best-practice_ipv6_security [2014/06/20 11:21] (current) – created by benny
====== Best Practice: IPv6 Security (RA-Guard, NH, ...) ======

In this article I want to publish an ACL example with which an Alcatel-Lucent OmniSwitch can be protected against the typical IPv6 attacks coming from end-user ports: rogue router advertisements, redirects, other ICMPv6 messages that an end host has no business sending, and the deprecated type 0 routing header. The rules use the switch's QoS policy framework: each ''policy condition'' matches an ICMPv6 type (or a next-header value), the ''v6-deny'' action drops the packet, and the changes only take effect after ''qos apply''. One caveat: a filter keyed on the ICMPv6 type only sees the first fragment, and RFC 6980 describes how NDP messages hidden in fragments evade exactly this kind of RA filter, so hosts should additionally drop fragmented NDP.
 +
<code>
! QOS condition-action-rule set that implements the RFC 4890 drop recommendations
! (plus RA filtering on untrusted ports). Please see: http://www.rfc-editor.org/rfc/rfc4890.txt
!
! The following port group MUST be modified with the ports that are not trusted for router advertisements.
policy port group ra-not-trusted 1/1-10
! Router Advertisement (type 134) coming in on an untrusted port
policy condition v6-ra source port group ra-not-trusted icmptype 134 icmpcode 0 ipv6
! Mobile IPv6 (types 144-147): drop unless MIPv6 is actually used on this network
policy condition v6-homeagent icmptype 144 ipv6
policy condition v6-homeagentb icmptype 145 ipv6
policy condition v6-mobility icmptype 146 ipv6
policy condition v6-mobilityb icmptype 147 ipv6
! Redirect (137), Node Information Query/Response (139/140), Router Renumbering (138)
policy condition v6-redirects icmptype 137 ipv6
policy condition v6-request icmptype 139 ipv6
policy condition v6-requestb icmptype 140 ipv6
policy condition v6-router-renum icmptype 138 ipv6
policy action v6-deny disposition drop
policy rule drop-v6-redirects condition v6-redirects action v6-deny log
policy rule drop-v6-router-renum condition v6-router-renum action v6-deny log
policy rule drop-v6-request condition v6-request action v6-deny log
policy rule drop-v6-requestb condition v6-requestb action v6-deny log
policy rule drop-v6-homeagent condition v6-homeagent action v6-deny log
policy rule drop-v6-homeagentb condition v6-homeagentb action v6-deny log
policy rule drop-v6-mobility condition v6-mobility action v6-deny log
policy rule drop-v6-mobilityb condition v6-mobilityb action v6-deny log
policy rule drop-v6-ra condition v6-ra action v6-deny log
! IPv6 security: deprecated routing header type 0 (RH0)
! RFC 5095 deprecates routing header type 0, NOT next header 0. Next header 0 is the
! Hop-by-Hop Options header, which MLD depends on; dropping it breaks multicast and MLD snooping.
! The QoS condition matches the Next Header value (the first extension header only), so
! 'nh 43' drops every routing header type, not just RH0; RH2 (Mobile IPv6) is blocked
! here anyway by the rules above. Please see: http://www.rfc-editor.org/rfc/rfc5095.txt
policy condition v6-routing-hdr nh 43 ipv6
policy rule drop-v6-routing-hdr condition v6-routing-hdr action v6-deny log
! Activate the policy changes with: qos apply
</code>
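As an added example (not code from this page or from Alcatel-Lucent), the following Python script audits a rule set written in the syntax above against the RFC 4890 drop list. It assumes the simple keyword-value grammar of the lines shown, ignores ''policy port group'' definitions, and embeds a constructed copy of the rule set that still contains the ''nh 0'' line, so that the Hop-by-Hop mistake is reported alongside the coverage gaps:

```python
"""Audit an OmniSwitch IPv6 QoS rule set against the RFC 4890 drop list.

Added example, not code from the wiki page or from Alcatel-Lucent. It
understands only the 'policy condition / action / rule' lines used on the
page (assumed grammar: keyword-value pairs; 'policy port group' lines are
ignored) and reports which ICMPv6 types are dropped, which RFC 4890 "should
be dropped" types are still missing, and whether next header 0 (Hop-by-Hop
Options) is dropped by mistake instead of routing header type 0.
"""

# RFC 4890 section 4.3.4: Node Information 139/140, Router Renumbering 138,
# experimental 100/101/200/201 and the extension type numbers 127/255.
RFC4890_DROP = {100, 101, 127, 138, 139, 140, 200, 201, 255}
# RFC 4890 section 4.3.3: Mobile IPv6 types, dropped unless MIPv6 is used.
RFC4890_MIPV6 = {144, 145, 146, 147}
# RFC 4890 section 4.3.1: Redirect is dropped at the firewall.
RFC4890_REDIRECT = {137}

# Constructed input: the page's rule set with the 'nh 0' line as published.
SAMPLE_CONFIG = """\
! untrusted ports for router advertisements
policy port group ra-not-trusted 1/1-10
policy condition v6-ra source port group ra-not-trusted icmptype 134 icmpcode 0 ipv6
policy condition v6-homeagent icmptype 144 ipv6
policy condition v6-homeagentb icmptype 145 ipv6
policy condition v6-mobility icmptype 146 ipv6
policy condition v6-mobilityb icmptype 147 ipv6
policy condition v6-redirects icmptype 137 ipv6
policy condition v6-request icmptype 139 ipv6
policy condition v6-requestb icmptype 140 ipv6
policy condition v6-router-renum icmptype 138 ipv6
policy condition nh0 nh 0 ipv6
policy action v6-deny disposition drop
policy rule drop-v6-ra condition v6-ra action v6-deny log
policy rule drop-v6-homeagent condition v6-homeagent action v6-deny log
policy rule drop-v6-homeagentb condition v6-homeagentb action v6-deny log
policy rule drop-v6-mobility condition v6-mobility action v6-deny log
policy rule drop-v6-mobilityb condition v6-mobilityb action v6-deny log
policy rule drop-v6-redirects condition v6-redirects action v6-deny log
policy rule drop-v6-request condition v6-request action v6-deny log
policy rule drop-v6-requestb condition v6-requestb action v6-deny log
policy rule drop-v6-router-renum condition v6-router-renum action v6-deny log
policy rule drop-nh condition nh0 action v6-deny
"""


def parse(config):
    """Return (conditions, actions, rules) parsed from the config text."""
    conditions, actions, rules = {}, {}, []
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!") or tok[0] != "policy":
            continue  # blank line, comment or non-policy command
        kind, name, rest = tok[1], tok[2], tok[3:]
        if kind == "condition":
            cond, i = {}, 0
            while i < len(rest):
                if rest[i:i + 3] == ["source", "port", "group"]:
                    cond["port_group"] = rest[i + 3]
                    i += 4
                elif rest[i] in ("icmptype", "icmpcode", "nh"):
                    cond[rest[i]] = int(rest[i + 1])
                    i += 2
                elif rest[i] == "ipv6":
                    i += 1
                else:
                    raise ValueError(f"unsupported keyword {rest[i]!r} in: {raw}")
            conditions[name] = cond
        elif kind == "action":
            actions[name] = rest[rest.index("disposition") + 1]
        elif kind == "rule":
            rules.append({"name": name,
                          "condition": rest[rest.index("condition") + 1],
                          "action": rest[rest.index("action") + 1]})
    return conditions, actions, rules


def audit(config, mipv6_in_use=False):
    """Summarise what the drop rules cover and flag known mistakes."""
    conditions, actions, rules = parse(config)
    dropped, per_group, findings = set(), {}, []
    for rule in rules:
        cond = conditions.get(rule["condition"])
        if cond is None:
            findings.append(f"{rule['name']}: unknown condition {rule['condition']}")
            continue
        if actions.get(rule["action"]) != "drop":
            continue  # only drop rules count towards coverage
        nh = cond.get("nh")
        if nh == 0:
            findings.append(f"{rule['name']}: drops next header 0 (Hop-by-Hop Options), "
                            "which MLD needs; RFC 5095 deprecates routing header type 0")
        elif nh == 43:
            findings.append(f"{rule['name']}: drops next header 43, i.e. every routing "
                            "header type, not only RH0")
        if "icmptype" in cond:
            if "port_group" in cond:  # port-scoped rule such as the RA filter
                per_group.setdefault(cond["port_group"], set()).add(cond["icmptype"])
            else:
                dropped.add(cond["icmptype"])
    expected = RFC4890_DROP | RFC4890_REDIRECT
    if not mipv6_in_use:
        expected |= RFC4890_MIPV6
    return {"dropped": dropped, "per_group": per_group,
            "missing": expected - dropped, "findings": findings}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the page's rule set, the audit reports 134 dropped only on ''ra-not-trusted'', the eight globally dropped types, the Hop-by-Hop finding for ''drop-nh'', and the RFC 4890 types the rule set does not cover (the experimental and reserved numbers 100, 101, 127, 200, 201 and 255). Whether those deserve their own rules on an access switch is a judgement call; the script only makes the gap visible.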

====== TODO ======
  * Also cover OSPFv3, VRRPv3 and RIPng