NET-TUNL-001 - Drop IPv4 and IPv6 packets with outdated protocols - 'deny 98 any any'

Information

The network device must drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols.

There are a number of outdated tunneling schemes that should be blocked to avoid importing IPv6 packets. DoD IPv6 IA Guidance for MO3 (S0-C7-2) has identified the following to be blocked at the perimeter:

Source Demand Routing Protocol (SDRP)
AX.25
IP-within-IP Encapsulation Protocol
EtherIP protocol
Encapsulation Header Protocol
PPTP

NOTE: Change 'IPV6_INGRESS_ACL' to the access control list for IPv6 inbound connection filtering.

Solution

Configure the network device to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols:

Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42)
AX.25 - protocol field value of 0x5D (93)
IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94)
EtherIP protocol - protocol field value of 0x61 (97)
Encapsulation Header Protocol - protocol field value of 0x62 (98)
PPTP - TCP or UDP destination port (0x06BB) 1723

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|II, Rule-ID|SV-20197r4_rule, STIG-ID|NET-TUNL-001, Vuln-ID|V-18633

Plugin: Cisco

Control ID: 9a5920a3cb44cac3bf3848adbe53f5f8bdfddf9ba7e5cc16e4fc7f5504589063