[194580] in North American Network Operators' Group
Re: BCP for securing IPv6 Linux end node in AWS
daemon@ATHENA.MIT.EDU (Eric Germann)
Sun May 14 09:59:13 2017
From: Eric Germann <ekgermann@semperen.com>
Date: Sun, 14 May 2017 09:49:44 -0400
To: Alarig Le Lay <alarig@swordarmor.fr>
Cc: nanog@nanog.org
The goal isn't to filter _all_ ICMP. The goal is to permit ICMP that is needed for correct operation across the global network while protecting from externally spoofed packets.

For example, on the IPv4 side, there arguably is no value to timestamp requests and address mask requests externally, so dump them.
Thoughts?
EKG
> On May 14, 2017, at 9:42 AM, Alarig Le Lay <alarig@swordarmor.fr> wrote:
>
> On Sun 14 May 09:29:45 2017, Eric Germann wrote:
>> Good morning all,
>>
>> I'm looking for some guidance on best practices to secure IPv6 on
>> Linux end nodes parked in AWS.
>>
>> Boxes will be running various services (DNS for starters) and I'm
>> looking to secure mainly ICMP at this point. Service filtering is
>> fairly cut and dried.
>>
>> I've reviewed some of the stuff out there, but apparently I'm catching
>> too many of the ICMP types in the rejection as routing eventually
>> breaks. My guess is router discovery gets broken by too tight of
>> filters.
>>
>> Thanks for any guidance.
>>
>> EKG
>
> Hi,
>
> Filtering ICMP breaks the Internet and it is even more true with IPv6 as
> almost all the bootstrap is based on ICMP (ND, RD, RA, etc.). Plus, you
> will break connections where there is an MTU change on the path.
>
> So, my advice is simply to not filter ICMP and ICMPv6. And by the way,
> why do you want to filter ICMP? You will not be DDoSed with pings.
>
> --
> alarig
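One concrete way to apply the stance in the reply above (keep the ICMP needed for correct operation, including Neighbor Discovery and Path MTU errors, and drop only what has no external value), as an added example that is not from this thread or from either poster: an nftables input chain for a Linux end node following the RFC 4890 filtering recommendations. It assumes a non-forwarding host (no router role), that DNS is the service being exposed, and that the host runs nftables rather than ip6tables.

```nftables
# Added example, not from the thread. Inbound policy for an IPv6/IPv4 Linux
# end node; service rules (DNS here) are placeholders for the real service set.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 error messages (types 1-4). Packet Too Big is what keeps
        # Path MTU Discovery working; dropping it breaks connections exactly
        # as described in the thread.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Neighbor Discovery (types 133-137) is the IPv6 bootstrap that a
        # too-tight filter breaks. It is link-local only, so a legitimate
        # message always arrives with hop limit 255; anything else is spoofed
        # from off-link and is dropped by the chain policy.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert,
                      nd-redirect } ip6 hoplimit 255 accept

        # Multicast Listener Discovery, needed once the node joins any group
        # (solicited-node multicast for ND depends on it).
        icmpv6 type { mld-listener-query, mld-listener-report,
                      mld-listener-done, mld2-listener-report } accept

        # Echo: keep it reachable but rate-limited rather than filtered.
        icmpv6 type { echo-request, echo-reply } limit rate 10/second accept
        icmp   type { echo-request, echo-reply } limit rate 10/second accept

        # IPv4 errors that normal operation relies on.
        icmp type { destination-unreachable, time-exceeded,
                    parameter-problem } accept

        # The IPv4 types the reply calls out as having no external value:
        # timestamp (13/14) and address mask (17/18). Dropped explicitly so
        # the intent is visible in the ruleset rather than left to the policy.
        icmp type { timestamp-request, timestamp-reply,
                    address-mask-request, address-mask-reply } drop

        # Exposed services (hypothetical placeholder: the DNS from the thread).
        tcp dport 53 accept
        udp dport 53 accept
    }
}
```

Load it with `nft -f` and verify from another host on the same subnet that `ip -6 neigh` still resolves and that a large transfer survives a smaller path MTU before tightening anything further.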