IPv6 traffic filters, tunnel and access-list behaviour

fabios
Level 1

Dear community members,

I am rolling out IPv6 in my network and I am running into some "strange" issues in implementing IPv6 access lists.

The following access list is applied to the ipv6ip tunnel providing connectivity to the v6 provider.

ipv6 access-list AL6-v6-inetin
 remark V6 incoming tunnel filter
 remark allowing ping of outside for tunnel status and reachability
 permit icmp any host 2001:x:x:6BE::2 (router tunnel interface)
 remark preventing spoofing
 deny ipv6 2001:x:x::/48 any
 deny ipv6 host 2001:x:x:6BE::2 any
 deny ipv6 ::/3 any log
 deny ipv6 8000::/2 any log
 deny ipv6 C000::/3 any log
 deny ipv6 E000::/4 any log
 deny ipv6 F000::/5 any log
 deny ipv6 F800::/6 any log
 deny ipv6 FC00::/7 any log
 deny ipv6 FE00::/8 any log
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any echo-request
 permit icmp any any echo-reply

My idea would be to deny most of everything and configure CBAC (ipv6 inspect) to allow traffic originating inside to "open" connections to the outside.

First question: is the usual implicit deny any any applicable in this case?

My doubt comes from the following:

=====quote
Each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery. These rules can be overridden by the user by placing a deny ipv6 any any statement within an ACL.
=====unquote

And also because, after applying the above access-list to the tunnel interface, I can still ping and portscan remotely both the router (which is expected, see further quote below) and also inside hosts.

=====quote
IPv6 packets tunneled in IPv4 are not inspected. If a tunnel terminates on a router, and IPv6 traffic exiting the tunnel is nonterminating, then the traffic is inspected.
=====unquote

What is the accepted wisdom to filter traffic directed to the router if it arrives via an ipv6ip tunnel?

Hope to start a fruitful discussion here and build some common knowledge in the group by exchanging views.

Cheers

Fabio


Andre Gustavo Albuquerque
Cisco Employee

Fabio,

Regarding your first question, the implicit deny rule exists.

In IOS, each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery.

---------------------------

permit icmp any any nd-ns

permit icmp any any nd-na

deny ipv6 any any

----------------------------

The ASR1K platform is one notable exception, as the implicit deny rule is present, but the permit rules are not, as documented on CCO [1]. So, if you want to allow ND, you'd need to add the permit rules yourself.

Cheers, Gustavo

[1] http://www.cisco.com/en/US/docs/ios/ios_xe/ipv6/configuration/guide/ip6-sec_trfltr_fw_xe.html#wp1072522
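To make the evaluation order Gustavo describes concrete, here is an added example (not from this thread or from Cisco): a small Python model of first-match IPv6 ACL processing with the implicit trailing entries appended. It shows an ND neighbour solicitation being accepted by the implicit permits, then shadowed once an explicit deny ipv6 any any is added, and accepted again only when the nd-ns/nd-na permits are written out ahead of that deny. The prefix 2001:db8:1::/48 and the packets are constructed stand-ins for the 2001:x:x::/48 in the question.

```python
from ipaddress import IPv6Address, IPv6Network

ANY = IPv6Network("::/0")

def rule(action, proto, src, dst, icmp_type=None, log=False):
    """One ACL entry (src/dst are IPv6Network; ANY stands for 'any')."""
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "icmp_type": icmp_type, "log": log}

# Entries IOS appends to every IPv6 ACL; on ASR1K only the deny is present.
IMPLICIT_IOS = [rule("permit", "icmp", ANY, ANY, "nd-ns"),
                rule("permit", "icmp", ANY, ANY, "nd-na"),
                rule("deny", "ipv6", ANY, ANY)]
IMPLICIT_ASR1K = IMPLICIT_IOS[-1:]

def matches(r, pkt):
    """'ipv6' matches any protocol; an icmp type restricts to that type."""
    if r["proto"] != "ipv6" and r["proto"] != pkt["proto"]:
        return False
    if r["icmp_type"] is not None and r["icmp_type"] != pkt.get("icmp_type"):
        return False
    return pkt["src"] in r["src"] and pkt["dst"] in r["dst"]

def evaluate(acl, pkt, implicit=IMPLICIT_IOS):
    """First match wins. Returns (action, index); an index >= len(acl)
    means the packet fell through to one of the implicit entries."""
    for i, r in enumerate(acl + implicit):
        if matches(r, pkt):
            return r["action"], i
    return "deny", -1  # not reachable while the implicit deny is in place

# Constructed sample packets: a neighbour solicitation arriving on the tunnel
# and a packet that spoofs an inside source address.
INSIDE = IPv6Network("2001:db8:1::/48")  # stand-in for 2001:x:x::/48
ND_NS = {"proto": "icmp", "icmp_type": "nd-ns",
         "src": IPv6Address("fe80::1"), "dst": IPv6Address("ff02::1:ff00:2")}
SPOOF = {"proto": "tcp", "src": IPv6Address("2001:db8:1::10"),
         "dst": IPv6Address("2001:db8:1::20")}

# Cut-down version of the ACL in the question: anti-spoofing plus some ICMP.
BASE_ACL = [rule("deny", "ipv6", INSIDE, ANY),
            rule("permit", "icmp", ANY, ANY, "echo-request")]
# An explicit deny any any (e.g. added to log hits) is evaluated before the
# implicit ND permits and therefore shadows them ...
WITH_DENY = BASE_ACL + [rule("deny", "ipv6", ANY, ANY, log=True)]
# ... so the ND permits must then be written out ahead of it.
WITH_DENY_AND_ND = BASE_ACL + [rule("permit", "icmp", ANY, ANY, "nd-ns"),
                               rule("permit", "icmp", ANY, ANY, "nd-na"),
                               rule("deny", "ipv6", ANY, ANY, log=True)]
```

Passing implicit=IMPLICIT_ASR1K to evaluate() reproduces the ASR1K behaviour, where the same solicitation is dropped even without an explicit deny.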

Hi Gustavo,

Thanks for your reply. If I understand correctly, the implicit ND is there and works only if I do not add an explicit deny ipv6 any any (or deny icmp any any). If I do add an explicit deny ipv6 any any, for example to log matching packets, I would have to explicitly include the permit icmp nd statements.

This leaves open a question:

=====quote
IPv6 packets tunneled in IPv4 are not inspected.
=====unquote

How do I filter traffic to prevent it reaching the router if the access-list does not work and I have IPv6 connectivity through an IPv4 tunnel?

By the way, having configured the tunnel and the access-list, the statement above appears not to be true.

Cheers

Fabio