Subj : Re: Debugging PING
To   : Paul Hayton
From : Markus Reschke
Date : Tue Sep 22 2015 12:47:30

Hi Paul!

Sep 22 22:05 2015, Paul Hayton wrote to Michiel van der Vlist:

 PH> So it turns out although AICCU adds a rule to the inbound firewall 
 PH> settings in windows called "AICCU: Allow incoming ICMPv6 echo request" 
 PH> it only enables a limited range of ICMP types. I found by setting this 
 PH> to ALL types then the ping replies started to happen.

BTW, if you're interested in a proper ICMPv6 ruleset please have a look at RFC4890. Some types should be limited to specific address ranges and some dropped completely. I don't want to discourage you in your IPv6 endevour but it's a good idea be cautious and a little bit paranoid, because there are security issues in various IPv6 stacks and also some inherent issues in the protocol itself. IPv6 is not less secure then IPv4, but most vendors are not up to date security-wise. Currently it's quite easy to crash or DoS most IPv6 systems. And a $100k firewall doesn't fix that either.

 PH> It also seems each time you run AICCU it adds another copy of this 
 PH> rule exception to the firewall... not good.

For the same destination IPv6 address (range)? <facepalm>

Regards,
Markus

--- 
 * Origin: *** theca tabellaria *** (2:240/1661)

.