ICMP in IPv6 does much more than its IPv4 counterpart, and most importantly: 1) L2 address resolution (neighbor discovery), which ARP used to do in IPv4; 2) full network autoconfiguration (global scope addresses, default route(s), DNS resolver), which DHCP used to do in IPv4 (although DHCPv6 is still an option); 3) multicast group management (MLD), which IGMP used to do in IPv4; 4) path MTU discovery (through the 'packet too big' messages this article references). Routers fragment packets exceeding the link MTU in IPv4; in IPv6 they notify the source of the lower MTU instead. Ping, TTL exceeded, destination (host, route or port) unreachable and parameter problem were mostly carried over from IPv4. Blocking 1, 2 (and to some extent 3) on a local network will most likely break IPv6 connectivity entirely, while blocking the others will only break it in subtle, hard-to-debug ways (especially with ECMP and traffic engineering, where multiple routes for a given destination can be used). I've found that explaining this before asking network admins to unblock ICMPv6 filters is a good way to succeed (although it can be hard, I'll give you that). People aren't used to filtering ARP or link-local broadcast in IPv4 (which DHCP uses), so telling them that they need to allow ICMPv6 to let stations merely configure themselves is a bit of a mentality change. At the same time, developers of firewall management tools like ufw understood this problem a while ago and insert a working, good, tried-and-tested ICMPv6 accept list as the first rule, which you can't mess with. Telling people to use ufw is usually much better than teaching them ip[6]tables.
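The four functions the comment lists map onto specific ICMPv6 message types, and a filter that keeps them working also needs the sanity checks the RFCs attach to them (neighbor discovery is only valid with hop limit 255, MLD only with hop limit 1 and a link-local source). The following is an added example, not code from the comment or from ufw: it parses a raw IPv6 packet, pulls out the ICMPv6 type, and returns an accept/drop verdict under a policy built from those categories. The packets it runs on are constructed inline; the checksum is not verified and the policy is an illustration of the reasoning, not any vendor's rule set.

```python
"""Classify ICMPv6 packets as a link firewall policy must, so that neighbor
discovery, autoconfiguration, MLD and path MTU discovery keep working while
unlisted types are dropped. Only the IPv6 base header and the first four
ICMPv6 bytes are inspected; the ICMPv6 checksum is not verified."""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58

# ICMPv6 message types grouped by function (RFC 4443, RFC 4861, RFC 2710/3810).
NEIGHBOR_DISCOVERY = {
    133: "router solicitation",
    134: "router advertisement",
    135: "neighbor solicitation",
    136: "neighbor advertisement",
    137: "redirect",
}
MLD = {
    130: "multicast listener query",
    131: "MLDv1 report",
    132: "MLDv1 done",
    143: "MLDv2 report",
}
ERRORS = {
    1: "destination unreachable",
    2: "packet too big",  # path MTU discovery depends on this one
    3: "time exceeded",
    4: "parameter problem",
}
INFORMATIONAL = {128: "echo request", 129: "echo reply"}


def build_icmpv6(src, dst, hop_limit, icmp_type, code=0, body=b""):
    """Build a minimal IPv6 packet carrying one ICMPv6 message.
    Constructed test input only; the checksum field is left zero."""
    payload = bytes([icmp_type, code, 0, 0]) + body
    header = struct.pack("!IHBB", 6 << 28, len(payload), IPPROTO_ICMPV6, hop_limit)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return header + payload


def parse_ipv6(packet):
    """Return (next_header, hop_limit, src, dst, payload) from a raw IPv6 packet."""
    if len(packet) < 40:
        raise ValueError("short IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return next_header, hop_limit, src, dst, packet[40:40 + payload_len]


def evaluate(packet):
    """Return (verdict, reason) for one packet under the ICMPv6 allow-policy."""
    next_header, hop_limit, src, dst, payload = parse_ipv6(packet)
    if next_header != IPPROTO_ICMPV6:
        return "pass", "not ICMPv6; outside this policy"
    if len(payload) < 4:
        return "drop", "truncated ICMPv6 header"
    icmp_type = payload[0]

    if icmp_type in NEIGHBOR_DISCOVERY:
        name = NEIGHBOR_DISCOVERY[icmp_type]
        # RFC 4861: ND messages carry hop limit 255, which proves no router
        # forwarded them; anything else is off-link or broken.
        if hop_limit != 255:
            return "drop", f"{name} with hop limit {hop_limit}, expected 255"
        # RFC 4861: router advertisements and redirects come from link-local sources.
        if icmp_type in (134, 137) and not src.is_link_local:
            return "drop", f"{name} from non-link-local source {src}"
        return "accept", name
    if icmp_type in MLD:
        name = MLD[icmp_type]
        # RFC 2710/3810: MLD is link-scoped (hop limit 1, link-local or
        # unspecified source while the link-local address is still tentative).
        if hop_limit != 1 or not (src.is_link_local or src.is_unspecified):
            return "drop", f"{name} not link-scoped (hop {hop_limit}, src {src})"
        return "accept", name
    if icmp_type in ERRORS:
        # Error messages legitimately originate from any router on the path.
        return "accept", ERRORS[icmp_type]
    if icmp_type in INFORMATIONAL:
        return "accept", INFORMATIONAL[icmp_type]
    return "drop", f"ICMPv6 type {icmp_type} not in allow-list"


if __name__ == "__main__":
    # Constructed sample traffic: one packet per category plus two bad ones.
    samples = [
        ("RA from link-local router", build_icmpv6("fe80::1", "ff02::1", 255, 134)),
        ("RA with hop limit 64", build_icmpv6("fe80::1", "ff02::1", 64, 134)),
        ("DAD neighbor solicitation", build_icmpv6("::", "ff02::1:ff00:2", 255, 135)),
        ("packet too big from path router", build_icmpv6("2001:db8::1", "2001:db8::2", 64, 2)),
        ("MLDv2 report", build_icmpv6("fe80::1", "ff02::16", 1, 143)),
        ("unknown type 200", build_icmpv6("2001:db8::1", "2001:db8::2", 64, 200)),
    ]
    for label, pkt in samples:
        verdict, reason = evaluate(pkt)
        print(f"{label:<34} {verdict:<7} {reason}")
```

Run it as a script to see the verdicts; the point of the hop-limit and source checks is that they let the filter admit the message types the network cannot live without while still rejecting the off-link copies of them that a blanket "allow ICMPv6" would also let through.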