
Router IPv6 Address Responds to ICMP on WAN - Security Risk?


JDB

Very Senior Member
Looking for thoughts on if this is really an issue!

I recently enabled IPv6 as my ISP (Sky UK) offer it. It was simple enough: I simply selected Native mode and my clients got addresses and the router a global scope /56 prefix.

The only thing I've found which is a bit disturbing is the router responds to ICMP ping echo-request from the WAN side.

I have the IPv4 firewall set to not respond to ping on WAN, and also have the IPv6 firewall enabled (not that there are any real options for it).

I can't confess to being an IPv6 guru, but I'm thinking at least the option to blackhole WAN pings should be available?

As an aside, I also got dynv6.com working with a custom DDNS script (not that I have any real use for it - yet). I had to add a 'sleep 60' to the top of the ddns-start script though as the IPv6 address allocation takes 20-30 seconds longer than the IPv4, so on reboot I was updating <blank> IPv6 and would have to wait 24hrs for it to show the change (or do it manually).
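
The fixed `sleep 60` workaround described above can be replaced by polling until the router actually holds a publishable address, so that a blank, tentative or local-only value is never sent to the DDNS provider. This is an added example, not part of the original post or the poster's script; it assumes the global address is on `br0` and that `ip -6 -o addr show` is available, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: the global address is
# on br0 and `ip -6 -o addr show` (iproute2 or BusyBox) is available.

# Constructed sample of `ip -6 -o addr show dev br0` output, using the
# 2001:db8::/32 documentation prefix.
SAMPLE='8: br0    inet6 2001:db8:1:1::a/64 scope global tentative dynamic
8: br0    inet6 fd12:3456:789a::1/64 scope global
8: br0    inet6 2001:db8:1:2::b/64 scope global deprecated dynamic
8: br0    inet6 2001:db8:1:3::c/64 scope global dynamic
8: br0    inet6 fe80::1/64 scope link'

# Read `ip -6 -o addr` output on stdin and print the first address worth
# publishing: global unicast (2000::/3), not tentative (duplicate address
# detection still running) and not deprecated. ULA and link-local are skipped.
pick_global_ipv6() {
    awk '$3 == "inet6" && /scope global/ && !/tentative/ && !/deprecated/ {
             split($4, a, "/")
             if (a[1] ~ /^[23][0-9a-f][0-9a-f][0-9a-f]:/) { print a[1]; exit }
         }'
}

# Poll IFACE until a usable address appears or TIMEOUT seconds have passed.
# Prints the address and returns 0; returns 1 on timeout so the caller can
# skip the update instead of sending an empty value.
wait_for_global_ipv6() {
    iface=${1:-br0}
    timeout=${2:-90}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        addr=$(ip -6 -o addr show dev "$iface" 2>/dev/null | pick_global_ipv6)
        if [ -n "$addr" ]; then
            printf '%s\n' "$addr"
            return 0
        fi
        sleep 2
        waited=$((waited + 2))
    done
    return 1
}

# Usage at the top of ddns-start, in place of the fixed `sleep 60`:
#   ipv6=$(wait_for_global_ipv6 br0 90) || exit 1
# Quick check of the selection logic against the constructed sample:
#   printf '%s\n' "$SAMPLE" | pick_global_ipv6     # -> 2001:db8:1:3::c
```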
 

RFCs require that IPv6 clients send proper ICMP replies to ping requests.

Quite frankly, dropping ping requests is worth zero in terms of security.
 
All router manufacturers, with the exception of NETGEAR, respond to ICMPv6 ping requests and thus comply with the RFC. NETGEAR is the only vendor that blocks ICMPv6 in order to "protect its users" LOL (they're idiots violating the RFC)
 
Thanks for clarifying, guys. I did a few external port scans etc. and confirmed it black holes everything else. I was a bit concerned as the IP is assigned to the LAN side br0.

I like blocking ICMP normally on the basis that if you don't respond then any would-be hacker doesn't know you are there to attack, but I guess with IPv6 you rely on your F/W protecting you.


 

Hackers are not so dumb as to only look at whether you respond to ping or not. As RMerlin pointed out, it only provides a false sense of "security".
 
Some routers, like those from TP-Link, have no SPI firewall available on the IPv6 connection, leaving some ports visible from the outside.
 
Would you mind sharing your dynv6.com custom DDNS script? My ISP gives me native IPv6 but I don't know much about scripting.

Edit: never mind, I've read some examples and created a script and it worked! It's really easy.
 
Was just about to post mine, but glad you got it working!
 
