IPv6 hardening Best Practices?

jdcardenas
Level 1

Hi,

I have been searching everywhere for information about best practices to harden Cisco devices when IPv6 is implemented. I have found many documents showing possible threats; however, some of them are more than 3 years old and don't give a good example of how to implement the best practices.

Does anyone have information or a guide on how to harden your devices when IPv6 is in place?

Thank you

5 Replies

sean_evershed
Level 7

Hi,

You will find some good references in the Design Zone for IPv6. Many of the documents there have been updated recently.

http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html

For example, see the IPv6 Campus Security section below:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html#wp390569

One of the best older references out there is IPv6 Security, 2008

http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945

See also IPv6 for Enterprises, 2011

http://www.ciscopress.com/bookstore/product.asp?isbn=1587142325

If you keep track of the Cisco Press ebook deals of the day you can purchase them at a heavily discounted rate.

http://www.ciscopress.com/deals/

Don't forget to rate posts that are helpful.

Thank you Sean. However, it seems there is no general guidance as there is for IPv4. I found a couple of good examples on your links, though.

One more question: is there any IPv6 ACL similar to the ones existing in IPv6 to harden an Internet connection? I.e., with IPv4 you can have:

deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 126.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.0.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 223.255.255.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any

Is there an IPv6 equivalent?

Sure, see below the reference from Team Cymru for filtering IPv6 bogons:

http://www.team-cymru.org/ReadingRoom/Templates/IPv6Routers/

Cheers

Sean

One more question... the list is applied as a prefix list, which is OK; however, I am not sure if the same prefixes can be used to, let's say, block connections on a public interface; i.e., the IPv4 list above doesn't permit connections from private networks 10.x.x.x, 172.16.x.x and 192.168.x.x.

I guess if I use reverse logic from the IPv6 prefix list I can only allow connections from those networks and block everything else. Would that bring the same result as in IPv4?

Thank you
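
The deny-by-source structure of the IPv4 list quoted in this thread, carried over to IPv6, as an added example that is not part of any post and not the Team Cymru template. The prefix list is a short illustrative set of well-known special-purpose ranges and the ACL name is hypothetical; the script emits IOS-style `ipv6 access-list` lines and evaluates sample source addresses top-down.

```python
import ipaddress

# Illustrative special-purpose IPv6 ranges that should never appear as a
# source address on an Internet-facing interface. This short list is an
# assumption for the example, not the Team Cymru template.
# fe80::/10 (link-local) is deliberately absent: neighbor discovery on the
# link itself uses link-local sources.
BOGON_SOURCES = [
    ("::1/128", "loopback"),
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("2001:db8::/32", "documentation"),
    ("fc00::/7", "unique local, closest analogue of RFC 1918"),
    ("fec0::/10", "deprecated site-local"),
    ("ff00::/8", "multicast, never valid as a source"),
]


def build_acl(name, bogons=BOGON_SOURCES):
    """Return IOS-style IPv6 ACL lines: deny each bogon source, permit the rest."""
    lines = [f"ipv6 access-list {name}"]
    for prefix, why in bogons:
        ipaddress.IPv6Network(prefix)  # validation only; ValueError on a bad prefix
        lines.append(f" remark {why}")
        lines.append(f" deny ipv6 {prefix} any")
    lines.append(" permit ipv6 any any")
    return lines


def first_match(src, bogons=BOGON_SOURCES):
    """Evaluate the ACL top-down for one source address (first match wins)."""
    addr = ipaddress.IPv6Address(src)
    for prefix, _ in bogons:
        if addr in ipaddress.IPv6Network(prefix):
            return "deny"
    return "permit"


if __name__ == "__main__":
    print("\n".join(build_acl("INTERNET-IN-V6")))  # hypothetical ACL name
    # Constructed sample source addresses
    for sample in ("fd12:3456::1", "2001:db8::5", "2600:1f00::1"):
        print(sample, first_match(sample))
```

On IOS, an IPv6 ACL is bound to an interface with `ipv6 traffic-filter <name> in`, which is how the generated list would be applied to the public side.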