08-09-2011 11:13 PM - edited 03-01-2019 05:29 PM
Dear community members,
I am rolling out IPv6 in my network and I am running into some "strange" issues in implementing IPv6 access lists.
The following access list is applied to the ipv6ip tunnel providing connectivity to the v6 provider.
ipv6 access-list AL6-v6-inetin
remark V6 incoming tunnel filter
remark allowing ping of outside for tunnel status and reachability
permit icmp any host 2001:x:x:6BE::2 (router tunnel interface)
remark preventing spoofing
deny ipv6 2001:x:x::/48 any
deny ipv6 host 2001:x:x:6BE::2 any
deny ipv6 ::/3 any log
deny ipv6 8000::/2 any log
deny ipv6 C000::/3 any log
deny ipv6 E000::/4 any log
deny ipv6 F000::/5 any log
deny ipv6 F800::/6 any log
deny ipv6 FC00::/7 any log
deny ipv6 FE00::/8 any log
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any echo-request
permit icmp any any echo-reply
My idea would be to deny most of everything and configure CBAC (ipv6 inspect) to allow traffic originating inside to "open" connections to the outside.
First question: is the usual implicit deny any any applicable in this case?
My doubt comes from the following:
=======quote
Each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery. These rules can be overridden by the user by placing a deny ipv6 any any statement within an ACL.
===unquote
And also because after applying the above access-list to the tunnel interface I can still ping and portscan remotely both the router (which is expected, see the quote below) and also inside hosts.
=====quote
IPv6 packets tunneled in IPv4 are not inspected. If a tunnel terminates on a router, and IPv6 traffic exiting the tunnel is nonterminating, then the traffic is inspected.
======unquote
What is the accepted wisdom to filter traffic directed to the router if it arrives via an ipv6ip tunnel?
Hope to start a fruitful discussion here and build some common knowledge in the group by exchanging views.
Cheers
Fabio
08-10-2011 07:18 AM
Fabio,
Regarding your first question, the implicit deny rule exists.
In IOS, each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery.
---------------------------
permit icmp any any nd-ns
permit icmp any any nd-na
deny ipv6 any any
----------------------------
The ASR1K platform is one notable exception, as the implicit deny rule is present, but the permit rules are not, as documented on CCO [1]. So, if you want to allow ND, you'd need to add the permit rules yourself.
Cheers, Gustavo
08-10-2011 07:35 AM
Hi Gustavo,
Thanks for your reply. If I understand correctly the implicit ND is there and works only if I do not add an explicit deny ipv6 any any (or deny icmp any any). If I do add an explicit deny ipv6 any any, for example to log matching packets, I would have to include the permit icmp nd statements explicitly.
This leaves open a question:
=====quote
IPv6 packets tunneled in IPv4 are not inspected.
=====unquote
How do I filter traffic to prevent it reaching the router if the access-list does not work and I have IPv6 connectivity through an IPv4 tunnel?
By the way, after configuring the tunnel and the access-list, the statement above appears not to be true.
Cheers
Fabio
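As an added illustration of the implicit-rule behaviour discussed in this thread (Gustavo's explanation of the implicit ND permits followed by the implicit deny, and Fabio's reading that an explicit deny ipv6 any any overrides the ND permits), here is a small Python model of first-match IPv6 ACL evaluation. It is example code written for this page, not IOS code and not anything posted by the participants. The ACL in it is a constructed copy of the posted tunnel filter using the 2001:db8::/32 documentation prefix in place of the masked 2001:x:x addresses, and it assumes that IOS appends `permit icmp any any nd-ns`, `permit icmp any any nd-na` and `deny ipv6 any any` after the user entries (with the two permits absent on ASR1K, as Gustavo notes). It models only ACL matching, not CBAC/ipv6 inspect or tunnel decapsulation.

```python
"""Model of Cisco IOS IPv6 ACL first-match evaluation with the implicit tail.

Added example for this thread, not IOS code. Assumption: IOS appends the three
entries in IMPLICIT_TAIL to every IPv6 ACL (ASR1K keeps only the final deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.IPv6Network("::/0")

# Entries assumed to be appended implicitly after the user's own ACEs.
IMPLICIT_TAIL = [
    "permit icmp any any nd-ns",
    "permit icmp any any nd-na",
    "deny ipv6 any any",
]

# Constructed copy of the posted tunnel filter; 2001:db8::/32 replaces the masked 2001:x:x.
TUNNEL_ACL = [
    "remark V6 incoming tunnel filter (constructed, documentation prefix)",
    "permit icmp any host 2001:db8:0:6be::2",
    "deny ipv6 2001:db8::/48 any",
    "deny ipv6 host 2001:db8:0:6be::2 any",
    "deny ipv6 ::/3 any log",
    "deny ipv6 8000::/2 any log",
    "deny ipv6 c000::/3 any log",
    "deny ipv6 e000::/4 any log",
    "deny ipv6 f000::/5 any log",
    "deny ipv6 f800::/6 any log",
    "deny ipv6 fc00::/7 any log",
    "deny ipv6 fe00::/8 any log",
    "permit icmp any any time-exceeded",
    "permit icmp any any packet-too-big",
    "permit icmp any any echo-request",
    "permit icmp any any echo-reply",
]


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" matches every protocol; otherwise "icmp", "tcp", ...
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp_type: Optional[str] = None  # e.g. "echo-request", "nd-ns"; None means any ICMP type
    log: bool = False
    text: str = ""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", "udp", ...
    icmp_type: Optional[str] = None


def _take_addr(tokens, i):
    """Consume 'any', 'host X' or 'prefix/len' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tokens[i], strict=False), i + 1


def parse_ace(line):
    """Parse one ACE in the posted syntax; remarks and blank lines yield None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src, i = _take_addr(tokens, 2)
    dst, i = _take_addr(tokens, i)
    icmp_type, log = None, False
    for tok in tokens[i:]:
        if tok == "log":
            log = True
        elif proto == "icmp":
            icmp_type = tok
    return Ace(action, proto, src, dst, icmp_type, log, line.strip())


def matches(ace, pkt):
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv6Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv6Address(pkt.dst) not in ace.dst:
        return False
    return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type


def evaluate(acl_lines, pkt, implicit_nd_permits=True):
    """First match wins. Returns (action, text of the matching entry, implicit ones labelled)."""
    tail = IMPLICIT_TAIL if implicit_nd_permits else IMPLICIT_TAIL[-1:]
    entries = [(l, "") for l in acl_lines] + [(l, "(implicit) ") for l in tail]
    for line, label in entries:
        ace = parse_ace(line)
        if ace and matches(ace, pkt):
            return ace.action, label + ace.text
    raise AssertionError("unreachable: the implicit deny matches everything")


if __name__ == "__main__":
    inside = "2001:db8:0:10::5"
    ns = Packet("2001:db8:ffff::1", "ff02::1:ff00:2", "icmp", "nd-ns")
    print("tcp to inside host  ->", evaluate(TUNNEL_ACL, Packet("2001:db8:ffff::1", inside, "tcp")))
    print("ping to inside host ->", evaluate(TUNNEL_ACL, Packet("2001:db8:ffff::1", inside, "icmp", "echo-request")))
    print("NS, global source   ->", evaluate(TUNNEL_ACL, ns))
    print("NS, link-local src  ->", evaluate(TUNNEL_ACL, Packet("fe80::1", "ff02::1:ff00:2", "icmp", "nd-ns")))
    print("NS after deny log   ->", evaluate(TUNNEL_ACL + ["deny ipv6 any any log"], ns))
    print("NS on ASR1K model   ->", evaluate(TUNNEL_ACL, ns, implicit_nd_permits=False))
```

Running it shows the three points at issue: a TCP connection to an inside host is caught by the implicit deny while echo-request is passed by the explicit permit (matching the "can still ping inside hosts" observation), appending `deny ipv6 any any log` means a neighbor solicitation is denied before the implicit permits are reached, and a neighbor solicitation sent from a link-local address is already matched by the explicit `deny ipv6 fe00::/8 any log` entry, since fe80::/10 lies inside fe00::/8, so that anti-spoofing list should be checked against link-local ND on the interface before relying on the implicit permits. On the real box, `show ipv6 access-list` hit counts are the way to confirm what the model predicts.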