[LAC-TF] [lacnog] IPv6 security configuration standard for IOS routers

Antonio Ricapito antonio_ricapito at hotmail.com
Tue Nov 30 18:59:18 BRST 2010


Dear all:


I am trying to put together a configuration standard for Cisco IOS provider edge routers running full BGP in IPv6 that covers the security aspects, and along those lines I would like to share it with you and hear your suggestions. The MARTIAN AND BOGONS ingress filter needs to be complemented with an anti-spoofing filter.
 
The IPv4 configuration is omitted.
 
The general recommendation is, as a starting point, to apply the same rules and policies used for IPv4 (with some exceptions), plus others specific to IPv6 (such as extension headers/fragments). This applies in particular to ACLs, VTY, ICMP and BGP.
 
I also recommend an NSA/DoD document with IPv6 security recommendations for Cisco routers
http://www.nsa.gov/ia/_files/routers/I33-002R-06.pdf
 
For Martian/Bogon filtering I recommend reading
http://6session.wordpress.com/2009/04/08/ipv6-martian-and-bogon-filters/
and looking at
http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
 
From this I can summarise the following:
 
For provider WAN connections (the mask can be /126, /120 or another)
 
!
ipv6 unicast-routing
no ipv6 source-route
ipv6 cef

!
interface FastEthernet0/0 
description WAN (nei 2001:db8::2)
ipv6 address 2001:db8::1/120 
ipv6 enable
ipv6 traffic-filter FILTER-MARTIANS-AND-BOGONS in
no ipv6 redirects
no ipv6 unreachables
ipv6 nd ra suppress
!
 
!
router bgp XXXX
no synchronization
bgp router-id 1.1.1.1
no bgp fast-external-fallover
bgp log-neighbor-changes
neighbor 2001:db8:1::32:238 remote-as YYYY
neighbor 2001:db8:1::32:238 ebgp-multihop 2
neighbor 2001:db8:1::32:238 password 7 XXXXX
neighbor 2001:db8:1::32:238 update-source Loopback0
no auto-summary
!
!
address-family ipv6
  neighbor 2001:db8:1::32:238 activate
  neighbor 2001:db8:1::32:238 remove-private-as
  neighbor 2001:db8:1::32:238 prefix-list MARTIANS in
  neighbor 2001:db8:1::32:238 prefix-list MYPREFIX out
exit-address-family
!
!
ipv6 route 2001:db8:1::32:238/128 2001:db8::2
!
!
ipv6 prefix-list MARTIANS description MARTIAN PREFIX-LIST
ipv6 prefix-list MARTIANS seq 10 deny ::/128
ipv6 prefix-list MARTIANS seq 20 deny ::/96 le 128
ipv6 prefix-list MARTIANS seq 30 deny ::/128
ipv6 prefix-list MARTIANS seq 40 deny ::1/128
ipv6 prefix-list MARTIANS seq 50 deny ::FFFF:0.0.0.0/96
ipv6 prefix-list MARTIANS seq 60 deny ::208.0.0.0/100
ipv6 prefix-list MARTIANS seq 70 deny ::127.0.0.0/104
ipv6 prefix-list MARTIANS seq 80 deny ::/104
ipv6 prefix-list MARTIANS seq 90 deny ::255.0.0.0/104
ipv6 prefix-list MARTIANS seq 100 deny ::/8 le 128
ipv6 prefix-list MARTIANS seq 110 deny 200::/7 le 128
ipv6 prefix-list MARTIANS seq 120 deny 3FFE::/16 le 128
ipv6 prefix-list MARTIANS seq 130 deny 2001:DB8::/32 le 128
ipv6 prefix-list MARTIANS seq 140 deny 2002:E000::/20
ipv6 prefix-list MARTIANS seq 150 deny 2002:7F00::/24
ipv6 prefix-list MARTIANS seq 160 deny 2002::/24
ipv6 prefix-list MARTIANS seq 170 deny 2002:FF00::/24
ipv6 prefix-list MARTIANS seq 190 deny 2002:A00::/24
ipv6 prefix-list MARTIANS seq 200 deny 2002:AC10::/28
ipv6 prefix-list MARTIANS seq 210 deny 2002:C0A8::/32
ipv6 prefix-list MARTIANS seq 220 deny FC00::/7 le 128
ipv6 prefix-list MARTIANS seq 230 deny FE80::/10 le 128
ipv6 prefix-list MARTIANS seq 240 deny FEC0::/10 le 128
ipv6 prefix-list MARTIANS seq 250 deny FF00::/8 le 128
ipv6 prefix-list MARTIANS seq 260 permit 2001::/23 le 64
ipv6 prefix-list MARTIANS seq 270 permit 2001:200::/23 le 64
ipv6 prefix-list MARTIANS seq 280 permit 2001:400::/23 le 64
ipv6 prefix-list MARTIANS seq 290 permit 2001:600::/23 le 64
ipv6 prefix-list MARTIANS seq 300 permit 2001:800::/23 le 64
ipv6 prefix-list MARTIANS seq 310 permit 2001:A00::/23 le 64
ipv6 prefix-list MARTIANS seq 320 permit 2001:C00::/23 le 64
ipv6 prefix-list MARTIANS seq 330 permit 2001:E00::/23 le 64
ipv6 prefix-list MARTIANS seq 340 permit 2001:1200::/23 le 64
ipv6 prefix-list MARTIANS seq 350 permit 2001:1400::/23 le 64
ipv6 prefix-list MARTIANS seq 360 permit 2001:1600::/23 le 64
ipv6 prefix-list MARTIANS seq 370 permit 2001:1800::/23 le 64
ipv6 prefix-list MARTIANS seq 380 permit 2001:1A00::/23 le 64
ipv6 prefix-list MARTIANS seq 390 permit 2001:1C00::/22 le 64
ipv6 prefix-list MARTIANS seq 400 permit 2001:2000::/20 le 64
ipv6 prefix-list MARTIANS seq 410 permit 2001:3000::/21 le 64
ipv6 prefix-list MARTIANS seq 420 permit 2001:3800::/22 le 64
ipv6 prefix-list MARTIANS seq 430 permit 2001:4000::/23 le 64
ipv6 prefix-list MARTIANS seq 440 permit 2001:4200::/23 le 64
ipv6 prefix-list MARTIANS seq 450 permit 2001:4400::/23 le 64
ipv6 prefix-list MARTIANS seq 460 permit 2001:4600::/23 le 64
ipv6 prefix-list MARTIANS seq 470 permit 2001:4800::/23 le 64
ipv6 prefix-list MARTIANS seq 480 permit 2001:4A00::/23 le 64
ipv6 prefix-list MARTIANS seq 490 permit 2001:4C00::/23 le 64
ipv6 prefix-list MARTIANS seq 500 permit 2001:5000::/20 le 64
ipv6 prefix-list MARTIANS seq 510 permit 2001:8000::/19 le 64
ipv6 prefix-list MARTIANS seq 520 permit 2001:A000::/20 le 64
ipv6 prefix-list MARTIANS seq 530 permit 2001:B000::/20 le 64
ipv6 prefix-list MARTIANS seq 540 permit 2002::/16 le 64
ipv6 prefix-list MARTIANS seq 550 permit 2003::/18 le 64
ipv6 prefix-list MARTIANS seq 560 permit 2400::/12 le 64
ipv6 prefix-list MARTIANS seq 570 permit 2600::/12 le 64
ipv6 prefix-list MARTIANS seq 580 permit 2610::/23 le 64
ipv6 prefix-list MARTIANS seq 590 permit 2620::/23 le 64
ipv6 prefix-list MARTIANS seq 600 permit 2800::/12 le 64
ipv6 prefix-list MARTIANS seq 610 permit 2A00::/12 le 64
ipv6 prefix-list MARTIANS seq 620 permit 2C00::/12 le 64
!
!
ipv6 access-list FILTER-MARTIANS-AND-BOGONS
remark ACL TO DROP ALL PACKETS WITH IPv6 MARTIAN SOURCE ADDRESSES
remark FIRST THE MARTIANS
deny ipv6 host :: any
deny ipv6 host ::1 any
deny ipv6 ::FFFF:0.0.0.0/96 any
deny ipv6 ::208.0.0.0/100 any
deny ipv6 ::127.0.0.0/104 any
deny ipv6 ::/104 any
deny ipv6 ::255.0.0.0/104 any
deny ipv6 ::/8 any
deny ipv6 200::/7 any
deny ipv6 3FFE::/16 any
deny ipv6 2001:DB8::/32 any
deny ipv6 2002:E000::/20 any
deny ipv6 2002:7F00::/24 any
deny ipv6 2002::/24 any
deny ipv6 2002:FF00::/24 any
deny ipv6 2002:A00::/24 any
deny ipv6 2002:AC10::/28 any
deny ipv6 2002:C0A8::/32 any
deny ipv6 FC00::/7 any
deny ipv6 FE80::/10 any
deny ipv6 FEC0::/10 any
deny ipv6 FF00::/8 any
remark PERMIT ALLOCATED (NON-BOGON) NETWORKS. THIS SECTION MUST BE KEPT UP TO DATE FROM THE IANA SOURCE
permit ipv6 2001::/23 any
permit ipv6 2001:200::/23 any
permit ipv6 2001:400::/23 any
permit ipv6 2001:600::/23 any
permit ipv6 2001:800::/23 any
permit ipv6 2001:A00::/23 any
permit ipv6 2001:C00::/23 any
permit ipv6 2001:E00::/23 any
permit ipv6 2001:1200::/23 any
permit ipv6 2001:1400::/23 any
permit ipv6 2001:1600::/23 any
permit ipv6 2001:1800::/23 any
permit ipv6 2001:1A00::/23 any
permit ipv6 2001:1C00::/22 any
permit ipv6 2001:2000::/20 any
permit ipv6 2001:3000::/21 any
permit ipv6 2001:3800::/22 any
permit ipv6 2001:4000::/23 any
permit ipv6 2001:4200::/23 any
permit ipv6 2001:4400::/23 any
permit ipv6 2001:4600::/23 any
permit ipv6 2001:4800::/23 any
permit ipv6 2001:4A00::/23 any
permit ipv6 2001:4C00::/23 any
permit ipv6 2001:5000::/20 any
permit ipv6 2001:8000::/19 any
permit ipv6 2001:A000::/20 any
permit ipv6 2001:B000::/20 any
permit ipv6 2002::/16 any
permit ipv6 2003::/18 any
permit ipv6 2400::/12 any
permit ipv6 2600::/12 any
permit ipv6 2610::/23 any
permit ipv6 2620::/23 any
permit ipv6 2800::/12 any
permit ipv6 2A00::/12 any
permit ipv6 2C00::/12 any
!
ipv6 access-list remote-mgmt-acl
remark allow login only to loopback0
remark the permit below is a placeholder: replace MGMT-PREFIX/LEN with the management source prefix
permit ipv6 <MGMT-PREFIX/LEN> any
deny ipv6 any any log-input
!
line vty 0 4
exec-timeout 35791 0
ipv6 access-class remote-mgmt-acl in
login
transport input telnet ssh
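To check filters like the ones above before they reach a router, here is an added Python example (not part of the original post and not Cisco tooling). It parses constructed excerpts of FILTER-MARTIANS-AND-BOGONS and of prefix-list MARTIANS, taken from the lines posted above, and evaluates sample sources and routes with IOS matching rules: first match wins, an ACL ends in an implicit deny, and a prefix-list entry without `ge`/`le` matches only that exact prefix length. The function names, the choice of excerpt lines and the test addresses are my own.

```python
"""Offline evaluator for IOS IPv6 martian/bogon filters (added example, not
part of the original post). Parses constructed excerpts of the posted ACL and
prefix-list and applies IOS matching rules to sample sources and routes."""
import ipaddress
import re
from typing import NamedTuple

# Constructed excerpt of the posted ACL (same syntax, fewer lines).
ACL_SAMPLE = """
deny ipv6 host :: any
deny ipv6 host ::1 any
deny ipv6 ::FFFF:0.0.0.0/96 any
deny ipv6 ::/8 any
deny ipv6 2001:DB8::/32 any
deny ipv6 2002:C0A8::/32 any
deny ipv6 FE80::/10 any
permit ipv6 2001::/23 any
permit ipv6 2001:4800::/23 any
permit ipv6 2002::/16 any
permit ipv6 2A00::/12 any
"""
# Constructed excerpt of the posted prefix-list; the seq 10/30 duplicate is kept.
PREFIX_LIST_SAMPLE = """
ipv6 prefix-list MARTIANS seq 10 deny ::/128
ipv6 prefix-list MARTIANS seq 30 deny ::/128
ipv6 prefix-list MARTIANS seq 130 deny 2001:DB8::/32 le 128
ipv6 prefix-list MARTIANS seq 160 deny 2002::/24
ipv6 prefix-list MARTIANS seq 210 deny 2002:C0A8::/32
ipv6 prefix-list MARTIANS seq 540 permit 2002::/16 le 64
ipv6 prefix-list MARTIANS seq 610 permit 2A00::/12 le 64
"""
ACL_RE = re.compile(r"^(permit|deny)\s+ipv6\s+(?:host\s+(\S+)|(\S+))\s+any$")
PL_RE = re.compile(r"^ipv6 prefix-list \S+ seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

class AclEntry(NamedTuple):
    action: str
    network: ipaddress.IPv6Network

class PlEntry(NamedTuple):
    seq: int
    action: str
    network: ipaddress.IPv6Network
    ge: int  # shortest prefix length the entry matches
    le: int  # longest prefix length the entry matches

def parse_acl(text):
    """Parse 'permit|deny ipv6 <src> any' lines; remarks and '!' are skipped."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(("remark", "!")):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        host, prefix = m.group(2), m.group(3)
        # 'host X' means X/128; strict=False tolerates set host bits in a prefix
        net = ipaddress.IPv6Network(host) if host else ipaddress.IPv6Network(prefix, strict=False)
        entries.append(AclEntry(m.group(1), net))
    return entries

def parse_prefix_list(text):
    """IOS length rules: no ge/le -> exact; ge only -> ge..128; le only -> len..le; both -> ge..le."""
    entries = []
    for line in text.strip().splitlines():
        m = PL_RE.match(line.strip())
        if not m:
            continue  # blank and 'description' lines
        net = ipaddress.IPv6Network(m.group(3), strict=False)
        ge, le = m.group(4), m.group(5)
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (128 if ge else net.prefixlen)
        entries.append(PlEntry(int(m.group(1)), m.group(2), net, lo, hi))
    return entries

def acl_verdict(entries, source):
    """First-match evaluation of a packet source; implicit deny at the end."""
    addr = ipaddress.IPv6Address(source)
    for e in entries:
        if addr in e.network:
            return e.action
    return "deny"

def prefix_list_verdict(entries, prefix):
    """First-match evaluation of a route; returns (action, matching seq or None)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    for e in entries:
        if net.subnet_of(e.network) and e.ge <= net.prefixlen <= e.le:
            return e.action, e.seq
    return "deny", None  # implicit deny when no entry matches

def duplicate_entries(entries):
    """Pairs of seq numbers whose action, prefix and length range are identical."""
    seen, dups = {}, []
    for e in entries:
        key = (e.action, e.network, e.ge, e.le)
        if key in seen:
            dups.append((seen[key], e.seq))
        else:
            seen[key] = e.seq
    return dups

ACL = parse_acl(ACL_SAMPLE)
PREFIX_LIST = parse_prefix_list(PREFIX_LIST_SAMPLE)

if __name__ == "__main__":
    print(acl_verdict(ACL, "fe80::1"), prefix_list_verdict(PREFIX_LIST, "2002:c0a8::/40"),
          duplicate_entries(PREFIX_LIST))
```

Running it over the excerpts surfaces two things the long lists make easy to miss: `seq 10` and `seq 30` of MARTIANS are identical, and the 6to4 deny entries (for example `seq 210 deny 2002:C0A8::/32`) carry no `le`, so a more specific route such as `2002:c0a8::/40` falls through to `seq 540 permit 2002::/16 le 64`. Also note that `deny ipv6 FE80::/10 any` is an explicit entry, and on IOS explicit entries are evaluated before the implicit Neighbor Discovery permits at the end of an IPv6 ACL, so its effect on the WAN link where the filter is applied inbound is worth verifying in a lab first.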