Re: BCP for securing IPv6 Linux end node in AWS

2017-05-15 Thread JORDI PALET MARTINEZ
Just make sure that nothing breaks PTB, as happens if you don't pay attention 
to ECMP.

RFC 7690

1&1 in Germany has had this issue for at least 18-24 months, so all their 
customers with IPv6 enabled are *broken* for anyone having a smaller MTU 
because of tunnels, the ISP technology, etc. They are aware of that, I have been 
telling them for many months, but it is not yet fixed, so make sure you don't use 
those data centers if you want to enable IPv6.

You can check this with any of their IPv6 enabled sites (thousands I guess), 
for example http://diskmakerx.com/

And a nice tool to check it:

https://nat64check.go6lab.si/

Regards,
Jordi
 

-Original Message-
From: NANOG <nanog-boun...@nanog.org> on behalf of Rich Kulawiec <r...@gsp.org>
Reply-To: <r...@gsp.org>
Date: Monday, 15 May 2017, 12:57
To: nanog list <nanog@nanog.org>
Subject: Re: BCP for securing IPv6 Linux end node in AWS

On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:
> I've reviewed some of the stuff out there, but apparently I'm
> catching too many of the ICMP types in the rejection as routing eventually
> breaks.  My guess is router discovery gets broken by too tight of filters.

That's a good guess, but I would also guess that path MTU discovery
may be breaking.  (Or not.)  I think you may want to implement RFC 4890,
with a look at RFC 4443.

---rsk





**
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company






Re: BCP for securing IPv6 Linux end node in AWS

2017-05-15 Thread Rich Kulawiec
On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:
> I've reviewed some of the stuff out there, but apparently I'm
> catching too many of the ICMP types in the rejection as routing eventually
> breaks.  My guess is router discovery gets broken by too tight of filters.

That's a good guess, but I would also guess that path MTU discovery
may be breaking.  (Or not.)  I think you may want to implement RFC 4890,
with a look at RFC 4443.

---rsk


Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Saku Ytti
On 14 May 2017 at 16:49, Eric Germann wrote:

Hey,

> For example, on the IPv4 side, there arguably is no value to timestamp 
> requests and address mask requests externally, so dump them.

It's a very dangerous proposal when we start considering everything
zero-value which isn't of value to ourselves currently. Is ICMP TS a known
attack vector? It has one particularly useful diagnostic purpose: you
can use it to measure unidirectional latencies with up to 1 ms accuracy. It
has on occasions reduced the troubleshooting time needed and reduced the
number of people who need to look into the problem.

-- 
  ++ytti


Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Enno Rey
Hi Eric,

in addition to RFC 4980 mentioned in another post you might consider the 
following sources as a starting point:

https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-3-traffic-filtering-in-ipv6-networks-i/
https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-4-traffic-filtering-in-ipv6-networks-ii/
https://www.troopers.de/media/filer_public/85/be/85bef719-59a4-4567-aebb-ce01f9484f4d/ernw_tr16_ipv6secsummit_enterprise_security_strategy_final.pdf
https://www.ernw.de/download/ERNW_Guide_to_Securely_Configure_Linux_Servers_For_IPv6_v1_0.pdf

cheers

Enno

On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:
> Good morning all,
> 
> I'm looking for some guidance on best practices to secure IPv6 on Linux end 
> nodes parked in AWS.
> 
> Boxes will be running various services (DNS for starters) and I'm looking 
> to secure mainly ICMP at this point.  Service filtering is fairly cut and 
> dried.  
> 
> I've reviewed some of the stuff out there, but apparently I'm catching 
> too many of the ICMP types in the rejection as routing eventually breaks.  My 
> guess is router discovery gets broken by too tight of filters.
> 
> Thanks for any guidance.
> 
> EKG
> 



-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

===
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
===


Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Eric Germann
The goal isn’t to filter _all_ ICMP.  The goal is to permit ICMP that is needed 
for correct operation across the global network while protecting from 
externally spoofed packets.

For example, on the IPv4 side, there arguably is no value to timestamp requests 
and address mask requests externally, so dump them.

Thoughts?

EKG

> On May 14, 2017, at 9:42 AM, Alarig Le Lay wrote:
> 
> On Sun. 14 May 09:29:45 2017, Eric Germann wrote:
>> Good morning all,
>> 
>> I’m looking for some guidance on best practices to secure IPv6 on
>> Linux end nodes parked in AWS.
>> 
>> Boxes will be running various services (DNS for starters) and I’m
>> looking to secure mainly ICMP at this point.  Service filtering is
>> fairly cut and dried.  
>> 
>> I’ve reviewed some of the stuff out there, but apparently I’m catching
>> too many of the ICMP types in the rejection as routing eventually
>> breaks.  My guess is router discovery gets broken by too tight of
>> filters.
>> 
>> Thanks for any guidance.
>> 
>> EKG
> 
> Hi,
> 
> Filtering ICMP breaks the Internet and it is even more true with IPv6 as
> almost all the bootstrap is based on ICMP (ND, RD, RA, etc.). Plus, you
> will break connections where there is an MTU change on the path.
> 
> So, my advice is simply to not filter ICMP and ICMPv6. And by the way,
> why do you want to filter ICMP? You will not be DDoSed with pings.
> 
> -- 
> alarig





Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Bjørn Mork
Alarig Le Lay writes:

> So, my advise is simply to not filter ICMP and ICMPv6. And by the way,
> why do want to filter ICMP? You will not be DDoSed with pings.


I tend to agree.  But if you still want to do it, then there is some
advice in https://tools.ietf.org/html/rfc4890


Bjørn
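
Eric's original problem (filters tight enough to break router discovery and, as Rich suspects, path MTU discovery) together with the RFC 4890 pointer from Rich and Bjørn above, turned into something concrete. This is an added example, not code posted in the thread or AWS's own configuration: an nftables ruleset for a Linux IPv6 end host that admits the ICMPv6 types RFC 4890 section 4.3 says a host must receive (the errors PMTUD depends on, echo, Neighbor Discovery with its mandatory hop limit of 255, MLD) and drops the rest with a counter so the drops stay visible. The table and chain names, the echo rate limit and the SSH port are the editor's assumptions; DNS is the service Eric named.

```shell
#!/bin/sh
# Added example, not from the thread: an nftables ruleset for a Linux IPv6 end
# host following RFC 4890 section 4.3, instead of dropping ICMPv6 wholesale.
# Table/chain names, the echo rate limit and port 22 are assumptions; DNS on
# port 53 is the service named in the original question.

rfc4890_ruleset() {
cat <<'EOF'
table ip6 host_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop
        # replies, and ICMPv6 errors that conntrack can tie to a flow we started
        ct state established,related accept

        # RFC 4890 4.3.1: error messages that must not be dropped. Packet Too Big
        # (type 2) is what path MTU discovery depends on, so it is accepted even
        # when conntrack no longer holds the flow it refers to.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # RFC 4890 4.3.1: echo, kept for diagnostics but rate-limited against floods
        icmpv6 type { echo-request, echo-reply } limit rate 10/second accept

        # RFC 4890 4.3.1 / RFC 4861: Neighbor Discovery. A host needs RA, NS, NA
        # and Redirect; all are sent with hop limit 255, so anything arriving with
        # a lower hop limit came from off-link and falls through to the drop below.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept

        # RFC 4890 4.3.1: Multicast Listener Discovery, always link-local, hop limit 1
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } ip6 hoplimit 1 accept

        # every other ICMPv6 type (node information, router renumbering,
        # experimental) is dropped; the counter makes the drops visible in nft list
        meta l4proto icmpv6 counter drop

        # services this box offers (DNS from the thread; SSH is assumed)
        tcp dport { 22, 53 } accept
        udp dport 53 accept
    }
    # no output chain: outbound traffic, including our own ICMPv6, is unfiltered
}
EOF
}

# "check" parses the ruleset without installing it; "apply" needs root and
# will cut your session if 22 is not the port you logged in on.
case "${1:-print}" in
    print) rfc4890_ruleset ;;
    check) rfc4890_ruleset | nft -c -f - ;;
    apply) rfc4890_ruleset | nft -f - ;;
    *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it with `check` first; `nft -c` reports syntax and unknown-keyword errors without touching the live ruleset. The `established,related` rule already passes most ICMPv6 errors tied to tracked flows, so the explicit error rule matters for PTB arriving after a flow has aged out of conntrack and, just as much, for making the policy auditable. On EC2 this host firewall sits behind the VPC security group, so check the security group as well: rules here cannot admit anything the VPC has already dropped.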


Re: BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Alarig Le Lay
On Sun. 14 May 09:29:45 2017, Eric Germann wrote:
> Good morning all,
> 
> I’m looking for some guidance on best practices to secure IPv6 on
> Linux end nodes parked in AWS.
> 
> Boxes will be running various services (DNS for starters) and I’m
> looking to secure mainly ICMP at this point.  Service filtering is
> fairly cut and dried.  
> 
> I’ve reviewed some of the stuff out there, but apparently I’m catching
> too many of the ICMP types in the rejection as routing eventually
> breaks.  My guess is router discovery gets broken by too tight of
> filters.
> 
> Thanks for any guidance.
> 
> EKG

Hi,

Filtering ICMP breaks the Internet and it is even more true with IPv6 as
almost all the bootstrap is based on ICMP (ND, RD, RA, etc.). Plus, you
will break connections where there is an MTU change on the path.

So, my advice is simply to not filter ICMP and ICMPv6. And by the way,
why do you want to filter ICMP? You will not be DDoSed with pings.

-- 
alarig




BCP for securing IPv6 Linux end node in AWS

2017-05-14 Thread Eric Germann
Good morning all,

I’m looking for some guidance on best practices to secure IPv6 on Linux end 
nodes parked in AWS.

Boxes will be running various services (DNS for starters) and I’m looking to 
secure mainly ICMP at this point.  Service filtering is fairly cut and dried.  

I’ve reviewed some of the stuff out there, but apparently I’m catching too many 
of the ICMP types in the rejection as routing eventually breaks.  My guess is 
router discovery gets broken by too tight of filters.

Thanks for any guidance.

EKG


