
The firewall implementation must ensure IPv6 6-to-4 addresses are dropped at the enclave perimeter for inbound and outbound traffic.


Overview

Finding ID: V-37367
Version: SRG-NET-999999-FW-000197
Rule ID: SV-49128r1_rule
IA Controls: (none listed)
Severity: Medium
Description
"6-to-4" (RFC 3056) is a tunneling IPv6 transition mechanism that carries IPv6 traffic across an IPv4 network using addresses in the 2002::/16 prefix. This guidance describes the default case, in which 6-to-4 is not used in the enclave. If 6-to-4 is in use, firewall rules must still be configured to drop 6-to-4 packets as the enclave's requirements dictate.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text ( C-45614r1_chk )
Review the perimeter firewall configuration to ensure filters are in place that restrict 6-to-4 addresses.
Verify that both inbound and outbound IPv6 ACLs have been defined to deny packets whose source or destination address falls within 2002::/16, and that all violations are logged.

If IPv6 6-to-4 addresses are not dropped at the enclave perimeter for inbound and outbound traffic, this is a finding.
Fix Text (F-42292r1_fix)
Configure the router ACLs to drop IPv6 packets that carry a 6-to-4 (2002::/16) address in either the source or destination field.
Drop all inbound and outbound IPv6 packets whose source address falls within 2002::/16.
Drop all inbound and outbound IPv6 packets whose destination address falls within 2002::/16.
Both entries assume the 6-to-4 transition mechanism is not being used in the enclave.
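The check text requires that violations be logged, and the fix text requires that both directions be filtered. The following Python script is an added example, not part of the STIG or any vendor's ACL syntax: it applies the same 2002::/16 match the rule calls for to a constructed set of flow records (direction, source, destination), flags any record that would be a violation, and recovers the IPv4 address that RFC 3056 embeds in bits 16 through 47 of a 6-to-4 address. The flow-record format and the sample addresses are assumptions made for the example; the ACL itself still has to be written in the firewall's own configuration language.

```python
import ipaddress
from typing import Dict, List, Optional

# 6-to-4 addresses (RFC 3056) occupy 2002::/16; the IPv4 address of the
# 6-to-4 router is embedded in the 32 bits that follow the 2002 prefix.
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def is_6to4(addr: str) -> bool:
    """True if addr is an IPv6 address inside 2002::/16."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 6 and ip in SIXTO4_PREFIX


def embedded_ipv4(addr: str) -> Optional[str]:
    """Return the IPv4 address embedded in a 6-to-4 address, or None."""
    if not is_6to4(addr):
        return None
    packed = ipaddress.IPv6Address(addr).packed
    # Bytes 2..5 of the 128-bit address carry the embedded IPv4 address.
    return str(ipaddress.IPv4Address(packed[2:6]))


# Constructed sample flow records (not real traffic), assumed format:
# "<direction> <source> <destination>".
SAMPLE_FLOWS = [
    "in 2002:c633:6401::1 2001:db8:1::10",      # inbound, 6-to-4 source
    "out 2001:db8:1::10 2002:c633:6401::1",     # outbound, 6-to-4 destination
    "in 2001:db8:2::5 2001:db8:1::20",          # clean
    "out 2001:db8:1::20 2001:db8:ffff::1",      # clean
    "in 2001:db8:3::7 2002:ac10:101::9",        # inbound, 6-to-4 destination
]


def scan_flows(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag every record whose source or destination is a 6-to-4 address.

    Each finding records the direction, which field matched, the matching
    address, and the IPv4 address embedded in it, which is the value a
    responder would want when tracing the tunnel endpoint.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        direction, src, dst = parts
        if is_6to4(src):
            field, address = "src", src
        elif is_6to4(dst):
            field, address = "dst", dst
        else:
            continue
        findings.append({
            "direction": direction,
            "field": field,
            "address": address,
            "embedded_ipv4": embedded_ipv4(address),
        })
    return findings


def directions_with_violations(findings: List[Dict[str, Optional[str]]]) -> set:
    """Which directions produced hits; both 'in' and 'out' must be filtered."""
    return {f["direction"] for f in findings}


if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"{f['direction']:>3} {f['field']} {f['address']} "
              f"(embedded IPv4 {f['embedded_ipv4']})")
```

Running the script against the constructed records reports three violations, two inbound and one outbound, and decodes 2002:c633:6401::1 to the embedded router address 198.51.100.1. If a real flow export shows hits in only one direction, that is a sign the ACL was applied to one interface direction only, which is exactly what the check text asks the reviewer to catch.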