Re: /27 the new /24

[Stephen Satchell <list () satchell net>]

This is excellent feedback, thank you.

On 10/07/2015 04:54 AM, Owen DeLong wrote:
> > On Oct 4, 2015, at 7:49 AM, Stephen Satchell <list () satchell net> wrote:
> >
> > My bookshelf is full of books describing IPv4. Saying "IPv6 just
> > works" ignores the issues of configuring intelligent firewalls to block
> > the ne-er-do-wells using the new IP-level protocol.
>
> You will need most of the same blockages in IPv6 that you needed in IPv4, actually.
>
> There are some important differences for ICMP (don’t break PMTU-D or
> ND), but otherwise, really not much difference between your IPv4
> security policy and your IPv6 security policy.
>
> In fact, on my linux box, I generate my IPv4 iptables file using
> little more than a global search and replace on the IPv6 iptables
> configuration which replaces the IPv6 prefixes/addresses with the
> corresponding IPv4 prefixes/addresses. (My IPv6 addresses for things
> that take incoming connections have an algorithmic map to IPv4 addresses
> for things that have them.)

On my box, I have a librry of shell functions that do the generation, 
driven by parameter tables.  If I'm reading you correctly, I can just 
augment the parameter tables and those functions to generate the 
appropriate corresponding ip6table commands in parallel with the iptable 
commands.

Question: should I still rate-limit ICMP packets in IPv6?  Also, someone 
on this list pointed me to NIST SP800-119, "Guidelines for the Secure 
Deployment of IPv6", the contents of which which I will incorporate.

> There is limited IPv6 support in many of the GUIs still,
> unfortunately, but the command line tools are all there and for the
> most part work pretty much identically for v4 and v6, the difference
> often being as little as ping vs ping6 or <command> <args> vs.
> <command> -6 <args>.

I've not been happy with the GUIs, because getting them to do what I 
want is a royal pain.  For example, I'm forced to use port-based 
redirection in one edge firewall application -- I blew a whole weekend 
figuring out how to do that with the CentOS 7 firewalld corkscrew, for a 
customer who outgrew the RV-220 he used for the application.  At least 
that didn't need IPv6!

> Primarily it involves changing the IPv4 addresses and/or prefixes
> into IPv6 addresses and/or prefixes.

What about fragmented packets?  And adjusting the parameters in ip6table 
filters to detect the DNS "ANY" requests used in the DDoS amplification 
attacks?

> > I'm not asking NANOG to go past its charter, but I am asking the
> > IPv6fanatics on this mailing list to recognize that, even though the net
> > itself may be running IPv6, the support and education infrastructure is
> > still behind the curve. Reading RFCs is good, reading man pages is good,
> > but there is no guidance about how to implement end-network policies in
> > the wild yet...at least not that I've been able to find.
>
> There is actually quite a bit of information out there. Sylvia
> Hagen’sIPv6 book covers a lot of this (O’Reilly publishes it).

Um, that would be "books".  Which one do you recommend I start with?

* IPv6 Essentials (3rd Edition), 2014, ASIN: B00RWSNEKG
* Planning for IPv6 (1st Edition), 2011,  ISBN-10: 1449305393

(I would assume the first, as the NIST document probably covers the 
contents of the second)

> There are also several other good IPv6 books.

Recommendations?

> > "ipv6.disable" will be changed to zero when I know how to set the
> > firewall to implement the policies I need to keep other edge networks
> > from disrupting mine.
>
> You do. You just don’t realize that you do. See above.

That's encouraging.  Being able to leverage the knowledge from IPv4 to 
project the same policies into IPv6 makes it easier for me, as I'm 
already using programmatic methods of generating the firewalls.  I 
expected that the implementation of existing applications-level policies 
would be parallel; it's the policies further down the stack that was my 
concern.

Also, I have a lot of IP level blocks (like simpler Cisco access control 
lists) to shut out those people who like to bang on my SSH front door. 
I believe that people who are so rude as to try to break through dozens 
or hundreds of time a day will have other bad habits, and don't deserve 
to be allowed for anything.  (I have similar blocks for rabid spammers 
not in the DNSBLs, but that's a different story.)  I would expect to 
maintain a separate list of IPv6 subnets, based on experience.

Which brings up another question:  should I block IPv6 access to port 25 
on my mail servers, and not announce a AAAA record for it?  Postfix 
handles IPv6, but I've seen discussion that e-mail service is going to 
be IPv4 only for quite a while.  Should I even enable IPv6 on my mail 
server at this time?  Or is that a question I should post elsewhere?

As an aside, my day job is converting to Python programming, so my first 
Python project may well be the conversion of my existing firewall 
generator into that language.