Below are two reference translations of the ICMPv6 filtering recommendations of RFC 4890 into access lists for Cisco and Juniper edge routers, for the case where Mobile IPv6 is not used.
Cisco IOS |
JunOS |
RFC4890-compliant ICMP ACLs
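! Egress list for the peering interface (apply with
! "ipv6 traffic-filter ICMPV6-RFC4890-OUT out"). Entries are evaluated
! top-down; the first match wins.
ipv6 access-list ICMPV6-RFC4890-OUT
! Any ICMPv6 sourced from our own end of the point-to-point link (placeholder).
permit icmp local-endpoint-of-point-to-point-peering/128 any
! Echo requests only when sourced from our own prefix (placeholder 2001:LOCAL:NET::/48).
permit icmp 2001:LOCAL:NET::/48 any echo-request
! Echo replies may leave towards anyone who probed us.
permit icmp any any echo-reply
! Error messages RFC 4890 (4.3.1) says must not be dropped: destination
! unreachable (all codes), packet too big, time exceeded code 0 ("hop-limit")
! and parameter problem (codes 1 and 2 required; code 0 is the 4.3.2 case and
! is permitted here too). "reassembly-timeout" is time exceeded code 1 (4.3.2).
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any parameter-problem
! Neighbour Discovery for the router's own link. IOS appends implicit
! "permit icmp any any nd-ns" / "nd-na" entries to every IPv6 ACL, but they
! sit after the explicit "deny icmp any any" below and are never reached, so
! without these two lines the router cannot resolve its peer. ND carries hop
! limit 255 and does not transit, so this opens nothing beyond the local link.
permit icmp any any nd-ns
permit icmp any any nd-na
! All remaining ICMPv6 is dropped. NOTE(review): IOS answers ACL denies with an
! ICMPv6 unreachable (admin prohibited) unless "no ipv6 unreachables" is set on
! the interface; for dropped ICMPv6 errors that conflicts with RFC 4443
! section 2.4 (no error in reply to an error) - confirm the interface setting.
deny icmp any any
! Non-ICMPv6 traffic is not affected by this list.
permit ipv6 any any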
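! Ingress list for the peering interface (apply with
! "ipv6 traffic-filter ICMPV6-RFC4890-IN in"). Entries are evaluated
! top-down; the first match wins.
ipv6 access-list ICMPV6-RFC4890-IN
! Any ICMPv6 sourced from the peer's end of the point-to-point link (placeholder).
permit icmp remote-endpoint-of-point-to-point-peering/128 any
! Echo requests from anywhere are accepted (RFC 4890 4.3.2).
permit icmp any any echo-request
! Echo replies only when addressed to our own prefix (placeholder 2001:LOCAL:NET::/48).
permit icmp any 2001:LOCAL:NET::/48 echo-reply
! Error messages RFC 4890 (4.3.1) says must not be dropped: destination
! unreachable (all codes), packet too big, time exceeded code 0 ("hop-limit")
! and parameter problem (codes 1 and 2 required; code 0 is the 4.3.2 case and
! is permitted here too). "reassembly-timeout" is time exceeded code 1 (4.3.2).
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any parameter-problem
! Neighbour Discovery for the router's own link. IOS appends implicit
! "permit icmp any any nd-ns" / "nd-na" entries to every IPv6 ACL, but they
! sit after the explicit "deny icmp any any" below and are never reached, so
! without these two lines the peer cannot resolve us. ND carries hop limit 255
! and does not transit, so this opens nothing beyond the local link.
permit icmp any any nd-ns
permit icmp any any nd-na
! All remaining ICMPv6 is dropped. NOTE(review): IOS answers ACL denies with an
! ICMPv6 unreachable (admin prohibited) unless "no ipv6 unreachables" is set on
! the interface; for dropped ICMPv6 errors that conflicts with RFC 4443
! section 2.4 (no error in reply to an error) - confirm the interface setting.
deny icmp any any
! Non-ICMPv6 traffic is not affected by this list.
permit ipv6 any any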
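family inet6 {
    /* Egress filter for the peering interface (apply as "output" on the
       interface). Terms are evaluated in order; the first match wins. */
    filter ICMPV6-RFC4890-OUT {
        /* Anything sourced from our own end of the point-to-point link
           (placeholder address). */
        term allow-nren-p2p {
            from {
                source-address {
                    local-endpoint-of-point-to-point-peering/128;
                }
            }
            then accept;
        }
        /* Echo requests only when sourced from our own prefix
           (placeholder 2001:LOCAL:NET::/48). */
        term echo-requests {
            from {
                source-address {
                    2001:LOCAL:NET::/48;
                }
                next-header icmpv6;
                icmp-type echo-request;
            }
            then accept;
        }
        /* Echo replies may leave towards anyone who probed us. */
        term echo-replies {
            from {
                next-header icmpv6;
                icmp-type echo-reply;
            }
            then accept;
        }
        /* RFC 4890 4.3.1: destination unreachable (all codes) must not be
           dropped. */
        term destination-unreachable {
            from {
                next-header icmpv6;
                icmp-type destination-unreachable;
            }
            then accept;
        }
        /* RFC 4890 4.3.1: packet too big must not be dropped (PMTUD). */
        term packet-too-big {
            from {
                next-header icmpv6;
                icmp-type packet-too-big;
            }
            then accept;
        }
        /* RFC 4890 4.3.1: time exceeded code 0 must not be dropped. */
        term time-exceeded-transit {
            from {
                next-header icmpv6;
                icmp-type time-exceeded;
                icmp-code ttl-eq-zero-during-transit;
            }
            then accept;
        }
        /* RFC 4890 4.3.2: time exceeded code 1 should normally be allowed. */
        term time-exceeded-reassembly {
            from {
                next-header icmpv6;
                icmp-type time-exceeded;
                icmp-code ttl-eq-zero-during-reassembly;
            }
            then accept;
        }
        /* RFC 4890 4.3.1 requires codes 1 and 2; code 0 (4.3.2) is allowed
           here too since all codes are matched. */
        term parameter-problem {
            from {
                next-header icmpv6;
                icmp-type parameter-problem;
            }
            then accept;
        }
        /* Neighbour Discovery on the router's own link. An interface filter
           also sees the ND exchanged with the peer, and the catch-all reject
           below would otherwise break peer resolution. ND carries hop limit
           255 and cannot transit, so this opens nothing beyond the local
           link. */
        term neighbor-discovery {
            from {
                next-header icmpv6;
                icmp-type [ neighbor-solicit neighbor-advertisement ];
            }
            then accept;
        }
        /* NOTE(review): "reject" answers each dropped packet with an ICMPv6
           error. For dropped ICMPv6 errors that is at odds with RFC 4443
           section 2.4 (no error in reply to an error); "discard" is the
           usual choice for this term - confirm which was intended. */
        term drop-all-remaining-icmpv6 {
            from {
                next-header icmpv6;
            }
            then reject;
        }
        /* Non-ICMPv6 traffic is not affected by this filter. */
        term permit {
            then accept;
        }
    }
    /* Ingress filter for the peering interface (apply as "input" on the
       interface). Terms are evaluated in order; the first match wins. */
    filter ICMPV6-RFC4890-IN {
        /* Anything sourced from the peer's end of the point-to-point link
           (placeholder address). */
        term allow-nren-p2p {
            from {
                source-address {
                    remote-endpoint-of-point-to-point-peering/128;
                }
            }
            then accept;
        }
        /* Echo requests from anywhere are accepted (RFC 4890 4.3.2). */
        term echo-requests {
            from {
                next-header icmpv6;
                icmp-type echo-request;
            }
            then accept;
        }
        /* Echo replies only when addressed to our own prefix
           (placeholder 2001:LOCAL:NET::/48). */
        term echo-replies {
            from {
                destination-address {
                    2001:LOCAL:NET::/48;
                }
                next-header icmpv6;
                icmp-type echo-reply;
            }
            then accept;
        }
        /* RFC 4890 4.3.1: destination unreachable (all codes) must not be
           dropped. */
        term destination-unreachable {
            from {
                next-header icmpv6;
                icmp-type destination-unreachable;
            }
            then accept;
        }
        /* RFC 4890 4.3.1: packet too big must not be dropped (PMTUD). */
        term packet-too-big {
            from {
                next-header icmpv6;
                icmp-type packet-too-big;
            }
            then accept;
        }
        /* RFC 4890 4.3.1: time exceeded code 0 must not be dropped. */
        term time-exceeded-transit {
            from {
                next-header icmpv6;
                icmp-type time-exceeded;
                icmp-code ttl-eq-zero-during-transit;
            }
            then accept;
        }
        /* RFC 4890 4.3.2: time exceeded code 1 should normally be allowed. */
        term time-exceeded-reassembly {
            from {
                next-header icmpv6;
                icmp-type time-exceeded;
                icmp-code ttl-eq-zero-during-reassembly;
            }
            then accept;
        }
        /* RFC 4890 4.3.1 requires codes 1 and 2; code 0 (4.3.2) is allowed
           here too since all codes are matched. */
        term parameter-problem {
            from {
                next-header icmpv6;
                icmp-type parameter-problem;
            }
            then accept;
        }
        /* Neighbour Discovery on the router's own link. An interface filter
           also sees the ND exchanged with the peer, and the catch-all reject
           below would otherwise stop the peer resolving us. ND carries hop
           limit 255 and cannot transit, so this opens nothing beyond the
           local link. */
        term neighbor-discovery {
            from {
                next-header icmpv6;
                icmp-type [ neighbor-solicit neighbor-advertisement ];
            }
            then accept;
        }
        /* NOTE(review): "reject" answers each dropped packet with an ICMPv6
           error. For dropped ICMPv6 errors that is at odds with RFC 4443
           section 2.4 (no error in reply to an error); "discard" is the
           usual choice for this term - confirm which was intended. */
        term drop-all-remaining-icmpv6 {
            from {
                next-header icmpv6;
            }
            then reject;
        }
        /* Non-ICMPv6 traffic is not affected by this filter. */
        term permit {
            then accept;
        }
    }
}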