NET-TUNL-001 - Drop IPv4 and IPv6 packets with outdated protocols

Information

The network device must drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols.

There are a number of outdated tunneling schemes that should be blocked to avoid importing IPv6 packets. DoD IPv6 IA Guidance for MO3 (S0-C7-2) has identified the following to be blocked at the perimeter:

Source Demand Routing Protocol (SDRP)
AX.25
IP-within-IP Encapsulation Protocol
EtherIP protocol
Encapsulation Header Protocol
PPTP

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the network device to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols:

Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42)
AX.25 - protocol field value of 0x5D (93)
IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94)
EtherIP protocol - protocol field value of 0x61 (97)
Encapsulation Header Protocol - protocol field value of 0x62 (98)
PPTP - TCP or UDP destination port (0x06BB) 1723

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-20197r4_rule, STIG-ID|NET-TUNL-001, Vuln-ID|V-18633

Plugin: Cisco

Control ID: 9a5920a3cb44cac3bf3848adbe53f5f8bdfddf9ba7e5cc16e4fc7f5504589063