NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

malacath's avatar
malacath
Aspirant
Apr 29, 2017
Solved

Netgear R7000 IPv6 ICMP Filtered

When going to http://ipv6-test.com/

 

The test only gives my 17/20

 

The reason is that ICMP is filtered which according to that site is a bad thing.

 

I know it is definately the router doing the filtering because I know how to stop windows filtering it and android doesn't filter it by default.

I have looked in the router interface settings and cannot find any setting that will stop ICMPv6 being filtered.

 

Is this website correct?

Is filtering ICMP really a problem?

Will it cause problems when websites start going ipv6 only?

 

I have owned the router a few months now and it would be the perfect router if it wasn't for this website saying ICMP filtering is a problem.

 

 

 

 


  • malacath wrote:

     

    Is this website correct?


    Yes.


    Is filtering ICMP really a problem?

    Will it cause problems when websites start going ipv6 only?


    It can be a problem.  IPv6 relies on something calling PMTUD (Path MTU Discovery) to work.  Blocking ICMPv6 prevents PMTUD from working.  Unfortunately, unblocking ICMPv6 has a downside.  It can expose your devices to a certain kind of DoS attack (atomic fragment attack).  This puts you in a "Damned if you do.  Damned if you don't." situation.  There is work ongoing in the IETF (the standards group for TCP/IP Protocols) to figure out how to fix this.

     

    In the meantime, you may find that things will work even without ICMPv6.  Consider yourself lucky.
     

4 Replies


  • malacath wrote:

     

    Is this website correct?


    Yes.


    Is filtering ICMP really a problem?

    Will it cause problems when websites start going ipv6 only?


    It can be a problem.  IPv6 relies on something calling PMTUD (Path MTU Discovery) to work.  Blocking ICMPv6 prevents PMTUD from working.  Unfortunately, unblocking ICMPv6 has a downside.  It can expose your devices to a certain kind of DoS attack (atomic fragment attack).  This puts you in a "Damned if you do.  Damned if you don't." situation.  There is work ongoing in the IETF (the standards group for TCP/IP Protocols) to figure out how to fix this.

     

    In the meantime, you may find that things will work even without ICMPv6.  Consider yourself lucky.
     

    • malacath's avatar
      malacath
      Aspirant

      Thanks for the info.

       

      Sounds like it's nothing to worry about for now?

      • TheEther's avatar
        TheEther
        Guru

        You may be lucky and everything works.  Or you may find that certain destinations are unreachable.