I have been searching everywhere for information about best practices to harden Cisco devices when IPv6 is implemented. I have found many documents showing possible threats; however, some of them are more than 3 years old and don't give a good example of how to implement the best practices.
Does anyone have information or a guide on how to harden your devices when IPv6 is in place?
You will find some good references in the Design Zone for IPv6. Many of the documents there have been updated recently.
For example, see below the IPv6 Campus Security section.
One of the best older references out there is IPv6 Security, 2008.
See also IPv6 for Enterprises, 2011.
If you keep track of the Cisco Press ebook deals of the day you can purchase them at a heavily discounted rate.
Don't forget to rate posts that are helpful.
Thank you Sean; however, it seems there is no general guidance as there is for IPv4. I found a couple of good examples in your links, though.
One more question: Is there any IPv6 ACL similar to the ones existing in IPv6 to harden an Internet connection? I.e., with IPv4 you can have
deny ip 10.0.0.0 0.255.255.255 any
deny ip 188.8.131.52 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 184.108.40.206 0.0.0.255 any
deny ip 220.127.116.11 18.104.22.168 any
Is there an IPv6 equivalent?
Sure. See below the reference from Team Cymru for filtering IPv6 bogons.
One more question ... the list is applied as a prefix list, which is OK; however, I am not sure if the same prefixes can be used to, let's say, block connections on a public interface; i.e., the IPv4 list above doesn't permit connections from private networks 10.x.x.x, 172.16.x.x and 192.168.x.x.
I guess if I use reverse logic from the IPv6 prefix list I can only allow connections from those networks and block everything else; would that bring the same result as in IPv4?
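Added example, not part of the thread and not Cisco or Team Cymru code: a Python script that turns the deny entries of an IOS IPv6 prefix list into an interface ACL matching on source address, which is the IPv6 counterpart of the IPv4 deny list quoted above. The sample prefix list, the ACL name and the closing permit are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in IOS prefix-list syntax (not the Team Cymru list).
SAMPLE_PREFIX_LIST = """\
ipv6 prefix-list EXAMPLE-BOGONS seq 5 deny ::/8 le 128
ipv6 prefix-list EXAMPLE-BOGONS seq 10 deny 2001:db8::/32 le 128
ipv6 prefix-list EXAMPLE-BOGONS seq 15 deny fc00::/7 le 128
ipv6 prefix-list EXAMPLE-BOGONS seq 20 deny fe80::/10 le 128
ipv6 prefix-list EXAMPLE-BOGONS seq 25 deny fec0::/10 le 128
ipv6 prefix-list EXAMPLE-BOGONS seq 30 deny ff00::/8 le 128
ipv6 prefix-list EXAMPLE-BOGONS seq 35 deny 2001:db8:1::/48 le 128
ipv6 prefix-list EXAMPLE-BOGONS seq 40 permit 2000::/3 le 48
"""

ENTRY = re.compile(r"^ipv6 prefix-list \S+(?: seq \d+)? (permit|deny) (\S+)")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def prefix_list_to_acl(text, acl_name="EXAMPLE-INTERNET-IN"):
    """Return IOS 'ipv6 access-list' lines that drop packets whose source
    address falls inside any prefix the prefix list denies."""
    denied = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group(1) == "deny":
            # ip_network() raises ValueError on a malformed prefix.
            denied.add(ipaddress.ip_network(m.group(2)))
    nets = sorted(denied)
    # Drop more-specific prefixes already covered by a shorter deny.
    kept = [n for n in nets if not any(n != o and n.subnet_of(o) for o in nets)]

    lines = [f"ipv6 access-list {acl_name}"]
    if any(n.overlaps(LINK_LOCAL) for n in kept):
        # An explicit link-local deny is evaluated before the implicit
        # neighbor-discovery permits at the end of every IOS IPv6 ACL, so
        # re-permit NS/NA first or the upstream next hop stops resolving.
        lines += [" permit icmp fe80::/10 any nd-ns",
                  " permit icmp fe80::/10 any nd-na"]
    lines += [f" deny ipv6 {n} any" for n in kept]
    # Assumption: everything else is allowed; substitute your own policy.
    lines.append(" permit ipv6 any any")
    return lines


if __name__ == "__main__":
    print("\n".join(prefix_list_to_acl(SAMPLE_PREFIX_LIST)))
```

The generated ACL is applied inbound on the Internet-facing interface with `ipv6 traffic-filter EXAMPLE-INTERNET-IN in`. Permit entries in the prefix list are ignored by this conversion.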