[194578] in North American Network Operators' Group


Re: BCP for securing IPv6 Linux end node in AWS

daemon@ATHENA.MIT.EDU (Alarig Le Lay)
Sun May 14 09:42:31 2017

X-Original-To: nanog@nanog.org
Date: Sun, 14 May 2017 15:42:26 +0200
From: Alarig Le Lay <alarig@swordarmor.fr>
To: nanog@nanog.org
In-Reply-To: <30DE8DBE-D609-492C-A0F6-E65543AD0BC9@semperen.com>
Errors-To: nanog-bounces@nanog.org


On Sun. 14 May 09:29:45 2017, Eric Germann wrote:
> Good morning all,
>
> I’m looking for some guidance on best practices to secure IPv6 on
> Linux end nodes parked in AWS.
>
> Boxes will be running various services (DNS for starters) and I’m
> looking to secure mainly ICMP at this point.  Service filtering is
> fairly cut and dried.
>
> I’ve reviewed some of the stuff out there, but apparently I’m catching
> too many of the ICMP types in the rejection as routing eventually
> breaks.  My guess is router discovery gets broken by too tight of
> filters.
>
> Thanks for any guidance.
>
> EKG

Hi,

Filtering ICMP breaks the Internet, and it is even more true with IPv6, as
almost all the bootstrap is based on ICMP (ND, RD, RA, etc.). Plus, you
will break connections where there is an MTU change on the path.

So, my advice is simply to not filter ICMP and ICMPv6. And by the way,
why do you want to filter ICMP? You will not be DDoSed with pings.

-- 
alarig
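
Added example, not part of the original message: a small audit that reads ip6tables-save style rules and reports which ICMPv6 types needed for neighbor/router discovery and path MTU discovery are dropped, the breakage described in this thread. The use of ip6tables, the function name audit() and the sample rules are assumptions; the check looks only at the ICMPv6 type and target of each rule and ignores other match conditions and chain policies.

```python
import re

# ICMPv6 types behind path MTU discovery and neighbor/router discovery
# (numbers from RFC 4443 and RFC 4861).
ESSENTIAL = {2: "Packet Too Big (path MTU discovery)",
             133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}
NAMES = {"packet-too-big": 2, "router-solicitation": 133,
         "router-advertisement": 134, "neighbour-solicitation": 135,
         "neighbor-solicitation": 135, "neighbour-advertisement": 136,
         "neighbor-advertisement": 136}
RULE = re.compile(r"^-A\s+(\S+)\s+(.*?)-j\s+(ACCEPT|DROP|REJECT)\b")
ICMP6 = re.compile(r"-p\s+(?:ipv6-icmp|icmpv6|58)\b")
TYPE = re.compile(r"--icmpv6-type\s+([\w-]+)")

def audit(ruleset):
    """Return (line_no, chain, type, purpose) for every essential ICMPv6
    type whose first matching rule in a chain is DROP or REJECT."""
    findings, decided = [], set()  # decided: (chain, type) pairs already matched
    for no, line in enumerate(ruleset.splitlines(), 1):
        m = RULE.match(line.strip())
        if not m or not ICMP6.search(m.group(2)):
            continue
        chain, spec, target = m.groups()
        t = TYPE.search(spec)
        if t:  # rule names one type, numeric or symbolic
            tok = t.group(1)
            types = [int(tok) if tok.isdigit() else NAMES.get(tok)]
        else:  # no type match: the rule covers all ICMPv6
            types = list(ESSENTIAL)
        for typ in types:
            if typ not in ESSENTIAL or (chain, typ) in decided:
                continue
            decided.add((chain, typ))
            if target != "ACCEPT":
                findings.append((no, chain, typ, ESSENTIAL[typ]))
    return findings

# Constructed ip6tables-save excerpt (not from the thread).
SAMPLE = """\
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j DROP
-A INPUT -p ipv6-icmp -j DROP
"""

if __name__ == "__main__":
    for no, chain, typ, why in audit(SAMPLE):
        print(f"line {no}: {chain} blocks ICMPv6 type {typ}: {why}")
```

On the constructed sample, echo request (type 128) is not flagged, while Packet Too Big and the router solicitation/advertisement types are.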

