The IAO/NSO will ensure if DHCPV6 is not being used in the enclave it will be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18632	NET-IPV6-039	SV-20192r1_rule	ECSC-1	Medium

Description
Currently, many vendors are not prepared for DHCPv6 stateful autoconfiguration, thus there are very few implementations of it. DHCPv6 is a completely separate protocol than DHCPv4. In IPV6 DHCPDISCOVER use of the unspecified address 0.0.0.0 with a broadcast address. These messages are sent with a FF02::1:2 (RFC3315) via IPv6 support of link-local autoconfiguration. There is also DHCPv6-Prefix Delegation that allows nodes to request not just an address, but also the entire prefix. DHCPv6-PD is primarily used by routers. Stateful autoconfiguration offers the best auditing capabilities due to the logs being centralized at the DHCP server and may become the preferred implementation as the protocol matures. When DHCP is not being used in an IPv6 network, DHCP packets should be filtered at security boundaries and internally at router interfaces where possible. The internal filtering will not completely prevent use since any on-link attacks never pass through a router, hence the IDS recommendations follow. Create an IDS check to detect any inconsistencies in the advertised “M or O bit values” of router advertisements on a link. If DHCP is not being used in the network, create an IDS check to detect traffic on the commonly used DHCP ports. The following port numbers for both TCP and UDP are associated with DHCP: 67, 68, 546, 547, 647, 847, and 2490.

Description

Currently, many vendors are not prepared for DHCPv6 stateful autoconfiguration, thus there are very few implementations of it. DHCPv6 is a completely separate protocol than DHCPv4. In IPV6 DHCPDISCOVER use of the unspecified address 0.0.0.0 with a broadcast address. These messages are sent with a FF02::1:2 (RFC3315) via IPv6 support of link-local autoconfiguration. There is also DHCPv6-Prefix Delegation that allows nodes to request not just an address, but also the entire prefix. DHCPv6-PD is primarily used by routers. Stateful autoconfiguration offers the best auditing capabilities due to the logs being centralized at the DHCP server and may become the preferred implementation as the protocol matures. When DHCP is not being used in an IPv6 network, DHCP packets should be filtered at security boundaries and internally at router interfaces where possible. The internal filtering will not completely prevent use since any on-link attacks never pass through a router, hence the IDS recommendations follow. Create an IDS check to detect any inconsistencies in the advertised “M or O bit values” of router advertisements on a link. If DHCP is not being used in the network, create an IDS check to detect traffic on the commonly used DHCP ports. The following port numbers for both TCP and UDP are associated with DHCP: 67, 68, 546, 547, 647, 847, and 2490.

STIG	Date
IDS/IPS Security Technical Implementation Guide	2013-10-08

Details

Check Text ( C-22325r1_chk )
If DHCP is not being used in the network, drop inbound and outbound TCP and UDP packets with the following port numbers: 67, 68, 546, 547, 647, 847, and 2490 on the IDPS.

Fix Text (F-19258r1_fix)
Apply inspection on IDPS.