NET-IPV6-047 - Interfaces supporting IPv4 in NAT-PT Architecture must not receive IPv6 traffic. - inside IPv6 block out

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Network Address Translation with Protocol Translation (NAT-PT), defined in [RFC2766], is a service that can be used to translate data sent between IP-heterogeneous nodes. NAT-PT translates IPv4 datagrams into a semantically equivalent IPv6 datagram or vice versa. For this service to work it has to be located in the connection point between the IPv4 network and the IPv6 network. The PT-part of the NAT-PT handles the interpretation and translation of the semantically equivalent IP header, either from IPv4 to IPv6 or from IPv6 to IPv4. Like NAT, NATPT also uses a pool of addresses which it dynamically assigns to the translated datagrams.

The NAT-PT architecture is not one of the preferred DoD IPv6 transition paradigms due to the deprecation of NAT-PT within the DoD community. However, as described in the 'DoD IPv6 Guidance for Information Assurance (IA) Milestone Objective 3 (MO3) Requirements', some services/agencies may choose to implement this transition mechanism within an enclave. The following sub-sections provide guidelines for the use of NAT-PT within a controlled enclave.

In addition to the single point of failure, the reduced performance of an application level gateway, coupled with limitations on the kinds of applications that work, decreases the overall value and utility of the network. NAT-PT also inhibits the ability to deploy security at the IP layer.

Solution

This can be accomplished by not having IPv6 enabled on the interface supporting the IPv4 network. In addition a filter can be added to deny IPv6 at the interface.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Firewall_V8R24_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|II, Rule-ID|SV-16078r2_rule, STIG-ID|NET-IPV6-047, Vuln-ID|V-15296

Plugin: Cisco

Control ID: 11f468eabc4780025ef6e5d02f52827a0404c36eed2f4736a384452794aba56b