[184527] in North American Network Operators' Group


Re: /27 the new /24

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Oct 7 07:56:01 2015

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <56113C5C.8050702@satchell.net>
Date: Wed, 7 Oct 2015 04:54:47 -0700
To: Stephen Satchell <list@satchell.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


> On Oct 4, 2015, at 7:49 AM, Stephen Satchell <list@satchell.net> wrote:
> 
> On 10/04/2015 06:40 AM, Matthias Leisi wrote:
>> Fully agree. But the current state of IPv6 outside "professional" networks/devices is sincerely limited by a lot of poor CPE and consumer device implementations.
> 
> I have to ask:  where is the book _IPv6 for Dummies_ or equivalent?
> 
> Specifically, is http://www.xnetworks.es/contents/Infoblox/IPv6forDummies.pdf any good? (I just downloaded it to inspect.)
> 
> My bookshelf is full of books describing IPv4.  Saying "IPv6 just works" ignores the issues of configuring intelligent firewalls to block the ne'er-do-wells using the new IP-level protocol.

You will need most of the same blockages in IPv6 that you needed in IPv4, actually.

There are some important differences for ICMP (don't break PMTU-D or ND), but otherwise, really not much difference between your IPv4 security policy and your IPv6 security policy.

In fact, on my linux box, I generate my IPv4 iptables file using little more than a global search and replace on the IPv6 iptables configuration which replaces the IPv6 prefixes/addresses with the corresponding IPv4 prefixes/addresses. (My IPv6 addresses for things that take incoming connections have an algorithmic map to IPv4 addresses for things that have them.)

> I use CentOS, the community version of Red Hat Enterprise.  I looked around for useful books on building IPv6 firewalls with the same granularity as the above-mentioned book for IPv4, and haven't found anything useful as yet.  In particular, I'm looking for material that lays out how to build a mostly-closed firewall and DMZ in IPv6.  The lack of IPv6 support goes further:  I didn't find anything useful in Red Hat (CentOS) firewall tools that provides IPv6 support...but that's probably because I don't know what I'm looking for.  (Also, that GUI software is intended for use on individual servers/computers, not in an edge-firewall with forwarding and DMZ responsibilities.)

Where you have an iptables file, you add an ip6tables file and change the prefixes and addresses. Otherwise, it's really pretty much the same.

There is limited IPv6 support in many of the GUIs still, unfortunately, but the command line tools are all there and for the most part work pretty much identically for v4 and v6, the difference often being as little as ping vs ping6 or <command> <args> vs. <command> -6 <args>.

> Building a secure firewall takes more than just knowing how to issue ip6table commands; one also needs to know exactly what goes into those commands.  NANOG concentrates on network operators who need to provide a good Internet experience to all their downstream customers, which is why I see the bias toward openness...as it should be.  Those of us who run edge networks have different problems to solve.

If you know what goes into the iptables commands, then there's very little difference for the ip6tables commands.

Primarily it involves changing the IPv4 addresses and/or prefixes into IPv6 addresses and/or prefixes. The rest of the commands are very much literally the same… An example from my actual configurations:

iptables:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.159.10.0/24 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT

ip6tables:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT


This is not my entire configuration (which is somewhat complex and in need of some cruft removal due to organic growth over time), but these 6 lines do provide a reasonably representative sample of things and include rate-limiting DNS queries from outsiders.

> I'm not asking NANOG to go past its charter, but I am asking the IPv6 fanatics on this mailing list to recognize that, even though the net itself may be running IPv6, the support and education infrastructure is still behind the curve.  Reading RFCs is good, reading man pages is good, but there is no guidance about how to implement end-network policies in the wild yet...at least not that I've been able to find.

There is actually quite a bit of information out there. Sylvia Hagen's IPv6 book covers a lot of this (O'Reilly publishes it).

There are also several other good IPv6 books.

> "ipv6.disable" will be changed to zero when I know how to set the firewall to implement the policies I need to keep other edge networks from disrupting mine.

You do. You just don't realize that you do. See above.

Owen
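
An added illustration of the search-and-replace approach described in the message above (example code, not from the post or from the author's configuration): a small Python translator that maps IPv4 hosts and prefixes onto IPv6 ones through a prefix table and, because ICMP is the one place where the two policies differ, drops ICMPv4 rules and gives each chain explicit accepts for the ICMPv6 types that Neighbor Discovery and PMTU-D need. The prefix map (documentation ranges) and the sample rules are constructed for this example; anything the map cannot place is refused rather than guessed.

```python
import ipaddress
import re
# Constructed IPv4 -> IPv6 prefix map using documentation ranges (not the addresses
# from the original post); a host keeps its offset inside the mapped prefix.
PREFIX_MAP = {
    ipaddress.ip_network("192.0.2.0/24"): ipaddress.ip_network("2001:db8:1::/64"),
}
# ICMPv6 types a host must accept or Neighbor Discovery and Path MTU Discovery
# break (RFC 4890); names as understood by ip6tables --icmpv6-type.
ICMPV6_REQUIRED = ("destination-unreachable", "packet-too-big", "time-exceeded",
                   "parameter-problem", "router-solicitation", "router-advertisement",
                   "neighbour-solicitation", "neighbour-advertisement")
V4_TOKEN = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")

def map_v4_token(token):
    """Map one IPv4 host or prefix onto its IPv6 counterpart via PREFIX_MAP."""
    net = ipaddress.ip_network(token, strict=False)
    for v4net, v6net in PREFIX_MAP.items():
        if net == v4net:                                  # the whole mapped prefix
            return str(v6net)
        if net.prefixlen == 32 and net.subnet_of(v4net):  # a single host inside it
            offset = int(net.network_address) - int(v4net.network_address)
            return str(v6net.network_address + offset)
    # An unmapped range or a sub-prefix needs a human decision, not a silent guess.
    raise ValueError(f"no IPv6 mapping for {token}; review this rule by hand")

def translate_rules(v4_rules):
    """Rewrite iptables -A rules as ip6tables rules: map addresses, drop ICMPv4
    rules, and give every chain explicit accepts for the required ICMPv6 types."""
    v6_rules, chains = [], []
    for rule in v4_rules:
        parts = rule.split()
        if len(parts) > 1 and parts[0] == "-A" and parts[1] not in chains:
            chains.append(parts[1])
        if " -p icmp" in rule or "--icmp-type" in rule:
            continue  # ICMPv4 type names/numbers do not carry over to ICMPv6
        v6_rules.append(V4_TOKEN.sub(lambda m: map_v4_token(m.group(0)), rule))
    for chain in chains:
        for icmp_type in ICMPV6_REQUIRED:
            v6_rules.append(f"-A {chain} -p ipv6-icmp --icmpv6-type {icmp_type} -j ACCEPT")
    return v6_rules

# Constructed sample in the shape of the rules quoted in the post.
SAMPLE_V4 = [
    "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT",
    "-A RH-Firewall-1-INPUT -s 192.0.2.0/24 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -s 192.0.2.10 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
]
```

Running `translate_rules(SAMPLE_V4)` yields the three address-mapped rules followed by eight ICMPv6 accepts for the RH-Firewall-1-INPUT chain; a rule naming an address outside the map stops the run with a ValueError so it can be reviewed rather than silently dropped.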
