So, we recently got our /48 prefix from our LIR, and started small-scale deploying it in a lab.
What struck me as odd is that sites like http://ipv6-test.com/ insist that you allow incoming ICMP Echo requests. I understand why you should allow ICMPv6 outgoing, but incoming? Even if it's just a ping?
So, my question is: Aside from possible DDoS attacks utilizing ICMP, are there any drawbacks in allowing incoming ICMP echo requests?
I read RFC4890 ( https://www.ietf.org/rfc/rfc4890.txt ) but couldn't find a definite answer there.
"A.5. ICMPv6 Echo Request and Echo Response" suggests that:
"It is not thought that there is a significant risk from scanning attacks on a well-designed IPv6 network (see Section 3.2), and so connectivity checks should be allowed by default."
Is this point still valid, given the RFC is almost 10 years old? Also, the RFC does not differentiate between outgoing and incoming directions.
I always felt the recommendation for v4 was to block ICMP at the gateway, but then again, v6 heavily relies on ICMP.
So, any suggestions?
This first bit is not a direct answer to your question. I just include it here for others that don't realise the importance of ICMPv6.
IPv6 really needs certain ICMP message types to get through. The most important ones are Packet-Too-Big and Parameter-Problem. If you block those then you will get connectivity issues.
Also: the IPv6 equivalent of ARP is neighbour-discovery, which uses ICMP packets as well. The stateless auto configuration is part of neighbour discovery, so also needs ICMP.
In IPv4 there is a misunderstanding that all incoming ICMP should be blocked, and you can get away with that. With IPv6 you really need to allow at least some ICMP. Take a look at https://www.rfc-editor.org/rfc/rfc4890; it contains some really good advice on how to filter ICMP without breaking the protocol.
The answer to your question:
Blocking incoming ICMP echo requests is fine. I personally don't do it because allowing them makes debugging a lot easier, but if you don't want to allow them in you don't have to. The main risk you run if you allow them in is that if someone finds a stable (non-temporary/privacy) address for e.g. your laptop then they can keep pinging it to see when it's switched on. That might be considered a privacy risk. They'll have to find such an address first though, because for outgoing connections it will use its temporary privacy addresses.
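The filtering discussed in this answer, written as an nftables ruleset for a Linux gateway. This is an added example, not part of the original answer: the interface name "wan0" and the rate limit are assumptions, and the broken "drop everything" rule is shown commented out next to the working rules.

```nftables
# Added example. "wan0" (upstream interface) and 5/second are assumed values.
table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies, and ICMPv6 errors tied to flows that inside hosts opened.
        ct state established,related accept

        # Traffic leaving towards the upstream is allowed.
        oifname "wan0" accept

        # Broken setting, kept for contrast: dropping all ICMPv6 also drops
        # Packet-Too-Big, so path MTU discovery fails and connections stall.
        # meta l4proto ipv6-icmp drop

        # Error messages named in the answer, plus the two others that
        # RFC 4890 lists as "must not be dropped".
        icmpv6 type { packet-too-big, parameter-problem,
                      destination-unreachable, time-exceeded } accept

        # Inbound ping to inside hosts is the optional part. Keep this line
        # for easier debugging, or delete it so stable host addresses cannot
        # be polled from outside to see when a machine is switched on.
        iifname "wan0" icmpv6 type echo-request limit rate 5/second accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        icmpv6 type { packet-too-big, parameter-problem } accept

        # Neighbour discovery and stateless autoconfiguration for the gateway
        # itself. Genuine on-link ND packets always carry hop limit 255.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        # Ping to the gateway's own addresses, rate limited.
        icmpv6 type echo-request limit rate 5/second accept
    }
}
```

Neighbour discovery is link-local and never forwarded, which is why it appears only in the input chain; the forward chain is where the choice about inbound echo requests to hosts is made.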