UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must ensure IPv6 6-to-4 addresses are dropped at the enclave perimeter for inbound and outbound traffic.


Overview

Finding ID Version Rule ID IA Controls Severity
V-37367 SRG-NET-999999-FW-000197 SV-49128r1_rule Medium
Description
"6-to-4" is a tunneling IPv6 transition mechanism. The guidance is the default case, which assumes that 6-to-4 is not used. If 6-to-4 is used, then firewall rules must be configured to drop packets as required.
STIG Date
Firewall Security Requirements Guide 2013-04-24

Details

Check Text ( C-45614r1_chk )
Review the perimeter firewall configuration to ensure filters are in place to restrict the IP addresses.
Verify that inbound and outbound ACLs for IPv6 have been defined to deny 6-to-4 addresses (source/destination type 2002::/16) and log all violations.

If IPv6 6-to-4 addresses are not dropped at the enclave perimeter for inbound and outbound traffic, this is a finding.
Fix Text (F-42292r1_fix)
Configure the router ACLs to restrict IP addresses that contain any 6-to-4 addresses.
Drop all inbound IPv6 packets containing a source address of type 2002::/16. This assumes the 6-to-4 transition mechanism is not being used.
Drop all inbound IPv6 packets containing a destination address of type 2002::/16. This assumes the 6-to-4 transition mechanism is not being used.