NET-IPV6-032 - IPv6 Unique Local Unicast ADDR are not blocked - 'deny ipv6 any FC00::/7 log'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The network device must block IPv6 Unique Local Unicast Addresses on the enclave's perimeter ingress and egress filters.

The IANA has assigned the FC00::/7 prefix to Unique Local Unicast addresses. A Unique Local Address (ULA) is a routable address that is not intended to be reachable on the Internet. Site border routers and firewalls should be configured to block any packet with a ULA source or destination address outside of the site. This ensures that packets with local IPv6 destination addresses are not forwarded outside of the site via a default route. Drop all inbound IPv6 packets with a source address in FC00::/7. Note that this prefix includes any address beginning with FC or FD.

NOTE: Change 'IPV6_INGRESS_ACL' to the access control list for IPv6 inbound connection filtering.
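As an added example, not part of the Tenable audit or the STIG it references, the following Cisco IOS configuration implements the filter described above: it drops inbound packets whose source or destination falls in FC00::/7 and logs the matches. The list name IPV6_INGRESS_ACL is the placeholder from the note above; the interface name and the remark text are assumptions.

```cisco
! Added example (assumed names). FC00::/7 covers both FC00::/8 and FD00::/8,
! so a single /7 entry catches every ULA without listing each prefix.
ipv6 access-list IPV6_INGRESS_ACL
 remark Drop and log inbound packets sourced from a Unique Local Address
 deny ipv6 FC00::/7 any log
 remark Drop and log inbound packets destined to a Unique Local Address
 deny ipv6 any FC00::/7 log
 remark The site's remaining ingress entries follow here; the list ends with an implicit deny
!
! Apply the list inbound on the external-facing interface (interface name is an assumption)
interface GigabitEthernet0/0
 ipv6 traffic-filter IPV6_INGRESS_ACL in
```

After applying it, `show ipv6 access-list IPV6_INGRESS_ACL` displays the per-entry match counters, which confirms the deny lines are actually being hit, and the `log` keyword sends each match to syslog so that ULA traffic arriving at the perimeter can be investigated. The same two deny entries belong in the egress list so that locally addressed packets are not forwarded out via the default route.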

Solution

The administrator will configure the router ACLs to drop packets whose source or destination falls within the Unique Local Unicast address range.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|II, Rule-ID|SV-15419r2_rule, STIG-ID|NET-IPV6-032, Vuln-ID|V-14703

Plugin: Cisco

Control ID: 92fa3633f8eb1941ea2288cdc10d905bd785295b59164322023457a47561faac