nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BCP for securing IPv6 Linux end node in AWS

From: Enno Rey <erey () ernw de>
Date: Sun, 14 May 2017 16:12:13 +0200
Hi Eric,

in addition to RFC 4980 mentioned in another post you might consider the following sources as a starting point:

https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-3-traffic-filtering-in-ipv6-networks-i/
https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-4-traffic-filtering-in-ipv6-networks-ii/
https://www.troopers.de/media/filer_public/85/be/85bef719-59a4-4567-aebb-ce01f9484f4d/ernw_tr16_ipv6secsummit_enterprise_security_strategy_final.pdf
https://www.ernw.de/download/ERNW_Guide_to_Securely_Configure_Linux_Servers_For_IPv6_v1_0.pdf

cheers

Enno

On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:

Good morning all,

I???m looking for some guidance on best practices to secure IPv6 on Linux end nodes parked in AWS.

Boxes will be running various services (DNS for starters) and I???m looking to secure mainly ICMP at this point.  
Service filtering is fairly cut and dried.  

I???ve reviewed some of the stuff out there, but apparently I???m catching too many of the ICMP types in the 
rejection as routing eventually breaks.  My guess is router discovery gets broken by too tight of filters.

Thanks for any guidance.

EKG





-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
Previous By Date Next
Previous By Thread Next

Current thread: