NET-IPV6-024 - IPv6 6-to-4 addresses are not filtered - 'Egress deny ipv6 2002::/16 any log'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The IAO/NSO will ensure IPv6 6-to-4 addresses with a prefix of 2002--/16 are dropped at the enclave perimeter by the ingress and egress filters.

'6-to-4' is a tunneling IPv6 transition mechanism [RFC 3056]. The guidance is the default case, which assumes that 6-to-4 is not being used as an IPv6 transition mechanism. If 6-to-4 is implemented, reference addition 6-to-4 guidance defined in the STIG. Drop all inbound IPv6 packets containing a source address of type 2002--/16. This assumes the 6-to-4 transition mechanism is not being used. Drop all inbound IPv6 packets containing a destination address of type 2002--/16. This assumes the 6-to-4 transition mechanism is not being used.

NOTE: Change 'IPV6_EGRESS_ACL' to the access control list for IPv6 inbound connection filtering.

Solution

The administrator will configure the router ACLs to restrict IP addresses that contain any 6-to-4 addresses.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|II, Rule-ID|SV-20160r2_rule, STIG-ID|NET-IPV6-024, Vuln-ID|V-18608

Plugin: Cisco

Control ID: bf59ca05f7cae36f41905d55d87d392c05dd6fd13cee686bde249f3c1a4d3ee5