RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 4890, "Recommendations for Filtering ICMPv6 Messages in Firewalls", May 2007

Source of RFC: v6ops (ops)
See Also: RFC 4890 w/ inline errata

Errata ID: 2706
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Phil Whineray
Date Reported: 2011-02-06
Verifier Name: ron bonica
Date Verified: 2011-03-03

Section Appendix B. says:

   if [ "$STATE_ENABLED" -eq "1" ]
   then
     # Allow incoming time exceeded code 0 messages
     # only for existing sessions
     for inner_prefix in $INNER_PREFIXES
     do
       ip6tables -A icmpv6-filter -m state -p icmpv6 \
            -d $inner_prefix \
            --state ESTABLISHED,RELATED --icmpv6-type packet-too-big \
            -j ACCEPT
     done
   else
     # Allow incoming time exceeded code 0 messages
     for inner_prefix in $INNER_PREFIXES
     do
       ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
            --icmpv6-type ttl-zero-during-transit -j ACCEPT
     done
   fi

It should say:

   if [ "$STATE_ENABLED" -eq "1" ]
   then
     # Allow incoming time exceeded code 0 messages
     # only for existing sessions
     for inner_prefix in $INNER_PREFIXES
     do
       ip6tables -A icmpv6-filter -m state -p icmpv6 \
            -d $inner_prefix \
            --state ESTABLISHED,RELATED --icmpv6-type ttl-zero-during-transmit \
            -j ACCEPT
     done
   else
     # Allow incoming time exceeded code 0 messages
     for inner_prefix in $INNER_PREFIXES
     do
       ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
            --icmpv6-type ttl-zero-during-transit -j ACCEPT
     done
   fi

Notes:

Not sure if this is really editorial as it is in the example code, not the main RFC.

In any case, the example incorrectly specifies an icmpv6 type in one code path.

Report New Errata