We're finally getting around to polishing up the IPv6 side of the network. We have been running dual-stack for the past four years. IPv6 felt like more of a lab experiment than a production ready network. That is all changing. We've been adding lots of IPv6 peers, new IPv6 DHCP servers (PD), new IPv6 DNS recursors, pdns LUA scripted PTR and AAAA for our /36, and lots of FTTP access and residential gateway testing on IPv6 underway.
Now here's my question(s), what should be happening at the ISP router security level? We currently have ACLs that basically only permit BGP and ICMP echo (with CPP). These were basically a copy paste of the IPv4 rules. With IPv6's heavy reliance on ICMP, should the ICMP rules be opened up a bit for the router too? Or is this basically a host issue only? To be clear, the ACLs I am referring to are only for traffic with a destination address of the router. Otherwise all traffic is passing straight through on the data plane.
Any other special IPv6 router security considerations outside of ICMP?
We're in a Cisco environment, but I think these questions are general and apply to everyone no matter the vendor.
No comments:
Post a Comment