Re: BCP for securing IPv6 Linux end node in AWS

[Eric Germann <ekgermann () semperen com>]

The goal isn’t to filter _all_ ICMP.  The goal is to permit ICMP that is needed for correct operation across the global 
network while protecting from externally spoofed packets.

For example, on the IPv4 side, there arguably is no value to timestamp requests and address mask requests externally, 
so dump them.

Thoughts?

EKG

> On May 14, 2017, at 9:42 AM, Alarig Le Lay <alarig () swordarmor fr> wrote:
>
> On dim. 14 mai 09:29:45 2017, Eric Germann wrote:
> > Good morning all,
> >
> > I’m looking for some guidance on best practices to secure IPv6 on
> > Linux end nodes parked in AWS.
> >
> > Boxes will be running various services (DNS for starters) and I’m
> > looking to secure mainly ICMP at this point.  Service filtering is
> > fairly cut and dried.  
> >
> > I’ve reviewed some of the stuff out there, but apparently I’m catching
> > too many of the ICMP types in the rejection as routing eventually
> > breaks.  My guess is router discovery gets broken by too tight of
> > filters.
> >
> > Thanks for any guidance.
> >
> > EKG
>
> Hi,
>
> Filtering ICMP breaks Internet and it is even more true with IPv6 as
> almost all the bootstrap is based on ICMP (ND, RD, RA, etc.). Plus, you
> will break connections where there is a MTU change on the path.
>
> So, my advise is simply to not filter ICMP and ICMPv6. And by the way,
> why do want to filter ICMP? You will not be DDoSed with pings.
>
> -- 
> alarig

Attachment: smime.p7s
Description: