NET-IPV6-065 - The 6-to-4 router is not filtering protocol 41 - 'ip access-group IPV4_EGRESS_FILTER'

Information

The administrator must ensure the 6-to-4 router is configured to drop any IPv4 packets with protocol 41 received from the internal network.

The 6to4-specific filters perform endpoint verification and provide assurance that the tunnels are being used properly. This guidance assumes that only the designated 6to4 router is allowed to form tunnel packets. If tunnel packets are being formed inside the enclave and passed to the 6to4 router, they are suspicious and must be dropped. In accordance with DoD IPv6 IA Guidance for MO3 (S5-C7-8), such packets must be dropped and logged as a security event.

NOTE: Change 'TUNNEL_SRC_INTERFACE' to the internal-facing interface that serves as the source interface of the 6to4 tunnel.
NOTE: Change 'IPV4_EGRESS_ACL' to the access control list number for IPv4 outbound connection filtering.

Solution

If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.
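The following Cisco IOS configuration is an added illustration of that filter; it is not taken from the STIG or the Tenable audit. It assumes GigabitEthernet0/1 is the internal-facing interface (the page's TUNNEL_SRC_INTERFACE placeholder) and uses IPV4_EGRESS_ACL as the ACL name from the note above; the syslog host address is a constructed documentation address.

```cisco
! Added example (not from the STIG text). Assumes GigabitEthernet0/1 is the
! internal-facing interface and IPV4_EGRESS_ACL is the egress ACL name.
!
ip access-list extended IPV4_EGRESS_ACL
 ! Drop and log every IPv4 packet carrying protocol 41 (IPv6-in-IPv4) that
 ! originates inside the enclave; only the 6to4 router itself may build
 ! tunnel packets, and its own packets never traverse this inbound ACL.
 10 deny 41 any any log
 ! The rest of the existing IPv4 egress policy follows. A blanket permit is
 ! shown here only so the ACL does not implicitly deny all other traffic.
 20 permit ip any any
!
interface GigabitEthernet0/1
 description Internal-facing interface (6to4 tunnel source)
 ! "Egress" filter for the enclave, applied inbound on the inside interface.
 ip access-group IPV4_EGRESS_ACL in
!
! Send the ACL deny messages (%SEC-6-IPACCESSLOGNP, severity informational)
! to a syslog collector so the drops are recorded as a security event.
logging host 192.0.2.10
logging trap informational
!
! Verification after the change:
!   show ip access-lists IPV4_EGRESS_ACL          (hit counter on sequence 10)
!   show running-config interface GigabitEthernet0/1
```

If an egress ACL already exists on that interface, add the deny entry with a sequence number that places it ahead of any broad permit, otherwise the protocol 41 packets are accepted before the deny is evaluated. Note that the audit's title references the name IPV4_EGRESS_FILTER while the note uses IPV4_EGRESS_ACL; the name in the configuration must match whatever the audit variable is set to. Because the filter matches on the IP protocol number rather than on 6to4 addresses, it also drops ISATAP and manually configured 6in4 tunnels built by internal hosts, which is the intended effect of this guidance.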

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CAT|II, Rule-ID|SV-40452r1_rule, STIG-ID|NET-IPV6-065, Vuln-ID|V-30660

Plugin: Cisco

Control ID: 596793f56de38cd7f58f3531dd3f1e5448e75ed444206c01c55739c7b1ab7dd2