IPv6 Security Lab - Traffic Filters
### Configuring IPv6 Traffic Filters
We now configure a traffic filter that allows only traffic sourced from your own address block to leave your network (this is the BCP38 requirement). Note that this configuration goes on the border router, where your network connects to your transit provider.
```
ipv6 access-list ipv6-packetfilter
 permit ipv6 2001:db8:X0::/48 any
 permit icmp any any
 deny ipv6 any any log
!
interface fastethernet 0/0
 ipv6 traffic-filter ipv6-packetfilter out
!
```
What happens? Look in the router’s logs. Can you explain what you see? Why do your external BGP sessions go down?
### Inbound packet filtering for IPv6 testing
We will now create an access-list which can be used for initial IPv6 testing. It shows how to trap and test for various traffic types arriving on a router's interface.
```
ipv6 access-list v6starter
 permit icmp any 2001:db8:X0::/32 echo-reply log-input
 permit icmp any 2001:db8:X0::/32 echo-request log-input
 permit icmp any 2001:db8:X0::/32 time-exceeded log-input
 permit icmp any 2001:db8:X0::/32 packet-too-big log-input
 permit icmp any 2001:db8:X0::/32 parameter-problem log-input
 permit ipv6 any host <specific host> log-input
 deny ipv6 any any log-input
!
interface fastethernet 0/0
 ipv6 traffic-filter v6starter in
!
```
Note that 'log-input' has been included so you can check what IPv6 traffic is coming in from the outside. Send some IPv6 pings and see whether the traffic shows up in 'show log'.
Note: ‘log’ simply displays the source and destination addresses in the log messages. ‘log-input’ includes the input interface as well.
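To reason about what the two filters above do before applying them, the following is an added example (not part of the lab) that evaluates IOS-style IPv6 ACL entries first-match against constructed sample packets. IOS appends an implicit tail to every IPv6 ACL (permit ND neighbor advertisements and solicitations, then deny everything), and the evaluator models that tail, which shows the practical caveat: both lab filters end with an explicit `deny ipv6 any any`, so the implicit ND permits are never reached and neighbor discovery is only allowed where a rule permits it explicitly. The prefix `2001:db8:a0::/48` stands in for the lab's `2001:db8:X0::/48`, `2001:db8:a0::53` for `<specific host>`, and the transit link addresses are constructed; none of these values come from the lab.

```python
"""First-match evaluator for the IOS-style IPv6 ACLs used in this lab (added
example, not lab material). Rules are parsed from the lab's own syntax, the
IOS implicit tail (permit ND NS/NA, then deny any) is appended, and constructed
sample packets are run through both filters. Assumed values: 2001:db8:a0::/48
stands in for 2001:db8:X0::/48, 2001:db8:a0::53 for '<specific host>', and
2001:db8:ffff:1::/64 is a made-up transit point-to-point link."""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

ANY = ip_network("::/0")
LOG_WORDS = {"log", "log-input"}


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ipv6" (any protocol), "icmp", "tcp", ...
    src: IPv6Network
    dst: IPv6Network
    icmp_type: Optional[str] = None   # e.g. "echo-request"; None matches any type
    log: bool = False                 # "log" or "log-input" present


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "tcp", "udp"
    icmp_type: Optional[str] = None
    dport: Optional[int] = None       # informational only; these ACLs match no ports


def _addr(tok: List[str], i: int) -> Tuple[IPv6Network, int]:
    """Consume 'any', '<prefix>/<len>' or 'host <addr>' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/128"), i + 2
    return ip_network(tok[i], strict=False), i + 1


def parse_rule(line: str) -> Rule:
    """Parse one ACL entry in the subset of IOS syntax this lab uses."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    rest = tok[i:]
    types = [t for t in rest if t not in LOG_WORDS]
    return Rule(action, proto, src, dst, types[0] if types else None,
                any(t in LOG_WORDS for t in rest))


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


# IOS appends these to every IPv6 ACL. An explicit 'deny ipv6 any any' placed
# before them, as both lab filters do, means the ND permits are never reached.
IMPLICIT_TAIL = parse_acl("""
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
""")


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Union[int, str], bool]:
    """Return (action, matching rule number or 'implicit', logged?)."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for n, r in enumerate(acl + IMPLICIT_TAIL, 1):
        if r.proto != "ipv6" and r.proto != pkt.proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action, (n if n <= len(acl) else "implicit"), r.log
    raise AssertionError("unreachable: the implicit deny always matches")


# The lab's outbound BCP38 filter, with the constructed prefix substituted.
OUTBOUND = parse_acl("""
permit ipv6 2001:db8:a0::/48 any
permit icmp any any
deny ipv6 any any log
""")

# The lab's inbound 'v6starter' filter, same substitutions.
INBOUND = parse_acl("""
permit icmp any 2001:db8:a0::/32 echo-reply log-input
permit icmp any 2001:db8:a0::/32 echo-request log-input
permit icmp any 2001:db8:a0::/32 time-exceeded log-input
permit icmp any 2001:db8:a0::/32 packet-too-big log-input
permit icmp any 2001:db8:a0::/32 parameter-problem log-input
permit ipv6 any host 2001:db8:a0::53 log-input
deny ipv6 any any log-input
""")

# Constructed sample traffic. BGP_OUT is sourced from the router's own address
# on the (made-up) transit link, which lies outside the customer's /48.
PING_OUT = Packet("2001:db8:a0::1", "2001:db8:ffff::1", "icmp", "echo-request")
BGP_OUT = Packet("2001:db8:ffff:1::2", "2001:db8:ffff:1::1", "tcp", dport=179)
ND_NS = Packet("fe80::1", "ff02::1:ff00:1", "icmp", "nd-ns")
PING_IN = Packet("2001:db8:ffff::1", "2001:db8:a0::1", "icmp", "echo-request")
WEB_IN = Packet("2001:db8:ffff::1", "2001:db8:a0::1", "tcp", dport=80)

if __name__ == "__main__":
    for name, acl, pkt in [("out", OUTBOUND, PING_OUT), ("out", OUTBOUND, BGP_OUT),
                           ("out", OUTBOUND, ND_NS), ("in", INBOUND, PING_IN),
                           ("in", INBOUND, WEB_IN), ("in", INBOUND, ND_NS)]:
        print(name, pkt.proto, pkt.src, "->", pkt.dst, evaluate(acl, pkt))
```

Run it and compare the result for each packet with what 'show log' reports after the filters are applied in the lab; the packets that hit the logging deny entries are the ones that will appear there. Inbound ND_NS is the case worth studying: it is denied by the explicit last line of v6starter, not permitted by the implicit tail.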
### Disabling Router Advertisement on interfaces
Interfaces on core infrastructure routers are generally manually configured, and so are the devices connected to them. We now want to disable support for auto-configuration of IPv6 addresses on our router's Ethernet interfaces and disable the announcement of a default route. This prevents anyone who connects a device to that Ethernet segment from automatically obtaining an IPv6 configuration, and thus IPv6 connectivity. The following commands show what needs to be done for a FastEthernet interface.
```
interface gigabit 1/0
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress all
!
```
Each group should do this for all active interfaces on the routers in their AS.
