Benutzer-Werkzeuge

Webseiten-Werkzeuge


best-practice_ipv6_security

Best Practice: IPv6-Security (RA-Guard, NH, ...)

In diesem Artikel möchte ich ein ACL-Beispiel veröffentlichen mit dem man sich auf dem Alcatel-Lucent OmniSwitch gegen die typischen IPv6-Angriffe von Endanwendern absichern kann.

! QOS condition-action-rule set that implements the RFC 4890 recommendations.
! Please see: http://www.rfc-editor.org/rfc/rfc4890.txt
!
! The following port group MUST be modified with the ports that are not trusted for router-advertisements.
policy port group ra-not-trusted 1/1-10
policy condition v6-ra source port group ra-not-trusted icmptype 134 icmpcode 0 ipv6
policy condition v6-homeagent icmptype 144 ipv6
policy condition v6-homeagentb icmptype 145 ipv6
policy condition v6-mobility icmptype 146 ipv6
policy condition v6-mobilityb icmptype 147 ipv6
policy condition v6-redirects icmptype 137 ipv6
policy condition v6-request icmptype 139 ipv6
policy condition v6-requestb icmptype 140 ipv6
policy condition v6-router-renum icmptype 138 ipv6
policy action v6-deny disposition drop
policy rule drop-v6-redirects condition v6-redirects action v6-deny log
policy rule drop-v6-router-renum condition v6-router-renum action v6-deny log
policy rule drop-v6-request condition v6-request action v6-deny log
policy rule drop-v6-requestb condition v6-requestb action v6-deny log
policy rule drop-v6-homeagent condition v6-homeagent action v6-deny log
policy rule drop-v6-homeagentb condition v6-homeagentb action v6-deny log
policy rule drop-v6-mobility condition v6-mobility action v6-deny log
policy rule drop-v6-mobilityb condition v6-mobilityb action v6-deny log
policy rule drop-v6-ra condition v6-ra action v6-deny log
! IPv6 security: Deprecate nh 0
! RFC 5095 deprecates nh 0. Please see: http://www.rfc-editor.org/rfc/rfc5095.txt
policy condition nh0 nh 0 ipv6
policy rule drop-nh condition nh0 action v6-deny

TODO

  • OSPFv3, VRRPv3 und RIPng mit berücksichtigen
best-practice_ipv6_security.txt · Zuletzt geändert: 2014/06/20 13:21 von benny