[LACNIC/Seguridad] Fwd: [LAC-TF] [lacnog] Security configuration standard for IPv6 IOS routers

Carlos Martinez-Cagnazzo carlosm3011 en gmail.com
Thu Dec 2 11:52:51 BRST 2010


I found it interesting, so I am sharing it here as well.


---------- Forwarded message ----------
From: Antonio Ricapito <antonio_ricapito en hotmail.com>
Date: 2010/11/30
Subject: [LAC-TF]  [lacnog] Security configuration standard
for IPv6 IOS routers
To: lactf en lac.ipv6tf.org


Dear all:


I am trying to put together a configuration standard for provider
border routers running Cisco IOS with full BGP in IPv6 that covers the
security aspects, and along those lines I would like to share it with
you and hear your suggestions. The inbound MARTIAN AND BOGONS filter
needs to be complemented with an antispoofing filter.

The IPv4 configuration is omitted.


The general recommendation is, in principle, to apply the same rules
and policies used for IPv4 (with some exceptions), plus others that are
specific to IPv6 (such as extension headers/fragments). This applies in
particular to ACLs, VTY, ICMP and BGP.



I also recommend an NSA/DoD document with IPv6 security
recommendations for Cisco routers

http://www.nsa.gov/ia/_files/routers/I33-002R-06.pdf



For Martian/Bogon filtering I recommend reading

http://6session.wordpress.com/2009/04/08/ipv6-martian-and-bogon-filters/

and looking at

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt


From this I can summarize the following:

For provider WAN connections (the mask may be /126, /120 or another)

!
ipv6 unicast-routing
no ipv6 source-route
ipv6 cef
!
interface FastEthernet0/0
 description WAN (nei 2001:db8::2)
 ipv6 address 2001:db8::1/120
 ipv6 enable
 ipv6 traffic-filter FILTER-MARTIANS-AND-BOGONS in
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 nd ra suppress
!



!
router bgp XXXX
 no synchronization
 bgp router-id 1.1.1.1
 no bgp fast-external-fallover
 bgp log-neighbor-changes
 ! the IPv6 neighbor is activated only under address-family ipv6 below;
 ! without this line IOS also activates it for IPv4 unicast by default
 no bgp default ipv4-unicast
 neighbor 2001:db8:1::32:238 remote-as YYYY
 neighbor 2001:db8:1::32:238 ebgp-multihop 2
 ! type 7 encoding is reversible; the session is protected by the TCP MD5 option, not by the encoding
 neighbor 2001:db8:1::32:238 password 7 XXXXX
 neighbor 2001:db8:1::32:238 update-source Loopback0
 no auto-summary
 !
 address-family ipv6
  neighbor 2001:db8:1::32:238 activate
  neighbor 2001:db8:1::32:238 remove-private-as
  neighbor 2001:db8:1::32:238 prefix-list MARTIANS in
  ! MYPREFIX (the provider's own prefixes announced to the peer) is referenced here but not defined in this post
  neighbor 2001:db8:1::32:238 prefix-list MYPREFIX out
 exit-address-family
!
! static route to the multihop peer's address via the directly connected WAN neighbor
ipv6 route 2001:db8:1::32:238/128 2001:db8::2
!

! every deny entry carries "le 128": without it an entry matches only an announcement of
! exactly that length, and a more-specific of a martian prefix (e.g. 2002:E000::/24) would
! fall through to the permit entries. The permit section lists allocated IANA unicast blocks
! and must be kept in sync with the IANA source; an implicit deny ends the list.
ipv6 prefix-list MARTIANS description MARTIAN PREFIX-LIST
ipv6 prefix-list MARTIANS seq 10 deny ::/128
ipv6 prefix-list MARTIANS seq 20 deny ::/96 le 128
ipv6 prefix-list MARTIANS seq 40 deny ::1/128
ipv6 prefix-list MARTIANS seq 50 deny ::FFFF:0.0.0.0/96 le 128
ipv6 prefix-list MARTIANS seq 60 deny ::208.0.0.0/100 le 128
ipv6 prefix-list MARTIANS seq 70 deny ::127.0.0.0/104 le 128
ipv6 prefix-list MARTIANS seq 80 deny ::/104 le 128
ipv6 prefix-list MARTIANS seq 90 deny ::255.0.0.0/104 le 128
ipv6 prefix-list MARTIANS seq 100 deny ::/8 le 128
ipv6 prefix-list MARTIANS seq 110 deny 200::/7 le 128
ipv6 prefix-list MARTIANS seq 120 deny 3FFE::/16 le 128
ipv6 prefix-list MARTIANS seq 130 deny 2001:DB8::/32 le 128
ipv6 prefix-list MARTIANS seq 140 deny 2002:E000::/20 le 128
ipv6 prefix-list MARTIANS seq 150 deny 2002:7F00::/24 le 128
ipv6 prefix-list MARTIANS seq 160 deny 2002::/24 le 128
ipv6 prefix-list MARTIANS seq 170 deny 2002:FF00::/24 le 128
ipv6 prefix-list MARTIANS seq 190 deny 2002:A00::/24 le 128
ipv6 prefix-list MARTIANS seq 200 deny 2002:AC10::/28 le 128
ipv6 prefix-list MARTIANS seq 210 deny 2002:C0A8::/32 le 128
ipv6 prefix-list MARTIANS seq 220 deny FC00::/7 le 128
ipv6 prefix-list MARTIANS seq 230 deny FE80::/10 le 128
ipv6 prefix-list MARTIANS seq 240 deny FEC0::/10 le 128
ipv6 prefix-list MARTIANS seq 250 deny FF00::/8 le 128
ipv6 prefix-list MARTIANS seq 260 permit 2001::/23 le 64
ipv6 prefix-list MARTIANS seq 270 permit 2001:200::/23 le 64
ipv6 prefix-list MARTIANS seq 280 permit 2001:400::/23 le 64
ipv6 prefix-list MARTIANS seq 290 permit 2001:600::/23 le 64
ipv6 prefix-list MARTIANS seq 300 permit 2001:800::/23 le 64
ipv6 prefix-list MARTIANS seq 310 permit 2001:A00::/23 le 64
ipv6 prefix-list MARTIANS seq 320 permit 2001:C00::/23 le 64
ipv6 prefix-list MARTIANS seq 330 permit 2001:E00::/23 le 64
ipv6 prefix-list MARTIANS seq 340 permit 2001:1200::/23 le 64
ipv6 prefix-list MARTIANS seq 350 permit 2001:1400::/23 le 64
ipv6 prefix-list MARTIANS seq 360 permit 2001:1600::/23 le 64
ipv6 prefix-list MARTIANS seq 370 permit 2001:1800::/23 le 64
ipv6 prefix-list MARTIANS seq 380 permit 2001:1A00::/23 le 64
ipv6 prefix-list MARTIANS seq 390 permit 2001:1C00::/22 le 64
ipv6 prefix-list MARTIANS seq 400 permit 2001:2000::/20 le 64
ipv6 prefix-list MARTIANS seq 410 permit 2001:3000::/21 le 64
ipv6 prefix-list MARTIANS seq 420 permit 2001:3800::/22 le 64
ipv6 prefix-list MARTIANS seq 430 permit 2001:4000::/23 le 64
ipv6 prefix-list MARTIANS seq 440 permit 2001:4200::/23 le 64
ipv6 prefix-list MARTIANS seq 450 permit 2001:4400::/23 le 64
ipv6 prefix-list MARTIANS seq 460 permit 2001:4600::/23 le 64
ipv6 prefix-list MARTIANS seq 470 permit 2001:4800::/23 le 64
ipv6 prefix-list MARTIANS seq 480 permit 2001:4A00::/23 le 64
ipv6 prefix-list MARTIANS seq 490 permit 2001:4C00::/23 le 64
ipv6 prefix-list MARTIANS seq 500 permit 2001:5000::/20 le 64
ipv6 prefix-list MARTIANS seq 510 permit 2001:8000::/19 le 64
ipv6 prefix-list MARTIANS seq 520 permit 2001:A000::/20 le 64
ipv6 prefix-list MARTIANS seq 530 permit 2001:B000::/20 le 64
ipv6 prefix-list MARTIANS seq 540 permit 2002::/16 le 64
ipv6 prefix-list MARTIANS seq 550 permit 2003::/18 le 64
ipv6 prefix-list MARTIANS seq 560 permit 2400::/12 le 64
ipv6 prefix-list MARTIANS seq 570 permit 2600::/12 le 64
ipv6 prefix-list MARTIANS seq 580 permit 2610::/23 le 64
ipv6 prefix-list MARTIANS seq 590 permit 2620::/23 le 64
ipv6 prefix-list MARTIANS seq 600 permit 2800::/12 le 64
ipv6 prefix-list MARTIANS seq 610 permit 2A00::/12 le 64
ipv6 prefix-list MARTIANS seq 620 permit 2C00::/12 le 64
!
!

ipv6 access-list FILTER-MARTIANS-AND-BOGONS
 remark ACL TO DROP ALL PACKETS WITH IPv6 MARTIAN SOURCE ADDRESSES
 remark NEIGHBOR DISCOVERY IS SOURCED FROM LINK-LOCAL (FE80::/10) ADDRESSES. PERMIT IT FIRST:
 remark THE IMPLICIT ND PERMITS SIT AT THE END OF THE ACL, AFTER THE FE80::/10 DENY,
 remark SO WITHOUT THESE TWO LINES ADJACENCY WITH THE WAN NEIGHBOR BREAKS
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark FIRST THE MARTIANS
 deny ipv6 host :: any
 deny ipv6 host ::1 any
 deny ipv6 ::FFFF:0.0.0.0/96 any
 deny ipv6 ::208.0.0.0/100 any
 deny ipv6 ::127.0.0.0/104 any
 deny ipv6 ::/104 any
 deny ipv6 ::255.0.0.0/104 any
 deny ipv6 ::/8 any
 deny ipv6 200::/7 any
 deny ipv6 3FFE::/16 any
 deny ipv6 2001:DB8::/32 any
 deny ipv6 2002:E000::/20 any
 deny ipv6 2002:7F00::/24 any
 deny ipv6 2002::/24 any
 deny ipv6 2002:FF00::/24 any
 deny ipv6 2002:A00::/24 any
 deny ipv6 2002:AC10::/28 any
 deny ipv6 2002:C0A8::/32 any
 deny ipv6 FC00::/7 any
 deny ipv6 FE80::/10 any
 deny ipv6 FEC0::/10 any
 deny ipv6 FF00::/8 any
 remark PERMIT ALLOCATED (NON-BOGON) NETWORKS. THIS SECTION MUST BE MAINTAINED FROM THE IANA SOURCE
 permit ipv6 2001::/23 any
 permit ipv6 2001:200::/23 any
 permit ipv6 2001:400::/23 any
 permit ipv6 2001:600::/23 any
 permit ipv6 2001:800::/23 any
 permit ipv6 2001:A00::/23 any
 permit ipv6 2001:C00::/23 any
 permit ipv6 2001:E00::/23 any
 permit ipv6 2001:1200::/23 any
 permit ipv6 2001:1400::/23 any
 permit ipv6 2001:1600::/23 any
 permit ipv6 2001:1800::/23 any
 permit ipv6 2001:1A00::/23 any
 permit ipv6 2001:1C00::/22 any
 permit ipv6 2001:2000::/20 any
 permit ipv6 2001:3000::/21 any
 permit ipv6 2001:3800::/22 any
 permit ipv6 2001:4000::/23 any
 permit ipv6 2001:4200::/23 any
 permit ipv6 2001:4400::/23 any
 permit ipv6 2001:4600::/23 any
 permit ipv6 2001:4800::/23 any
 permit ipv6 2001:4A00::/23 any
 permit ipv6 2001:4C00::/23 any
 permit ipv6 2001:5000::/20 any
 permit ipv6 2001:8000::/19 any
 permit ipv6 2001:A000::/20 any
 permit ipv6 2001:B000::/20 any
 permit ipv6 2002::/16 any
 permit ipv6 2003::/18 any
 permit ipv6 2400::/12 any
 permit ipv6 2600::/12 any
 permit ipv6 2610::/23 any
 permit ipv6 2620::/23 any
 permit ipv6 2800::/12 any
 permit ipv6 2A00::/12 any
 permit ipv6 2C00::/12 any
 remark EVERYTHING ELSE HITS THE IMPLICIT deny ipv6 any any
!

ipv6 access-list remote-mgmt-acl
 remark allow login only to loopback0
 remark INSERT permit ipv6 <management-prefix> host <Loopback0 address> ABOVE THE DENY;
 remark WITH THE DENY ALONE NO IPv6 LOGIN TO THE VTY LINES IS POSSIBLE
 deny ipv6 any any log-input
!
line vty 0 4
 ! the original value of 35791 minutes (the IOS maximum) effectively disables the idle timeout
 exec-timeout 10 0
 ipv6 access-class remote-mgmt-acl in
 login
 ! telnet carries credentials in clear text; accept SSH only
 transport input ssh
_______________________________________________
LACTF mailing list
LACTF en lacnic.net
https://mail.lacnic.net/mailman/listinfo/lactf




-- 
=========================
Carlos M. Martinez-Cagnazzo
http://cagnazzo.name
=========================
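An added worked example, not code from the original post or from the sources it cites: a small first-match evaluator for Cisco IOS "ipv6 prefix-list" lines, written in Python, applied to a constructed excerpt of the MARTIANS list above. It models IOS evaluation order (entries in seq order, first match wins, implicit deny at the end) and the ge/le semantics (an entry with no ge/le matches only an announcement of exactly its length). Applied to the excerpt exactly as posted, a more-specific of a denied 6to4 block (2002:E000::/24) slips past the deny at seq 140 and is accepted by the permit at seq 540; the same excerpt with "le 128" on every deny rejects it. The excerpts, the route names and the function names are this example's own assumptions.

```python
"""Minimal first-match evaluator for Cisco IOS "ipv6 prefix-list" lines.

Added example: models how IOS evaluates a prefix-list against a received
BGP route (entries tried in seq order, first match wins, implicit deny at
the end) and how the optional "ge"/"le" qualifiers widen a match.
Both lists below are constructed excerpts, not the full MARTIANS list.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed excerpt of the posted MARTIANS list, with the entries as written
# there: seq 140 and seq 210 have no "le", so each matches only an announcement
# of exactly its own length.
ORIGINAL_LINES = """
ipv6 prefix-list MARTIANS seq 130 deny 2001:DB8::/32 le 128
ipv6 prefix-list MARTIANS seq 140 deny 2002:E000::/20
ipv6 prefix-list MARTIANS seq 210 deny 2002:C0A8::/32
ipv6 prefix-list MARTIANS seq 220 deny FC00::/7 le 128
ipv6 prefix-list MARTIANS seq 260 permit 2001::/23 le 64
ipv6 prefix-list MARTIANS seq 280 permit 2001:400::/23 le 64
ipv6 prefix-list MARTIANS seq 540 permit 2002::/16 le 64
"""

# Same excerpt with "le 128" on every deny so that more-specifics are caught too.
FIXED_LINES = (
    ORIGINAL_LINES
    .replace("deny 2002:E000::/20\n", "deny 2002:E000::/20 le 128\n")
    .replace("deny 2002:C0A8::/32\n", "deny 2002:C0A8::/32 le 128\n")
)

LINE_RE = re.compile(
    r"^ipv6 prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


class Entry(NamedTuple):
    seq: int
    action: str
    network: ipaddress.IPv6Network
    ge: int   # minimum accepted prefix length
    le: int   # maximum accepted prefix length


def parse_prefix_list(text: str) -> List[Entry]:
    """Parse prefix-list lines into entries sorted by seq (the IOS evaluation order)."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        net = ipaddress.IPv6Network(m["prefix"])
        n = net.prefixlen
        # IOS semantics: no ge/le -> exact length only; "le L" alone -> n..L;
        # "ge G" alone -> G..128; both -> G..L.
        ge = int(m["ge"]) if m["ge"] else n
        le = int(m["le"]) if m["le"] else (128 if m["ge"] else n)
        entries.append(Entry(int(m["seq"]), m["action"], net, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def _matches(entry: Entry, route: ipaddress.IPv6Network) -> bool:
    """True if the route's first n bits equal the entry's and its length lies in [ge, le]."""
    shift = 128 - entry.network.prefixlen
    same_bits = (int(route.network_address) >> shift) == (int(entry.network.network_address) >> shift)
    return same_bits and entry.ge <= route.prefixlen <= entry.le


def evaluate(entries: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ("deny", None) for the implicit deny."""
    net = ipaddress.IPv6Network(route)
    for e in entries:
        if _matches(e, net):
            return e.action, e.seq
    return "deny", None


if __name__ == "__main__":
    original = parse_prefix_list(ORIGINAL_LINES)
    fixed = parse_prefix_list(FIXED_LINES)
    for route in ("2002:E000::/20", "2002:E000::/24", "2001:DB8:1::/48",
                  "2001:500::/32", "2001:400::/72", "4000::/2"):
        print(f"{route:18} original={evaluate(original, route)}  fixed={evaluate(fixed, route)}")
```

The same first-match logic is why the order of the MARTIANS denies and permits matters: a permit such as 2001::/23 le 64 would otherwise accept 2001:DB8::/32, and an unallocated block such as 4000::/2 is rejected only by the implicit deny, so the permit section has to track the IANA allocation list.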



More information about the Seguridad mailing list