[v6ops] [Errata Verified] RFC4890 (3985)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 19 May 2014 14:34 UTC

To: jamesrobertson@live.com, elwynd@dial.pipex.com, mohacsi@niif.hu
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20140519143422.F25E7180016@rfc-editor.org>
Date: Mon, 19 May 2014 07:34:22 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/Mz9VvTYAs10d2p35S3lZgLhOzo8
Cc: v6ops@ietf.org, iesg@ietf.org, rfc-editor@rfc-editor.org
Subject: [v6ops] [Errata Verified] RFC4890 (3985)
Precedence: list

The following errata report has been verified for RFC4890,
"Recommendations for Filtering ICMPv6 Messages in Firewalls". 

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=4890&eid=3985

--------------------------------------
Status: Verified
Type: Technical

Reported by: James Robertson <jamesrobertson@live.com>
Date Reported: 2014-05-13
Verified by: Joel Jaeggli (IESG)

Section: Appendix B

Original Text
-------------
if [ "$STATE_ENABLED" -eq "1" ]
then
  # Allow incoming time exceeded code 0 messages
  # only for existing sessions
  for inner_prefix in $INNER_PREFIXES
  do
    ip6tables -A icmpv6-filter -m state -p icmpv6 \
         -d $inner_prefix \
         --state ESTABLISHED,RELATED --icmpv6-type packet-too-big \
         -j ACCEPT
  done
else
  # Allow incoming time exceeded code 0 messages
  for inner_prefix in $INNER_PREFIXES
  do
    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
         --icmpv6-type ttl-zero-during-transit -j ACCEPT
  done
fi

Corrected Text
--------------
if [ "$STATE_ENABLED" -eq "1" ]
then
  # Allow incoming time exceeded code 0 messages
  # only for existing sessions
  for inner_prefix in $INNER_PREFIXES
  do
    ip6tables -A icmpv6-filter -m state -p icmpv6 \
     -d $inner_prefix \
     --state ESTABLISHED,RELATED --icmpv6-type ttl-zero-during-transit \
     -j ACCEPT
  done
else
  # Allow incoming time exceeded code 0 messages
  for inner_prefix in $INNER_PREFIXES
  do
    ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
         --icmpv6-type ttl-zero-during-transit -j ACCEPT
  done
fi

Notes
-----
RFC 4890 Errata ID 2706 states that icmpv6-type packet-too-big should
state icmpv6-type ttl-zero-during-transmit. This should read
ttl-zero-during-transit.

--------------------------------------
RFC4890 (draft-ietf-v6ops-icmpv6-filtering-recs-03)
--------------------------------------
Title               : Recommendations for Filtering ICMPv6 Messages in Firewalls
Publication Date    : May 2007
Author(s)           : E. Davies, J. Mohacsi
Category            : INFORMATIONAL
Source              : IPv6 Operations
Area                : Operations and Management
Stream              : IETF
Verifying Party     : IESG

[v6ops] [Technical Errata Reported] RFC4890 (3985) RFC Errata System
Re: [v6ops] [Technical Errata Reported] RFC4890 (… Fred Baker (fred)
Re: [v6ops] [Technical Errata Reported] RFC4890 (… joel jaeggli
Re: [v6ops] [Technical Errata Reported] RFC4890 (… Elwyn Davies
Re: [v6ops] [Technical Errata Reported] RFC4890 (… Fred Baker (fred)
Re: [v6ops] [Technical Errata Reported] RFC4890 (… Suresh Krishnan
Re: [v6ops] [Technical Errata Reported] RFC4890 (… Mohacsi Janos
Re: [v6ops] [Technical Errata Reported] RFC4890 (… Fred Baker (fred)
[v6ops] [Errata Verified] RFC4890 (3985) RFC Errata System
Re: [v6ops] [Technical Errata Reported] RFC4890 (… joel jaeggli
Re: [v6ops] [Technical Errata Reported] RFC4890 (… Elwyn Davies
Re: [v6ops] [Technical Errata Reported] RFC4890 (… joel jaeggli