BCP for securing IPv6 Linux end node in AWS

Eric_Germann2 · May 14, 2017, 1:29pm

Good morning all,

I’m looking for some guidance on best practices to secure IPv6 on Linux end nodes parked in AWS.

Boxes will be running various services (DNS for starters) and I’m looking to secure mainly ICMP at this point. Service filtering is fairly cut and dried.

I’ve reviewed some of the stuff out there, but apparently I’m catching too many of the ICMP types in the rejection as routing eventually breaks. My guess is router discovery gets broken by too tight of filters.

Thanks for any guidance.

EKG

Alarig_Le_Lay · May 14, 2017, 1:42pm

Hi,

Filtering ICMP breaks Internet and it is even more true with IPv6 as
almost all the bootstrap is based on ICMP (ND, RD, RA, etc.). Plus, you
will break connections where there is a MTU change on the path.

So, my advise is simply to not filter ICMP and ICMPv6. And by the way,
why do want to filter ICMP? You will not be DDoSed with pings.

Eric_Germann2 · May 14, 2017, 1:49pm

The goal isn’t to filter _all_ ICMP. The goal is to permit ICMP that is needed for correct operation across the global network while protecting from externally spoofed packets.

For example, on the IPv4 side, there arguably is no value to timestamp requests and address mask requests externally, so dump them.

Thoughts?

EKG

Bjorn_Mork · May 14, 2017, 1:54pm

Alarig Le Lay <alarig@swordarmor.fr> writes:

So, my advise is simply to not filter ICMP and ICMPv6. And by the way,
why do want to filter ICMP? You will not be DDoSed with pings.

I tend to agree. But if you still want to do it, then there is some
advice in https://tools.ietf.org/html/rfc4890

Bjørn

Enno_Rey · May 14, 2017, 2:12pm

Hi Eric,

in addition to RFC 4980 mentioned in another post you might consider the following sources as a starting point:

https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-3-traffic-filtering-in-ipv6-networks-i/
https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-4-traffic-filtering-in-ipv6-networks-ii/
https://www.troopers.de/media/filer_public/85/be/85bef719-59a4-4567-aebb-ce01f9484f4d/ernw_tr16_ipv6secsummit_enterprise_security_strategy_final.pdf
https://www.ernw.de/download/ERNW_Guide_to_Securely_Configure_Linux_Servers_For_IPv6_v1_0.pdf

cheers

Enno

Saku_Ytti1 · May 14, 2017, 2:30pm

Hey,

For example, on the IPv4 side, there arguably is no value to timestamp requests and address mask requests externally, so dump them.

It's very dangerous proposal when we start considering everything 0
value which isn't value to ourselves currently. Is ICMP TS known
attack vector? It has one particularly useful diagnostic purpose, you
can use it to measure unidirectional latencies up-to 1ms accuracy. It
has on occasions reduced needed troubleshooting time and reduced
amount of people who need to look into the problem.

Rich_Kulawiec · May 15, 2017, 10:57am

That's a good guess, but I would also guess that path MTU discovery
may be breaking. (Or not.) I think you may want to implement RFC 4890,
with a look at RFC 4443.

---rsk

JORDI_PALET_MARTINEZ · May 15, 2017, 11:18am

Just make sure that nothing breaks PTB as it happens if you don’t pay attention to ECMP.

RFC7690

1&1 in Germany has this issue since at least 18-24 months ago, so all their customers with IPv6 enabled are *broken* for anyone having a smaller MTU because tunnels or the ISP technology, etc. They are aware of that, I told them for many months, but is not yet fixed, so make sure you don’t use those data centers if you want to enable IPv6.

You can check this with any of their IPv6 enabled sites (thousands I guess), for example http://diskmakerx.com/

And a nice tool to check it:

https://nat64check.go6lab.si/

Regards,
Jordi