nanog mailing list archives

Re: /27 the new /24


From: Owen DeLong <owen () delong com>
Date: Wed, 7 Oct 2015 04:54:47 -0700


On Oct 4, 2015, at 7:49 AM, Stephen Satchell <list () satchell net> wrote:

> On 10/04/2015 06:40 AM, Matthias Leisi wrote:
>> Fully agree. But the current state of IPv6 outside "professional"
>> networks/devices is sincerely limited by a lot of poor CPE and
>> consumer device implementations.

> I have to ask:  where is the book _IPv6 for Dummies_ or equivalent?
>
> Specifically, is http://www.xnetworks.es/contents/Infoblox/IPv6forDummies.pdf any good? (I just downloaded it to inspect.)
>
> My bookshelf is full of books describing IPv4.  Saying "IPv6 just works" ignores the issues of configuring intelligent firewalls to block the ne'er-do-wells using the new IP-level protocol.

You will need most of the same blockages in IPv6 that you needed in IPv4, actually.

There are some important differences for ICMP (don't break PMTU-D or ND), but otherwise, really not much difference between your IPv4 security policy and your IPv6 security policy.

In fact, on my linux box, I generate my IPv4 iptables file using little more than a global search and replace on the IPv6 iptables configuration which replaces the IPv6 prefixes/addresses with the corresponding IPv4 prefixes/addresses. (My IPv6 addresses for things that take incoming connections have an algorithmic map to IPv4 addresses for things that have them.)

> I use CentOS, the community version of Red Hat Enterprise.  I looked around for useful books on building IPv6 firewalls with the same granularity as the above-mentioned book for IPv4, and haven't found anything useful as yet.  In particular, I'm looking for material that lays out how to build a mostly-closed firewall and DMZ in IPv6.  The lack of IPv6 support goes further:  I didn't find anything useful in Red Hat (CentOS) firewall tools that provides IPv6 support...but that's probably because I don't know what I'm looking for.  (Also, that GUI software is intended for use on individual servers/computers, not in an edge firewall with forwarding and DMZ responsibilities.)

Where you have an iptables file, you add an ip6tables file and change the prefixes and addresses. Otherwise, it's really pretty much the same.

There is limited IPv6 support in many of the GUIs still, unfortunately, but the command line tools are all there and for the most part work pretty much identically for v4 and v6, the difference often being as little as ping vs ping6 or <command> <args> vs. <command> -6 <args>.

> Building a secure firewall takes more than just knowing how to issue ip6tables commands; one also needs to know exactly what goes into those commands.  NANOG concentrates on network operators who need to provide a good Internet experience to all their downstream customers, which is why I see the bias toward openness...as it should be.  Those of us who run edge networks have different problems to solve.

If you know what goes into the iptables commands, then there's very little difference for the ip6tables commands.

Primarily it involves changing the IPv4 addresses and/or prefixes into IPv6 addresses and/or prefixes. The rest of the commands are very much literally the same... An example from my actual configurations:

iptables:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.159.10.0/24 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT

ip6tables:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT


This is not my entire configuration (which is somewhat complex and in need of some cruft removal due to organic growth over time), but these 6 lines do provide a reasonably representative sample of things and include rate-limiting DNS queries from outsiders.

> I'm not asking NANOG to go past its charter, but I am asking the IPv6 fanatics on this mailing list to recognize that, even though the net itself may be running IPv6, the support and education infrastructure is still behind the curve.  Reading RFCs is good, reading man pages is good, but there is no guidance about how to implement end-network policies in the wild yet...at least not that I've been able to find.

There is actually quite a bit of information out there. Silvia Hagen's IPv6 book covers a lot of this (O'Reilly publishes it).

There are also several other good IPv6 books.

> "ipv6.disable" will be changed to zero when I know how to set the firewall to implement the policies I need to keep other edge networks from disrupting mine.

You do. You just don’t realize that you do. See above.

Owen
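Two points in the exchange above lend themselves to a worked example: Owen's "search and replace the prefixes" method for deriving one rule file from the other, and his caveat that the ICMP rules differ because ICMPv6 carries path MTU discovery and neighbour discovery. The script below is added here as an illustration and is not code from either correspondent. It rewrites ip6tables rule lines into iptables lines using a prefix table (a static table is assumed in place of Owen's algorithmic map), refuses to emit a rule whose IPv6 literal has no mapping, skips ICMPv6 rules because they have no one-to-one IPv4 form, and prints the ICMPv6 rules that the v6 chain must keep. The chain name is the one from Owen's sample; every prefix and rule line is constructed for the example using the documentation ranges 2001:db8::/32 and 192.0.2.0/24.

```shell
#!/bin/sh
# Added example (not from the mail thread): derive iptables rules from
# ip6tables rules by prefix rewriting, and list the ICMPv6 rules a v6
# input chain needs so PMTUD and ND keep working.
# The addresses below are constructed documentation-range values.

# Prefix map: "IPv6-prefix IPv4-prefix" pairs, one per line (constructed;
# stands in for the algorithmic v6->v4 address map described in the mail).
PREFIX_MAP='2001:db8:1f00:3142::/64 192.0.2.0/24
2001:db8:1f00:1::5/128 192.0.2.5/32'

# Turn the map into a sed script, one s|v6|v4|g command per mapping.
# '|' is the delimiter because the prefixes contain '/'.
build_sed_script() {
    printf '%s\n' "$PREFIX_MAP" | while read -r v6 v4; do
        [ -n "$v6" ] && [ -n "$v4" ] || continue
        printf 's|%s|%s|g\n' "$v6" "$v4"
    done
}

# Read ip6tables rule lines on stdin and emit the iptables equivalents.
#  - ICMPv6 rules are skipped: they have no direct IPv4 counterpart.
#  - A rule that still carries an IPv6 literal (two or more colons) after
#    rewriting had no mapping; it is reported on stderr and skipped rather
#    than loaded into the IPv4 table with a v6 address in it.
v6_to_v4_rules() {
    script=$(build_sed_script)
    while IFS= read -r rule; do
        case "$rule" in
            *"-p ipv6-icmp"*|*"-p icmpv6"*) continue ;;
        esac
        out=$(printf '%s\n' "$rule" | sed -e "$script")
        case "$out" in
            *:*:*) printf 'unmapped IPv6 literal, rule skipped: %s\n' "$rule" >&2
                   continue ;;
        esac
        printf '%s\n' "$out"
    done
}

# ICMPv6 rules with no IPv4 counterpart that the v6 input chain needs
# (following RFC 4890's recommendations): error messages, including
# packet-too-big for PMTUD, and the ND messages, which are link-local and
# must arrive with hop limit 255. Chain name defaults to the mail's sample.
icmpv6_essentials() {
    chain=${1:-RH-Firewall-1-INPUT}
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        printf '%s\n' "-A $chain -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    for t in router-solicitation router-advertisement neighbour-solicitation neighbour-advertisement; do
        printf '%s\n' "-A $chain -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
}

# Stand-alone run: translate a constructed sample rule set (modelled on the
# mail's ip6tables lines) and print the v6-only rules to keep.
SAMPLE_V6_RULES='-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 2001:db8:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT'
echo '# iptables rules derived from the sample ip6tables rules:'
printf '%s\n' "$SAMPLE_V6_RULES" | v6_to_v4_rules
echo '# ICMPv6 rules to keep on the ip6tables side:'
icmpv6_essentials
```

The point of the unmapped-literal check is that a blind global replace fails silently: a v6 rule whose address was never mapped still loads into iptables as a syntax error at best, or, if the address happened to contain a mapped substring, as a rule matching something other than what was intended. Reporting and skipping makes the gap visible so the map can be completed.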


