NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
malacath
Apr 29, 2017Aspirant
Netgear R7000 IPv6 ICMP Filtered
When going to http://ipv6-test.com/
The test only gives my 17/20
The reason is that ICMP is filtered which according to that site is a bad thing.
I know it is definately the router doing the filtering because I know how to stop windows filtering it and android doesn't filter it by default.
I have looked in the router interface settings and cannot find any setting that will stop ICMPv6 being filtered.
Is this website correct?
Is filtering ICMP really a problem?
Will it cause problems when websites start going ipv6 only?
I have owned the router a few months now and it would be the perfect router if it wasn't for this website saying ICMP filtering is a problem.
malacath wrote:Is this website correct?
Yes.
Is filtering ICMP really a problem?
Will it cause problems when websites start going ipv6 only?
It can be a problem. IPv6 relies on something calling PMTUD (Path MTU Discovery) to work. Blocking ICMPv6 prevents PMTUD from working. Unfortunately, unblocking ICMPv6 has a downside. It can expose your devices to a certain kind of DoS attack (atomic fragment attack). This puts you in a "Damned if you do. Damned if you don't." situation. There is work ongoing in the IETF (the standards group for TCP/IP Protocols) to figure out how to fix this.
In the meantime, you may find that things will work even without ICMPv6. Consider yourself lucky.
4 Replies
malacath wrote:Is this website correct?
Yes.
Is filtering ICMP really a problem?
Will it cause problems when websites start going ipv6 only?
It can be a problem. IPv6 relies on something calling PMTUD (Path MTU Discovery) to work. Blocking ICMPv6 prevents PMTUD from working. Unfortunately, unblocking ICMPv6 has a downside. It can expose your devices to a certain kind of DoS attack (atomic fragment attack). This puts you in a "Damned if you do. Damned if you don't." situation. There is work ongoing in the IETF (the standards group for TCP/IP Protocols) to figure out how to fix this.
In the meantime, you may find that things will work even without ICMPv6. Consider yourself lucky.
- malacathAspirant
Thanks for the info.
Sounds like it's nothing to worry about for now?
You may be lucky and everything works. Or you may find that certain destinations are unreachable.