OpenBSD 7.6 finally added a DHCPv6-PD app (dhcp6leased) in base, so I decided to convert my network into a dual stack IPv4/IPv6 network. I have everything up and running, and now, I'm at the stage of hardening my setup. And I have a few questions I was hoping folks here could help me out with.
The first concerns martian packets for IPv6.
I have followed the following two sites and have come up with the following to reject from my network:
Martian packet - Wikipedia (en.wikipedia.org)
RFC 6890: Special-Purpose IP Address Registries (datatracker.ietf.org)
table <martians> { 0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
192.0.0.0/24 192.0.2.0/24 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 224.0.0.0/3 240.0.0.0/4 \
::1/128 ::/128 100::/64 2001::/23 2001::/32 \
2001:2::/48 2001:db8::/32 2001:10::/28 \
3fff::/20 }
Does my reduced list of the IPv6 addresses make sense? Are there more that I should add, or are there ones I should remove?
The next thing I looked at was ICMPv6.
I've read through this doc: https://www.rfc-editor.org/rfc/rfc4890 and I'm not really sure what to keep and what not to keep, since so much of IPv6's functionality depends on ICMPv6. For now, I'm passing all ICMPv6 traffic. Let me know your thoughts on this one. It does look like I should have some restriction here, but I'm not sure. My current rule passes it all and keeps state.
# allow ICMP6 traffic
pass in quick inet6 proto icmp6
pass out quick inet6 proto icmp6
I'm also still trying to get my head around the idea that I'm not NATing anything for IPv6. My IPv6-only egress pass-in rule is as follows, to get my 64-bit PD from my ISP. My router is set up to block all by default.
# dhcpv6 traffic for WAN
pass in on egress inet6 proto udp \
from fe80::/10 port dhcpv6-server \
to fe80::/10 port dhcpv6-client no state
The other items that I'm trying to get my head around, which are going to require more reading on my part, are setting things up locally for IPv6 equivalently. My SSH on my router is still only set up for IPv4 and only accepts login via certs. I haven't configured my unbound to an IPv6 address yet, but hosts are getting IPv6 from the AAAA record currently. These are on my todo list. I'm not passing DNS with an RA daemon yet.
I haven't done anything to my Synology NAS for IPv6. I'm using an ASUS router as an AP only, connected to my switch, and I can't figure out how to give it a static IPv6 address. Both the NAS and AP and my printer have static IPv4 addresses from my DHCP by MAC address. I'm not sure what the equivalent is for IPv6. The good news is that my ISP continues to give me the same 64-bit PD each day. Right now, I'm dual stack, so I'm not worried about it. But I'd like to know approaches.
Everything appears to work correctly. I'm trying to tie up loose ends. IPv6 is definitely more complex than IPv4 even though you don't have to NAT.
Anything I'm missing?
Also, this is interesting. Here's Steve talking about the state of IPv6:
IPv6 Adoption Around the World: Security Now 541 | TWiT.TV (twit.tv/sn/541)
and here's the current status. Lots has changed, and I'm trying to catch up.
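As an added example (not part of the original post), the following Python script parses the <martians> table exactly as posted, reports entries already covered by a wider entry, and classifies a few constructed sample addresses. It uses only the standard ipaddress module; the sample addresses are made up for the demonstration.

```python
# Added example: sanity-check the pf <martians> table quoted in the post.
import ipaddress
import re

# The table exactly as posted (pf.conf syntax with backslash continuations).
PF_TABLE = r"""
table <martians> { 0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    192.0.0.0/24 192.0.2.0/24 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 224.0.0.0/3 240.0.0.0/4 \
    ::1/128 ::/128 100::/64 2001::/23 2001::/32 \
    2001:2::/48 2001:db8::/32 2001:10::/28 \
    3fff::/20 }
"""

def parse_pf_table(text):
    """Return the networks between the braces of a pf 'table <name> { ... }'.
    strict=True makes a non-zero host part raise ValueError instead of masking it."""
    joined = text.replace("\\\n", " ")          # undo pf line continuations
    body = re.search(r"\{(.*?)\}", joined, re.S).group(1)
    return [ipaddress.ip_network(tok, strict=True) for tok in body.split()]

def redundant_entries(nets):
    """(child, parent) pairs where child is already inside a wider entry.
    pf accepts these, but they obscure what the table actually blocks."""
    found = []
    for n in nets:
        for other in nets:
            if n.version == other.version and n != other and n.subnet_of(other):
                found.append((str(n), str(other)))
                break
    return found

def is_martian(addr, nets):
    """True if addr falls inside any table entry of the same address family."""
    a = ipaddress.ip_address(addr)
    return any(a.version == n.version and a in n for n in nets)

if __name__ == "__main__":
    nets = parse_pf_table(PF_TABLE)
    for child, parent in redundant_entries(nets):
        print(f"{child} is already covered by {parent}")
    # Constructed samples: ULA host, link-local router, documentation prefix,
    # RFC 1918 host, and the IPv4-mapped IPv6 form of that same RFC 1918 host.
    for s in ["fd00::1", "fe80::1", "2001:db8::1", "192.168.1.1", "::ffff:192.168.1.1"]:
        print(s, "martian" if is_martian(s, nets) else "not in table")
```

On the posted table it reports 240.0.0.0/4 as already inside 224.0.0.0/3 and 2001::/32, 2001:2::/48 and 2001:10::/28 as already inside 2001::/23, and shows that link-local, ULA and IPv4-mapped addresses are not matched by the table at all.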