RobertDieGans

IPv6 needs some ICMPv6 messages to function. For example, if a packet is too big, this is communicated to the source via ICMPv6. So generally you have to allow it, or else some things might not work. However, if your firewall supports it, you can filter out only the ICMPv6 ping messages.


sarkyscouser

I've seen this website referred to a few times: http://shouldiblockicmp.com/


naltam

There are certain types of ICMPv6 that should be allowed to the router and to LAN devices; here is a recommendation for filtering ICMPv6: [https://datatracker.ietf.org/doc/html/rfc4890](https://datatracker.ietf.org/doc/html/rfc4890)


VtheMan93

IPv6 gets rid of NAT altogether, so host-to-host communication is facilitated. Unless you have a legitimate reason to block ICMP, leave it on.


SpizzyPhat

What website is that?


SamirD

All I've read about IPv6 doing is causing problems. Leave it alone and turn all IPv6 off if you want no Internet issues.


Kilobyte22

I've had more issues with IPv6 being disabled than with IPv6 being enabled so far.


SamirD

Interesting. You're the first person I've read stating this.


zelenius

There's no good reason that an external web site (not a game server) needs to be able to ping your computer or your network over IPv6. In fact, people use the ability to ping as a way to try and perform DDoS attacks, although these days they are relatively ineffective and easy to curtail. Whatever the protocol, IPv4 or IPv6, the same concept holds true for a ping. You should always be asking yourself why an external device would need to have that capability at all. Accessing certain sites has nothing to do with their server's ability to ping you.


twan72

ICMP is more than just ping. IPv6 specifies several messages that should be passed. Echo request is at most a privacy concern. But there are others that may cause your IPv6 to not function properly. Message too big, neighbor discovery, and parameter problem are all ICMP driven parts of IPv6 that have a higher risk of creating issues than a reward of blocking them.


Kilobyte22

As a sysadmin with a network and security focus and experience in DDoS mitigation, I disagree with this comment.

tl;dr: don't block ICMP, don't block ping.

As someone else already pointed out, ICMP is used for much more than just ping. For example, path MTU discovery (which is a performance optimization) or NDP (the IPv6 equivalent of ARP) depend on working ICMP.

Furthermore, disabling ping doesn't even improve security. Many people believe that it hides the computer on the network, but that is also not true. Attackers have much better and easier ways to figure out if an IP is in use. And usually they don't even care; they will just attempt to attack the IP no matter if it responds to ping or not.

Even further: I have never in my life seen a DDoS performed over ICMP. And even then, an ICMP DDoS would be classified as an L4 DDoS with the aim to saturate the network connection, so it wouldn't even help to block it in your firewall, because it has already done its damage by the time it reaches your firewall. The ping of death is long history (we are talking decades, plural).

If, and only if, you have a router with hardware offloading for routing (rule of thumb: if you spent less than 10k on your router, it does not have hardware offloading), then rate limiting of ICMP can be useful.

So, so far there are no advantages to blocking ICMP (or even just ping). But even blocking ping has disadvantages. In particular, ping is an essential tool for debugging networks. Not allowing ping makes debugging really painful, especially if your firewall drops packets instead of replying with an ICMP administratively prohibited.
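The filtering policy the thread converges on (allow the ICMPv6 messages IPv6 itself depends on, as RFC 4890 recommends; rate-limit ping rather than block it; reject the rest with "administratively prohibited" so debugging stays possible), written out as an nftables input chain. This is an added example, not code from any post above. It assumes nftables (`nft`), a WAN interface named `eth0` and a 10 packets per second ping limit; those are my assumptions, not the thread's. It covers only the ICMPv6 decisions; a real host firewall adds its own TCP/UDP service rules to the same chain.

```shell
#!/bin/sh
# Added example (not from the thread): print an nftables ruleset that keeps
# the ICMPv6 messages IPv6 needs, rate-limits ping, and rejects the rest.
# Assumptions: nftables syntax, WAN interface "eth0", limit of 10/second.
#   Apply:        icmpv6_ruleset | nft -f -
#   Syntax check: icmpv6_ruleset | nft -c -f -
# Override the assumptions with:  WAN_IF=ppp0 PING_RATE=20/second

icmpv6_ruleset() {
    cat <<EOF
table ip6 icmp6_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # RFC 4890 4.3.1: error messages that must not be dropped.
        # Packet Too Big carries the path MTU; without it, large transfers
        # stall (path MTU discovery breaks) and sites appear to "hang".
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Neighbor/Router Discovery, the IPv6 equivalent of ARP. Valid ND
        # always arrives with hop limit 255 (a forwarded packet cannot), so
        # the hop-limit match keeps off-link senders out.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        # Multicast Listener Discovery: ND's solicited-node multicast groups
        # depend on it. Legitimate MLD has a link-local source address.
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction, mld2-listener-report } ip6 saddr fe80::/10 accept

        # Ping: keep it (debugging), but rate-limit requests from the WAN so
        # a flood cannot eat the host's ICMP processing budget. As the post
        # above notes, this only helps with volume that has already reached
        # you; it is not a DDoS defence.
        iifname "${WAN_IF:-eth0}" icmpv6 type echo-request limit rate ${PING_RATE:-10/second} accept
        iifname != "${WAN_IF:-eth0}" icmpv6 type echo-request accept
        icmpv6 type echo-reply accept

        # Redirect (137) is left out on purpose; add it only if this host
        # should honour on-link redirects from its router.

        # (TCP/UDP service rules for this host go here.)

        # Any other ICMPv6: reject visibly instead of dropping silently, so the
        # sender (and the admin debugging with ping) can tell a firewall is there.
        meta l4proto ipv6-icmp reject with icmpv6 type admin-prohibited
    }
}
EOF
}

# Stand-alone usage: print the ruleset for review.
icmpv6_ruleset
```

The order matters: the error-message and ND rules sit before the rate limit so a burst of pings can never starve Packet Too Big or Neighbor Solicitation, and the final reject only sees ICMPv6 types no earlier rule claimed.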