We were recently approached by a customer asking us for support along the lines of “do you have any recommendations as for strict hardening of IPv6 parameters on Linux systems?”. It turned out that the systems in question process quite sensitive data and are located in certain small network segments with very high security requirements.
They indicated they were willing to spend significant operational resources on “securely configuring them”. So Antonios decided to write a small hardening guide for IPv6 on Linux, mostly focusing on manual configuration of pretty much everything (including neighbor cache entries 😉) with accompanying deactivation of all automatic mechanisms, together with ip6tables-based local packet filtering.
The document can be found here.
We would like to emphasize that – given the huge operational effort for applying the steps laid out in the document and in particular for keeping the configuration approach consistent throughout the whole lifecycle of a system (even after, say, compiling a new kernel) – the approach described should only be used for specific segments, as discussed in my ACSAC 29 talk on “Design & Configuration of IPv6 Segments with High Security Requirements”. It should further be noted that many of the steps somewhat contradict the universal IPv6 principles of “automation and flexibility” which we “otherwise strongly believe in”…
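To give a flavour of what the “manual everything” posture looks like in practice, here is an added sketch (not taken from the guide, the customer’s configuration or the talk): a POSIX shell fragment that renders the per-interface sysctl settings, a pinned neighbor cache entry and a default-deny ip6tables skeleton, and checks a running system for drift from those settings, which is exactly the lifecycle problem mentioned above. The interface name, peer address and MAC are constructed placeholders.

```shell
#!/bin/sh
# Added example, not taken from the hardening guide: the "manual everything" IPv6 posture
# (no RAs, no SLAAC, pinned neighbor entries, default-deny ip6tables) as generated config,
# plus a drift check. Interface, address and MAC values are constructed placeholders.

# Desired per-interface kernel settings (all real keys under /proc/sys/net/ipv6/conf/<if>/).
ipv6_sysctl_keys() {
    printf '%s\n' accept_ra=0 autoconf=0 router_solicitations=0 accept_redirects=0 \
        accept_source_route=0 dad_transmits=0 use_tempaddr=0 forwarding=0
}

# Render those settings as a sysctl.d fragment for interface $1.
ipv6_sysctl_fragment() {
    ipv6_sysctl_keys | sed "s/^/net.ipv6.conf.$1./"
}

# Command that pins one neighbor cache entry so no Neighbor Solicitation is ever needed.
# $1 interface, $2 peer IPv6 address, $3 peer MAC.
static_neighbor_cmd() {
    printf 'ip -6 neigh replace %s lladdr %s dev %s nud permanent\n' "$2" "$3" "$1"
}

# Default-deny ip6tables skeleton; per-segment service rules are appended by the operator.
# Packet Too Big must pass or path MTU discovery (and thus any larger transfer) breaks.
ip6tables_rules() {
    cat <<'EOF'
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -A INPUT  -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A INPUT  -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
EOF
}

# Drift check for the lifecycle problem (new kernel, rebuilt image): compare live values
# below $1 (default /proc/sys) for interface $2 with the desired ones. Returns 1 on any drift.
verify_sysctl() {
    root="${1:-/proc/sys}"; iface="${2:-eth0}"; rc=0
    for kv in $(ipv6_sysctl_keys); do
        key="${kv%%=*}"; want="${kv#*=}"
        have="$(cat "$root/net/ipv6/conf/$iface/$key" 2>/dev/null || echo missing)"
        [ "$have" = "$want" ] || { echo "DRIFT $iface/$key: have=$have want=$want"; rc=1; }
    done
    return $rc
}
```

Run `verify_sysctl` from a cron job or boot hook so that a rebuilt kernel or image that silently re-enables RA processing shows up as a DRIFT line rather than as a surprise.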
We hope some of you find the document instructive or inspirational. Use at your own risk 😉 and happy holidays to everybody!