Operational Security Considerations for IPv6 Networks
draft-ietf-opsec-v6-24
Type: Active Internet-Draft (opsec WG)
Authors: Éric Vyncke, Chittimaneni Kk, Merike Kaeo, Enno Rey
Last updated: 2021-02-12
Replaces: draft-vyncke-opsec-v6
Stream: IETF
Intended RFC status: Informational
WG state: Submitted to IESG for Publication
Document shepherd: Gyan Mishra
Shepherd write-up: last changed 2019-11-08
IESG state: Waiting for Writeup
Action holders: (None)
Consensus boilerplate: Yes
Responsible AD: Warren Kumari
Send notices to: Gyan Mishra <hayabusagsm@gmail.com>
IANA review state: Version Changed - Review Needed
OPSEC                                                          E. Vyncke
Internet-Draft                                                     Cisco
Intended status: Informational                           K. Chittimaneni
Expires: August 16, 2021                                          WeWork
                                                                 M. Kaeo
                                                    Double Shot Security
                                                                  E. Rey
                                                                    ERNW
                                                       February 12, 2021

            Operational Security Considerations for IPv6 Networks
                           draft-ietf-opsec-v6-24

Abstract

   Knowledge and experience on how to operate IPv4 securely is
   available: whether it is the Internet or an enterprise internal
   network.  However, IPv6 presents some new security challenges.  RFC
   4942 describes the security issues in the protocol, but network
   managers also need a more practical, operations-minded document to
   enumerate advantages and/or disadvantages of certain choices.

   This document analyzes the operational security issues associated
   with several types of network and proposes technical and procedural
   mitigation techniques.  This document is only applicable to managed
   networks, such as enterprise building networks.  The recommendations
   in this document are not applicable to residential user cases, even
   in cases where a Service Provider may be managing the home gateway.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 16, 2021.

Vyncke, et al.           Expires August 16, 2021                [Page 1]

Internet-Draft                 OPsec IPv6                  February 2021

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Applicability Statement . . . . . . . . . . . . . . . . .   4
   2.  Generic Security Considerations . . . . . . . . . . . . . . .   4
     2.1.  Addressing Architecture . . . . . . . . . . . . . . . . .   4
       2.1.1.  Use of ULAs . . . . . . . . . . . . . . . . . . . . .   5
       2.1.2.  Point-to-Point Links  . . . . . . . . . . . . . . . .   5
       2.1.3.  Loopback Addresses  . . . . . . . . . . . . . . . . .   5
       2.1.4.  Stable Addresses  . . . . . . . . . . . . . . . . . .   5
       2.1.5.  Temporary Addresses for SLAAC . . . . . . . . . . . .   6
       2.1.6.  DHCP and DNS Considerations . . . . . . . . . . . . .   7
       2.1.7.  Using a /64 per host  . . . . . . . . . . . . . . . .   8
       2.1.8.  Privacy consideration of Addresses  . . . . . . . . .   8
     2.2.  Extension Headers . . . . . . . . . . . . . . . . . . . .   8
       2.2.1.  Order and Repetition of Extension Headers . . . . . .   9
       2.2.2.  Hop-by-Hop Options Header . . . . . . . . . . . . . .   9
       2.2.3.  Fragment Header . . . . . . . . . . . . . . . . . . .  10
       2.2.4.  IP Security Extension Header  . . . . . . . . . . . .  10
     2.3.  Link-Layer Security . . . . . . . . . . . . . . . . . . .  10
       2.3.1.  Neighbor Solicitation Rate Limiting . . . . . . . . .  10
       2.3.2.  Router and Neighbor Advertisements Filtering  . . . .  11
       2.3.3.  Securing DHCP . . . . . . . . . . . . . . . . . . . .  13
       2.3.4.  3GPP Link-Layer Security  . . . . . . . . . . . . . .  13
       2.3.5.  Impact of Multicast Traffic . . . . . . . . . . . . .  14
       2.3.6.  SeND and CGA  . . . . . . . . . . . . . . . . . . . .  14
     2.4.  Control Plane Security  . . . . . . . . . . . . . . . . .  15