
> Even things like ICMPv6 - if you just let it through the firewall you could be asking for trouble, but blocking it also causes IPv6 problems. Ugh. Oh, it's simpler than IPv4 they say.

This causes issues on IPv4 as well; the only difference is that a lot of the dirty hacks and workarounds were removed for IPv6 so that people are forced to deploy it properly.



First, ICMPv6 has more features - and can drive network configuration and reconfiguration. I've seen ICMPv6 stuff for things like discovery, address configuration, PMTU, ARP RARP type stuff, maybe some multicast group management? Where is this in ICMPv4?

"forced to deploy it properly" = giant headache. I'm tired of IPv6 folks saying it's a pain in the neck because it's "proper".

With ICMPv4 if you really needed / wanted, you could basically drop ICMPv4 at the firewall edge (with TCP MSS clamping etc). And the attack space with ICMPv4 coming through I don't think was TOO bad.

When folks say they don't need to filter ICMPv6 for things like RS / RA / NS / NA traffic that seems SO SO sketchy to me.
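
An added example, not part of any comment in this thread: a small Python classifier for the ICMPv6 filtering question discussed above, separating Neighbor Discovery (RS / RA / NS / NA, which RFC 4861 makes link-scoped with a required Hop Limit of 255) from the error messages that PMTU discovery depends on. The function names, the `related` flag (standing in for a stateful firewall's judgement that an error belongs to an existing flow) and the echo policy are assumptions of this sketch.

```python
import struct

ICMPV6 = 58  # IPv6 Next Header value for ICMPv6
ND = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ERRORS = {1: "dest-unreachable", 2: "packet-too-big",
          3: "time-exceeded", 4: "parameter-problem"}
ECHO = {128: "echo-request", 129: "echo-reply"}

def parse(packet: bytes):
    """Return (hop_limit, icmp_type) for a plain IPv6+ICMPv6 packet, else None."""
    if len(packet) < 41 or packet[0] >> 4 != 6:
        return None
    next_header, hop_limit = packet[6], packet[7]
    if next_header != ICMPV6:  # extension headers are not walked in this sketch
        return None
    return hop_limit, packet[40]

def verdict(packet: bytes, path: str, related: bool = False) -> str:
    """path: 'forward' (routed through the firewall) or 'input' (on-link, to the box).
    related: assumed flag from connection tracking (hypothetical input)."""
    parsed = parse(packet)
    if parsed is None:
        return "drop"
    hop_limit, icmp_type = parsed
    if icmp_type in ND:
        # RFC 4861: receivers require Hop Limit 255, which a routed packet
        # cannot have, so ND is only ever valid on the local link.
        if path == "input" and hop_limit == 255:
            return "accept"
        return "drop"
    if icmp_type in ERRORS:
        # Packet Too Big (type 2) is needed because IPv6 routers never fragment.
        return "accept" if related else "drop"
    if icmp_type in ECHO:
        # Policy choice of this sketch: echo on-link, or as part of a known flow.
        return "accept" if path == "input" or related else "drop"
    return "drop"

def sample(icmp_type: int, hop_limit: int) -> bytes:
    """Constructed packet: 40-byte IPv6 header (zero addresses) + 8-byte ICMPv6 stub."""
    header = struct.pack("!IHBB", 6 << 28, 8, ICMPV6, hop_limit) + bytes(32)
    return header + bytes([icmp_type, 0]) + bytes(6)
```
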



