***Updated on 14 May 2014 - regarding NET-IPv6-022, See below***

Thousands of network engineers in the DoD looking at implementing IPv6 now have to address a few Security Technical Implementation Guide (STIG) items that they used to just annotate as "Not Applicable - NA."  Now IPv6 security matters.  If you are a vendor, it would be a good idea to look at what you will now absolutely have to address, or risk failing certification and accreditation of your products in a DoD enterprise.

The STIG Viewer

Whatever your feelings about Java, the software engineers at DISA put together a great way to finally view, edit, and transmit those STIGs.  It's called the DISA STIG Viewer (currently version 1.1), and it's available to everyone regardless of operating system.  Not every STIG is available to the average "Joe", but a good majority are.  In this blog I will be using the Cisco Perimeter Router STIG as an example.  The IPv6-specific STIG items are listed below; each is followed by the actual IOS commands, and the ACL entries all build up one list named inbound-to-enclave.

The IPv6 STIG Items

NET-IPv6-004 - IPv6 Router Advertisements must be suppressed on externally-facing links

-This is usually your BGP peering points, but it's good practice for all your point-to-point router links.  It is an interface command (the example uses the DISN-facing interface from the snippets further down):

interface FastEthernet0/1
 description DISN CORE facing
 ipv6 nd ra suppress

Older IOS releases spell it ipv6 nd suppress-ra.  Either form stops only the periodic, unsolicited RAs; the router still answers a Router Solicitation unless you add the all keyword (ipv6 nd ra suppress all) on releases that support it, so send an RS from the far side of the link before calling the item closed.

On an ASA it's ipv6 nd suppress-ra under the interface.

NET-IPv6-006 - IPv6 Undetermined Transport

-This is for IPv6 packets whose upper-layer protocol can't be determined: an unrecognized or malformed next-header chain, or a fragment that doesn't carry the transport header.  IOS only accepts the keyword on a deny entry.

ipv6 access-list inbound-to-enclave
 remark prohibit unknown protocols
 deny ipv6 any any undetermined-transport log

NET-IPv6-008 - IPv6 Bogons

-This is for IPv6 addresses you shouldn't see - like the old 6Bone (3FFE::/16, returned to IANA when the 6Bone was shut down in 2006, RFC 3701).  Block it in both directions.  The rest of the bogon space is everything outside 2000::/3 that isn't link-local or multicast; the items below cover the special-purpose ranges one at a time.

ipv6 access-list inbound-to-enclave
 remark prohibit IPv6 Bogons
 deny ipv6 3FFE::/16 any log
 deny ipv6 any 3FFE::/16 log

NET-IPv6-011 - IPv6 Outbound ICMPv6

-This is for all things ICMPv6.  Note the STIG item is about the egress direction (requests leaving the enclave), so although the entries are shown under the same ACL name as the rest of this post, they belong in the list you apply with ipv6 traffic-filter ... out on the external interface (or in on the LAN-facing one).  2001:db8:60::/44 stands in for the enclave prefix.

ipv6 access-list inbound-to-enclave
 remark Filter ICMPv6
 remark Allow outbound ping request from LAN subnet
 permit icmp 2001:db8:60::/44 2000::/3 echo-request
 remark Allow Path MTU to function
 permit icmp 2001:db8:60::/44 2000::/3 packet-too-big
 remark Allow time exceeded messages for traceroute and loop detection
 permit icmp 2001:db8:60::/44 2000::/3 time-exceeded
 remark Allow ND NA/NS generally, but not redirects
 permit icmp any any nd-na
 permit icmp any any nd-ns
 remark Explicitly block all other ICMP packets
 deny icmp any any log-input

The STIG's example also carries a "source-quench" entry for flow control.  ICMPv6 (RFC 4443) has no Source Quench message, so that entry matches nothing and is left out here.  Two things to keep: the explicit nd-na/nd-ns permits are required, because the explicit deny icmp any any would otherwise override the implicit ND permits IOS adds at the end of every IPv6 ACL, and packet-too-big must stay permitted or Path MTU discovery breaks.

NET-IPv6-016 - Disable vulnerable ICMPv6 on external interface

-This is for the external interface, and is also good on point-to-point, routed, untrusted interfaces:

interface FastEthernet0/1
 description DISN CORE facing
 no ipv6 redirects
 no ipv6 unreachables

There is no ipv6 mask-reply command: ICMPv6 has no address-mask messages (that is an IPv4 ICMP type), so the two commands above are the whole item on IOS.  no ipv6 unreachables suppresses Destination Unreachable (type 1) only; Packet Too Big (type 2) is a separate message and still goes out, which is what PMTUD needs.

NET-IPv6-017 - IPv6 Routing Header (or just RH Type 0)

-This is for the IPv6 source-routing header.  Type 0 (RH0, deprecated by RFC 5095) lets an attacker bounce a packet between two addresses dozens of times for traffic amplification and lets it sidestep address-based filters, so it has to go regardless.  If you are running Mobile IPv6 you still need Routing Header Type 2, so use the first form; if not, use the second form and drop every routing header.

With Mobile IPv6 (keep Routing Header Type 2, deny only type 0):

ipv6 access-list inbound-to-enclave
 remark prohibit IPv6 routing header type0
 deny ipv6 any any routing-type 0 log

Without Mobile IPv6 (no routing header is needed at all):

(config)# no ipv6 source-route

ipv6 access-list inbound-to-enclave
 remark prohibit all IPv6 routing headers
 deny ipv6 any any routing log

no ipv6 source-route stops the router itself from processing type 0 routing headers addressed to it; the ACL stops transit packets, so you want both.

UPDATE! - 1 May 2014 - DISA removes the below requirement as of Version 8, Release 17!

NET-IPv6-022 - IPv6 Link-Local Unicast Addresses at perimeter

-This is one I don't agree with and think DISA needs to remove.  Even at the perimeter, Neighbor Discovery (ND) needs to happen, and routing updates use link-local addresses (OSPFv3 and RIPng peer over them).  DISA gets a de-merit for this one :-)

***Don't do this unless you want to break IPv6 routing***

ipv6 access-list inbound-to-enclave
 remark prohibit use of link-local
 deny ipv6 fe80::/10 any log
 deny ipv6 any fe80::/10 log

Link-local packets are never forwarded off their link anyway, so all an inbound ACL like this achieves is blocking the router's own ND and routing-protocol traffic on that link.

NET-IPv6-025 & 26 - Block IPv6 Site-Local

-Site-local (fec0::/10) was deprecated by RFC 3879 and replaced by Unique Local Addresses (RFC 4193).  Block these.

ipv6 access-list inbound-to-enclave
 remark prohibit use of site-local
 deny ipv6 fec0::/10 any log
 deny ipv6 any fec0::/10 log

NET-IPv6-027 - Block IPv6 Loopback Address

-Loopback in IPv6 is ::1, just like IPv4's 127.0.0.1, and you shouldn't see it on any wire as either source or destination.  Block both.

ipv6 access-list inbound-to-enclave
 remark block packets with local loopback address
 deny ipv6 ::1/128 any log
 deny ipv6 any ::1/128 log

NET-IPv6-028 - Block IPv6 Unspecified Address

-The unspecified address is :: (written ::/128 in an ACL; ::/0 is the default route, a different thing), the equivalent of IPv4's 0.0.0.0.  Hosts use it as the source of Duplicate Address Detection neighbor solicitations, but those never leave the link, so at the perimeter you should never see it.  Block these.

ipv6 access-list inbound-to-enclave
 remark block traffic with the unspecified address
 deny ipv6 ::/128 any log
 deny ipv6 any ::/128 log

NET-IPv6-029 - Block IPv6 Multicast Source Address

-You should never see an IPv6 multicast address as the source address anywhere.  They will only ever be destination addresses.  Block these.  Of course, DISA messed up the example in their STIG.  ***Only block the source - not the destination!***  A deny ipv6 any ff00::/8 entry would kill every legitimate multicast group, including the ff02::/16 link-local groups that ND and the routing protocols depend on.

ipv6 access-list inbound-to-enclave
 remark block packets with multicast source address
 deny ipv6 ff00::/8 any log

NET-IPv6-030 - Block IPv4-compatible Addresses

-IPv4-compatible addresses (::a.b.c.d, i.e. ::/96) were deprecated by RFC 4291; you should never see one on the wire.  Block these.  Order matters if you write the ACL by hand: ::/96 also contains ::1 and ::, so the loopback and unspecified entries above must come first if you want their log messages to identify them separately.

ipv6 access-list inbound-to-enclave
 remark block packets with embedded IPv4-compatible IPv6 addresses
 deny ipv6 ::/96 any log
 deny ipv6 any ::/96 log

NET-IPv6-031 - Block IPv4-mapped Addresses

-IPv4-mapped addresses (::ffff:a.b.c.d) exist only inside a dual-stack socket API; you should never see one on the wire.  Block these.

ipv6 access-list inbound-to-enclave
 remark block embedded IPv4-mapped IPv6 addresses
 deny ipv6 ::FFFF:0:0/96 any log
 deny ipv6 any ::FFFF:0:0/96 log

NET-IPv6-032 - Block IPv6 Unique Local Addresses (ULA)

-You should never see an IPv6 ULA (FC00::/7, RFC 4193) at your border.  They're fine for internal use, but never allow them in or out.  Block these.

ipv6 access-list inbound-to-enclave
 remark block IPv6 Unique Local Unicast Addresses
 deny ipv6 FC00::/7 any log
 deny ipv6 any FC00::/7 log
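Added example (mine, not from the post or the STIG): a small Python script that carries the deny list from the address items above (NET-IPv6-008 and 025 through 032, with link-local deliberately left out per the withdrawn NET-IPv6-022) in one table, classifies a source/destination pair the way the ACL would, and renders the IOS entries from the same table so the config and the check can't drift apart.  The labels, the evaluate() and render_acl() functions and the sample address pairs are my own; the prefixes are the ones in the items above.

```python
"""Perimeter IPv6 address filter: the special-purpose ranges denied above, as data."""
import ipaddress

# Ordered deny table (first match wins).  Labels are mine; prefixes are the ones
# the STIG items above deny.  ::1 and :: come before ::/96, which contains both.
PERIMETER_DENY = [
    ("6Bone (NET-IPv6-008)",            "3ffe::/16"),
    ("site-local (NET-IPv6-025/026)",   "fec0::/10"),
    ("loopback (NET-IPv6-027)",         "::1/128"),
    ("unspecified (NET-IPv6-028)",      "::/128"),
    ("IPv4-compatible (NET-IPv6-030)",  "::/96"),
    ("IPv4-mapped (NET-IPv6-031)",      "::ffff:0:0/96"),
    ("unique local (NET-IPv6-032)",     "fc00::/7"),
]
MULTICAST = ipaddress.IPv6Network("ff00::/8")    # denied as SOURCE only (NET-IPv6-029)
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # NOT denied: NET-IPv6-022 was withdrawn


def classify(addr: str, role: str):
    """Return the deny-table label that matches addr in this role ('src' or 'dst'),
    or None if the address passes the bogon/special-address checks."""
    ip = ipaddress.IPv6Address(addr)
    if role == "src" and ip in MULTICAST:
        return "multicast source (NET-IPv6-029)"
    for label, prefix in PERIMETER_DENY:
        if ip in ipaddress.IPv6Network(prefix):
            return label
    return None


def evaluate(src: str, dst: str):
    """Emulate the deny entries: ('deny', reason) on the first hit, else ('permit', None)."""
    for role, addr in (("src", src), ("dst", dst)):
        hit = classify(addr, role)
        if hit:
            return "deny", f"{role} {addr}: {hit}"
    return "permit", None


def render_acl(name: str = "inbound-to-enclave") -> str:
    """Emit the IOS ACL entries for the table, in table order."""
    lines = [f"ipv6 access-list {name}",
             " remark block packets with multicast source address",
             f" deny ipv6 {MULTICAST} any log"]
    for label, prefix in PERIMETER_DENY:
        lines.append(f" remark block {label}")
        lines.append(f" deny ipv6 {prefix} any log")
        lines.append(f" deny ipv6 any {prefix} log")
    return "\n".join(lines)


# Constructed test pairs (documentation prefixes only).
SAMPLES = [
    ("2001:db8:60::10", "2001:db8::2"),      # ordinary global traffic
    ("2001:db8:60::10", "ff0e::101"),        # multicast destination is fine
    ("ff02::1", "2001:db8::2"),              # multicast source is not
    ("fe80::1", "ff02::d"),                  # link-local PIM hello: permitted (022 withdrawn)
    ("::1", "2001:db8::2"),                  # loopback, matched before ::/96
    ("::", "ff02::1:ff00:1"),                # unspecified (DAD-style) source
    ("::192.0.2.1", "2001:db8::2"),          # IPv4-compatible
    ("::ffff:192.0.2.1", "2001:db8::2"),     # IPv4-mapped
    ("fd00:1::1", "2001:db8::2"),            # ULA
    ("2001:db8::2", "3ffe::1"),              # 6Bone destination
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        action, reason = evaluate(src, dst)
        print(f"{src:>20} -> {dst:<18} {action:6} {reason or ''}")
    print(render_acl())
```

Running it prints the verdict for each constructed pair and then the generated ACL.  The table order is the one point to watch: ::/96 also covers ::1 and ::, which is why loopback and unspecified are listed (and rendered) before the IPv4-compatible entry.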

NET-IPv6-033 - IPv6 CEF enabled

-Enable IPv6 CEF.  It requires IPv4 CEF (ip cef) to be on first, and the uRPF check in the next item depends on it.

(config)# ip cef
(config)# ipv6 cef

NET-IPv6-034 - Egress Outbound Source Reachable

-This is IPv6 uRPF (it needs CEF from the previous item) and it's an interface command.  reachable-via rx is strict mode: any packet whose source isn't reachable back through the interface it arrived on is dropped, so apply it on the LAN-facing interface, where your routing is symmetric; use reachable-via any (loose mode) on links with asymmetric routing.  The trailing name is an optional exception ACL: packets that fail the check but are permitted by that ACL are still forwarded, so only list deliberate exceptions in it.

interface FastEthernet0/0
 ipv6 verify unicast source reachable-via rx outbound-to-backbone

NET-IPv6-047 & 48- IPv6 NAT

-I don't recommend you do IPv6 NAT, but if you must, don't do what DISA recommends, which is the old NAT-PT (RFC 2766, moved to Historic status by RFC 4966).  Most everyone has moved to the current standard, stateful NAT64 (RFC 6146) with DNS64 (RFC 6147).  There are a lot of commands, so go here to see them: https://supportforums.cisco.com/docs/DOC-22619

NET-IPv6-060 - Packet with Invalid Hop-by-Hop Header

-Fun with Extension Headers!  This is where it gets fun.  Only some option types are valid in a Hop-by-Hop Options header (next header 0); the ones below are defined only for the Destination Options header (4 = Tunnel Encapsulation Limit, home-address = 201 from Mobile IPv6) or not defined at all.  Block these.

ipv6 access-list inbound-to-enclave
 remark block IPv6 HbH Invalid Options
 deny 0 any any dest-option-type 4 log
 deny 0 any any dest-option-type 195 log
 deny 0 any any dest-option-type home-address log

The option-matching keywords vary by IOS release and platform; confirm with ? on your own box that the protocol and dest-option-type combination is accepted before relying on it.

NET-IPv6-061 & 63 - Packet with Invalid Destination Options Header

-Same game for the Destination Options header (next header 60): Router Alert (5) and Jumbo Payload (194) are Hop-by-Hop-only options, and 195 is not defined.  Block these.

ipv6 access-list inbound-to-enclave
 remark block IPv6 DO Invalid Options
 deny 60 any any dest-option-type 5 log
 deny 60 any any dest-option-type 194 log
 deny 60 any any dest-option-type 195 log

NET-IPv6-062 - Packet with IPv6 Endpoint Identification

-Option type 138 (Endpoint Identification) was defined for the abandoned Nimrod routing work and is deprecated; nothing legitimate sends it.  Block it.  Using ipv6 as the protocol matches the option whatever the upper-layer protocol turns out to be.

ipv6 access-list inbound-to-enclave
 remark block IPv6 Endpoint Identification option
 deny ipv6 any any dest-option-type 138 log

NET-IPv6-064 - Filter Undefined Extension Header Types

-Last of the extension header fun.  Despite the item's title, these are option type codes, not next-header numbers (6 would be TCP if they were), and they were unassigned (255 is reserved) in the IANA IPv6 parameters registry when the STIG was written, so nothing conforming should send them.  Block these, but treat the list as a snapshot: codes do get assigned (139 is now the ILNP Nonce option, RFC 6744), so check the registry before adding to it.

ipv6 access-list inbound-to-enclave
 remark block IPv6 Invalid Extension Header Types
 deny ipv6 any any dest-option-type 2 log
 deny ipv6 any any dest-option-type 3 log
 deny ipv6 any any dest-option-type 6 log
 deny ipv6 any any dest-option-type 7 log
 deny ipv6 any any dest-option-type 8 log
 deny ipv6 any any dest-option-type 137 log
 deny ipv6 any any dest-option-type 139 log
 deny ipv6 any any dest-option-type 193 log
 deny ipv6 any any dest-option-type 196 log
 deny ipv6 any any dest-option-type 197 log
 deny ipv6 any any dest-option-type 198 log
 deny ipv6 any any dest-option-type 199 log
 deny ipv6 any any dest-option-type 200 log
 deny ipv6 any any dest-option-type 202 log
 deny ipv6 any any dest-option-type 255 log
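Added example, not from the post or the STIG: a Python walker for the IPv6 extension-header chain that applies the rules from NET-IPv6-006, -017 and -060 through -064 to raw packet bytes, so you can see what each deny entry actually matches and build test packets for a lab router.  The packet builders, the sample packets and the choice to treat ESP as the end of the chain are my assumptions (a filter sees nothing past ESP either); the option-type sets are copied from the deny lists above, not from the IANA registry.

```python
"""Walk an IPv6 extension-header chain and apply the deny rules from the items above."""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 59, 60, 135
TRANSPORTS = {6, 17, 58, ESP}   # TCP, UDP, ICMPv6, ESP: upper layer found, stop walking
# Option type codes from the deny lists above (not a full IANA registry).
BAD_IN_HBH = {4, 195, 201}      # NET-IPv6-060 (201 = home-address)
BAD_IN_DO = {5, 194, 195}       # NET-IPv6-061/063
BAD_ANYWHERE = {138, 2, 3, 6, 7, 8, 137, 139, 193, 196, 197, 198, 199, 200, 202, 255}  # 062/064


def option_types(area: bytes):
    """Yield option type codes from an options area; Pad1 (type 0) has no length byte."""
    i = 0
    while i < len(area):
        if area[i] == 0:
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated option")
        yield area[i]
        i += 2 + area[i + 1]


def check_chain(pkt: bytes) -> list:
    """Return the deny reasons for this packet; an empty list means it passes every item."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    reasons, nh, off = [], pkt[6], 40
    while nh not in TRANSPORTS and nh != NO_NEXT:
        if off + 8 > len(pkt):                       # every extension header is >= 8 octets
            reasons.append("truncated chain: undetermined transport (NET-IPv6-006)")
            break
        if nh in (HOP_BY_HOP, DEST_OPTS, MOBILITY, ROUTING):
            hlen = (pkt[off + 1] + 1) * 8            # ext-len is in 8-octet units, first 8 excluded
            if nh == ROUTING and pkt[off + 2] == 0:  # routing type field
                reasons.append("routing header type 0 (NET-IPv6-017)")
        elif nh == FRAGMENT:
            hlen = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:   # non-zero fragment offset
                reasons.append("non-initial fragment: undetermined transport (NET-IPv6-006)")
                break
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4            # AH length is in 4-octet units minus 2
        else:
            reasons.append(f"unknown next header {nh}: undetermined transport (NET-IPv6-006)")
            break
        if off + hlen > len(pkt):
            reasons.append("truncated header: undetermined transport (NET-IPv6-006)")
            break
        if nh in (HOP_BY_HOP, DEST_OPTS):
            try:
                for t in option_types(pkt[off + 2:off + hlen]):
                    if t in BAD_ANYWHERE:
                        reasons.append(f"option type {t} undefined/deprecated (NET-IPv6-062/064)")
                    elif nh == HOP_BY_HOP and t in BAD_IN_HBH:
                        reasons.append(f"option type {t} invalid in Hop-by-Hop (NET-IPv6-060)")
                    elif nh == DEST_OPTS and t in BAD_IN_DO:
                        reasons.append(f"option type {t} invalid in Destination Options (NET-IPv6-061/063)")
            except ValueError:
                reasons.append("malformed options: undetermined transport (NET-IPv6-006)")
                break
        nh, off = pkt[off], off + hlen
    return reasons


# Builders for constructed test packets (documentation addresses; ICMPv6 checksum not computed).
def ipv6(chain: bytes, first_nh: int, src="2001:db8:60::1", dst="2001:db8::2") -> bytes:
    hdr = struct.pack("!IHBB", 6 << 28, len(chain), first_nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + chain


def options_header(next_nh: int, opts: bytes) -> bytes:
    """HbH/DestOpts header: next-header, ext-len (8-octet units minus one), options, padding."""
    body = bytes([next_nh, 0]) + opts
    pad = -len(body) % 8
    if pad == 1:
        body += b"\x00"                                     # Pad1
    elif pad > 1:
        body += bytes([1, pad - 2]) + b"\x00" * (pad - 2)   # PadN
    return bytes([body[0], len(body) // 8 - 1]) + body[2:]


def routing_header(next_nh: int, rtype: int, hop: str) -> bytes:
    """Routing header carrying one address (ext-len 2 = 24 octets, segments left 1)."""
    return bytes([next_nh, 2, rtype, 1, 0, 0, 0, 0]) + ipaddress.IPv6Address(hop).packed


ECHO = b"\x80\x00\x00\x00\x00\x01\x00\x01"
SAMPLES = {
    "plain echo request":   ipv6(ECHO, 58),
    "router alert in HbH":  ipv6(options_header(58, bytes([5, 2, 0, 0])) + ECHO, HOP_BY_HOP),
    "router alert in DO":   ipv6(options_header(58, bytes([5, 2, 0, 0])) + ECHO, DEST_OPTS),
    "home address in HbH":  ipv6(options_header(58, bytes([201, 16]) + b"\x00" * 16) + ECHO, HOP_BY_HOP),
    "endpoint id in DO":    ipv6(options_header(58, bytes([138, 2, 0, 0])) + ECHO, DEST_OPTS),
    "RH0":                  ipv6(routing_header(58, 0, "2001:db8::ffff") + ECHO, ROUTING),
    "RH2 (Mobile IPv6)":    ipv6(routing_header(58, 2, "2001:db8::ffff") + ECHO, ROUTING),
    "unknown next header":  ipv6(ECHO, 253),
    "non-initial fragment": ipv6(bytes([58, 0, 0x00, 0x08, 0, 0, 0, 1]) + ECHO, FRAGMENT),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} -> {check_chain(pkt) or ['permit']}")
```

The same option is legal or not depending on which header carries it (Router Alert passes in Hop-by-Hop and is denied in Destination Options), which is why the IOS entries above are keyed on protocol 0 versus 60; the walker also shows why a non-initial fragment and an unknown next header both end up under NET-IPv6-006 rather than a more specific item.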

NET-IPv6-066 - 6in4 or 6to4 Filtering

-It seems odd that DISA would block the whole 2002::/16 space and then add filtering guidance for it.  Many of you will have IPv6-over-IPv4 tunnels, so use this as guidance.  The idea is that the only 6to4 source prefix allowed to leave your enclave is your own, 2002:<your IPv4 address in hex>::/48: with 198.18.0.1 on the DISN-facing interface that is 2002:C612:1::/48 (198 = C6, 18 = 12, 0 = 00, 1 = 01).

ipv6 general-prefix 6TO4_PREFIX 6to4 FastEthernet0/1
!
interface Tunnel0
 ipv6 address 2001:db8::1/64
 tunnel source FastEthernet0/1
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ipv6 address 6TO4_PREFIX ::1:0:0:0:1/64
 ipv6 traffic-filter IPV6_EGRESS_FILTER in
!
interface FastEthernet0/1
 description DISN CORE facing
 ip address 198.18.0.1 255.255.255.0
!
ipv6 route 2002::/16 Tunnel0
!
ipv6 access-list IPV6_EGRESS_FILTER
 permit ipv6 2002:C612:1::/48 any
 deny ipv6 any any log

For a manual 6in4 tunnel to a fixed peer instead of automatic 6to4, use tunnel mode ipv6ip with a tunnel destination.  The tunnel source must be the interface whose IPv4 address the 6to4 prefix is derived from (FastEthernet0/1 here, the same one named in the general-prefix command); sourcing it from the RFC 1918 LAN address would never work across the Internet.  The egress filter is applied inbound on the LAN interface so that anything not sourced from your /48 is dropped before it reaches the tunnel.

NET-TUNL-001, 2, 20 & 33 - Block Legacy Tunneling

-Some of these may be in use in your network, so read carefully.  Only block what's not being used.  This is an IPv4 ACL (the tunnels ride over IPv4), so it goes in an extended IP access list, not the IPv6 one.

ip access-list extended inbound-to-enclave
 remark block Legacy Tunneling
 remark IP-in-IP
 deny 4 any any log
 remark IPv6-in-IPv4 (6in4, 6to4, ISATAP) - only if you aren't doing 6in4 tunneling
 deny 41 any any log
 remark GRE - only if you aren't doing GRE tunneling
 deny 47 any any log
 remark SDRP
 deny 42 any any log
 remark AX.25
 deny 93 any any log
 remark EtherIP
 deny 97 any any log
 remark PPTP control channel
 deny tcp any any eq 1723 log
 deny udp any any eq 1723 log
 remark Teredo server port
 deny udp any any eq 3544 log
 remark ENCAP (RFC 1241)
 deny 98 any any log

Protocol 41 covers every IPv6-in-IPv4 flavor at once, which is why you have to decide about it rather than just deny it.  The Teredo entry only stops the setup exchange with the server on UDP 3544; the tunnel itself runs between arbitrary UDP ports, so blocking Teredo properly also means not letting clients reach Teredo servers at all.


NET-MCAST-001 - Block PIM (if not using it)

-Some of these may be in use in your network, so read carefully.  Only block what's not being used.  If you don't run IPv6 multicast across the perimeter, simply don't enable PIM on the external interface:

interface FastEthernet0/1
 description DISN CORE facing
 no ipv6 pim

NET-MCAST-002 - If using IPv6 PIM - filter

-If you are using PIM, be specific about whom you allow to be a PIM neighbor.  PIM hellos come from the neighbor's link-local address to ff02::d, so the filter lists link-local addresses.  It's an interface command:

interface FastEthernet0/1
 description DISN CORE facing
 ipv6 pim neighbor-filter list PIM_NEIGHBORS
!
ipv6 access-list PIM_NEIGHBORS
 permit ipv6 host FE80::1 any
 permit ipv6 host FE80::3 any
 deny ipv6 any any log

NET-MCAST-009 & 10 - IPv6 Administrative Multicast Restrictions

-Be very careful with this one, especially if you are allowing IPv6 multicast routing in and out of the enterprise.

ipv6 multicast-routing
!
interface FastEthernet0/1
 description DISN CORE facing
 ipv6 address 2001:db8::1/64
 ipv6 multicast boundary scope 8

***A boundary of scope 8 stops every group with a scope value of 8 (organization-local) or smaller from crossing the interface; only larger scopes, in practice global (E), get through.  If you have an admin-local (4) or organization-local (8) IPv6 multicast infrastructure that must span this link, lower the value accordingly!

NET-MCAST-020 - IPv6 Source-Specific Multicast Groups

-If you aren't configuring IPv6 SSM, don't worry about this one.  If you are, do this:

ipv6 access-list SSM_RANGE
 permit ipv6 any ff3e::1:0:0/96
!
ipv6 pim ssm range SSM_RANGE

or

ipv6 pim ssm default

**"default" means it will only use FF3x::/32, where "x" is any valid scope value.  The ACL form restricts SSM to a single /96 of global-scope groups, so a group outside it (ff3e::2:0:1, say) is treated as ASM and needs an RP; make sure the range matches what your sources actually use.
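Added example (mine, not the post's): the scope-boundary and SSM-range arithmetic behind the two NET-MCAST snippets above, in Python, so you can check a group address against ipv6 multicast boundary scope 8 and against the SSM_RANGE ACL before you turn either on.  The function names, the scope-name table and the sample groups are my own; the boundary value and the ff3e::1:0:0/96 range are the ones configured above.

```python
"""Multicast scope boundary and SSM range checks for the NET-MCAST items above."""
import ipaddress

BOUNDARY_SCOPE = 8                                     # from `ipv6 multicast boundary scope 8`
SSM_RANGE = ipaddress.IPv6Network("ff3e::1:0:0/96")   # the SSM_RANGE ACL above
SCOPE_NAMES = {1: "interface-local", 2: "link-local", 4: "admin-local",
               5: "site-local", 8: "organization-local", 0xE: "global"}


def flags_and_scope(group: str):
    """Split an ff00::/8 group into its flag nibble (0RPT) and scope nibble."""
    ip = ipaddress.IPv6Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a multicast group")
    top = int(ip) >> 112                               # first 16 bits: ff, flags, scope
    return (top >> 4) & 0xF, top & 0xF


def crosses_boundary(group: str, boundary: int = BOUNDARY_SCOPE) -> bool:
    """True if the group is forwarded through an interface configured with
    `ipv6 multicast boundary scope <boundary>`: only scopes larger than the boundary pass."""
    return flags_and_scope(group)[1] > boundary


def in_ssm_default(group: str) -> bool:
    """The IOS default SSM range, FF3x::/32: flags P=1,T=1 (0x3) and bits 16-31 zero."""
    flags, _ = flags_and_scope(group)
    return flags == 0x3 and ((int(ipaddress.IPv6Address(group)) >> 96) & 0xFFFF) == 0


def in_ssm_range(group: str, ssm_range=SSM_RANGE) -> bool:
    """The configured range: what `ipv6 pim ssm range SSM_RANGE` treats as SSM."""
    return ipaddress.IPv6Address(group) in ssm_range


# Constructed sample groups: PIM hello, site-local DHCP, org-local, global, two SSM
# groups (one inside the /96, one outside) and a unicast-prefix-based ASM group.
SAMPLES = ["ff02::d", "ff05::1:3", "ff08::1", "ff0e::101",
           "ff3e::1:0:5", "ff3e::2:0:5", "ff35:30:2001:db8::1"]

if __name__ == "__main__":
    for g in SAMPLES:
        flags, scope = flags_and_scope(g)
        print(f"{g:22} scope {scope:x} ({SCOPE_NAMES.get(scope, '?'):18}) "
              f"crosses boundary: {crosses_boundary(g)!s:5} "
              f"SSM default: {in_ssm_default(g)!s:5} SSM_RANGE acl: {in_ssm_range(g)}")
```

The last sample is the one to notice: ff35:30:2001:db8::1 has the same P and T flags as an SSM group, but its bits 16 to 31 carry a prefix length, so it is a unicast-prefix-based ASM group (RFC 3306) and falls outside both the default and the configured SSM range.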