Collection of documents

Comparison:IPv4:versus:IPv6

(Embedded slide deck: IPv4 versus IPv6)

Example::IPv6:firewall:ruleset

Below you will find an example ruleset for your IPv6 firewall, written in Cisco IOS-style IPv6 access-list syntax, which you can use as a baseline. It consists of two lists: the first is applied inbound on the Internet-facing interface (traffic from outside toward our network, 2001:db8:60::/44), the second outbound (traffic from our network toward the Internet). Entries are evaluated top to bottom, the first match wins, and every list ends in an implicit deny, so the order matters. Replace the <2001:db8...> placeholders with your own IPv6 addresses; 2001:db8::/32 is the documentation prefix and must never appear in a production configuration.

Inbound list (applied to traffic arriving from the Internet on the border interface):

remark reject multicast source addresses (all of ff00::/8) and site-local-scope multicast destinations (ff15::/16 and ff35::/16 are the transient-flag variants)
deny ipv6 ff00::/8 any log
deny ipv6 any ff05::/16 log

remark reject deprecated site-local (fec0::/10) and IPv4-compatible (::/96) addresses
deny ipv6 fec0::/10 any log
deny ipv6 any fec0::/10 log
deny ipv6 ::/96 any log
deny ipv6 any ::/96 log

remark reject 6to4 destinations (if not providing 6to4 relays)
deny ipv6 any 2002::/16 log

remark reject external traffic carrying one of our own addresses as source (anti-spoofing)
deny ipv6 2001:db8:60::/44 any log

remark reject unique local addresses (fc00::/10), which must never cross our border
deny ipv6 any fc00::/10 log
deny ipv6 fc00::/10 any log

remark reject the deprecated type 0 routing header (RFC 5095)
deny ipv6 any any routing-type 0 log

remark allow incoming connections to specific servers (<replace>)
permit tcp any host <2001:db8:60::80> eq www
permit tcp any host <2001:db8:60::25> eq smtp
permit udp any host <2001:db8:60::53> eq domain

remark allow BGP sessions either way for external BGP peer
permit tcp host <2001:db8:2::1> host <2001:db8:2::2> eq bgp
permit tcp host <2001:db8:2::1> eq bgp host <2001:db8:2::2>

remark allow incoming TCP on non-reserved ports

permit tcp any <2001:db8:60::/44> range 1024 65535

remark allow responses to outgoing DNS back to any host
permit udp   any  eq  domain <2001:db8:60::/44>

remark allow IPSec and IKE between North and Remote
permit udp host <2001:db8:2f::2> eq 500 host <2001:db8:6f::2> eq 500
permit esp host <2001:db8:2f::2> host <2001:db8:6f::2>

remark allow UDP to non-reserved ports with destination of our net or global-scope multicast (ff0e::/16; ff1e::/16 and ff3e::/16 are the transient-flag variants)
permit udp  any  <2001:db8:60::/44> gt 1023
permit udp  any  ff0e::/16 gt 1023

remark allow specific ICMP types inbound to global addresses (the error messages keep PMTU discovery and traceroute working)
permit icmp any  <2001:db8:60::/44>   destination-unreachable
permit icmp any  <2001:db8:60::/44>   packet-too-big
permit icmp any  <2001:db8:60::/44>   time-exceeded
permit icmp any  <2001:db8:60::/44>   parameter-problem
permit icmp any  <2001:db8:60::/44>   echo-reply

remark allow ping from our partners at remote site
permit icmp <2001:db8:20::/44>   <2001:db8:60::/44>  echo-request

remark allow ND and MLD ICMP types generally, but not redirects (type 137)
permit icmp  any  any    nd-na
permit icmp  any  any    nd-ns
permit icmp  any  any    mld-query
permit icmp  any  any    mld-report
permit icmp  any  any    mld-reduction

remark allow IPv6-in-IPv6 tunnel traffic (next header 41) only to the North and Central routers; 6in4/6to4 tunnels carried over IPv4 are filtered by the IPv4 ACL instead
permit 41   any  host <2001:db8:6f::2>
permit 41 any host <2001:db8:60::f14b:65a1>

remark reject everything else
deny ipv6 any any log

Outbound list (applied to traffic leaving toward the Internet):

remark reject multicast source addresses (all of ff00::/8)
deny ipv6 ff00::/8 any log

remark reject deprecated site-local (fec0::/10) and IPv4-compatible (::/96) addresses
deny ipv6 fec0::/10 any log
deny ipv6 any fec0::/10 log
deny ipv6 ::/96 any log
deny ipv6 any ::/96 log

remark reject unique local addresses (fc00::/10), which must not leave our network
deny ipv6 any fc00::/10 log
deny ipv6 fc00::/10 any log

remark reject type 0 routing header
deny ipv6 any any routing-type 0 log

remark allow outbound TCP from specific servers
permit tcp host <2001:db8:60::80> eq www 2000::/3
permit tcp host <2001:db8:60::80> eq 443 2000::/3
permit tcp host <2001:db8:60::25> eq smtp 2000::/3

remark allow outbound TCP from non-reserved ports
permit tcp <2001:db8:60::/44> gt 1023 2000::/3

remark allow BGP sessions either way for our BGP peer
permit tcp host <2001:db8:6f::2> eq bgp host <2001:db8:6f::1>
permit tcp host <2001:db8:6f::2> host <2001:db8:6f::1> eq bgp

remark allow UDP to global unicast addresses and global-scope multicast (ff0e::/16)
permit udp <2001:db8:60::/44> 2000::/3
permit udp <2001:db8:60::/44> ff0e::/16

remark allow specific ICMP messages out to everywhere
permit icmp <2001:db8:60::/44> 2000::/3 packet-too-big
permit icmp <2001:db8:60::/44> 2000::/3 parameter-problem
permit icmp <2001:db8:60::/44> 2000::/3 echo-request

remark allow some ICMP just to our partners at remote site
permit icmp <2001:db8:60::/44> <2001:db8:20::/44> destination-unreachable
permit icmp <2001:db8:60::/44> <2001:db8:20::/44> echo-reply

remark allow IPv6-in-IPv6 tunnels (next header 41) only from the North and Central routers
permit 41 host <2001:db8:6f::2> any
permit 41 host <2001:db8:60::f14b:65a1> any

remark deny everything else
deny ipv6 any any log

A few caveats before using these lists as they stand. They are stateless: the "non-reserved ports" permits (inbound TCP 1024-65535 and UDP above 1023) are there so that replies to connections our hosts opened can get back in, but they equally admit unsolicited traffic to every high port inside. On IOS the established keyword for TCP or an IPv6 reflexive ACL (reflect/evaluate), where the platform supports them, narrows that, and a stateful firewall in front of or instead of the ACL is better still. The ICMPv6 permits are not optional: IPv6 routers do not fragment, so if packet-too-big is dropped inbound, path MTU discovery fails and large transfers hang silently. Outbound time-exceeded is deliberately not permitted to everywhere, which hides the site from inbound traceroute at the cost of strict RFC 4890 compliance. Egress filtering is implicit in the outbound list, because every permit there is bound to our own prefix or routers and the list ends in a deny. Finally, 2001:db8::/32 is the documentation prefix; the placeholders must become your own allocation.

Cisco::Lack:of:IPv6:training:biggest:threat

Cisco writes that the lack of IPv6 training for network and security staff is probably the biggest threat to operations in 2011–2012.

Read all about it in the document “IPv6 Security Brief“.

IPv6:transitioning:perspectives

What options do you have when you want to transition to IPv6?
Besides native IPv6, if your ISP is able to deliver it, it is possible to get connected through an intermediate (transition) mechanism.

Read about it in “Geoff Huston’s story“.

IPv6:tcpip::Pocket:Reference:Guide

With the introduction of the IPv6 protocol we face not only a new, extended addressing scheme but also a new layout of the IP packet. Compared to IPv4, the base header is simplified: a fixed 40-byte header with eight fields (no header checksum, no fragmentation fields, no variable-length options), while everything optional moves into a chain of extension headers announced by the Next Header field. That chain is what a firewall has to walk to find the transport protocol it is supposed to filter on.

This little “IPv6 tcpip Pocket Reference Guide” will help you understand the differences and composition.
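An added example (not taken from the pocket reference guide) of what "walking the header chain" means in code: parse the fixed header, follow Next Header through the extension headers a filter must step over, and flag the deprecated Type 0 Routing Header that the firewall ruleset above rejects. The two sample packets are assembled in the script itself from documentation-prefix addresses; nothing is captured.

```python
"""Walk an IPv6 fixed header and its extension-header chain.

Added example, not taken from the pocket reference guide: it shows what a
filter has to do to find the transport protocol behind the 40-byte fixed
header, and flags a Type 0 Routing Header on the way.  The packets built
in sample_*() are constructed by hand (2001:db8::/32 documentation prefix).
"""
import ipaddress
import struct

# Extension headers a filter must step over; ESP (50) and upper-layer
# protocols end the walk.  Numbers per RFC 8200 and RFC 4302.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment",
               51: "AH", 60: "destination-options"}
ROUTING, FRAGMENT, AH = 43, 44, 51


def parse_ipv6(packet: bytes) -> dict:
    """Return fixed-header fields, the extension chain and the final next header."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        "ext_chain": [],
        "rh0": False,          # deprecated Type 0 routing header seen?
        "upper_layer": None,   # protocol number after the last extension header
    }
    offset, nh = 40, next_hdr
    while nh in EXT_HEADERS:
        if offset + 8 > len(packet):         # every extension header is at least 8 bytes
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:                   # fixed 8 bytes, no length field
            ext_len = 8
        elif nh == AH:                       # length in 32-bit words, minus 2
            ext_len = (packet[offset + 1] + 2) * 4
        else:                                # length in 8-byte units, excluding the first 8
            ext_len = (packet[offset + 1] + 1) * 8
        if nh == ROUTING and packet[offset + 2] == 0:
            info["rh0"] = True               # RFC 5095: filters should drop this
        info["ext_chain"].append(EXT_HEADERS[nh])
        nh = packet[offset]                  # every extension header starts with Next Header
        offset += ext_len
    info["upper_layer"] = nh
    return info


def build_ipv6(src, dst, next_hdr, payload, hop_limit=64):
    """Assemble a packet with version 6, zero traffic class and flow label."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


# Hop-by-hop header: Next Header 43, Hdr Ext Len 0, one PadN option (4 bytes).
HOP_BY_HOP = bytes([43, 0, 1, 4, 0, 0, 0, 0])
# Type 0 routing header with one intermediate address: NH 6 (TCP), Hdr Ext Len 2,
# Routing Type 0, Segments Left 1, 4 reserved bytes, then the address.
RH0 = bytes([6, 2, 0, 1, 0, 0, 0, 0]) + ipaddress.IPv6Address("2001:db8:60::f14b:65a1").packed
TCP_STUB = bytes(20)   # stand-in for a minimal TCP header


def sample_plain():
    return parse_ipv6(build_ipv6("2001:db8:20::1", "2001:db8:60::80", 6, TCP_STUB))


def sample_rh0():
    return parse_ipv6(build_ipv6("2001:db8:20::1", "2001:db8:60::80", 0,
                                 HOP_BY_HOP + RH0 + TCP_STUB))


if __name__ == "__main__":
    for name, pkt in (("plain", sample_plain()), ("rh0", sample_rh0())):
        print(name, pkt["ext_chain"], "rh0=%s upper=%d" % (pkt["rh0"], pkt["upper_layer"]))
```

The filter-relevant point: a rule that says "TCP port 80" cannot be applied by looking at byte 6 of the fixed header, because Next Header there may be a hop-by-hop or routing header rather than TCP. A packet carrying a fragment header with a non-zero offset does not contain the transport header at all, which is why middleboxes that cannot reassemble often drop such fragments.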

ICMP6:Recommended:Filtering

In IPv6 most of the control-plane signalling (neighbor discovery, router discovery, multicast listener discovery, path MTU discovery) is carried by ICMPv6, whereas IPv4 spread these functions over ARP, IGMP, ICMP and DHCP. Therefore ICMPv6 filtering must be configured carefully, to guarantee a smoothly functioning network: over-blocking breaks address configuration and path MTU discovery, under-blocking exposes the hosts behind the firewall.

The recommendations for ICMPv6 firewall filtering are based on RFC 4890. These recommendations allow propagation of ICMPv6 messages needed to maintain functionality of the network but drop messages posing potential security risks. Many ICMPv6 messages should only be used in a link-local context, rather than end-to-end, and filters need to be concerned with the types of addresses in ICMPv6 packets as well as the specific source address, destination addresses, and ICMPv6 Type. RFC 4890 classifies ICMPv6 messages according to whether they are designed for end-to-end communications (traffic to transit a firewall) or local communications within a link (local traffic addressed to an interface on a firewall). All experimental and undefined ICMPv6 messages should be dropped. ACLs should permit only those ICMPv6 messages that are required, based on specific local needs and policies; all others should be dropped.

 

                                                  | Must not drop     | Should not drop
Message (Type)                                    | Transit | Local   | Transit | Local
--------------------------------------------------+---------+---------+---------+---------
Maintenance of communication: allow non-local when associated with allowed connections
Destination Unreachable (1) - all codes           |    X    |    X    |         |
Packet Too Big (2)                                |    X    |    X    |         |
Time Exceeded (3) - code 0 only                   |    X    |    X    |         |
Parameter Problem (4) - codes 1 and 2 only        |    X    |    X    |         |
Connectivity checking: allow/disallow non-local based on topology/information concealment policy
Echo Request (128)                                |    X    |    X    |         |
Echo Response (129)                               |    X    |    X    |         |
Address configuration and router selection: allow in link-local only
Router Solicitation (133)                         |         |    X    |         |
Router Advertisement (134)                        |         |    X    |         |
Neighbor Solicitation (135)                       |         |    X    |         |
Neighbor Advertisement (136)                      |         |    X    |         |
Inverse Neighbor Discovery Solicitation (141)     |         |    X    |         |
Inverse Neighbor Discovery Advertisement (142)    |         |    X    |         |
Link-local multicast receiver notification: allow in link-local only
Listener Query (130)                              |         |    X    |         |
Listener Report (131)                             |         |    X    |         |
Listener Done (132)                               |         |    X    |         |
Listener Report v2 (143)                          |         |    X    |         |
SEND certification path notification: allow in link-local traffic only
Certification Path Solicitation (148)             |         |    X    |         |
Certification Path Advertisement (149)            |         |    X    |         |
Multicast router discovery: allow in link-local traffic only
Multicast Router Advertisement (151)              |         |    X    |         |
Multicast Router Solicitation (152)               |         |    X    |         |
Multicast Router Termination (153)                |         |    X    |         |
Error messages: allow non-local when associated with allowed connections
Time Exceeded (3) - code 1                        |         |         |    X    |    X
Parameter Problem (4) - code 0                    |         |         |    X    |    X
Mobile IPv6: allow non-local for predefined endpoints
Home Agent Address Discovery Request (144)        |         |         |    X    |
Home Agent Address Discovery Reply (145)          |         |         |    X    |
Mobile Prefix Solicitation (146)                  |         |         |    X    |
Mobile Prefix Advertisement (147)                 |         |         |    X    |

"Transit" is traffic forwarded through the firewall; "Local" is traffic addressed to or sent from one of the firewall's own interfaces. Anything not listed (including experimental types 100, 101, 200 and 201) is dropped.

Source: Guidelines for the Secure Deployment of IPv6 (NIST SP 800-119)
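As an added example (not taken from the NIST guideline or from RFC 4890), the table turned into a decision function in Python, extended with the address and hop-limit checks the text calls for but a type/code table cannot express: Neighbor Discovery messages must arrive with hop limit 255 (RFC 4861, which is how a receiver knows they were not forwarded), Router Advertisements must come from a link-local source, and MLD / Multicast Router Discovery messages must have a link-local (or unspecified) source, hop limit 1 and a multicast destination. Redirect (137) is not in the table and is dropped here, matching the firewall ruleset above; the echo policy is a parameter because the table leaves it to local policy. All sample messages are constructed.

```python
"""ICMPv6 filtering decision built from the RFC 4890 table above.
Added example, not part of the original page or of NIST SP 800-119.  It keys on
type/code and on whether the message transits the firewall or is local to one of
its links, and adds the address checks the text asks for: Neighbor Discovery must
arrive with hop limit 255 (RFC 4861) and MLD/MRD with a link-local source, hop
limit 1 and a multicast destination.  Redirect (137) is not in the table and is
dropped, matching the ruleset above.  All sample messages are constructed."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
# type -> allowed codes (None = all codes), one dict per column of the table
TRANSIT_MUST = {1: None, 2: None, 3: {0}, 4: {1, 2}, 128: None, 129: None}
TRANSIT_SHOULD = {3: {1}, 4: {0}, 144: None, 145: None, 146: None, 147: None}
LOCAL_MUST = {**TRANSIT_MUST, **{t: None for t in (133, 134, 135, 136, 141, 142, 130, 131,
                                                    132, 143, 148, 149, 151, 152, 153)}}
LOCAL_SHOULD = {3: {1}, 4: {0}}
ND_TYPES = {133, 134, 135, 136, 141, 142, 148, 149}    # Neighbor Discovery and SEND
MLD_TYPES = {130, 131, 132, 143, 151, 152, 153}         # MLD and Multicast Router Discovery
EXPERIMENTAL = {100, 101, 200, 201}
KNOWN = set(TRANSIT_MUST) | set(TRANSIT_SHOULD) | set(LOCAL_MUST) | set(LOCAL_SHOULD)


def _listed(table, msg_type, code):
    return msg_type in table and (table[msg_type] is None or code in table[msg_type])


def decide(msg_type, code, src, dst, hop_limit, transit, allow_echo=True):
    """Return (permit, reason) for one ICMPv6 message.

    transit: True if the message would be forwarded through the firewall,
    False if it is addressed to or sent from a firewall interface.
    allow_echo: the site's topology/information-concealment choice for 128/129."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if s.is_multicast:
        return False, "multicast source address"
    if msg_type in EXPERIMENTAL or msg_type not in KNOWN:
        return False, "experimental or undefined type"
    if msg_type in (128, 129) and not allow_echo:
        return False, "echo blocked by concealment policy"
    if transit:
        if msg_type in ND_TYPES or msg_type in MLD_TYPES:
            return False, "link-local message must not transit"
        if _listed(TRANSIT_MUST, msg_type, code):
            return True, "must not drop (transit)"
        if _listed(TRANSIT_SHOULD, msg_type, code):
            return True, "should not drop (transit)"
        return False, "not permitted in transit"
    if msg_type in ND_TYPES:
        if hop_limit != 255:          # anything below 255 has been forwarded: not a neighbor
            return False, "ND hop limit must be 255"
        if msg_type == 134 and s not in LINK_LOCAL:
            return False, "RA source must be link-local"
    elif msg_type in MLD_TYPES:
        if hop_limit != 1 or not d.is_multicast or not (s in LINK_LOCAL or s.is_unspecified):
            return False, "MLD/MRD must be link-local, hop limit 1, multicast destination"
    if _listed(LOCAL_MUST, msg_type, code):
        return True, "must not drop (local)"
    if _listed(LOCAL_SHOULD, msg_type, code):
        return True, "should not drop (local)"
    return False, "not permitted locally"


def demo():
    """Constructed messages: (type, code, src, dst, hop limit, transit) -> permit?"""
    cases = {
        "dad_ns_local":        (135, 0, "::", "ff02::1:ff00:80", 255, False),
        "forwarded_ns_local":  (135, 0, "2001:db8:20::1", "fe80::1", 64, False),
        "ra_transit":          (134, 0, "fe80::1", "ff02::1", 255, True),
        "ra_global_src_local": (134, 0, "2001:db8:20::1", "ff02::1", 255, False),
        "ptb_transit":         (2, 0, "2001:db8:20::1", "2001:db8:60::80", 64, True),
        "time_exceeded_code1": (3, 1, "2001:db8:20::1", "2001:db8:60::80", 64, True),
        "mld_report_local":    (131, 0, "fe80::2", "ff02::1:3", 1, False),
        "experimental":        (100, 0, "2001:db8:20::1", "2001:db8:60::80", 64, True),
    }
    return {name: decide(*args)[0] for name, args in cases.items()}
```

demo() permits the DAD Neighbor Solicitation (unspecified source, hop limit 255), the Packet Too Big and Time Exceeded code 1 in transit and the local MLD report, and drops the forwarded NS (hop limit 64), the RA seen in transit, the RA from a global source and the experimental type. The same function with allow_echo=False turns the site into one that does not answer pings, without touching the error-message rows that PMTU discovery depends on.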

Preparing:your:IPv6:addressing:plan

The Dutch organisation SURFnet has written a document explaining how to prepare an addressing plan for your IPv6 network. It is intended for network architects and network managers implementing IPv6 in their organisation.

The manual has been translated by the RIPE NCC and is available as:
Preparing an IPv6 Addressing Plan

Attacking:the:IPv6:protocol:suite

Once you understand how IPv6 works, it becomes clear that it is fairly easy to fool around with it. Searching the internet taught me that there are indeed proof-of-concept tools available to play with.

All credit to the guys from The Hacker's Choice (THC), for both the explanation and the code (version 2.3).

Survey:on:IPv6:firewalls

Do you have any idea how well your firewalls support IPv6?
The 2007 survey by ICANN's Security and Stability Advisory Committee shows that support was very limited at that time.

So be prepared to check the current IPv6 support when replacing your gear.
You can find the survey as “SAC 021“.

IPv6:Deployment:Guide

Looking for a deployment guide? Have a look at this cookbook:
IPv6:Deployment:Guide::pdf