NET-TUNL-001 - Drop IPv4 and IPv6 packets with outdated protocols - 'IPv4 deny udp any any eq 1723'

Information

The network device must drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols.

There are a number of outdated tunneling schemes that should be blocked to avoid importing IPv6 packets. DoD IPv6 IA Guidance for MO3 (S0-C7-2) has identified the following to be blocked at the perimeter:

Source Demand Routing Protocol (SDRP)
AX.25
IP-within-IP Encapsulation Protocol
EtherIP protocol
Encapsulation Header Protocol
PPTP

NOTE: Change 'INTERNAL_EGRESS_ACL' to the access-list IP standard access list number for your organization.

Solution

Configure the network device to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols:

Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42)
AX.25 - protocol field value of 0x5D (93)
IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94)
EtherIP protocol - protocol field value of 0x61 (97)
Encapsulation Header Protocol - protocol field value of 0x62 (98)
PPTP - TCP or UDP destination port (0x06BB) 1723

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|II, Rule-ID|SV-20197r4_rule, STIG-ID|NET-TUNL-001, Vuln-ID|V-18633

Plugin: Cisco

Control ID: 9a5920a3cb44cac3bf3848adbe53f5f8bdfddf9ba7e5cc16e4fc7f5504589063