
The network device must block IPv6 Unique Local Unicast Addresses on the enclaves perimeter ingress and egress filter.


Overview

Finding ID: V-14703
Version: NET-IPV6-032
Rule ID: SV-15420r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
The IANA has assigned the FC00::/7 prefix to Unique Local Unicast addresses. A Unique Local Address (ULA) is a routable address that is not intended to be used on the Internet. Site border routers and firewalls should be configured to block any packets with ULA source or destination addresses outside of the site. This ensures that packets with Local IPv6 destination addresses are not forwarded outside of the site via a default route. Drop all inbound IPv6 packets that have an address in FC00::/7 as their source address. Note that this includes any address beginning with FC or FD.
STIG: Perimeter L3 Switch Security Technical Implementation Guide - Cisco
Date: 2016-01-04

Details

Check Text ( C-12887r1_chk )
Base Procedure: Review the premise router configuration to ensure filters are in place to restrict the IP addresses explicitly or implicitly. Verify that ingress and egress ACLs for IPv6 have been defined to deny the Unique Local Unicast addresses and log all violations.
Fix Text (F-14168r1_fix)
The administrator will configure the router ACLs to restrict IP addresses that contain any Unique Local Unicast addresses.
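
One way to automate the check procedure against a saved running configuration, added here as an example and not part of the STIG text or any Cisco tooling. It assumes Cisco IOS `ipv6 access-list` and `ipv6 traffic-filter` syntax; the ACL and interface names in the sample are constructed, and only explicit deny entries are evaluated (entry order is not).

```python
import ipaddress
import re

ULA = ipaddress.ip_network("fc00::/7")
DENY = re.compile(r"\s+(?:sequence \d+ )?deny ipv6 (\S+) (\S+)(.*)", re.I)
FILTER = re.compile(r"\s+ipv6 traffic-filter (\S+) (in|out)", re.I)

# Constructed sample excerpt: ACL and interface names are hypothetical.
SAMPLE_CONFIG = """\
ipv6 access-list V6-INGRESS
 deny ipv6 FC00::/7 any log
 deny ipv6 any FC00::/7 log
 permit ipv6 any any
ipv6 access-list V6-EGRESS
 deny ipv6 FC00::/7 any
interface GigabitEthernet0/1
 ipv6 traffic-filter V6-INGRESS in
 ipv6 traffic-filter V6-EGRESS out
"""

def covers_ula(token):
    """True if an ACL address token is a prefix containing all of FC00::/7."""
    try:
        return ULA.subnet_of(ipaddress.ip_network(token, strict=False))
    except (ValueError, TypeError):   # 'any', 'host', malformed, or IPv4 prefix
        return False

def audit(config):
    """Return a finding for each bound IPv6 ACL lacking a logged ULA deny."""
    denies, bindings, acl, intf = [], [], None, None
    for line in config.splitlines():
        if m := re.match(r"ipv6 access-list (\S+)", line):
            acl, intf = m.group(1), None
        elif m := re.match(r"interface (\S+)", line):
            intf, acl = m.group(1), None
        elif acl and (m := DENY.match(line)):
            logged = any(t.startswith("log") for t in m.group(3).split())
            for role, addr in (("source", m.group(1)), ("destination", m.group(2))):
                if covers_ula(addr):
                    denies.append((acl, role, logged))
        elif intf and (m := FILTER.match(line)):
            bindings.append((intf, m.group(2), m.group(1)))
    findings = []
    for intf, direction, name in bindings:
        for role in ("source", "destination"):
            logged = [lg for a, r, lg in denies if (a, r) == (name, role)]
            if not any(logged):
                why = "unlogged deny for" if logged else "no deny for"
                findings.append(f"{intf} {direction} {name}: {why} ULA {role}")
    return findings
```

A deny on a narrower prefix such as FD00::/8 is not counted, because it leaves the FC half of FC00::/7 unfiltered.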