv6 ping a good idea?
« on: February 04, 2015, 05:45:42 AM »

For security. Will it cause protocols to malfunction? Other ICMP error signals are not filtered.

cholzhauer

  • Hero Member
  • Posts: 2744
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #1 on: February 04, 2015, 05:46:21 AM »

Yes, it's a bad idea.

No, you shouldn't block it.

evantkh

  • Full Member
  • Posts: 122
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #2 on: February 04, 2015, 05:48:17 AM »

Quote
Yes, it's a bad idea.

No, you shouldn't block it.

What will go wrong?

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • Posts: 1751
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #5 on: February 04, 2015, 05:56:57 AM »

Blocking ICMP does nothing for security. Nothing. Someone could still flood-ping your host and cause issues even with it filtered at your side, because your upstream isn't filtering/rate-limiting it.

Rate limit ICMP if anything. Still doesn't fix an attack vector if the upstream isn't doing the same for you.

Someone gets more data about you from you connecting to their services, than them knowing that your host responds to a ping.

Unless you are doing this on something that can process millions or close to a billion pps, your side loses every time.
« Last Edit: February 04, 2015, 06:03:09 AM by broquea »
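Added here as a worked example (not from any poster in this thread): an ip6tables-restore ruleset in the spirit of "rate limit ICMP if anything" that keeps the ICMPv6 types IPv6 depends on and rate-limits incoming echo requests instead of dropping them. The interface name, rate and burst values are assumptions; adjust them for your router.

```shell
#!/bin/sh
# Emits an ip6tables-restore ruleset: keep the ICMPv6 types IPv6 depends on
# (errors, PMTUD, neighbour discovery) and rate-limit echo requests instead of
# dropping them. Interface name, rate and burst below are assumptions.
WAN_IF="${WAN_IF:-he-ipv6}"          # assumed tunnel/WAN interface name
ECHO_RATE="${ECHO_RATE:-10/second}"  # assumed echo-request rate limit
ECHO_BURST="${ECHO_BURST:-20}"       # assumed burst allowance

# Print the ruleset. Validate with `... | ip6tables-restore --test`,
# apply with `... | ip6tables-restore`. Same pattern applies to FORWARD
# for traffic routed to hosts behind the router.
icmpv6_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Error messages that must not be filtered (RFC 4890 section 4.3.1):
# 1 dest unreachable, 2 packet too big (PMTUD), 3 time exceeded, 4 param problem
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
# Neighbour discovery (133-136) is link-local and always sent with hop limit 255
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Echo request (128) from the WAN: answer at a bounded rate, drop the excess
-A INPUT -i ${WAN_IF} -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit ${ECHO_RATE} --limit-burst ${ECHO_BURST} -j ACCEPT
-A INPUT -i ${WAN_IF} -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j DROP
# Echo requests from other interfaces (LAN side) are unrestricted
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
COMMIT
EOF
}

# Does the generated ruleset ACCEPT a given ICMPv6 type somewhere?
accepts_type() {
  icmpv6_ruleset | grep -q -- "--icmpv6-type $1 .*-j ACCEPT"
}

if [ "${1:-}" = "apply" ]; then
  icmpv6_ruleset | ip6tables-restore
else
  icmpv6_ruleset
fi
```

Echo replies to your own outgoing pings come back through the ESTABLISHED,RELATED rule, so no separate type 129 rule is needed.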

cholzhauer

  • Hero Member
  • Posts: 2744
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #6 on: February 04, 2015, 05:57:14 AM »

Quote
I am only blocking incoming echo request...

You never mentioned that.

Quote
At the same time, I see a lot of IPv6 sites not pingable.

Doesn't mean it's right.

evantkh

  • Full Member
  • Posts: 122
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #7 on: February 04, 2015, 05:59:42 AM »

Quote
Blocking ICMP does nothing for security. Nothing.
Rate limit ICMP if anything.
Someone gets more data about you from you connecting to their services, than them knowing that your host responds to a ping.

The incoming ICMP rate is also limited by default on my router.
Do you mean just blocking incoming echo requests does not cause a problem unless someone tests whether an endpoint is reachable by using ping?

I want to at least hide the IPs used by the machines so they can only be discovered after doing a port scan.
At the same time, most of the incoming traffic is blocked unless I explicitly allow it, like forwarding incoming port 80 to an IP.
« Last Edit: February 04, 2015, 06:02:52 AM by evantkh »

evantkh

  • Full Member
  • Posts: 122
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #8 on: February 04, 2015, 06:00:30 AM »

Quote
I am only blocking incoming echo request...

You never mentioned that.

Quote
At the same time, I see a lot of IPv6 sites not pingable.

Doesn't mean it's right.

I have said that other ICMP error signals are not filtered, including Time Exceeded etc.

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • Posts: 1751
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #9 on: February 04, 2015, 06:23:06 AM »

Quote
I want to at least hide the IPs used by the machines so they can only be discovered after doing a port scan.

And when that port scan of that one /64 finishes in the year 2525, I'm certain that host will have long since stopped responding. Again, this doesn't hide anything. The moment you connect to or through any service, your host is known. Promoting the idea that blocking ICMP is security is false.

evantkh

  • Full Member
  • Posts: 122
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #10 on: February 04, 2015, 07:30:58 AM »

Quote
I want to at least hide the IPs used by the machines so they can only be discovered after doing a port scan.

And when that port scan of that one /64 finishes in the year 2525, I'm certain that host will have long since stopped responding. Again, this doesn't hide anything. The moment you connect to or through any service, your host is known. Promoting the idea that blocking ICMP is security is false.

Then why do ISPs block echo requests in IPv4 networks?

In fact, I am blocking echo requests on the router rather than on the server/computer to prevent inbound ICMP traceroute.

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • Posts: 1751
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #11 on: February 04, 2015, 09:35:00 AM »

Quote
Then why do ISPs block echo requests in IPv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

evantkh

  • Full Member
  • Posts: 122
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #12 on: February 04, 2015, 04:43:01 PM »

Quote
Then why do ISPs block echo requests in IPv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

How do I block outgoing hop limit exceeded with ip6tables? To prevent traceroute.

passport123

  • Newbie
  • Posts: 39
Re: Is blocking incoming IPv6 ping a good idea?
« Reply #13 on: February 05, 2015, 08:58:59 AM »

Quote
Then why do ISPs block echo requests in IPv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

At one point, many years ago (late 1990's?), Windows suffered from the "ping of death" exploit. At that time, IPv4 pings were widely blocked, and I suspect many have just not unblocked them.