NET-IPV6-026 - IPv6 Site Local Unicast Addresses are not blocked - 'Egress deny ipv6 any fec0::/10 log'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The network element will be configured to ensure IPv6 Site Local Unicast addresses are blocked on the ingress inbound and egress outbound filters, (FEC0::/10). Note that this consist of all addresses that begin with FEC, FED, FEE and FEF.

As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity and potential misrouting, as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix defined in RFC3513, i.e., 1111111011 binary or FEC0::/10.

Drop all inbound and outbound IPv6 packets with an address FEC0::/10 as its source address. Note that this consists of all addresses that begin with FEC, FED, FEE, or FEF.

Drop all inbound and outbound IPv6 packets with an address FEC0::/10 as its destination address. Note that this consists of all addresses that begin with FEC, FED, FEE, or FEF.

NOTE: Change 'IPV6_EGRESS_ACL' to the access control list for IPv6 inbound connection filtering.

Solution

The administrator will configure the router ACLs to restrict IP addresses that contain any Site Local Unicast addresses.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|I, Rule-ID|SV-15398r2_rule, STIG-ID|NET-IPV6-026, Vuln-ID|V-14694

Plugin: Cisco

Control ID: d4a4e06d9d3f0b1822f7e818e7c18cdd405a778a49e0f94bd8c531078b0291d0