[nsp-sec] IPv6 bad actors ??
Dario Ciccarone
dciccaro at cisco.com
Thu Mar 15 13:03:44 EDT 2012
Gert:
Thanks for your feedback. Please see inline:
On 3/14/12 6:09 PM, Gert Doering wrote:
> Hi,
>
> On Wed, Mar 14, 2012 at 04:22:08PM -0400, Dario Ciccarone wrote:
>> Appreciate your answer. I have about a gazillion extra questions to
>> ask you, but let me limit myself to one: what do you use as source of
>> recommendations or best practices wrt IPv6 traffic filtering/IPv6
>> security in general - RFCs, NANOG, Cisco/other vendors whitepapers, Eric
>> Vyncke's book, etc . . .
>
> Ummm. Combination of "IPv4 BCPs applied to v6" (anti-spoofing and
> iACL filters come to mind) and "add what's needed if new issues show
> up with v6" (like the RH0 attacks).
Well, those are on our TODO list for sure - been there for more than a
year, actually :). One of the issues we found is the different level of
support across platforms - you yourself gave an example with an IOS
release matching only on the presence of any RH, while others allow to
match on specific RH types. We're still trying to come up with some way
to make that whitepaper generic - but it will need to have a "please
verify your OS and release for which features are supported" caveat.
Would that still be useful - ie, a WP focusing on, say, IOS 15T and you
then will have to adapt as required based on what is supported on your platform?
We recently published a WP on RTBH on IPv6 -
http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html
>
>
> If people argue for filtering ICMP, I slap them with RFC4890 :-)
Yeah, the problem w/ 4890 is its focus on firewalls - same rules would
need to be adapted for access/aggregation/core devices. If we write a WP
on this, we'll make sure to point out those differences, and why they
are relevant.
>
>
> In addition, there's the ipv6-ops at lists.cluenet.de list, which is also
> a very good source of useful information, without the religious debates
> that seem to fuel the NANOG list...
>
>
>> And as a bonus one: if you were to ask for a whitepaper/set of
>> whitepapers on IPv6 security or resiliency issues, or addressing best
>> practices, or first hop security, etc - which topics would be of
>> interest to you?
>
> "How to get our customers motivated to turn on IPv6 on their servers"
> (we're mostly a server hosting / datacenter ISP these days). But that's
> less of a technical problem than political/
Pass on that one :)
>
>
> "Differences in IPv6 feature completeness across Cisco platforms for
> dummies" is another one that comes to mind. But I'm not sure anyone
> can explain that well enough for mortals to understand.
Explaining is the easy part. Collecting the information may be a bit
challenging.
>
>
>
> Seriously: I've been asked a couple of times for an "address plan" BCP,
> so that one might be worth pursuing.
We've also discussed that one. We have a docwiki.cisco.com document on
that (not authored by my team), focused on a possible scheme for an
Enterprise. There are discussions on extending it - but it would need to
take into consideration things like RFC-6164, which means it would also
need to be caveated (ie: impact of using 6164 on P2P links if you ever
plan to use CGAs, etc).
>
>
> Another one might be a whitepaper that takes typical IPv4 networks (ISP,
> enterprise, access) with all that's typically used for IPv4 there (BGP,
> OSPF, HSRP/VRRP, VPDN, ...) and explains one-by-one what needs to be done
> to make this work "with IPv6" - like: sample configs for BGP and OSPF
> (simple), VPDN/Radius examples with DHCP-PD (not so simple :) ), etc.
Some of that is already available as "Cisco Validated Designs" at
http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html
- for branch, Enterprise & Internet Edge. I don't know what the plans
are for data center, SP, etc. I can certainly ask :)
Take a look, let us know what you think. We weren't involved on those -
but we can certainly relay feedback to the appropriate team.
>
>
>
>> And the one about "we will filter all, wait for Mobile IPv6 clients
>> to complain" - I would laugh, but I've heard that one before already :)
>
> I'm not particularly happy that our gear cannot filter "just RH0"...
> (maybe it can, by now, but originally it couldn't and I can't remember
> whether that was a hardware or software limitation).
And that goes back to my original comment about any WP will either need
to be highly generic, for a one-size-fits-all, smallest common
denominator, or be highly specific - and then whoever is reading it
would need to verify which one of those features is available on each
platform they're using.
Again, thanks for your feedback.
Dario
>
>
> gert
>
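The "match on any routing header" versus "match on RH0 only" distinction that Dario and Gert go back and forth on, as an added illustration that is not part of the thread or of any Cisco feature: a small walker over the IPv6 extension header chain that reports the routing header type, showing why a filter limited to the presence of any RH would also drop the Type 2 routing header Mobile IPv6 relies on. All packet bytes are constructed inline with documentation addresses.

```python
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}

def routing_headers(pkt: bytes):
    """Walk the extension header chain of a raw IPv6 packet and return
    a list of (routing_type, segments_left) for each routing header."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    found, nh, off = [], pkt[6], IPV6_HDR_LEN
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == ROUTING:
            found.append((pkt[off + 2], pkt[off + 3]))
        if nh == FRAGMENT:        # fixed 8 octets; the ext_len field is reserved
            hdr_len = 8
        elif nh == AH:            # AH length is in 4-octet units, minus 2
            hdr_len = (ext_len + 2) * 4
        else:                     # 8-octet units, not counting the first 8
            hdr_len = (ext_len + 1) * 8
        nh, off = next_nh, off + hdr_len
    return found

def classify(pkt: bytes) -> str:
    """Decide as a filter that can see the routing type would (constructed labels)."""
    rhs = routing_headers(pkt)
    if any(rtype == 0 for rtype, _ in rhs):
        return "drop-rh0"          # RH0 is deprecated by RFC 5095
    if rhs:
        return "permit-other-rh"   # e.g. Type 2, used by Mobile IPv6 (RFC 6275)
    return "no-rh"

# Constructed sample packets using the 2001:db8::/32 documentation prefix.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
ICMPV6_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])   # echo request, checksum left zero

def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, SRC, DST) + payload

def routing_header(next_header: int, rtype: int, segs_left: int, addr: bytes) -> bytes:
    # 8-octet base plus one 16-octet address, so Hdr Ext Len = 2
    return struct.pack("!BBBB4x16s", next_header, 2, rtype, segs_left, addr)

RH0_PKT = ipv6(ROUTING, routing_header(58, 0, 1, DST) + ICMPV6_ECHO)
RH2_PKT = ipv6(ROUTING, routing_header(58, 2, 1, DST) + ICMPV6_ECHO)
HBH_PKT = ipv6(HOP_BY_HOP, bytes([58, 0, 1, 4, 0, 0, 0, 0]) + ICMPV6_ECHO)  # PadN only
```

A filter that can only test "routing header present" would return the same verdict for RH0_PKT and RH2_PKT; the type-aware check separates them.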