
IPv6 filtering basics or guidelines?

Started by raidius, August 17, 2010, 11:37:15 AM


raidius

Hey,

I was wondering if anyone has any pointers, links, or other information about basic filtering setups for IPv6? All IPv4 filter configurations seem to share the same basic shape, including many nearly universal sanity checks for bogus/malformed/martian packets, screwy ICMP hijinks, nonsense TCP flags, spoof rejection, and so on. I'm looking for info on laying that sort of basic starting point for a good set of v6 filter rules.

I do not want or need esoteric paranoid rules that break things like PMTU, ping, traceroute, etc.--just the basics would be fine :) I'm working with a Juniper SRX210 for what that's worth, but think I can figure out the JUNOS details given some good generic guides.

Thanks,
-Kyle

cholzhauer

It was pretty easy to set up my ASA...I don't know how Juniper does it, but the ASA has default configurations that sniff for everything you mentioned.

All ICMP is enabled, everything else is blocked unless there's a need for it (public server, DNS, etc.).

maestroevolution

Are you asking about security policy or screens on your SRX?

Security policy is written just like IPv4: address book entries, policy from zone foo to zone bar, and defining applications.

Most of the application stuff should be the same; tcp is still tcp, udp is still udp. You do need to remember to use 'junos-pingv6' and 'junos-icmp6' for the ping/icmp policies... I've forgotten that twice now.

The screens I haven't played with or verified, but I believe they work and are supported except the rpf-check (as of 10.2, per the release notes). I would expect the session limits, malformed tcp packets, etc. to be layer 3 agnostic.

Joel
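Putting the two answers together as an added example (not posted by anyone in this thread): a minimal SRX IPv6 policy skeleton in Junos "set" form that permits ICMPv6 inbound so PMTU, ping and traceroute keep working, exposes one published service, and denies everything else with logging. Zone names, interface names, the policy names and the 2001:db8::/32 addresses are assumptions for illustration; the `#` lines are explanatory comments, not configuration.

```junos
# Added example, not from the thread. Assumed zones trust/untrust, assumed interfaces,
# documentation prefix 2001:db8::/32 for the sample host.
# SRX only applies security policy to IPv6 once inet6 forwarding is flow-based
# (this particular change takes effect after a reboot).
set security forwarding-options family inet6 mode flow-based

# Interface-to-zone assignment (interface names are assumptions).
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

# Address book entry for the one host that is reachable from outside (sample address).
set security zones security-zone trust address-book address web6 2001:db8:1::80/128

# Inbound untrust -> trust, rule 1: ICMPv6 via the predefined junos-icmp6 application,
# so Packet Too Big and the other ICMPv6 types PMTU discovery depends on are not dropped.
set security policies from-zone untrust to-zone trust policy in-icmp6 match source-address any
set security policies from-zone untrust to-zone trust policy in-icmp6 match destination-address any
set security policies from-zone untrust to-zone trust policy in-icmp6 match application junos-icmp6
set security policies from-zone untrust to-zone trust policy in-icmp6 then permit

# Inbound rule 2: only the published service, to only that host.
set security policies from-zone untrust to-zone trust policy in-web6 match source-address any
set security policies from-zone untrust to-zone trust policy in-web6 match destination-address web6
set security policies from-zone untrust to-zone trust policy in-web6 match application junos-http
set security policies from-zone untrust to-zone trust policy in-web6 then permit

# Inbound rule 3: explicit final deny with session-init logging, so dropped v6 traffic
# is visible in syslog instead of silently hitting the implicit default deny.
set security policies from-zone untrust to-zone trust policy in-deny match source-address any
set security policies from-zone untrust to-zone trust policy in-deny match destination-address any
set security policies from-zone untrust to-zone trust policy in-deny match application any
set security policies from-zone untrust to-zone trust policy in-deny then deny
set security policies from-zone untrust to-zone trust policy in-deny then log session-init

# Outbound trust -> untrust: permit. If this is later narrowed to a list of applications,
# junos-pingv6 (and junos-icmp6) must be in that list or outbound v6 ping stops working.
set security policies from-zone trust to-zone untrust policy out-any match source-address any
set security policies from-zone trust to-zone untrust policy out-any match destination-address any
set security policies from-zone trust to-zone untrust policy out-any match application any
set security policies from-zone trust to-zone untrust policy out-any then permit
```

Policies are evaluated top to bottom within a zone pair, so the order in-icmp6, in-web6, in-deny matters; check it with `show security policies from-zone untrust to-zone trust` after committing.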