
The firewall implementation must ensure interfaces supporting IPv4 in NAT-PT architecture do not receive IPv6 traffic.


Overview

Finding ID: V-37370
Version: SRG-NET-999999-FW-000200
Rule ID: SV-49131r1_rule
IA Controls:
Severity: Medium
Description
Network Address Translation with Protocol Translation (NAT-PT) is a service that can be used to translate data sent between IP-heterogeneous nodes. NAT-PT translates an IPv4 datagram into a semantically equivalent IPv6 datagram or vice versa. For this service to work, it has to be located at the connection point between the IPv4 network and the IPv6 network. The PT part of NAT-PT handles the interpretation and translation of the semantically equivalent IP header, either from IPv4 to IPv6 or from IPv6 to IPv4. Like NAT, NAT-PT also uses a pool of addresses which it dynamically assigns to the translated datagrams.

The NAT-PT architecture is not one of the preferred DoD IPv6 transition paradigms due to the deprecation of NAT-PT within the DoD community. However, as described in the "DoD IPv6 Guidance for Information Assurance (IA) Milestone Objective 3 (MO3) Requirements", some services/agencies may choose to implement this transition mechanism within an enclave. The following subsections provide guidelines for the use of NAT-PT within a controlled enclave.

In addition to being a single point of failure, the reduced performance of an application-level gateway, coupled with limitations on the kinds of applications that work through it, decreases the overall value and utility of the network. NAT-PT also inhibits the ability to deploy security at the IP layer.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text (C-45617r1_chk)
Review the configuration for each firewall in the implementation.
Verify the interface supporting IPv6 neither carries IPv4 traffic nor is connected to an IPv4 network.
Verify a firewall rule or policy exists that denies IPv6 at interfaces that support IPv4.

If the firewall implementation does not prevent interfaces supporting IPv4 in NAT-PT architecture from receiving IPv6 traffic, this is a finding.
Fix Text (F-42295r1_fix)
Disable IPv6 on the interface supporting the IPv4 network or add a firewall rule or security policy to deny IPv6 at the interface.
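The following audit script is an added example, not part of the STIG or of any vendor's tooling. It applies the check and fix text above to a constructed configuration written in a generic IOS-like syntax (an assumption; real devices differ), reporting each interface as compliant, not applicable, or a finding. An IPv4 interface passes either because IPv6 is disabled on it or because an inbound IPv6 filter (assumed name DENY-ALL-V6) denies all IPv6.

```python
import re

# Constructed sample configuration (assumption: generic IOS-like syntax,
# not any specific vendor's exact grammar; interface and ACL names are made up).
SAMPLE_CONFIG = """\
ipv6 access-list DENY-ALL-V6
 deny ipv6 any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 enable
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ipv6 enable
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 ipv6 enable
 ipv6 traffic-filter DENY-ALL-V6 in
!
interface GigabitEthernet0/3
 ipv6 address 2001:db8::1/64
!
"""

def parse_blocks(config, keyword):
    """Return {name: [stripped indented lines]} for each top-level `keyword NAME` stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(keyword + " "):
            current = raw[len(keyword) + 1:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or another top-level statement ends the stanza
    return blocks

def audit(config):
    """Map each interface to 'compliant', 'not applicable ...' or 'finding: ...'."""
    acls = parse_blocks(config, "ipv6 access-list")
    results = {}
    for name, lines in parse_blocks(config, "interface").items():
        has_v4 = any(l.startswith("ip address") for l in lines)
        has_v6 = any(l == "ipv6 enable" or l.startswith("ipv6 address") for l in lines)
        if not (has_v4 and has_v6):
            results[name] = "compliant" if has_v4 else "not applicable (no IPv4 on interface)"
            continue
        # IPv4 interface still accepts IPv6: require an inbound filter that denies all IPv6
        acl_names = [m.group(1) for m in
                     (re.match(r"ipv6 traffic-filter (\S+) in$", l) for l in lines) if m]
        if any("deny ipv6 any any" in acls.get(a, []) for a in acl_names):
            results[name] = "compliant"
        else:
            results[name] = "finding: IPv4 interface has IPv6 enabled and no inbound deny-all IPv6 filter"
    return results

if __name__ == "__main__":
    for iface, status in audit(SAMPLE_CONFIG).items():
        print(f"{iface}: {status}")
```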