best-practice_ipv6_security
Differences
This page shows the differences between two versions.
— | best-practice_ipv6_security [2014/06/20 11:21] (current) – created benny | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
+ | ====== Best Practice: IPv6-Security (RA-Guard, NH, ...) ====== | ||
+ | |||
+ | In diesem Artikel möchte ich ein ACL-Beispiel veröffentlichen mit dem man sich auf dem Alcatel-Lucent OmniSwitch gegen die typischen IPv6-Angriffe von Endanwendern absichern kann. | ||
+ | |||
+ | < | ||
+ | ! QOS condition-action-rule set that implements the RFC 4890 recommendations. | ||
+ | ! Please see: http:// | ||
+ | ! | ||
+ | ! The following port group MUST be modified with the ports that are not trusted for router-advertisements. | ||
+ | policy port group ra-not-trusted 1/1-10 | ||
+ | policy condition v6-ra source port group ra-not-trusted icmptype 134 icmpcode 0 ipv6 | ||
+ | policy condition v6-homeagent icmptype 144 ipv6 | ||
+ | policy condition v6-homeagentb icmptype 145 ipv6 | ||
+ | policy condition v6-mobility icmptype 146 ipv6 | ||
+ | policy condition v6-mobilityb icmptype 147 ipv6 | ||
+ | policy condition v6-redirects icmptype 137 ipv6 | ||
+ | policy condition v6-request icmptype 139 ipv6 | ||
+ | policy condition v6-requestb icmptype 140 ipv6 | ||
+ | policy condition v6-router-renum icmptype 138 ipv6 | ||
+ | policy action v6-deny disposition drop | ||
+ | policy rule drop-v6-redirects condition v6-redirects action v6-deny log | ||
+ | policy rule drop-v6-router-renum condition v6-router-renum action v6-deny log | ||
+ | policy rule drop-v6-request condition v6-request action v6-deny log | ||
+ | policy rule drop-v6-requestb condition v6-requestb action v6-deny log | ||
+ | policy rule drop-v6-homeagent condition v6-homeagent action v6-deny log | ||
+ | policy rule drop-v6-homeagentb condition v6-homeagentb action v6-deny log | ||
+ | policy rule drop-v6-mobility condition v6-mobility action v6-deny log | ||
+ | policy rule drop-v6-mobilityb condition v6-mobilityb action v6-deny log | ||
+ | policy rule drop-v6-ra condition v6-ra action v6-deny log | ||
+ | ! IPv6 security: Deprecate nh 0 | ||
+ | ! RFC 5095 deprecates nh 0. Please see: http:// | ||
+ | policy condition nh0 nh 0 ipv6 | ||
+ | policy rule drop-nh condition nh0 action v6-deny | ||
+ | </ | ||
+ | |||
+ | ====== TODO ====== | ||
+ | * OSPFv3, VRRPv3 und RIPng mit berücksichtigen | ||
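Review bot: The "nh0" condition at the end of the configuration block ("policy condition nh0 nh 0 ipv6") does not match what its comment describes. RFC 5095 deprecates the Type 0 Routing Header, which is a Routing extension header (Next Header value 43) carrying routing type 0, whereas Next Header value 0 is the Hop-by-Hop Options header. As written, "drop-nh" discards every packet whose first extension header is Hop-by-Hop Options, and that includes MLD messages, which are sent with a Router Alert option in that header. Either correct the comment to state that Hop-by-Hop Options are dropped and document the effect on MLD, or change the condition to target the Routing header if the platform's policy syntax can express that. "drop-nh" is also the only rule without "log", so its hits will not be recorded alongside the other drops; add "log" for consistency.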
best-practice_ipv6_security.txt · Last modified: 2014/06/20 11:21 by benny