[nsp-sec] IPv6 bad actors ??

Gert Doering gert at greenie.muc.de
Wed Mar 14 18:09:18 EDT 2012


Hi,

On Wed, Mar 14, 2012 at 04:22:08PM -0400, Dario Ciccarone wrote:
>     Appreciate your answer. I have about a gazillion extra questions to
> ask you, but let me limit myself to one: what do you use as source of
> recommendations or best practices wrt IPv6 traffic filtering/IPv6
> security in general - RFCs, NANOG, Cisco/other vendors whitepapers, Eric
> Vyncke's book, etc . . .

Ummm.  Combination of "IPv4 BCPs applied to v6" (anti-spoofing and
iACL filters come to mind) and "add what's needed if new issues show
up with v6" (like the RH0 attacks).

If people argue for filtering ICMP, I slap them with RFC4890 :-)

In addition, there's the ipv6-ops at lists.cluenet.de list, which is also
a very good source of useful information, without the religious debates
that seem to fuel the NANOG list...


>     And as a bonus one: if you were to ask for a whitepaper/set of
> whitepapers on IPv6 security or resiliency issues, or addressing best
> practices, or first hop security, etc - which topics would be of
> interest to you ?

"How to get our customers motivated to turn on IPv6 on their servers"
(we're mostly a server hosting / datacenter ISP these days).  But that's
less of a technical problem than political.

"Differences in IPv6 feature completeness across Cisco platforms for
dummies" is another one that comes to mind.  But I'm not sure anyone
can explain that well enough for mortals to understand.


Seriously: I've been asked a couple of times for an "address plan" BCP,
so that one might be worth pursuing.

Another one might be a whitepaper that takes typical IPv4 networks (ISP, 
enterprise, access) with all that's typically used for IPv4 there (BGP, 
OSPF, HSRP/VRRP, VPDN, ...) and explains one-by-one what needs to be done
to make this work "with IPv6" - like: sample configs for BGP and OSPF
(simple), VPDN/Radius examples with DHCP-PD (not so simple :) ), etc.


>     And the one about "we will filter all, wait for Mobile IPv6 clients
> to complain" - I would laugh, but I've heard that one before already :)

I'm not particularly happy that our gear cannot filter "just RH0"...
(maybe it can, by now, but originally it couldn't and I can't remember
whether that was a hardware or software limitation).

gert

-- 
Gert Doering
SpaceNet AG, AS 5539, gert at space.net.  PGP-KeyID: 0x65514975
Also reachable via gert at greenie.muc.de and gert at net.informatik.tu-muenchen.de
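As an added illustration, not part of the thread, of what "filter just RH0" means in practice (versus the "filter all routing headers and wait for Mobile IPv6 clients to complain" approach): a walk of the IPv6 extension-header chain that flags only Routing Header type 0 and leaves Mobile IPv6's type 2 alone. The packet bytes are constructed samples; the header-length rules follow RFC 2460 and RFC 4302.

```python
import struct

# IANA next-header values for the IPv6 extension headers a filter must walk
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
IPV6_HDR_LEN = 40

def ext_header_len(nh, buf, off):
    """Byte length of the extension header at buf[off] (RFC 2460 / RFC 4302)."""
    if nh == FRAGMENT:
        return 8                          # fixed size; byte 1 is reserved, not a length
    if nh == AH:
        return (buf[off + 1] + 2) * 4     # AH length is in 32-bit words minus 2
    return (buf[off + 1] + 1) * 8         # others: 8-octet units, excluding the first 8

def routing_header_types(packet):
    """Walk the header chain and return the routing types found (e.g. [0] for RH0).
    ESP ends the walk: whatever follows it is encrypted and cannot be inspected."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, found = packet[6], IPV6_HDR_LEN, []
    while nh in (HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nh == ROUTING:
            found.append(packet[off + 2])  # Routing Type field
        nh, off = packet[off], off + ext_header_len(nh, packet, off)
    return found

def verdict(packet):
    """Drop only RH0 (deprecated by RFC 5095); RH2 (Mobile IPv6) stays permitted."""
    return "drop" if 0 in routing_header_types(packet) else "permit"

def build(next_header, ext_headers, payload=b""):
    """Constructed sample packet: minimal IPv6 header (:: -> ::) plus raw headers."""
    body = b"".join(ext_headers) + payload
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), next_header, 64,
                       bytes(16), bytes(16)) + body

# Constructed headers: [next hdr, ext len, routing type, segments left] + reserved + one address
RH0 = bytes([6, 2, 0, 1]) + bytes(4) + bytes(16)   # type 0: the one to drop
RH2 = bytes([6, 2, 2, 1]) + bytes(4) + bytes(16)   # type 2: Mobile IPv6, keep
HBH = bytes([ROUTING, 0]) + bytes(6)               # hop-by-hop header placed ahead of RH2

PKT_RH0 = build(ROUTING, [RH0], bytes(20))
PKT_HBH_RH2 = build(HOPOPT, [HBH, RH2], bytes(20))
PKT_PLAIN_TCP = build(6, [], bytes(20))
```

Call `verdict()` on the raw bytes of a captured packet; the hop-by-hop sample shows that the routing header need not be the first extension header, which is why a fixed-offset match is not enough.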