Online IPv6-related information of interest

Example::IPv6:firewall:ruleset

Below you will find an example ruleset for your IPv6 firewall, which you can use as a baseline. The syntax is that of a Cisco IOS-style IPv6 access list. Replace the addresses in angle brackets (taken from the 2001:db8::/32 documentation prefix) with your own IPv6 network addresses. Note that this is a stateless packet filter: the rules that permit inbound TCP and UDP to ports above 1023 exist to let return traffic reach your clients, but they also admit unsolicited connections to those ports, so replace them with stateful inspection (or reflexive/established matching) where your platform supports it.

Inbound ruleset (traffic from the outside towards our network):

remark reject multicast source addresses and site-local multicast destinations
deny ipv6 ff00::/8 any log
deny ipv6 any ff05::/16 log

remark reject site-local (deprecated) and IPv4-compatible addresses
deny ipv6 fec0::/10 any log
deny ipv6 any fec0::/10 log
deny ipv6 ::/96 any log
deny ipv6 any ::/96 log

remark reject 6to4 destination (if not providing 6to4 relays)
deny ipv6 any 2002::/16 log

remark reject external traffic with internal source addr
deny ipv6 2001:db8:60::/44 any log

remark reject unique local addresses, which should be confined to our network
deny ipv6 any fc00::/7 log
deny ipv6 fc00::/7 any log

remark reject type 0 routing header
deny ipv6 any any routing-type 0 log

remark allow incoming connections to specific servers (<replace>)
permit tcp any host <2001:db8:60::80> eq www
permit tcp any host <2001:db8:60::25> eq smtp
permit udp any host <2001:db8:60::53> eq domain

remark allow BGP sessions either way for external BGP peer
permit tcp host <2001:db8:2::1> host <2001:db8:2::2> eq bgp
permit tcp host <2001:db8:2::1> eq bgp host <2001:db8:2::2>

remark allow incoming TCP to non-reserved ports (return traffic to our clients, but also unsolicited connections)
permit tcp any <2001:db8:60::/44> range 1024 65535

remark allow responses to outgoing DNS back to any host
permit udp   any  eq  domain <2001:db8:60::/44>

remark allow IPSec and IKE between North and Remote
permit udp host <2001:db8:2f::2> eq 500 host <2001:db8:6f::2> eq 500
permit esp host <2001:db8:2f::2> host <2001:db8:6f::2>

remark allow UDP to non-reserved ports with destination of our net or global-scope multicast
permit udp  any  <2001:db8:60::/44> gt 1023
permit udp  any  ff0e::/16 gt 1023

remark allow specific ICMP types inbound to global addresses
permit icmp any  <2001:db8:60::/44>   destination-unreachable
permit icmp any  <2001:db8:60::/44>   packet-too-big
permit icmp any  <2001:db8:60::/44>   parameter-problem
permit icmp any  <2001:db8:60::/44>   echo-reply

remark allow ping from our partners at remote site
permit icmp <2001:db8:20::/44>   <2001:db8:60::/44>  echo-request

remark allow ND and MLD ICMP types generally, but not router discovery (RD)
permit icmp  any  any    nd-na
permit icmp  any  any    nd-ns
permit icmp  any  any    mld-query
permit icmp  any  any    mld-reduction

remark allow tunnel traffic only to North and Central routers
permit 41   any  host <2001:db8:6f::2>
permit 41 any host <2001:db8:60::f14b:65a1>

remark reject everything else
deny ipv6 any any log

Outbound ruleset (traffic from our network towards the outside):

remark reject multicast source addresses
deny ipv6 ff00::/8 any log

remark reject site-local (deprecated) and IPv4-compatible addresses
deny ipv6 fec0::/10 any log
deny ipv6 any fec0::/10 log
deny ipv6 ::/96 any log
deny ipv6 any ::/96 log

remark reject unique local addresses, which should not exit our network
deny ipv6 any fc00::/7 log
deny ipv6 fc00::/7 any log

remark reject type 0 routing header
deny ipv6 any any routing-type 0 log

remark allow outbound TCP from specific servers
permit tcp host <2001:db8:60::80> eq www 2000::/3
permit tcp host <2001:db8:60::80> eq 443 2000::/3
permit tcp host <2001:db8:60::25> eq smtp 2000::/3

remark allow outbound TCP from non-reserved ports
permit tcp <2001:db8:60::/44> gt 1023 2000::/3

remark allow BGP sessions either way for our BGP peer
permit tcp host <2001:db8:6f::2> eq bgp host <2001:db8:6f::1>
permit tcp host <2001:db8:6f::2> host <2001:db8:6f::1> eq bgp

remark allow UDP to global unicast addresses and global-scope multicast
permit udp <2001:db8:60::/44> 2000::/3
permit udp <2001:db8:60::/44> ff0e::/16

remark allow specific ICMP messages out to everywhere
permit icmp <2001:db8:60::/44> 2000::/3 packet-too-big
permit icmp <2001:db8:60::/44> 2000::/3 parameter-problem
permit icmp <2001:db8:60::/44> 2000::/3 echo-request

remark allow some ICMP just to our partners at remote site
permit icmp <2001:db8:60::/44> <2001:db8:20::/44> destination-unreachable
permit icmp <2001:db8:60::/44> <2001:db8:20::/44> echo-reply

remark allow tunnels only from North and Central routers
permit 41 host <2001:db8:6f::2> any
permit 41 host <2001:db8:60::f14b:65a1> any

remark deny everything else
deny ipv6 any any log
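Because an access list is evaluated top to bottom with the first match deciding the fate of the packet, it is worth checking the ordering of the bogon denies against the permits before deploying. The following is an added example, not code from the original page: it re-expresses a condensed version of the inbound ruleset (the anti-spoofing and bogon denies plus the unicast TCP/UDP permits) as Python data and runs a few constructed packets through it. ICMP types and the routing-header rule are left out, 2001:db8:60::/44 is the page's "our network", and all addresses in the samples are constructed from the documentation prefix.

```python
"""First-match evaluator for a condensed version of the inbound ruleset above.

Added example, not part of the original page. ICMP types and the routing-header
rule are omitted; 2001:db8:60::/44 is the page's "our network", and every
sample packet below is constructed.
"""
from ipaddress import ip_address, ip_network

OUR_NET = "2001:db8:60::/44"
ANY = "::/0"

# (action, protocol or None for any, source net, source ports,
#  destination net, destination ports); a port range of None matches any port.
RULES = [
    ("deny",   None,  "ff00::/8",  None,     ANY,                   None),  # multicast source
    ("deny",   None,  ANY,         None,     "ff05::/16",           None),  # site-local multicast dst
    ("deny",   None,  "fec0::/10", None,     ANY,                   None),  # site-local (deprecated)
    ("deny",   None,  ANY,         None,     "fec0::/10",           None),
    ("deny",   None,  "::/96",     None,     ANY,                   None),  # IPv4-compatible
    ("deny",   None,  ANY,         None,     "::/96",               None),
    ("deny",   None,  ANY,         None,     "2002::/16",           None),  # 6to4 destination
    ("deny",   None,  OUR_NET,     None,     ANY,                   None),  # spoofed internal source
    ("deny",   None,  "fc00::/7",  None,     ANY,                   None),  # unique local
    ("deny",   None,  ANY,         None,     "fc00::/7",            None),
    ("permit", "tcp", ANY,         None,     "2001:db8:60::80/128", (80, 80)),
    ("permit", "tcp", ANY,         None,     "2001:db8:60::25/128", (25, 25)),
    ("permit", "udp", ANY,         None,     "2001:db8:60::53/128", (53, 53)),
    ("permit", "tcp", ANY,         None,     OUR_NET,               (1024, 65535)),
    ("permit", "udp", ANY,         (53, 53), OUR_NET,               None),  # DNS replies
    ("permit", "udp", ANY,         None,     OUR_NET,               (1024, 65535)),
    ("deny",   None,  ANY,         None,     ANY,                   None),  # explicit final deny
]
COMPILED = [(a, p, ip_network(s), sp, ip_network(d), dp) for a, p, s, sp, d, dp in RULES]


def _port_ok(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def evaluate(proto, src, sport, dst, dport):
    """Return (action, rule index) of the first matching rule, as an IOS ACL would.

    An index of None means nothing matched and the implicit deny applied."""
    s, d = ip_address(src), ip_address(dst)
    for i, (action, r_proto, r_src, r_sp, r_dst, r_dp) in enumerate(COMPILED):
        if r_proto not in (None, proto):
            continue
        if s in r_src and d in r_dst and _port_ok(r_sp, sport) and _port_ok(r_dp, dport):
            return action, i
    return "deny", None


SAMPLES = {  # constructed packets: (proto, src, sport, dst, dport)
    "web to server":        ("tcp", "2001:db8:abcd::1",  51234, "2001:db8:60::80",   80),
    "ssh to server":        ("tcp", "2001:db8:abcd::1",  51234, "2001:db8:60::80",   22),
    "spoofed internal":     ("tcp", "2001:db8:60::99",   51234, "2001:db8:60::80",   80),
    "multicast source":     ("udp", "ff02::1",           5353,  "2001:db8:60::53",   53),
    "dns reply":            ("udp", "2001:db8:feed::53", 53,    "2001:db8:60::1234", 40000),
    "unsolicited tcp 8080": ("tcp", "2001:db8:abcd::1",  51234, "2001:db8:60::1234", 8080),
}


def run_samples():
    """Map each sample packet to the action the ruleset takes on it."""
    return {name: evaluate(*pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, idx = evaluate(*pkt)
        print(f"{name:22s} -> {action:6s} (rule {idx})")
```

The last sample is the one to look at: a SYN from anywhere to port 8080 on an internal host is permitted by the "non-reserved ports" rule, which is exactly the price of a stateless filter and the reason to swap that rule for stateful inspection where possible.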

Business:reasons:to:deploy:IPv6::now

Why should organizations start planning and deploying IPv6 connectivity now?
Let's collaborate on that and help them. Send me your arguments!
(arguments listed in no particular order)

  • [LIMITED DAMAGE]
    “Reputation impact will be low to none when the service offering over IPv6 is not flawless, due to the currently limited IPv6-connected customer community. This will not be the case in the near future when the mass is IPv6 connected, so take the chance while you still can.” (Ferry)
  • [PREVENT DIVESTMENT]
    “Adoption and transition to IPv6 will likely happen in the near future (less than 5 years), which means that new equipment requires support for IPv6. You will be able to transition in an economically attractive way, if there is a plan.” (Ferry)
  • [PRESERVE MARKETING STATISTICS]
    “Customers will move to IPv6 by themselves or through ISP transition. Marketing statistics will be impacted or become useless when staying on IPv4. Statistics will list for example thousands of IPv6 users as a single IPv4 user, due to IPv6-to-IPv4 address translation. A single IPv6 user will become untraceable.” (Ferry)
  • [MODERN IMAGE]
    “Being able to adapt to modern technology will improve your image and will have a positive effect on attracting customers and employees, leaving the competition behind.” (Ferry)
  • [RACE AWARENESS]
    “Organizations should prepare themselves for the IPv6 transition rather than ignoring it due to a lack of knowledge. That way they find out what infrastructure and application changes are needed to assure service delivery to their customers.” (Ferry)

IPv6:Privacy:extension:demands::Identity:based:firewalling

With SLAAC, a host that builds its interface identifier from its MAC address (the modified EUI-64 format) embeds that MAC into its IPv6 address. When you connect to the world you are handing out something that can be traced back to you (or at least to a piece of hardware you own), and the same identifier follows the host onto every network it visits. RFC 3041 was created to address this privacy issue with temporary, randomised interface identifiers; it has since been obsoleted by RFC 4941, which in turn was obsoleted by RFC 8981. The flip side is that a host using temporary addresses changes address regularly, so firewall rules and log correlation keyed on the IPv6 address no longer identify the host, which is where identity-based rather than address-based firewalling comes in.

Read more in the IPcalypse article on how to enable this on Ubuntu (which will probably work on other Linux flavours as well).
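To make concrete what an EUI-64 interface identifier gives away, here is an added example (not code from this page or from the IPcalypse article) that recovers the MAC address from a SLAAC address and, the other way round, builds the address a given MAC would produce on a /64 prefix. The prefix 2001:db8:60::/64 and the MAC 00:1e:c9:12:34:56 are constructed values. On Linux the privacy extensions are enabled with the sysctl net.ipv6.conf.all.use_tempaddr = 2 (and the same key under default); a temporary address produced that way carries no ff:fe marker and the decoder below correctly returns nothing for it.

```python
"""Decode and build modified-EUI-64 (SLAAC) interface identifiers.

Added example, not from the page or the IPcalypse article. The prefix and MAC
used below are constructed; the ff:fe marker and the universal/local bit flip
are the real EUI-64 construction rules.
"""
from ipaddress import IPv6Address


def eui64_to_mac(addr: str):
    """Return the MAC hidden in an EUI-64 address, or None if the low 64 bits
    do not carry the ff:fe marker (a temporary or otherwise random identifier)."""
    iid = IPv6Address(addr).packed[8:]        # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                     # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def mac_to_eui64_address(prefix: str, mac: str) -> str:
    """Build the SLAAC address a host with this MAC forms on a /64 prefix."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    net = IPv6Address(prefix).packed[:8]      # keep only the /64 prefix part
    return str(IPv6Address(net + iid))


if __name__ == "__main__":
    # constructed values: the documentation prefix and a made-up MAC
    slaac = mac_to_eui64_address("2001:db8:60::", "00:1e:c9:12:34:56")
    print(slaac, "->", eui64_to_mac(slaac))
    # a random (temporary-style) identifier decodes to nothing
    print(eui64_to_mac("2001:db8:60:0:8d4c:5a2b:9f10:77e3"))
```

Run the decoder over your own firewall or web-server logs: every address it decodes is a client that has not enabled the privacy extensions and is announcing a stable hardware identifier to every site it visits.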

Security:challenges:deploying:IPv6

The migration to IPv6 services is inevitable as the IPv4 address space is almost exhausted. IPv6 is not backwards compatible with IPv4, which means organizations will have to change their network infrastructure and systems to deploy IPv6. Organizations should begin now to understand the risks of deploying IPv6, as well as strategies to mitigate such risks. Detailed planning will enable an organization to navigate the process smoothly and securely.

Organizations will most likely face security challenges throughout the deployment process, including:

  • An attacker community that most likely has more experience and comfort with IPv6 than an organization in the early stages of deployment
  • Difficulty in detecting unknown or unauthorized IPv6 assets on existing IPv4 production networks
  • Added complexity while operating IPv4 and IPv6 in parallel
  • Lack of IPv6 maturity in security products when compared to IPv4 capabilities
  • Proliferation of transition-driven IPv6 (or IPv4) tunnels, which complicate defenses at network boundaries even if properly authorized, and can completely circumvent those defenses if unauthorized (e.g. host-based tunnels initiated by end users)
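The last two challenges above, spotting unauthorized IPv6 assets and transition tunnels on a network that is supposedly IPv4-only, are the ones an operations team can start on with the data it already has. The following is an added example, not part of the original page: a small detector over IPv4 flow records that flags the well-known tunnel markers, namely IP protocol 41 (IPv6 carried directly in IPv4 by 6in4, 6to4 and ISATAP), UDP port 3544 (Teredo) and traffic to the 6to4 relay anycast prefix 192.88.99.0/24 (deprecated since RFC 7526, but still seen). The flow records and the list of authorized tunnel endpoints are constructed; in the page's scenario the North and Central routers would be the authorized endpoints.

```python
"""Flag IPv6 transition tunnels in IPv4 flow records.

Added example, not part of the original page. The flow records are constructed;
only the tunnel markers are real: IP protocol 41 (6in4/6to4/ISATAP), UDP port
3544 (Teredo) and the 6to4 relay anycast prefix 192.88.99.0/24.
"""
from ipaddress import ip_address, ip_network

SIXTO4_RELAY_ANYCAST = ip_network("192.88.99.0/24")
TEREDO_PORT = 3544
IPV6_IN_IPV4 = 41
UDP = 17


def classify(flow):
    """Return the tunnel type suggested by one flow record, or None."""
    proto = flow["proto"]
    dst = ip_address(flow["dst"])
    if proto == IPV6_IN_IPV4:
        if dst in SIXTO4_RELAY_ANYCAST:
            return "6to4 (to public relay)"
        return "6in4/6to4/ISATAP (protocol 41)"
    if proto == UDP and TEREDO_PORT in (flow["sport"], flow["dport"]):
        return "Teredo (UDP 3544)"
    return None


def find_tunnels(flows, authorized_endpoints=()):
    """Return (flow, label) pairs for tunnel-looking flows whose endpoints are
    not on the authorized list, i.e. candidates for host-initiated tunnels."""
    allowed = {ip_address(a) for a in authorized_endpoints}
    hits = []
    for f in flows:
        label = classify(f)
        if label is None:
            continue
        if ip_address(f["src"]) in allowed or ip_address(f["dst"]) in allowed:
            continue
        hits.append((f, label))
    return hits


FLOWS = [  # constructed sample records (src, dst, protocol, ports)
    {"src": "10.1.2.3",  "dst": "192.88.99.1",  "proto": 41, "sport": 0,     "dport": 0},
    {"src": "10.1.2.7",  "dst": "203.0.113.10", "proto": 41, "sport": 0,     "dport": 0},
    {"src": "10.1.2.9",  "dst": "198.51.100.5", "proto": 17, "sport": 55123, "dport": 3544},
    {"src": "10.1.2.9",  "dst": "198.51.100.5", "proto": 17, "sport": 55124, "dport": 53},
    {"src": "10.1.2.11", "dst": "203.0.113.20", "proto": 6,  "sport": 44000, "dport": 443},
    {"src": "10.0.0.1",  "dst": "203.0.113.10", "proto": 41, "sport": 0,     "dport": 0},
]
AUTHORIZED_TUNNEL_ROUTERS = ["10.0.0.1"]  # constructed: the sanctioned tunnel endpoint


if __name__ == "__main__":
    for flow, label in find_tunnels(FLOWS, AUTHORIZED_TUNNEL_ROUTERS):
        print(f"{flow['src']:>12} -> {flow['dst']:<14} {label}")
```

Feeding the same logic with NetFlow or firewall logs turns the abstract "unauthorized tunnels circumvent the boundary" into a short list of hosts to go and look at; the authorized list keeps the sanctioned tunnel routers out of the report.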

Free:Usenet:download

Once you are connected over IPv6, you can benefit from the free Usenet service from XS News.
After you have created an account, you can start downloading from the server reader.ipv6.xsnews.nl with 10 concurrent connections.

Have fun

IPv6:hall:of:fame

Get your environment up and running, and after that get into the hall of fame.

This can be done at www.ip6.nl, where realizing the “IPv6-only DNS” got me puzzled.