Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given the prevalence of broken PMTU-D alone, is apparently not well-understood in many quarters, heh.
Well, we filter ICMP due to exploits; if no exploits, then we can let the whole of ICMPv6 through. Or is there something terribly dangerous in ICMPv6 already?
I may be dense, networking isn't my primary field (sysadmin), but isn't ICMP there for a good reason? I.e. congestion control? I've always argued vehemently with PCI-DSS and similar auditors that I will not filter /all/ ICMP traffic on the border.
This can bite you in unexpected ways, too. For example, on a Cisco ASA,
if you add a system-level 'icmpv6 permit' line and if this does not
include ND, then you break ND responses to the ASA. This is much unlike
ARP, which is unaffected by 'icmp permit' statements for IPv4. And, the
default with no such lines is to permit all ICMP/ICMPv6 to the ASA. This
seems so obvious in retrospect, but at the time was a bit of a
head-scratcher.
ARP is a separate protocol supporting IPv4 ... For IPv6 ND is done
using ICMPv6 messages. A bit confusing transitioning from IPv4/ARP
for sure.
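To make the ASA point above concrete (ND is just ICMPv6 types 133-137, so an "allow only ping" ICMPv6 policy silently kills address resolution), here is an added example that is not from any post in this thread. It builds a real Neighbor Solicitation and an Echo Request with correct ICMPv6 checksums, then runs both through two filter policies: the IPv4 habit of permitting only echo, and the minimum set a host interface needs per RFC 4890. Addresses, the MAC, the "PING_ONLY" / "MUST_ACCEPT" policy names and the decision to leave Redirect (137) out of the allow list are all this example's own assumptions.

```python
"""Added example: why an ICMPv6 allow list that omits ND breaks IPv6 address resolution."""
import struct
import ipaddress

# ICMPv6 message types (RFC 4443 and RFC 4861).
DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
ROUTER_SOLICIT, ROUTER_ADVERT = 133, 134
NEIGHBOR_SOLICIT, NEIGHBOR_ADVERT, REDIRECT = 135, 136, 137
ND_TYPES = {ROUTER_SOLICIT, ROUTER_ADVERT, NEIGHBOR_SOLICIT, NEIGHBOR_ADVERT, REDIRECT}
IPPROTO_ICMPV6 = 58

# Policy 1 (assumed): the IPv4 habit, "let ping through and drop the rest".
PING_ONLY = {ECHO_REQUEST, ECHO_REPLY}

# Policy 2 (assumed): what an interface must accept so that ND and PMTU
# discovery keep working (RFC 4890 sec. 4.3/4.4). Redirect (137) is
# deliberately left out here; that is this example's choice, not the RFC's.
MUST_ACCEPT = {DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM,
               ECHO_REQUEST, ECHO_REPLY,
               ROUTER_SOLICIT, ROUTER_ADVERT, NEIGHBOR_SOLICIT, NEIGHBOR_ADVERT}


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 sec. 2.3: one's-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, zeros, next header 58) plus the message."""
    pseudo = (src.packed + dst.packed + struct.pack("!I", len(icmp))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def solicited_node(addr):
    """ff02::1:ffXX:XXXX, the group an NS for addr is sent to (RFC 4291 sec. 2.7.1)."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 8 + b"\x00\x01\xff" + addr.packed[-3:])


def build_icmpv6(src, dst, msg_type, code, body):
    """Serialize type/code/checksum/body with the checksum filled in."""
    hdr = struct.pack("!BBH", msg_type, code, 0)
    csum = icmpv6_checksum(src, dst, hdr + body)
    return struct.pack("!BBH", msg_type, code, csum) + body


def build_neighbor_solicit(src, target, src_mac):
    """NS (RFC 4861 sec. 4.3): reserved(4) + target(16) + source link-layer address option."""
    body = b"\x00" * 4 + target.packed + struct.pack("!BB", 1, 1) + src_mac
    return build_icmpv6(src, solicited_node(target), NEIGHBOR_SOLICIT, 0, body)


def build_echo_request(src, dst, ident=1, seq=1, payload=b"constructed"):
    return build_icmpv6(src, dst, ECHO_REQUEST, 0, struct.pack("!HH", ident, seq) + payload)


def filter_decision(policy, src, dst, hop_limit, icmp):
    """Return ('permit'|'drop', reason) for one ICMPv6 message under a policy."""
    if len(icmp) < 4:
        return "drop", "truncated header"
    msg_type, code, csum = struct.unpack("!BBH", icmp[:4])
    if icmpv6_checksum(src, dst, icmp[:2] + b"\x00\x00" + icmp[4:]) != csum:
        return "drop", "bad checksum"
    if msg_type not in policy:
        return "drop", "type %d not permitted" % msg_type
    # ND is link-local by construction: RFC 4861 requires hop limit 255 on
    # receipt, so an ND message that has crossed a router is forged and is dropped
    # even when the type itself is allowed.
    if msg_type in ND_TYPES and hop_limit != 255:
        return "drop", "ND with hop limit %d (forwarded or spoofed)" % hop_limit
    return "permit", "type %d" % msg_type


def demo():
    """Constructed traffic: a host on fe80::1 resolving fe80::2, and pinging it."""
    src = ipaddress.IPv6Address("fe80::1")
    target = ipaddress.IPv6Address("fe80::2")
    mac = bytes.fromhex("02000000aa01")          # assumed locally administered MAC
    ns = build_neighbor_solicit(src, target, mac)
    echo = build_echo_request(src, target)
    results = {"solicited_node": str(solicited_node(target))}
    for name, policy in (("ping_only", PING_ONLY), ("rfc4890", MUST_ACCEPT)):
        results[name] = {
            "ns": filter_decision(policy, src, solicited_node(target), 255, ns)[0],
            "ns_forwarded": filter_decision(policy, src, solicited_node(target), 64, ns)[0],
            "echo": filter_decision(policy, src, target, 64, echo)[0],
        }
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

Under the ping-only policy the echo request is permitted but the Neighbor Solicitation is dropped, which is exactly the "ND stops answering" symptom described for the ASA: the box is reachable in theory but nobody can resolve its link-layer address. Under the RFC 4890 set the NS gets through, yet the same NS with hop limit 64 is still dropped, which is the one ND check worth keeping on any ICMPv6 filter.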