
The firewall implementation must ensure IPv6 Site Local Unicast addresses are not used.


Overview

Finding ID: V-37368
Version: SRG-NET-999999-FW-000198
Rule ID: SV-49129r1_rule
IA Controls:
Severity: Medium
Description
As currently defined, Site Local Unicast addresses are ambiguous and can be present in multiple sites. The addresses themselves do not contain any indication of the site to which they belong. The use of site-local addresses may adversely affect network security through leaks, ambiguity, and potential misrouting. The Site Local Unicast address range is FEC0::/10. Note that this includes addresses that begin with FEC, FED, FEE and FEF.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text (C-45615r1_chk)
Review the device configuration to ensure FEC0::/10 IP addresses are not configured on the firewall.
Verify a firewall rule exists to filter and deny traffic with IPv6 Site Local Unicast addresses.

If IPv6 Site Local Unicast addresses are used or the firewall is not configured to filter and deny these addresses, this is a finding.
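As an added example, not part of the STIG or the viewer, the two conditions of the check text expressed as a small Python audit: configured interface addresses and deny rules are constructed sample data, and the prefix test uses the standard ipaddress module. A deny rule only satisfies the check if it covers the whole FEC0::/10 range; a narrower rule such as fec0::/16 leaves FED0-FEF0 addresses unfiltered.

```python
import ipaddress
from typing import Iterable

# Deprecated IPv6 Site Local Unicast range named in the check text
# (first hextet FEC0-FEFF, i.e. addresses beginning FEC, FED, FEE, FEF).
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")

# Constructed sample data standing in for a firewall's interface addresses
# and its explicit deny rules; not taken from any real device.
SAMPLE_CONFIGURED = ["2001:db8::1/64", "fec0:0:0:1::1/64", "fe80::1/64",
                     "192.0.2.1/24", "FED0::10/64"]
SAMPLE_DENY_RULES = ["fec0::/10", "10.0.0.0/8"]


def is_site_local(addr: str) -> bool:
    """True if addr (with or without a prefix length) lies inside FEC0::/10."""
    iface = ipaddress.ip_interface(addr)
    return iface.version == 6 and iface.ip in SITE_LOCAL


def audit_site_local(configured: Iterable[str], deny_rules: Iterable[str]) -> dict:
    """Evaluate both conditions of the check text.

    configured: addresses assigned on the firewall (any address family)
    deny_rules: prefixes the firewall explicitly filters and denies
    'finding' is True when a site-local address is configured or no deny
    rule covers the entire FEC0::/10 range.
    """
    offending = [a for a in configured if is_site_local(a)]
    covered = False
    for rule in deny_rules:
        net = ipaddress.ip_network(rule, strict=False)
        # subnet_of() needs matching families; a rule covers the requirement
        # only if the whole site-local range is inside the denied prefix.
        if net.version == 6 and SITE_LOCAL.subnet_of(net):
            covered = True
    return {"site_local_addresses": offending,
            "deny_rule_present": covered,
            "finding": bool(offending) or not covered}


if __name__ == "__main__":
    print(audit_site_local(SAMPLE_CONFIGURED, SAMPLE_DENY_RULES))
```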
Fix Text (F-42293r1_fix)
Remove the IPv6 Site Local Unicast addresses and reconfigure the network devices with authorized addresses.
Configure the firewall ACL to filter and deny the use of IPv6 Site Local Unicast addresses.