best-practice_ipv6_security [2014/06/20 13:21] (current), created by benny
====== Best Practice: IPv6 Security (RA-Guard, NH, ...) ======

In this article I want to publish an ACL example that can be used on an Alcatel-Lucent OmniSwitch to protect against the typical IPv6 attacks coming from end users.

<code>
! QOS condition-action-rule set that implements the RFC 4890 recommendations.
! Please see: http://www.rfc-editor.org/rfc/rfc4890.txt
!
! The following port group MUST be modified with the ports that are not trusted for router-advertisements.
policy port group ra-not-trusted 1/1-10
! Router Advertisements (ICMPv6 type 134) are only matched when they arrive on an untrusted port.
policy condition v6-ra source port group ra-not-trusted icmptype 134 icmpcode 0 ipv6
! ICMPv6 types: 144/145 home agent address discovery request/reply, 146/147 mobile prefix
! solicitation/advertisement, 137 redirect, 139/140 node information query/response,
! 138 router renumbering.
policy condition v6-homeagent icmptype 144 ipv6
policy condition v6-homeagentb icmptype 145 ipv6
policy condition v6-mobility icmptype 146 ipv6
policy condition v6-mobilityb icmptype 147 ipv6
policy condition v6-redirects icmptype 137 ipv6
policy condition v6-request icmptype 139 ipv6
policy condition v6-requestb icmptype 140 ipv6
policy condition v6-router-renum icmptype 138 ipv6
policy action v6-deny disposition drop
policy rule drop-v6-redirects condition v6-redirects action v6-deny log
policy rule drop-v6-router-renum condition v6-router-renum action v6-deny log
policy rule drop-v6-request condition v6-request action v6-deny log
policy rule drop-v6-requestb condition v6-requestb action v6-deny log
policy rule drop-v6-homeagent condition v6-homeagent action v6-deny log
policy rule drop-v6-homeagentb condition v6-homeagentb action v6-deny log
policy rule drop-v6-mobility condition v6-mobility action v6-deny log
policy rule drop-v6-mobilityb condition v6-mobilityb action v6-deny log
policy rule drop-v6-ra condition v6-ra action v6-deny log
! IPv6 security: Deprecate nh 0
! RFC 5095 deprecates nh 0 (the Type 0 Routing Header). Please see: http://www.rfc-editor.org/rfc/rfc5095.txt
policy condition nh0 nh 0 ipv6
policy rule drop-nh condition nh0 action v6-deny
</code>
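As an added check that is not part of the original article: a small Python audit script that parses OmniSwitch policy lines in the format shown above (an assumption about the syntax, based only on the lines in this article) and reports which of the ICMPv6 types and next-header values the ACL drops are missing from a given config, which drop rules do not log, whether the RA rule lacks a source port group (which would also drop the real router's advertisements), and whether the `ra-not-trusted` group still holds the placeholder `1/1-10`.

```python
import re
# Drops the article's ACL implements; assumption: treated here as the required coverage.
EXPECTED_ICMPV6_DROPS = {134, 137, 138, 139, 140, 144, 145, 146, 147}
EXPECTED_NH_DROPS = {0}
PLACEHOLDER_PORTS = "1/1-10"  # port group value the article says must be replaced
GROUP_RE = re.compile(r"^policy port group (\S+) (\S+)$")
COND_RE = re.compile(r"^policy condition (\S+)\s+(.*)$")
ACTION_RE = re.compile(r"^policy action (\S+) disposition (\S+)$")
RULE_RE = re.compile(r"^policy rule (\S+) condition (\S+) action (\S+)( log)?$")

def parse_policy(text):
    """Parse OmniSwitch 'policy ...' lines into port groups, conditions, actions and rules."""
    groups, conds, actions, rules = {}, {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # blank line or '!' comment
            continue
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
        elif m := COND_RE.match(line):
            name, attrs = m.groups()
            # keep the value after each keyword we care about (None if the keyword is absent)
            conds[name] = {k: (mm.group(1) if (mm := re.search(rf"\b{k} (\S+)", attrs)) else None)
                           for k in ("icmptype", "nh", "source port group")}
        elif m := ACTION_RE.match(line):
            actions[m.group(1)] = m.group(2)
        elif m := RULE_RE.match(line):
            rules.append((m.group(1), m.group(2), m.group(3), m.group(4) is not None))
    return groups, conds, actions, rules

def audit(text):
    """Compare a policy config against the article's drop list and flag hygiene issues."""
    groups, conds, actions, rules = parse_policy(text)
    dropped_icmp, dropped_nh, unlogged, ra_unrestricted = set(), set(), [], False
    for name, cond, action, logged in rules:
        c = conds.get(cond)
        if c is None or actions.get(action) != "drop":
            continue  # unknown condition, or the rule does not drop
        if c["icmptype"] is not None:
            dropped_icmp.add(int(c["icmptype"]))
            if c["icmptype"] == "134" and c["source port group"] is None:
                ra_unrestricted = True  # would also drop the legitimate router's RAs
        if c["nh"] is not None:
            dropped_nh.add(int(c["nh"]))
        if not logged:
            unlogged.append(name)
    return {"missing_icmp": EXPECTED_ICMPV6_DROPS - dropped_icmp, "missing_nh": EXPECTED_NH_DROPS - dropped_nh,
            "unlogged_rules": unlogged, "ra_unrestricted": ra_unrestricted,
            "placeholder_groups": [g for g, v in groups.items() if v == PLACEHOLDER_PORTS]}
```

Run `audit()` on the text of `show configuration snapshot qos` (or on the block above) before and after editing the port group; a non-empty `placeholder_groups` means the ACL was pasted without adapting it.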
 +
====== TODO ======
  * Also take OSPFv3, VRRPv3 and RIPng into account
  
best-practice_ipv6_security.txt · Last modified: 2014/06/20 13:21 by benny