IPv6 security; reflexive ACL on Cisco

[Originally posted Oct 21, 2012 10:53 AM by Antti Uitto]

So you got an IPv6 network up and running? Good!

If you have not done so, it is about the time to make sure only desired traffic from the Internet can get to your machines.

This example shows you how to set up a rather basic but automated ACL (Access Control List) that:

1) Allows all traffic from your network to the Internet.
2) Keeps track of the connections opened from your network.
3) Creates permit rules to allow the returning traffic.
4) Removes those rules as they expire.
5) Rejects all other traffic originating from the Internet.

The technology used here is called Reflexive access-list, or IP Session Filtering.

We are going to monitor and evaluate the IPv6 traffic on the LAN interface, which in this case is Vlan1.

First create a list that checks inbound traffic on your interface and allows your own IPv6 net:

 ipv6 access-list interior-in6
 sequence 10 permit ipv6 2001:19:13:42::/64 any reflect my-net

When traffic originating from your IPv6 network passes this rule, a matching entry is created in a reflexive list called “my-net”.

I also have this on the interior-in6 list because I sometimes want to connect to my router by using the link-local address:

 sequence 20 permit ipv6 FE80::/10 any

Then create another list that checks the outbound traffic on your LAN interface:

 ipv6 access-list interior-out6
 evaluate my-net sequence 1
 deny ipv6 any any sequence 1000

This list applies to returning packets and to new connections opened from the Internet. In this example it just checks whether the connection can be found in the reflexive list “my-net”. If it is, the packet passes; if not, it won’t. If you want to allow connections originating from the Internet to your own IPv6 net, you can add those rules to this list.

Last but not least, assign these ACLs to the LAN interface:

 interface Vlan1
 ipv6 traffic-filter interior-in6 in
 ipv6 traffic-filter interior-out6 out

Open some IPv6 sites and look at what show ipv6 access-list reports.
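One thing the lists above do not cover: Cisco IOS silently appends permits for Neighbor Discovery (nd-na, nd-ns) to every IPv6 ACL, but an explicit deny ipv6 any any overrides them, so the outbound list as written also blocks ND and the ICMPv6 errors that Path MTU discovery depends on, and the reflexive entries only match the reversed 5-tuple, not those error messages. The following is an added example (not from the original post) of both lists with those permits, a reflexive timeout and one inbound rule for a web server; the timeout value and the server address are assumptions.

```cisco
! Added example configuration, not from the original post.
! Prefix 2001:19:13:42::/64 is the one used above; the timeout
! and the web-server address 2001:19:13:42::80 are assumed values.
ipv6 access-list interior-in6
 ! LAN -> Internet: create a reflexive entry, aged out after 300 s of silence
 sequence 10 permit ipv6 2001:19:13:42::/64 any reflect my-net timeout 300
 ! Link-local access to the router itself
 sequence 20 permit ipv6 FE80::/10 any
!
ipv6 access-list interior-out6
 ! 1. Returning packets of sessions the LAN opened
 evaluate my-net sequence 1
 ! 2. Neighbor Discovery toward the LAN; the explicit deny below would
 !    otherwise override the implicit nd-na/nd-ns permits of IOS
 permit icmp any any nd-na sequence 10
 permit icmp any any nd-ns sequence 11
 ! 3. ICMPv6 errors that no reflexive entry will ever match
 permit icmp any 2001:19:13:42::/64 packet-too-big sequence 20
 permit icmp any 2001:19:13:42::/64 time-exceeded sequence 21
 permit icmp any 2001:19:13:42::/64 parameter-problem sequence 22
 ! 4. Services deliberately exposed to the Internet (assumed web server)
 permit tcp any host 2001:19:13:42::80 eq 80 sequence 100
 ! 5. Everything else from the Internet is dropped
 deny ipv6 any any sequence 1000
!
interface Vlan1
 ipv6 traffic-filter interior-in6 in
 ipv6 traffic-filter interior-out6 out
```

After applying it, show ipv6 access-list shows the reflexive entries appearing under my-net as LAN hosts open connections and disappearing once the timeout has passed.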

Resources
http://packetlife.net/blog/2008/nov/25/reflexive-access-lists/
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfreflx.html
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/screflex.html
