04-11-2012 07:41 PM - edited 03-09-2019 11:49 PM
Hi,
I have been searching everywhere for information about best practices to harden Cisco devices when IPv6 is implemented. I have found many documents showing possible threats; however, some of them are more than 3 years old and don't give a good example of how to implement the best practices.
Does anyone have information or a guide on how to harden your devices when IPv6 is in place?
Thank you
04-11-2012 08:45 PM
Hi,
You will find some good references in the Design Zone for IPv6. Many of the documents there have been updated recently.
http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html
For example, see the IPv6 Campus Security section below:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html#wp390569
One of the best older references out there is IPv6 Security, 2008
http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945
See also IPv6 for Enterprises, 2011
http://www.ciscopress.com/bookstore/product.asp?isbn=1587142325
If you keep track of the Cisco Press ebook deals of the day you can purchase them at a heavily discounted rate.
http://www.ciscopress.com/deals/
Don't forget to rate posts that are helpful.
04-15-2012 08:32 PM
Thank you Sean. However, it seems there is no general guidance as there is for IPv4. I found a couple of good examples on your links, though.
04-15-2012 11:48 PM
One more question: Is there any IPv6 ACL similar to the ones existing in IPv6 to harden an Internet connection? i.e. with IPv4 you can have
deny ip 10.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 223.255.255.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
Is there an IPv6 equivalent?
04-15-2012 11:55 PM
Sure. See below the reference from Team Cymru for filtering IPv6 bogons:
http://www.team-cymru.org/ReadingRoom/Templates/IPv6Routers/
Cheers
Sean
04-17-2012 06:11 PM
One more question: the list is applied as a prefix list, which is OK; however, I am not sure if the same prefixes can be used to, let's say, block connections on a public interface, i.e. the IPv4 list above doesn't permit connections from private networks 10.x.x.x, 172.16.x.x and 192.168.x.x.
I guess if I use reverse logic from the IPv6 prefix list I can only allow connections from those networks and block everything else. Would that bring the same result as in IPv4?
Thank you