Re: BCP for securing IPv6 Linux end node in AWS

2017-05-15 Thread JORDI PALET MARTINEZ
https://nat64check.go6lab.si/ Regards, Jordi -Original Message- From: NANOG <nanog-boun...@nanog.org> on behalf of Rich Kulawiec <r...@gsp.org> Reply-To: <r...@gsp.org> Date: Monday, 15 May 2017, 12:57 To: nanog list <nanog@nanog.org> Subject: Re: BCP for

Re: BCP for securing IPv6 Linux end node in AWS

2017-05-15 Thread Rich Kulawiec
On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote: > I've reviewed some of the stuff out there, but apparently I'm > catching too many of the ICMP types in the rejection as routing eventually > breaks. My guess is router discovery gets broken by too tight of filters. That's a good

Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Saku Ytti
On 14 May 2017 at 16:49, Eric Germann wrote: Hey, > For example, on the IPv4 side, there arguably is no value to timestamp > requests and address mask requests externally, so dump them. It's a very dangerous proposal when we start considering everything 0 value which

Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Enno Rey
Hi Eric, in addition to RFC 4980 mentioned in another post you might consider the following sources as a starting point: https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-3-traffic-filtering-in-ipv6-networks-i/

Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Eric Germann
The goal isn’t to filter _all_ ICMP. The goal is to permit ICMP that is needed for correct operation across the global network while protecting from externally spoofed packets. For example, on the IPv4 side, there arguably is no value to timestamp requests and address mask requests

Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Bjørn Mork
Alarig Le Lay writes: > So, my advice is simply to not filter ICMP and ICMPv6. And by the way, > why do you want to filter ICMP? You will not be DDoSed with pings. I tend to agree. But if you still want to do it, then there is some advice in

Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Alarig Le Lay
On Sun. 14 May 09:29:45 2017, Eric Germann wrote: > Good morning all, > > I’m looking for some guidance on best practices to secure IPv6 on > Linux end nodes parked in AWS. > > Boxes will be running various services (DNS for starters) and I’m > looking to secure mainly ICMP at this point.

BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Eric Germann
Good morning all, I’m looking for some guidance on best practices to secure IPv6 on Linux end nodes parked in AWS. Boxes will be running various services (DNS for starters) and I’m looking to secure mainly ICMP at this point. Service filtering is fairly cut and dried. I’ve reviewed some of