Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPv6 hardening Best Practices?

Hi,

I have been searching everywhere for information about best practices to harden Cisco devices when IPv6 is implemented, I have found many documents showing possible threats however some of them are more than 3 years old and don't give a good example of how to implement the best practices

Anyone has information or a guide on how to harden your devices when IPv6 is in place?

Thank you

Everyone's tags (4)
5 REPLIES

Re: IPv6 hardening Best Practices?

Hi,

You will find some good references in the Design Zone for IPv6. Many of the documents there have been updated recently.

http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html

For example see below the IPv6 Campus Security Section

http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/CampIPv6.html#wp390569

One of the best older references out there is IPv6 Security, 2008

http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945

See also IPv6 for Enterprises, 2011

http://www.ciscopress.com/bookstore/product.asp?isbn=1587142325

If you keep track of the Cisco Press ebook deals of the day you can purchase them at a heavily discounted rate.

http://www.ciscopress.com/deals/

Don't forget to rate posts that are helpul.

New Member

IPv6 hardening Best Practices?

Thank you Sean, however it seems there is no general guidance as it is for IPv4, I gound a couple of good examples on your links though

New Member

IPv6 hardening Best Practices?

One more Question: Is there any IPv6 ACL similar to the ones exisitin in IPv6 to harden an Internet connection? i.e. wtih IPv4 you can have

deny   ip 10.0.0.0 0.255.255.255 any

deny   ip 126.0.0.0 0.255.255.255 any

deny   ip 127.0.0.0 0.255.255.255 any

deny   ip 172.16.0.0 0.0.255.255 any

deny   ip 169.254.0.0 0.0.255.255 any

deny   ip 192.168.0.0 0.0.255.255 any

deny   ip 223.255.255.0 0.0.0.255 any

deny   ip 224.0.0.0 31.255.255.255 any

Is there an IPv6 Equivalent?

IPv6 hardening Best Practices?

Sure, See below the reference from Team Cymru for filtering IPv6 bogons

http://www.team-cymru.org/ReadingRoom/Templates/IPv6Routers/

Cheers

Sean

New Member

IPv6 hardening Best Practices?

One More question ... the list is applied as a prefix list, which is OK, however I am not sure if the same prefixes can be used to let's say block connections on a public interface; i.e the IPv4 list above doesn't permit connections from private networks 10.x.x.x, 172.16.x.x and 192.168.x.x

I guess if I use reverse logic from the IPv6 prefix list I can only allow connections from those networks and block everything else, would that bring the same result as in IPv4?

Thank you

2341
Views
3
Helpful
5
Replies
CreatePlease login to create content