We'll see here what an Edge Network is, what 'IPv6 Ingress Filtering' is, and which RFCs describe IPv6 Ingress Filtering.
I'll use a D-Link DIR-626L for this study, so we'll be able to see its IPv6 firewall implementation.
An Edge Network is the part of a network that connects to other, external networks: ISPs or partner organisations for an enterprise; other ISPs and customers for an ISP.
It can be a single router, or a complex zone built with redundancy, load balancing, etc.
It also hosts the public-access services: web servers, FTP servers, etc.
The Edge Network is a single point of failure for a network (unless it is built with redundancy), and a partly open zone security-wise. A second layer of security (e.g. a firewall) usually separates the Edge Network from the Inner Network (Core Network).
Here is a basic enterprise Edge Network:
Here is an enterprise Edge Network built with redundancy (the Inner Network is built with redundancy here too):
IPv6 Ingress Filtering
A short definition of Ingress Filtering:
" IPv6 Ingress Filtering is a special rule, implemented in routers, that only allows incoming packets that have a valid source address. Valid packets are allowed to be routed, non-valid packets are either dropped or bounced back. The purpose of Ingress Filtering is to strongly reduce source-spoofed packet traffic, which is used by DoS. "
Ingress filtering is a set of rules aimed at preventing packets with spoofed IP source addresses from entering or crossing a network. The goal is to make DDoS attacks harder to mount, and to make the sources of DDoS traffic traceable.
Another benefit of Ingress Filtering is enhanced security: no exterior host can spoof an internal address to reach management interfaces that are only open to internal addresses.
Ingress filtering is typically implemented at edge networks, either those of an organisation (end-point network) or those of an ISP (transit network).
Ingress filtering at transit networks can also filter the so-called 'Martian Addresses', i.e. addresses that are not routable on the Internet (::1/128, fc00::/7, ::/128, ...).
It may be implemented in different ways. The simplest implementation, found in consumer equipment, only allows incoming packets whose source address is in the subnet of the router's receiving interface.
Ingress Filtering is described in RFC 2827 (BCP 38) and RFC 3704 (BCP 84); RFC 8704 has since updated RFC 3704 with an enhanced feasible-path variant.
Practical implementation and test of Ingress Filtering
Our D-Link DIR-626L does offer an 'Enable IPv6 Ingress Filtering' checkbox in the IPv6 Firewall menu. Here is how it looks, in an open-firewall setting (which is not advisable except for testing purposes):
The test consists in sending packets with spoofed source addresses through the router, and monitoring with the Wireshark network analyser on the other side whether they get through. The test has to be done in both directions, and for each of the route conditions RFC 3704 distinguishes (no route to the source prefix, a matching route, a non-matching route, only a default route).
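To make the test procedure concrete, here is an added example (written for this page, not code from the original post nor from D-Link) that builds the spoofed test packet with only the Python standard library: an IPv6 header carrying an ICMPv6 Echo Request with an arbitrary source address, plus a decoder that shows what the capture on the other side of the router should display, checksum included. Sending uses a Linux AF_INET6 raw socket opened with IPPROTO_RAW, which takes the caller-supplied IPv6 header as is; that part is Linux-specific and needs root (CAP_NET_RAW). The addresses (documentation prefix 2001:db8::/32) and the script name `spoof_test.py` are assumptions of the example.

```python
import ipaddress
import socket
import struct
from typing import Optional

ICMPV6 = 58            # IPv6 Next Header value for ICMPv6
ECHO_REQUEST = 128     # ICMPv6 type


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address, icmp: bytes) -> int:
    """RFC 8200 upper-layer checksum: pseudo-header (src, dst, length, next header) + ICMPv6 message.
    Computed over a message whose checksum field is already filled in, it returns 0 when valid."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), ICMPV6)
    return (~_ones_complement_sum(pseudo + icmp)) & 0xFFFF


def build_spoofed_echo(src: str, dst: str, ident: int = 0x1234, seq: int = 1,
                       data: bytes = b"spoof-test", hop_limit: int = 64) -> bytes:
    """IPv6 header + ICMPv6 Echo Request carrying an arbitrary (spoofed) source address."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    icmp = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq) + data   # checksum 0 for now
    csum = icmpv6_checksum(s, d, icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    # version 6, traffic class 0, flow label 0 | payload length | next header | hop limit
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit) + s.packed + d.packed
    return hdr + icmp


def parse_ipv6(pkt: bytes) -> dict:
    """Decode what a capture on the far side of the router would show for this packet."""
    vtf, plen, nh, hl = struct.unpack("!IHBB", pkt[:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    payload = pkt[40:40 + plen]
    info = {"version": vtf >> 28, "src": str(src), "dst": str(dst),
            "next_header": nh, "hop_limit": hl, "payload_len": plen}
    if nh == ICMPV6 and payload:
        info["icmpv6_type"] = payload[0]
        info["checksum_ok"] = icmpv6_checksum(src, dst, payload) == 0
    return info


def send_raw(pkt: bytes, iface: Optional[str] = None) -> None:
    """Linux only, needs CAP_NET_RAW (assumption of this example): an AF_INET6 raw socket
    opened with IPPROTO_RAW sends the caller's IPv6 header unmodified, spoofed source included."""
    dst = parse_ipv6(pkt)["dst"]
    with socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW) as sk:
        if iface:
            sk.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, iface.encode())
        sk.sendto(pkt, (dst, 0, 0, 0))


if __name__ == "__main__":
    import sys
    # usage: sudo python3 spoof_test.py <spoofed-src> <dst> [iface]
    packet = build_spoofed_echo(sys.argv[1], sys.argv[2])
    print(parse_ipv6(packet))
    send_raw(packet, sys.argv[3] if len(sys.argv) > 3 else None)
```

Run it on a host in the LAN with a source address outside the LAN prefix (e.g. 2001:db8:bad::1), and on the WAN side check whether the packet arrives, with tcpdump -ni <iface> ip6 and src host 2001:db8:bad::1 or the Wireshark display filter ipv6.src == 2001:db8:bad::1; then swap the roles of the two sides for the other direction, and vary the spoofed prefix so that the router has no route, a matching route, a non-matching route or only a default route for it. The checksum matters: a filter that drops the packet and a far-side host that silently discards a corrupt packet look the same in a capture, so verify the decoded packet before blaming the router.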
The test shows that it does enable a basic ingress filtering: it compares the subnet prefix of a received packet's source address to the receiving interface's subnet prefix, and discards non-matching packets.
Please note that while this works, this is not the exact RFC 2827 / RFC 3704 implementation found in more complex equipment (ISP and enterprise-grade routers).
Another thing to note is that the D-Link only filters outgoing packets (from LAN to WAN), and lets all incoming packets in. So this is more of an egress filtering, in my opinion. It prevents spoofed packets from passing the router, leaving the network, and entering the ISP network.
Maybe this misnomer comes from the 'Ingress Filtering' term having become a generic word for both Ingress and Egress Filtering techniques. Note also that RFC 2827 names the check from the ISP's point of view, where it is applied to customer traffic entering the ISP; a CPE applying the same check to its LAN-to-WAN traffic performs it one hop earlier.
One last detail to note: as the DIR-626L ingress filtering is based on the receiving interface's prefix, chaining two DIR-626L routers results in the 'Inner Network' subnet traffic being dropped by the first router (the Internet gateway), since the inner subnet's prefix is not the gateway's own LAN prefix:
The solution to this problem is to create an 'allow everything out' rule on the Internet Gateway. Doing this overrides the ingress filter (which also means the gateway no longer drops spoofed packets coming from the inner network):
RFC 2827 / RFC 3704 Ingress Filtering Implementation
These RFCs describe 5 types of Ingress Filtering:
Ingress Access Lists: a static list of valid prefixes is manually maintained for each interface. This is the original RFC 2827 implementation.
Strict RPF (Reverse Path Forwarding): the best route for the received packet's source prefix must exist in the routing table, and must point to the receiving interface.
Loose RPF Ignoring Default Routes: a route for the received packet's source prefix, other than the default route, must exist in the routing table, without regard to which interface it points to.
Loose RPF: a route must exist in the routing table for the source prefix of the received packet, even if it is only a default route.
Feasible Path RPF: an evolution of Strict RPF that can handle asymmetric routing (the two directions of a flow take different paths): the receiving interface is accepted if it lies on any feasible path to the source prefix, not only the best one, using for example the alternative paths BGP has learned.
These implementations are more complex than the consumer-equipment one. Consider Strict RPF for instance: by checking for a reverse route on the receiving interface instead of a bare prefix match, it allows ingress filtering over multiple hops, not just on the local link.
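As an added illustration (example code written for this page, not taken from the RFCs or from any router vendor), here is a small Python model of the six checks discussed above: the consumer prefix-only check observed on the DIR-626L, the RFC 2827 ingress access list, and the four RPF variants of RFC 3704, each run against the same constructed routing table. The scenario is the chained-router setup from the previous section (an inner subnet reachable through the LAN interface but not on the LAN's own prefix), extended with a second uplink to show asymmetric routing, and a martian source check as mentioned for transit networks. The interface names, prefixes (documentation prefix 2001:db8::/32), and the Route and Router classes are assumptions of the example.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

IPv6Net = ipaddress.IPv6Network
DEFAULT_ROUTE = IPv6Net("::/0")

# Source prefixes that never belong on a transit link ("martians"): unspecified, loopback,
# IPv4-mapped, unique-local, link-local and multicast. Deliberately kept short.
MARTIANS = [IPv6Net(p) for p in ("::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10", "ff00::/8")]


def is_martian(src: str) -> bool:
    addr = ipaddress.IPv6Address(src)
    return any(addr in net for net in MARTIANS)


class Route:
    """One routing-table entry (assumed model): prefix, interface of the best path, and the
    interfaces of other feasible paths (e.g. alternative BGP paths) that only feasible-path RPF uses."""
    def __init__(self, prefix: str, best: str, feasible=()):
        self.prefix = IPv6Net(prefix)
        self.best = best
        self.feasible: Set[str] = set(feasible) | {best}


class Router:
    def __init__(self, connected: Dict[str, str], routes: List[Route],
                 acl: Optional[Dict[str, List[str]]] = None):
        # connected: interface -> its own on-link prefix (all the consumer check compares against)
        self.connected = {i: IPv6Net(p) for i, p in connected.items()}
        # connected prefixes are routes too, pointing at their own interface
        self.routes = routes + [Route(p, i) for i, p in connected.items()]
        # acl: interface -> static list of source prefixes allowed in (RFC 2827 ingress access list)
        self.acl = {i: [IPv6Net(p) for p in ps] for i, ps in (acl or {}).items()}

    def lookup(self, addr: ipaddress.IPv6Address) -> Optional[Route]:
        """Longest-prefix match on the source address."""
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def accept(self, mode: str, in_iface: str, src: str) -> Tuple[bool, str]:
        """Decide whether a packet with source `src` arriving on `in_iface` passes the filter."""
        addr = ipaddress.IPv6Address(src)
        if mode == "prefix-only":       # what the DIR-626L test showed
            ok = addr in self.connected[in_iface]
            return ok, f"on-link prefix of {in_iface} is {self.connected[in_iface]}"
        if mode == "acl":               # ingress access list
            ok = any(addr in n for n in self.acl.get(in_iface, []))
            return ok, f"acl on {in_iface}: {self.acl.get(in_iface, [])}"
        route = self.lookup(addr)
        if route is None:
            return False, "no route to source prefix"
        if mode == "strict":
            ok = route.best == in_iface
        elif mode == "feasible":
            ok = in_iface in route.feasible
        elif mode == "loose-nodefault":
            ok = route.prefix != DEFAULT_ROUTE
        elif mode == "loose":
            ok = True
        else:
            raise ValueError(f"unknown mode {mode}")
        return ok, f"{route.prefix} best via {route.best}, feasible via {sorted(route.feasible)}"


MODES = ["prefix-only", "acl", "strict", "feasible", "loose-nodefault", "loose"]


def gateway_demo() -> Dict[str, Dict[str, bool]]:
    """Constructed scenario: the Internet gateway of the chained-router setup, with LAN
    2001:db8:1::/64, a second router behind it owning 2001:db8:2::/64, and a second uplink
    wan2 on which the prefix 2001:db8:aaaa::/48 is a feasible but not the best path."""
    gw = Router(
        connected={"wan1": "2001:db8:ffff:1::/64", "wan2": "2001:db8:ffff:2::/64", "lan": "2001:db8:1::/64"},
        routes=[Route("::/0", "wan1"),
                Route("2001:db8:2::/64", "lan"),
                Route("2001:db8:aaaa::/48", "wan1", feasible={"wan2"})],
        acl={"lan": ["2001:db8:1::/64", "2001:db8:2::/64"]},
    )
    cases = {
        "inner-net-on-lan": ("lan", "2001:db8:2::10"),       # legitimate, but not the LAN's own prefix
        "spoofed-on-lan": ("lan", "2001:db8:bad::1"),        # spoofed source from the LAN side
        "asymmetric-on-wan2": ("wan2", "2001:db8:aaaa::1"),  # arrives on the non-best uplink
        "unknown-on-wan1": ("wan1", "2001:db8:bad::1"),      # only the default route matches
    }
    return {name: {m: gw.accept(m, iface, src)[0] for m in MODES} for name, (iface, src) in cases.items()}


if __name__ == "__main__":
    for name, verdicts in gateway_demo().items():
        print(name, {m: ("pass" if ok else "drop") for m, ok in verdicts.items()})
```

Three things stand out in the verdicts. The inner subnet's traffic is dropped by the prefix-only check but passes strict RPF, because the gateway has a route to 2001:db8:2::/64 through its LAN interface: that is exactly the chained-router failure, and the multi-hop benefit of checking routes rather than on-link prefixes. Traffic arriving on the non-best uplink is dropped by strict RPF but accepted by feasible-path RPF, which is why strict RPF is unsuitable on multihomed links. And loose RPF is the only mode that accepts the spoofed source from the LAN side, since a default route matches every address; loose RPF ignoring default routes closes that hole at the price of dropping sources the router only knows through the default route.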