[194577] in North American Network Operators' Group


BCP for securing IPv6 Linux end node in AWS

daemon@ATHENA.MIT.EDU (Eric Germann)
Sun May 14 09:29:54 2017

From: Eric Germann <ekgermann@semperen.com>
Date: Sun, 14 May 2017 09:29:45 -0400
To: nanog list <nanog@nanog.org>

Good morning all,

I’m looking for some guidance on best practices to secure IPv6 on Linux end nodes parked in AWS.

Boxes will be running various services (DNS for starters) and I’m looking to secure mainly ICMP at this point.  Service filtering is fairly cut and dried.

I’ve reviewed some of the stuff out there, but apparently I’m catching too many of the ICMP types in the rejection as routing eventually breaks.  My guess is router discovery gets broken by too tight of filters.

Thanks for any guidance.

EKG
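
The symptom described above, routing that eventually breaks under over-tight ICMPv6 filtering, can be checked against a ruleset. The following is an added example, not part of the original post: it audits an `ip6tables-save`-style INPUT chain for ICMPv6 types an end node needs inbound (a subset of the RFC 4890 recommendations). The sample ruleset, `ESSENTIAL` and `audit_input_chain` are constructed for illustration; numeric `--icmpv6-type` values are assumed and only rules matching on the ICMPv6 protocol are modelled.

```python
import re

# ICMPv6 types an end node needs inbound (subset of RFC 4890 guidance),
# mapped to what fails when the type is filtered.
ESSENTIAL = {
    1: "Destination Unreachable: connection errors go unreported",
    2: "Packet Too Big: path MTU discovery fails",
    3: "Time Exceeded: hop-limit errors are lost",
    4: "Parameter Problem: header errors go unreported",
    134: "Router Advertisement: default route expires with its lifetime",
    135: "Neighbor Solicitation: neighbors cannot resolve this host",
    136: "Neighbor Advertisement: this host cannot resolve its gateway",
}

# Constructed sample in ip6tables-save style; not taken from the post.
SAMPLE_RULES = """\
:INPUT DROP [0:0]
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
"""

RULE = re.compile(r"^-A INPUT\b(?P<body>.*?)-j (?P<target>ACCEPT|DROP|REJECT)\b")
ICMP6 = re.compile(r"-p (?:ipv6-icmp|icmpv6)\b")
TYPE = re.compile(r"--icmpv6-type (\d+)")  # numeric type; any "/code" is ignored

def audit_input_chain(ruleset: str) -> dict:
    """Return {type: consequence} for essential types the chain does not accept.

    Assumption: only rules that match on the ICMPv6 protocol are modelled;
    conntrack state rules and user-defined chains are not followed.
    """
    policy, rules = "ACCEPT", []  # rules: (icmp type or None for any, target)
    for line in ruleset.splitlines():
        if (m := re.match(r":INPUT (\w+)", line)):
            policy = m.group(1)
        elif (m := RULE.match(line)) and ICMP6.search(m.group("body")):
            t = TYPE.search(m.group("body"))
            rules.append((int(t.group(1)) if t else None, m.group("target")))
    blocked = {}
    for icmp_type, why in ESSENTIAL.items():
        # First matching rule wins, as in the kernel; otherwise the chain policy.
        verdict = next((tgt for typ, tgt in rules if typ in (None, icmp_type)), policy)
        if verdict != "ACCEPT":
            blocked[icmp_type] = why
    return blocked

if __name__ == "__main__":
    for icmp_type, why in audit_input_chain(SAMPLE_RULES).items():
        print(f"type {icmp_type} not accepted -> {why}")
```

On the constructed sample, neighbor discovery (135, 136) passes but Router Advertisements (134) and the error types do not, which is consistent with a default route that works at first and then times out.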

