I am doing some testing with control plane filters on lo0 for IPv6.
I am migrating our IPv4 filter to an IPv6 equivalent.
The "Securing the Routing Engine" Day One book is really good for IPv4 but doesn't touch on IPv6. Luckily, most of the items in it still apply to the IPv6 world. My questions are regarding ICMPv6.
1. Why are there two ICMPv6 entries listed on my MX router as choices for next-header type?
MX80# set from next-header ?
  <range>      Range of values
  [            Open a set of values
  ah           IP Security authentication header
  dstopts      IPv6 destination options
  egp          Exterior gateway protocol
  esp          IPSec Encapsulating Security Payload
  fragment     IPv6 fragment header
  gre          Generic routing encapsulation
  hop-by-hop   IPv6 hop-by-hop options
  icmp         Internet Control Message Protocol
  icmp6        Internet Control Message Protocol Version 6   <-----
  icmpv6       Internet Control Message Protocol version 6   <-----
2. When my firewall term is a simple match on ICMPv6 with an accept statement, why do I get the following response from a remote router doing a traceroute to it?
> traceroute inet6 2a02:x:1:1:x:x:x:166
traceroute6 to 2a02:x:1:1:x:x:x:166 (2a02:x:1:1:x:x:x:166) from 2a02:x:1:1:x:x:x:13, 64 hops max, 12 byte packets
1 2a02:x:1:5::1 (2a02:x:1:5::1) 17.311 ms 2a02:x:1:4::1 (2a02:x:1:4::1) 12.459 ms 12.437 ms
2 2a02:x:1:39:: (2a02:x:1:39::) 20.067 ms !P 15.091 ms !P 15.098 ms !P
From my notes I see that the !P response is:
!P  Unrecognized Next Header type encountered. The destination does not implement the layer-4 protocol used. You should retry with ICMPv6 Echo Requests (-I command line option) which MUST be supported by any IPv6 node.
3. I cannot find anywhere on the internet a recommendation for a control plane filter for ICMPv6. Anybody got any recommendations/real-life examples?