
The firewall implementation must suppress router advertisements for traffic destined for external IPv6-enabled interfaces.


Overview

Finding ID:  V-37361
Version:     SRG-NET-999999-FW-000191
Rule ID:     SV-49122r1_rule
IA Controls: (none listed)
Severity:    Medium
Description
Many of the known attacks on stateless address autoconfiguration described in RFC 3756 have direct counterparts in IPv4 ARP attacks. IPsec AH was originally suggested as a mitigation for "link-local attacks", but it has bootstrapping problems and is difficult to administer: a node first needs an IP address in order to set up the IPsec security association, which creates a chicken-and-egg dilemma. Solutions are being developed (Secure Neighbor Discovery (SEND) and Cryptographically Generated Addresses (CGA)) to address these threats, but they were not available at the time of this writing. To mitigate these vulnerabilities, links that have no hosts connected, such as the interface connecting to external gateways, will be configured to suppress router advertisements. Disable (or do not configure) all IPv6 Neighbor Discovery functions across tunnels, including the Neighbor Unreachability Detection (NUD) function. Note: this is applicable only when the inner IP layer is IPv6, since IPv4 has no Neighbor Discovery functionality.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text ( C-45608r1_chk )
Inspect the device configuration to validate that IPv6 router advertisement suppression is enabled on all external-facing interfaces. This is applicable to all IPv6-enabled interfaces connected to an IP backbone (e.g., NIPRNet, SIPRNet), a backdoor link, or an alternate gateway (AG).

If the firewall implementation is not configured to suppress router advertisements for traffic destined for external IPv6-enabled interfaces, this is a finding.
Fix Text (F-42286r1_fix)
Configure the firewall implementation to suppress router advertisements for traffic destined for external IPv6-enabled interfaces.
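The check text above asks the reviewer to inspect the device configuration by hand. As an added example (not part of the STIG or any vendor's tooling), the Python script below parses a constructed Cisco IOS-style running-config and reports external-facing, IPv6-enabled interfaces that lack RA suppression; the IOS command syntax, the interface names and the set of external interfaces are assumptions, since the STIG is vendor-neutral.

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config in Cisco IOS style; the STIG names no vendor,
# so the 'ipv6 nd ra suppress' / 'ipv6 nd suppress-ra' syntax is an assumption.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description External uplink to NIPRNet
 ipv6 address 2001:db8:1::1/64
 ipv6 nd ra suppress all
!
interface GigabitEthernet0/1
 description Backdoor link, RA suppression missing
 ipv6 address 2001:db8:2::1/64
!
interface GigabitEthernet0/2
 description Internal LAN, hosts need RAs
 ipv6 address 2001:db8:10::1/64
!
interface GigabitEthernet0/3
 description IPv4-only alternate gateway link
 ip address 192.0.2.1 255.255.255.0
!
"""
# External-facing interfaces (constructed); in practice taken from the site's
# interface inventory, since the config itself does not mark them as external.
EXTERNAL_INTERFACES = {"GigabitEthernet0/0", "GigabitEthernet0/1"}

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    # Map each 'interface X' stanza to its indented sub-commands.
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any non-indented line ends the stanza
    return blocks

def ipv6_enabled(lines: List[str]) -> bool:
    return any(l.startswith("ipv6 address") or l == "ipv6 enable" for l in lines)

def ra_suppressed(lines: List[str]) -> bool:
    # Accept both the current and the legacy IOS spelling of the command.
    return any(re.match(r"ipv6 nd (ra suppress|suppress-ra)\b", l) for l in lines)

def check_ra_suppression(config: str, external: Set[str]) -> List[str]:
    # Findings: external, IPv6-enabled interfaces that would still send RAs.
    return [name for name, lines in parse_interfaces(config).items()
            if name in external and ipv6_enabled(lines) and not ra_suppressed(lines)]
```

Internal interfaces and IPv4-only links are deliberately out of scope, matching the STIG's wording of "external IPv6-enabled interfaces".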