Understanding How vGW Series Handles ICMPv6 Protocol Traffic

This topic covers the Internet Control Message Protocol version 6 (ICMPv6) which is integral to IPv6 and fundamental to the proper functioning of IPv6 networks.

It describes the vGW Series default firewall policy protocol group for handling ICMPv6 traffic.

Warning: By default vGW Series allows inbound and outbound ICMPv6 traffic. Juniper Networks strongly recommends that you not override this default policy because of the important role that ICMPv6 plays in establishing and maintaining communication in IPv6 networks.

About ICMPv6

ICMPv6 consists of a large number of messages with diverse functions which, like ICMP messages in IPv4 networks, can be categorized broadly as error messages and information messages.

ICMP for IPv4 is an auxiliary protocol not necessarily required for IPv4 proper functioning. By contrast, ICMPv6 is an essential component in the establishment and maintenance of IPv6 communications. Among the messages it includes are those for address assignment, address resolution, and multicast group management. ICMPv6 error messages and information messages are transported by IPv6 packets in which the IPv6 Next Header value for ICMPv6 is set to 58.

Filtering ICMPv6 Packets

In IPv4 networks, it is common practice for firewalls to drop ICMP Echo Request messages to protect against scanning attacks and to minimize the risk of denial-of-service attacks. Scanning is a less severe concern in IPv6 networks, so it is not necessary to filter IPv6 Echo Requests. In practice, it is important to avoid aggressive filtering of ICMPv6 packets. Because they are fundamental to the proper functioning of IPv6 networks and tunneling, it is essential that ICMPv6 connectivity messages are allowed to pass through the firewall.

vGW Series establishes a default protocol group called DefaultAllow-ICMPv6 that allows traffic from a comprehensive set of ICMPv6 protocols. A default rule for the DefaultAllow-ICMPv6 protocol group is added to the inbound Global policy rule set to allow this inbound traffic. See Figure 62.

Figure 62: Default Global Policy Showing Default ICMPv6 Allow Group


Default Policy Group for Allowing Inbound ICMPv6 Packets

vGW Series provides the predefined DefaultAllow-ICMPv6 protocol group that allows inbound ICMPv6 traffic for all types of packets included in the group. Because ICMPv6 is critical to proper IPv6 functioning, it is important that you allow this traffic. However, if for some reason you wish to block traffic from one or more ICMPv6 protocols that are members of the default protocol group, you can edit the list to exclude them from the allow condition and filter the traffic. See Editing the Default ICMPv6 Protocols Group Members.

Viewing the Default ICMPv6 Protocols Group Members

You can view the list of ICMPv6 protocols that comprise the DefaultAllow-ICMPv6 protocol group on the Settings module Security Settings > Protocols page. See Figure 63.

Figure 63: Protocols Settings ICMPv6 Default Protocol Group


To view the list:

  1. Beside Protocols, select Groups.
  2. Click DefaultAllow-ICMPv6.

    The column on the right side of the Edit protocol group pane shows the group members:

    • icmp6-listener-query

      130. Multicast Listener Query (RFC 2710)

    • icmp6-router-solicitation

      133. Router Solicitation (RFC 4861)

    • icmp6-router-advertisement

      134. Router Advertisement (RFC 2461)

    • icmp6-nd-solicitation

      135. Neighbor Discovery Solicitation (RFC 4861)

    • icmp6-inv-nd-solicitation

      141. Inverse Neighbor Discovery Solicitation Message (RFC 3122)

    • icmp6-cert-path-advertisement

      149. Certification Path Advertisement Message (RFC 3971)

    • icmp6-mcast-router-advertisement

      151. Multicast Router Advertisement (RFC 4286)

    • icmp6-mcast-router-termination

      153. Multicast Router Termination (RFC 4286)

Editing the Default ICMPv6 Protocols Group Members

If you must block traffic on any of the ICMPv6 protocols in the vGW DefaultAllow-ICMPv6 protocol group, you can edit the group from Settings module Security Settings > Protocol page.

To edit the list from the Settings module Security Settings > Protocol page:

  1. Beside Protocols, select Groups.
  2. Click DefaultAllow-ICMPv6.

    The column on the right side of the Edit protocol group pane shows the group members:

    • icmp6-cert-path-advertisement
    • icmp6-inv-nd-solicitation
    • icmp6-listener-query
    • icmp6-mcast-router-advertisement
    • icmp6-mcast-router-termination
    • icmp6-nd-solicitation
    • icmp6-router-advertisement
    • icmp6-router-solicitation
  3. Select the ICMPv6 protocol that you want to remove from the list, thereby blocking its packets, and click the left-facing arrow.

    Repeat this process for each protocol that you want to remove from the list.

  4. Click Save.
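The following Python script is an added example and is not part of the vGW Series product or this documentation. It models what the page describes: an IPv6 packet is recognized as ICMPv6 by Next Header 58, the ICMPv6 type is read from the first byte after the fixed IPv6 header, and the DefaultAllow-ICMPv6 group membership (the eight types listed above) decides whether the group rule allows the packet. Removing a member, as in step 3 of the editing procedure, is modelled as removing that type from the allowed set. Assumptions: ICMPv6 is taken to follow the 40-byte IPv6 header directly (extension headers are not walked), only the one group rule is modelled rather than a full vGW policy, and the sample packets are constructed inline with placeholder addresses and a zero checksum.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

# From the page: ICMPv6 messages are carried in IPv6 packets whose Next Header value is 58.
IPV6_NEXT_HEADER_ICMPV6 = 58

# Members of the DefaultAllow-ICMPv6 protocol group, keyed by ICMPv6 type,
# exactly as listed on the page.
DEFAULT_ALLOW_ICMPV6 = {
    130: "icmp6-listener-query",
    133: "icmp6-router-solicitation",
    134: "icmp6-router-advertisement",
    135: "icmp6-nd-solicitation",
    141: "icmp6-inv-nd-solicitation",
    149: "icmp6-cert-path-advertisement",
    151: "icmp6-mcast-router-advertisement",
    153: "icmp6-mcast-router-termination",
}


@dataclass
class Icmpv6Info:
    icmp_type: int
    icmp_code: int
    category: str                # "error" (type < 128) or "informational" (type >= 128), per RFC 4443
    group_member: Optional[str]  # DefaultAllow-ICMPv6 member name, or None if the type is not in the group


def parse_icmpv6(packet: bytes) -> Optional[Icmpv6Info]:
    """Parse a raw IPv6 packet and return its ICMPv6 type/code, or None if it is not ICMPv6.

    Assumption (simplification): ICMPv6 directly follows the fixed 40-byte IPv6 header;
    IPv6 extension headers are not walked.
    """
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header = struct.unpack("!HB", packet[4:7])
    if next_header != IPV6_NEXT_HEADER_ICMPV6:
        return None
    icmp = packet[40:40 + payload_len]
    if len(icmp) < 4:
        raise ValueError("truncated ICMPv6 header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    category = "error" if icmp_type < 128 else "informational"
    return Icmpv6Info(icmp_type, icmp_code, category, DEFAULT_ALLOW_ICMPV6.get(icmp_type))


def group_decision(packet: bytes, group: FrozenSet[int] = frozenset(DEFAULT_ALLOW_ICMPV6)) -> str:
    """Model the DefaultAllow-ICMPv6 rule: "allow" if the ICMPv6 type is a group member, else "drop".

    Assumption: this models only the protocol-group rule itself, not the rest of a vGW policy.
    """
    info = parse_icmpv6(packet)
    if info is None:
        return "not-icmpv6"
    return "allow" if info.icmp_type in group else "drop"


def remove_from_group(group: FrozenSet[int], *types_to_block: int) -> FrozenSet[int]:
    """Model step 3 of the editing procedure: moving a member out of the group blocks its packets."""
    return group.difference(types_to_block)


def build_icmpv6_packet(icmp_type: int, icmp_code: int = 0, body: bytes = b"") -> bytes:
    """Construct a minimal IPv6 + ICMPv6 packet (constructed test input; ICMPv6 checksum left zero)."""
    icmp = bytes([icmp_type, icmp_code, 0, 0]) + body
    src = bytes(15) + b"\x01"                  # ::1, placeholder source address
    dst = b"\xff\x02" + bytes(13) + b"\x01"    # ff02::1 (all nodes), placeholder destination
    # Version 6, traffic class 0, flow label 0 | payload length | next header 58 | hop limit 255
    header = struct.pack("!IHBB", 0x60000000, len(icmp), IPV6_NEXT_HEADER_ICMPV6, 255) + src + dst
    return header + icmp


if __name__ == "__main__":
    samples = [(135, "Neighbor Solicitation"), (128, "Echo Request"), (1, "Destination Unreachable")]
    for icmp_type, label in samples:
        pkt = build_icmpv6_packet(icmp_type)
        print(f"{label:24s} type={icmp_type:3d} -> {group_decision(pkt)}")
```

Running the script shows why the page warns against aggressive filtering: a Neighbor Solicitation (type 135) is allowed by the group, while an Echo Request (type 128) or a Destination Unreachable error (type 1) is not a member and so falls through to whatever other rules the policy holds. Dropping type 135 from the group, as `remove_from_group` models, would block the address resolution that IPv6 hosts depend on.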
