NET-TUNL-019 - Ingress filter does not filter protocol 41 - 'access-list IPV4_UPLINK_INGRESS_ACL deny 41)'

Information

The IAO/NSO will ensure the ingress filter drops unexpected protocol 41 packets at the 6to4 site router before sensor inspection.

6to4 is an automatic tunneling mechanism that provides IPv6 connectivity to a dual-stack node or an IPv6-capable site that has only IPv4 connectivity. One key difference between automatic 6to4 tunnels and manually configured tunnels is that a 6to4 tunnel is not point-to-point but point-to-multipoint. A basic 6to4 implementation can also be used to connect single nodes. In 6to4, tunnels are not defined in pairs as manual tunnels are; the tunnel destination is determined by the IPv4 address of the remote border router, which is extracted from the IPv6 destination address. 6to4 addresses start with the prefix 2002::/16 and take the form 2002:IPv4-address-in-hex::/48. 6to4 traffic takes an asymmetric routing path: outbound traffic and return traffic may traverse different relays. Although the 6to4 site can select the relay it uses for outbound traffic, it has no control over the relay used for return traffic. See the diagram in the STIG. Reliable operation of the relays, and knowing who manages them, are important to preventing denial of service. A 6to4 site router cannot distinguish legitimate traffic from bogus packets manufactured by a malicious 6to4 relay. Specifying the exact IPv4 addresses of the trusted 6to4 relays on the 6to4 router mitigates these vulnerabilities.

6to4 site routers are required to discard unexpected protocol 41 packets and to inspect the IPv6 traffic at the decapsulating end-point.

NOTE: Change 'IPV4_UPLINK_INGRESS_ACL' to the access control list for your organization's 6to4 filtering.

Solution

Define a filter that allows 6to4 tunneling from trusted 6to4 relays.
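The following Python is an added example, not part of the STIG or the audit check: it extracts the IPv4 address embedded in a 2002::/48 6to4 address, evaluates the uplink ingress policy for a packet (protocol 41 permitted only from the trusted relays, and a 2002:: inner source must embed the outer IPv4 source, the decapsulator check from RFC 3964), and renders the equivalent Cisco IOS extended ACL entries. The relay addresses and the `ingress_verdict`/`acl_lines` helpers are constructed for illustration.

```python
import ipaddress

# IPv4 protocol number 41 carries encapsulated IPv6 (6to4 and manual tunnels)
PROTO_41 = 41
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")

def embedded_ipv4(v6addr):
    """Return the IPv4 address embedded in a 2002:V4ADDR::/48 address, else None."""
    v6 = ipaddress.IPv6Address(v6addr)
    if v6 not in SIXTO4_PREFIX:
        return None
    # the 32 bits after the 16-bit 2002 prefix hold the border router's IPv4 address
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def sixto4_prefix(v4addr):
    """Build the 2002:V4ADDR::/48 site prefix from the border router's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(v4addr))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def ingress_verdict(outer_src, proto, trusted_relays, inner_src=None):
    """Decide what the uplink ingress ACL does with one packet.
    outer_src: IPv4 source on the uplink; proto: IPv4 protocol number;
    trusted_relays: set of IPv4Address of the site's relays;
    inner_src: IPv6 source after decapsulation, or None if not inspected."""
    if proto != PROTO_41:
        return "permit"  # not tunnel traffic; left to the rest of the ACL
    if ipaddress.IPv4Address(outer_src) not in trusted_relays:
        return "deny"    # unexpected protocol 41: dropped before the sensor
    # decapsulator check: a 2002:: inner source must embed the outer IPv4 source
    if inner_src is not None:
        emb = embedded_ipv4(inner_src)
        if emb is not None and emb != ipaddress.IPv4Address(outer_src):
            return "deny"
    return "permit"

def acl_lines(acl_name, trusted_relays):
    """Render the equivalent Cisco IOS extended ACL: permit trusted relays, deny the rest."""
    lines = [f"ip access-list extended {acl_name}"]
    for relay in sorted(trusted_relays):
        lines.append(f" permit 41 host {relay} any")
    lines.append(" deny 41 any any log")
    return lines

# constructed sample: two trusted relays in the documentation address range
TRUSTED = {ipaddress.IPv4Address("192.0.2.10"), ipaddress.IPv4Address("192.0.2.11")}

if __name__ == "__main__":
    print(embedded_ipv4("2002:c000:20a::1"))
    print("\n".join(acl_lines("IPV4_UPLINK_INGRESS_ACL", TRUSTED)))
```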

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|II, Rule-ID|SV-16073r1_rule, STIG-ID|NET-TUNL-019, Vuln-ID|V-15293

Plugin: Cisco

Control ID: 5d415e7d613ae25e5366b15ba1d64af151996d930e0f510c2594dec974bcb2b3