IPv6 security; reflexive ACL on Cisco

[Originally posted Oct 21, 2012 10:53 AM by Antti Uitto]

So you got an IPv6 network up and running? Good!

If you have not done so already, it is about time to make sure that only desired traffic from the Internet can reach your machines.

This example shows you how to set up a rather basic, self-maintaining ACL (Access Control List) that:

1) Allows all traffic from your network to the Internet.
2) Keeps track of the connections opened from your network.
3) Creates permit rules to allow the returning traffic of those connections.
4) Removes those rules as they expire.
5) Rejects all other traffic originating from the Internet.

The technology used here is called Reflexive access-list, or IP Session Filtering.

We are going to monitor and evaluate the IPv6 traffic on the LAN interface, which in this case is Vlan1.

First create a list that checks inbound traffic on your interface and allows your own IPv6 net:

 ipv6 access-list interior-in6
 sequence 10 permit ipv6 2001:19:13:42::/64 any reflect my-net

When traffic originating from your IPv6 network matches this entry, the connection is recorded in a reflexive list called “my-net”.

I also have this on interior-in6 list because I sometimes want to connect to my router by using the link-local address:

 sequence 20 permit ipv6 FE80::/10 any

Then create another list that checks the outbound traffic on your LAN interface:

 ipv6 access-list interior-out6
 evaluate my-net sequence 1
 deny ipv6 any any sequence 1000

This list applies to returning packets and to new connections opened from the Internet. In this example it only checks whether the connection can be found in the reflexive list “my-net”: if it is, the packet passes, and if not, it is dropped. If you want to allow connections originating from the Internet to your own IPv6 net, you can add those rules to this list.

Last but not least, assign these ACLs to the LAN interface:

 interface Vlan1
 ipv6 traffic-filter interior-in6 in
 ipv6 traffic-filter interior-out6 out

Open some IPv6 sites and then look at the output of show ipv6 access-list to see the entries that have been created.
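To make the five steps concrete, here is a small Python model of what the two lists do to each packet. It is an added example, not part of the original post and not Cisco's implementation. It uses the post's 2001:19:13:42::/64 prefix; the host, server and outsider addresses, the ports and the timestamps are constructed sample values, and the 300-second timeout is an assumption (it is the IOS default for reflexive entries). The immediate teardown on TCP FIN/RST is a simplification of how IOS ages TCP sessions.

```python
# Added illustrative model of a reflexive (session-filtering) ACL.
# Not IOS code; addresses, ports and times below are constructed samples.
import ipaddress
from dataclasses import dataclass, field

INSIDE_NET = ipaddress.ip_network("2001:19:13:42::/64")   # the /64 from the post
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
REFLEXIVE_TIMEOUT = 300   # seconds; assumed (IOS default reflexive timeout)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                                   # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


class ReflexiveList:
    """The dynamic 'my-net' list: mirrored flows, each with an expiry time."""

    def __init__(self, timeout=REFLEXIVE_TIMEOUT):
        self.timeout = timeout
        self.entries = {}   # (proto, src, sport, dst, dport) -> expiry time

    def _purge(self, now):
        # Step 4: entries disappear once their timer runs out.
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def reflect(self, pkt, now):
        # Steps 2 and 3: store the mirror image of the outbound flow, so the
        # returning packet (addresses and ports swapped) will be permitted.
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirrored] = now + self.timeout

    def evaluate(self, pkt, now):
        # Steps 3 and 5: permit only a flow that was opened from inside.
        self._purge(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            del self.entries[key]          # simplification: session is over
        else:
            self.entries[key] = now + self.timeout   # traffic refreshes the timer
        return True


def interior_in6(pkt, now, my_net):
    """LAN interface, inbound direction (from your hosts towards the router)."""
    src = ipaddress.ip_address(pkt.src)
    if src in INSIDE_NET:                # sequence 10 permit ... reflect my-net
        my_net.reflect(pkt, now)
        return "permit"
    if src in LINK_LOCAL:                # sequence 20 permit ipv6 FE80::/10 any
        return "permit"
    return "deny"                        # implicit deny at the end of the list


def interior_out6(pkt, now, my_net):
    """LAN interface, outbound direction (from the Internet towards your hosts)."""
    if my_net.evaluate(pkt, now):        # evaluate my-net sequence 1
        return "permit"
    return "deny"                        # deny ipv6 any any sequence 1000


def run_scenario():
    """Walk a constructed exchange and return the verdict for each packet."""
    my_net = ReflexiveList()
    host, web, outsider = "2001:19:13:42::10", "2001:db8::80", "2001:db8::bad"
    verdicts = []
    # t=0: the host opens HTTPS to the web server; a mirrored entry is created.
    verdicts.append(interior_in6(Packet(host, web, "tcp", 51234, 443, frozenset({"SYN"})), 0, my_net))
    # t=1: the server's reply matches that entry.
    verdicts.append(interior_out6(Packet(web, host, "tcp", 443, 51234, frozenset({"SYN", "ACK"})), 1, my_net))
    # t=1: an unsolicited connection attempt from the Internet has no entry.
    verdicts.append(interior_out6(Packet(outsider, host, "tcp", 40000, 22, frozenset({"SYN"})), 1, my_net))
    # t=1: right server, wrong client port: the whole 5-tuple must match.
    verdicts.append(interior_out6(Packet(web, host, "tcp", 443, 51235), 1, my_net))
    # t=2: a link-local source on the LAN is permitted by sequence 20.
    verdicts.append(interior_in6(Packet("fe80::1", "fe80::ffff", "icmp"), 2, my_net))
    # t=400: the entry has expired after 300 s without traffic.
    verdicts.append(interior_out6(Packet(web, host, "tcp", 443, 51234), 400, my_net))
    return verdicts


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Running it prints permit, permit, deny, deny, permit, deny, which is exactly the behaviour the lists above give you: only the mirror image of a connection your own hosts opened gets back in, and only while the entry is alive. One thing the model leaves out is that every IOS IPv6 ACL ends with implicit permits for ICMPv6 neighbor discovery (nd-ns and nd-na), and an explicit deny ipv6 any any entry like the one at sequence 1000 takes precedence over those implicit permits; if you reuse a list of this shape somewhere neighbor discovery has to pass through it, put permit icmp any any nd-ns and permit icmp any any nd-na in front of the deny.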

Resources
http://packetlife.net/blog/2008/nov/25/reflexive-access-lists/
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfreflx.html
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/screflex.html