[194581] in North American Network Operators' Group


Re: BCP for securing IPv6 Linux end node in AWS

daemon@ATHENA.MIT.EDU (Enno Rey)
Sun May 14 10:12:19 2017

X-Original-To: nanog@nanog.org
Date: Sun, 14 May 2017 16:12:13 +0200
From: Enno Rey <erey@ernw.de>
To: nanog@nanog.org
In-Reply-To: <30DE8DBE-D609-492C-A0F6-E65543AD0BC9@semperen.com>
Errors-To: nanog-bounces@nanog.org

Hi Eric,

in addition to RFC 4980 mentioned in another post you might consider the following sources as a starting point:

https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-3-traffic-filtering-in-ipv6-networks-i/
https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-4-traffic-filtering-in-ipv6-networks-ii/
https://www.troopers.de/media/filer_public/85/be/85bef719-59a4-4567-aebb-ce01f9484f4d/ernw_tr16_ipv6secsummit_enterprise_security_strategy_final.pdf
https://www.ernw.de/download/ERNW_Guide_to_Securely_Configure_Linux_Servers_For_IPv6_v1_0.pdf

cheers

Enno

On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:
> Good morning all,
> 
> I'm looking for some guidance on best practices to secure IPv6 on Linux end nodes parked in AWS.
> 
> Boxes will be running various services (DNS for starters) and I'm looking to secure mainly ICMP at this point.  Service filtering is fairly cut and dried.
> 
> I've reviewed some of the stuff out there, but apparently I'm catching too many of the ICMP types in the rejection as routing eventually breaks.  My guess is router discovery gets broken by too tight of filters.
> 
> Thanks for any guidance.
> 
> EKG
> 



-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Commercial Register Mannheim: HRB 337135
Managing Director: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
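
The failure described in the quoted question (an ICMPv6 filter tight enough to drop Router Advertisements), as an added example that is not part of the original thread: a small Python audit that walks an ip6tables-save style INPUT chain and reports which essential ICMPv6 types it would not accept. The sample ruleset, the function names and the type list (taken from RFC 4890 and RFC 4861) are assumptions of this example.

```python
import re

# ICMPv6 types an end node should keep receiving (errors, PMTUD, RD/ND; RFC 4890/4861).
ESSENTIAL = {1: "Destination Unreachable", 2: "Packet Too Big",
             3: "Time Exceeded", 4: "Parameter Problem", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}
ICMP6 = {"ipv6-icmp", "icmpv6", "58"}
SIMPLE = r"-A \S+|-p \S+|-m icmp6|--icmpv6-type \d+|-j \S+"

# Constructed sample in ip6tables-save style (not from the thread).
TOO_TIGHT = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
COMMIT
"""

def verdict(ruleset, icmp_type, chain="INPUT"):
    """First unconditional rule matching this ICMPv6 type decides, else the policy."""
    m = re.search(rf"^:{chain} (\S+)", ruleset, re.M)
    policy = m.group(1) if m else "ACCEPT"
    for line in ruleset.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        # Only unconditional rules are modelled; extra matches (-i, -s, conntrack) skip.
        if re.sub(SIMPLE, "", line).strip():
            continue
        proto = re.search(r"-p (\S+)", line)
        itype = re.search(r"--icmpv6-type (\d+)", line)
        target = re.search(r"-j (\S+)", line)
        if proto and proto.group(1) not in ICMP6:
            continue
        if itype and int(itype.group(1)) != icmp_type:
            continue
        if target and target.group(1) in ("ACCEPT", "DROP", "REJECT"):
            return target.group(1)
    return policy

def blocked_essentials(ruleset):
    return {t: n for t, n in ESSENTIAL.items() if verdict(ruleset, t) != "ACCEPT"}

# Corrected variant: accept the missing types ahead of the catch-all drop.
FIXED = TOO_TIGHT.replace("-A INPUT -p ipv6-icmp -j DROP\n", "".join(
    f"-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT\n"
    for t in blocked_essentials(TOO_TIGHT)) + "-A INPUT -p ipv6-icmp -j DROP\n")
```

`blocked_essentials(TOO_TIGHT)` reports the error types and type 134 (Router Advertisement), which is the loss that lets the default route expire; `blocked_essentials(FIXED)` is empty. Production rulesets commonly restrict the discovery types further, for example to hop limit 255.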
