We were recently approached by a customer asking us for support along the lines of “do you have any recommendations as for strict hardening of IPv6 parameters on Linux systems?”. It turned out that the systems in question process quite sensitive data and are located in specific, fairly small network segments with very high security requirements.
They indicated they were willing to spend significant operational resources on “securely configuring them”. So Antonios decided to write a small hardening guide for IPv6 on Linux, mostly focusing on manual configuration of pretty much everything (including neighbor cache entries 😉) with accompanying deactivation of all automatic mechanisms, together with ip6tables-based local packet filtering.
The document can be found here.
We would like to emphasize that – given the huge operational effort for applying the steps laid out in the document and in particular keeping the configuration approach consistent throughout the whole lifecycle of a system (even after, say, compiling a new kernel) – the approach described should only be used for specific segments, as discussed in my ACSAC 29 talk on “Design & Configuration of IPv6 Segments with High Security Requirements”. It should further be noted that many of the steps somewhat contradict universal IPv6 principles of “automation and flexibility” which we “otherwise strongly believe in”…
We hope some of you find the document instructive or inspirational. Use at your own risk 😉 & happy holidays to everybody!
Enno
Can you produce a FreeBSD version of this document too for people that want speed, security, and sanity?
In addition to FreeBSD, OSX would be great – I am willing to help.
Hi Sally and Don,
thanks for your suggestions. Any help is always appreciated 🙂
We are aiming at expanding the work to other OSes, like OS-X or FreeBSD. In the meantime, any other suggestions, hints, advice, etc. are more than welcome.
So, stay tuned 😉
Best
Antonios
Hi Antonios,
great document. Thanks for your effort!
Johannes