BCP for securing IPv6 Linux end node in AWS

Enno Rey erey at ernw.de
Sun May 14 14:12:13 UTC 2017


Hi Eric,

in addition to RFC 4980 mentioned in another post you might consider the following sources as a starting point:

https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-3-traffic-filtering-in-ipv6-networks-i/
https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-4-traffic-filtering-in-ipv6-networks-ii/
https://www.troopers.de/media/filer_public/85/be/85bef719-59a4-4567-aebb-ce01f9484f4d/ernw_tr16_ipv6secsummit_enterprise_security_strategy_final.pdf
https://www.ernw.de/download/ERNW_Guide_to_Securely_Configure_Linux_Servers_For_IPv6_v1_0.pdf

cheers

Enno

On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:
> Good morning all,
> 
> I???m looking for some guidance on best practices to secure IPv6 on Linux end nodes parked in AWS.
> 
> Boxes will be running various services (DNS for starters) and I???m looking to secure mainly ICMP at this point.  Service filtering is fairly cut and dried.  
> 
> I???ve reviewed some of the stuff out there, but apparently I???m catching too many of the ICMP types in the rejection as routing eventually breaks.  My guess is router discovery gets broken by too tight of filters.
> 
> Thanks for any guidance.
> 
> EKG
> 



-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================


More information about the NANOG mailing list